From 6f3291144e6762b429837311fd6a2436b1c94e9d Mon Sep 17 00:00:00 2001
From: Alberto Marin
Date: Mon, 25 Jun 2018 07:02:30 -0700
Subject: [PATCH] Remove Audit rules on Linux when the agent gets stopped

---
 src/syscheckd/run_check.c | 2 +-
 src/syscheckd/run_realtime.c | 2 ++
 src/syscheckd/syscheck.h | 3 ++-
 src/syscheckd/syscheck_audit.c | 11 +++++------
 4 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/src/syscheckd/run_check.c b/src/syscheckd/run_check.c
index 0ec202d2bc0..5339538a92e 100644
--- a/src/syscheckd/run_check.c
+++ b/src/syscheckd/run_check.c
@@ -130,7 +130,7 @@ void start_daemon()
 if (audit_socket > 0) {
 mdebug1("Starting Auditd events reader thread...");
 audit_added_rules = W_Vector_init(10);
- atexit(StopAuditThread);
+ atexit(clean_rules);
 w_create_thread(audit_main, &audit_socket);
 } else {
 merror("Cannot start Audit events reader thread.");
diff --git a/src/syscheckd/run_realtime.c b/src/syscheckd/run_realtime.c
index e2a47ae12e3..2d6b386af7e 100644
--- a/src/syscheckd/run_realtime.c
+++ b/src/syscheckd/run_realtime.c
@@ -234,7 +234,9 @@ int realtime_adddir(const char *dir, __attribute__((unused)) int whodata)
 merror("Error adding Audit rule for %s : %i", dir, retval);
 } else {
 // Save dir into saved rules list
+ w_mutex_lock(&syscheck_mutex);
 W_Vector_insert(audit_added_rules, dir);
+ w_mutex_unlock(&syscheck_mutex);
 }
 } else {
diff --git a/src/syscheckd/syscheck.h b/src/syscheckd/syscheck.h
index fd90e463735..ca9691aaf2b 100644
--- a/src/syscheckd/syscheck.h
+++ b/src/syscheckd/syscheck.h
@@ -77,6 +77,7 @@ const char* get_group(int gid);
 int realtime_checksumfile(const char *file_name, whodata_evt *evt) __attribute__((nonnull(1)));
 #ifndef WIN32
+ #define AUDIT_KEY "wazuh_fim"
 int audit_init(void);
 int check_auditd_enabled(void);
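Review bot: Replacing `atexit(StopAuditThread)` with `atexit(clean_rules)` removes the only place visible in this patch where `audit_thread_active` is cleared, so at process exit the reader thread created on the next line is never told to stop while the exit handler takes `syscheck_mutex` and frees `audit_added_rules` underneath it; if that thread then reaches its own shutdown path in audit_main it walks a freed vector. Unless another path clears the flag (not visible here), keep the stop signal and register a small wrapper instead: `static void stop_audit(void) { audit_thread_active = 0; clean_rules(); }` with `atexit(stop_audit);`. start_daemon continues outside the hunk.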
@@ -87,8 +88,8 @@ int audit_delete_rule(const char *path, const char *key);
 void *audit_main(int *audit_sock);
 extern W_Vector *audit_added_rules;
 extern volatile int audit_thread_active;
+extern pthread_mutex_t syscheck_mutex;
 void clean_rules(void);
-void StopAuditThread(void);
 #endif
 #endif
diff --git a/src/syscheckd/syscheck_audit.c b/src/syscheckd/syscheck_audit.c
index 478f023cec0..c660e02f81c 100644
--- a/src/syscheckd/syscheck_audit.c
+++ b/src/syscheckd/syscheck_audit.c
@@ -37,6 +37,7 @@ static regex_t regexCompiled_cwd;
 static regex_t regexCompiled_pname;
 static regex_t regexCompiled_path0;
 static regex_t regexCompiled_path1;
+pthread_mutex_t syscheck_mutex = PTHREAD_MUTEX_INITIALIZER;
 // Convert audit relative paths into absolute paths
@@ -665,6 +666,7 @@ void * audit_main(int * audit_sock) {
 regfree(®exCompiled_pname);
 // Change Audit monitored folders to Inotify.
 int i;
+ w_mutex_lock(&syscheck_mutex);
 if (audit_added_rules) {
 for (i = 0; i < W_Vector_length(audit_added_rules); i++) {
 realtime_adddir(W_Vector_get(audit_added_rules, i), 0);
@@ -672,19 +674,15 @@ void * audit_main(int * audit_sock) {
 }
 // Clean Audit added rules.
 clean_rules();
+ w_mutex_unlock(&syscheck_mutex);
 return NULL;
 }
-void StopAuditThread(void) {
- audit_thread_active = 0;
-}
-
-
 void clean_rules(void) {
 int i;
-
+ w_mutex_lock(&syscheck_mutex);
 if (audit_added_rules) {
 mdebug2("Deleting Audit rules...");
 for (i = 0; i < W_Vector_length(audit_added_rules); i++) {
@@ -692,4 +690,5 @@ void clean_rules(void) {
 }
 W_Vector_free(audit_added_rules);
 }
+ w_mutex_unlock(&syscheck_mutex);
 }
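Review bot: `extern pthread_mutex_t syscheck_mutex;` makes syscheck.h depend on `pthread_mutex_t`, but no `#include <pthread.h>` is visible in this hunk; if the header's include block (outside the hunk) does not already pull it in, any translation unit that includes syscheck.h before pthread.h stops compiling. A one-line comment on the declaration would also tell readers what the lock guards, e.g. `/* Serialises access to audit_added_rules (run_realtime.c, syscheck_audit.c). */`.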
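Review bot: audit_main takes `syscheck_mutex` before the `if (audit_added_rules)` loop and still holds it when it calls `clean_rules()` in the next hunk (`@@ -672,19 +674,15`), and clean_rules locks the same mutex again; `syscheck_mutex` is initialised with `PTHREAD_MUTEX_INITIALIZER` (default, non-recursive type), so assuming w_mutex_lock wraps pthread_mutex_lock the second lock deadlocks the shutdown path or is undefined behaviour, and the unlock placed after `clean_rules()` is never reached. The loop body also calls realtime_adddir while holding the lock, and the visible realtime_adddir hunk locks `syscheck_mutex` in its audit-rule branch, so confirm the `whodata == 0` branch does not take it. The smallest fix is to release before the call — `w_mutex_unlock(&syscheck_mutex);` followed by `clean_rules();` — and drop the unlock that currently follows it; alternatively split clean_rules into a locking public wrapper and a lock-free internal helper. audit_main begins outside the hunk.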
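Review bot: `W_Vector_free(audit_added_rules)` leaves `audit_added_rules` pointing at freed memory, and clean_rules now has two callers — audit_main's shutdown path and the `atexit` handler registered in run_check.c — so the second call passes the `if (audit_added_rules)` test and runs `W_Vector_length` and `W_Vector_free` on a freed vector (use-after-free, then double free). Reset the pointer while the lock is still held: `W_Vector_free(audit_added_rules);` then `audit_added_rules = NULL;`. clean_rules begins in the previous hunk.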