From 91b64c9e2f5d09597d14f12545c5a42b6ad2b158 Mon Sep 17 00:00:00 2001
From: Cristobal Lopez
Date: Thu, 21 Jun 2018 17:36:38 +0200
Subject: [PATCH] Add access control to the syscheck hash table
---
 src/syscheckd/create_db.c | 9 +++++++++
 src/syscheckd/run_realtime.c | 7 +++++++
 src/syscheckd/syscheck.c | 2 +-
 src/syscheckd/syscheck.h | 3 +++
 src/syscheckd/win_whodata.c | 5 +++++
 5 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/src/syscheckd/create_db.c b/src/syscheckd/create_db.c
index 2262caa7995..a396b986e18 100644
--- a/src/syscheckd/create_db.c
+++ b/src/syscheckd/create_db.c
@@ -72,6 +72,7 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction, whod
 // Update database
+ w_mutex_lock(mutex_ht);
 if (buf = (char *) OSHash_Get(syscheck.fp, file_name), buf) {
 snprintf(alert_msg, sizeof(alert_msg), "%.*s -1", SK_DB_NATTR, buf);
 free(buf);
@@ -79,6 +80,7 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction, whod
 merror("Unable to update file to db: %s", file_name);
 }
 }
+ w_mutex_unlock(mutex_ht);
 return (0);
 }else{
@@ -169,7 +171,10 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction, whod
 }
 }
+ w_mutex_lock(mutex_ht);
 buf = (char *) OSHash_Get(syscheck.fp, file_name);
+ w_mutex_unlock(mutex_ht);
+
 if (!buf) {
 char alert_msg[OS_MAXSTR + 1]; /* to accommodate a long */
 alert_msg[OS_MAXSTR] = '\0';
@@ -201,9 +206,11 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction, whod
 opts & CHECK_INODE ? (long)statbuf.st_ino : 0, opts & CHECK_SHA256SUM ? sf256_sum : "xxx");
+ w_mutex_lock(mutex_ht);
 if (OSHash_Add(syscheck.fp, file_name, strdup(alert_msg)) <= 0) {
 merror("Unable to add file to db: %s", file_name);
 }
+ w_mutex_unlock(mutex_ht);
 /* Send the new checksum to the analysis server */
 alert_msg[OS_MAXSTR] = '\0';
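Review bot: In the hunk at `@@ -72,6 +72,7 @@` the `w_mutex_lock(mutex_ht)` taken before the `OSHash_Get` is only released in the following hunk (`@@ -79,6 +80,7 @@`), so the line between the two hunks, which is not shown, must contain no `return`, `goto` or `break` out of the block, otherwise the table lock stays held and every other syscheck thread that touches `syscheck.fp` deadlocks. That line is worth confirming explicitly, and `merror` now runs while the lock is held, which is acceptable but widens the critical section beyond the two table calls. read_file starts and ends outside both hunks.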
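Review bot: In the hunk at `@@ -169,7 +171,10 @@` the mutex is released immediately after `OSHash_Get`, so the pointer left in `buf` is then read with the table unlocked while the realtime path (run_realtime.c `@@ -55,9 +58,11 @@`) can `free()` that same stored value and replace it through `OSHash_Update`; if `OSHash_Get` hands back the stored pointer rather than a copy — which the free(buf)-then-Update pattern in these hunks suggests, confirm against the OSHash implementation — that is a use-after-free window. Independently of that, the check-then-act between this `Get` and the `OSHash_Add`/`OSHash_Update` at `@@ -201,9 +206,11 @@` and `@@ -254,9 +261,11 @@` is not atomic, so the scan thread and the realtime thread can both miss the entry and both try to insert it. The same split lookup appears in run_realtime.c at `@@ -41,7 +41,10 @@`, `@@ -55,9 +58,11 @@` and `@@ -75,9 +80,11 @@`. Holding `mutex_ht` from the `OSHash_Get` through the corresponding `OSHash_Add`/`OSHash_Update` — or taking a `strdup` of `buf` under the lock and working only on the copy so the table's string is never dereferenced unlocked — closes both windows; read_file continues outside the hunk.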
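Review bot: In the hunk at `@@ -201,9 +206,11 @@` the `strdup(alert_msg)` handed to `OSHash_Add` is unreachable after the call, so on the `<= 0` path nothing frees it, and because the lock is dropped between the earlier `OSHash_Get` and this `OSHash_Add` a concurrent insert of the same key may now make that path reachable in normal operation rather than only on allocation failure. If `OSHash_Add` does not take ownership of `data` when it fails (not visible here — confirm in the OSHash implementation), keep the pointer: `char *entry = strdup(alert_msg); if (OSHash_Add(syscheck.fp, file_name, entry) <= 0) { merror("Unable to add file to db: %s", file_name); free(entry); }`. The `OSHash_Update(..., strdup(...))` calls at `@@ -254,9 +261,11 @@` and in run_realtime.c have the same shape and deserve the same check.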
@@ -254,9 +261,11 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction, whod
 // Update database
 snprintf(alert_msg, sizeof(alert_msg), "%.*s%.*s", SK_DB_NATTR, buf, (int)strcspn(c_sum, " "), c_sum);
 free(buf);
+ w_mutex_lock(mutex_ht);
 if (!OSHash_Update(syscheck.fp, file_name, strdup(alert_msg))) {
 merror("Unable to update file to db: %s", file_name);
 }
+ w_mutex_unlock(mutex_ht);
 /* Send the new checksum to the analysis server */
 alert_msg[OS_MAXSTR] = '\0';
diff --git a/src/syscheckd/run_realtime.c b/src/syscheckd/run_realtime.c
index b3e1b7c324e..f7d34cb8274 100644
--- a/src/syscheckd/run_realtime.c
+++ b/src/syscheckd/run_realtime.c
@@ -41,7 +41,10 @@ int realtime_checksumfile(const char *file_name, whodata_evt *evt)
 {
 char *buf;
+ w_mutex_lock(mutex_ht);
 buf = (char *) OSHash_Get(syscheck.fp, file_name);
+ w_mutex_unlock(mutex_ht);
+
 if (buf != NULL) {
 char c_sum[256 + 2];
 size_t c_sum_size;
@@ -55,9 +58,11 @@ int realtime_checksumfile(const char *file_name, whodata_evt *evt)
 snprintf(c_sum, sizeof(c_sum), "%.*s -1", SK_DB_NATTR, buf);
 free(buf);
+ w_mutex_lock(mutex_ht);
 if (!OSHash_Update(syscheck.fp, file_name, strdup(c_sum))) {
 merror("Unable to update file to db: %s", file_name);
 }
+ w_mutex_unlock(mutex_ht);
 return (0);
 }
@@ -75,9 +80,11 @@ int realtime_checksumfile(const char *file_name, whodata_evt *evt)
 // Update database
 snprintf(alert_msg, sizeof(alert_msg), "%.*s%.*s", SK_DB_NATTR, buf, (int)strcspn(c_sum, " "), c_sum);
+ w_mutex_lock(mutex_ht);
 if (!OSHash_Update(syscheck.fp, file_name, strdup(alert_msg))) {
 merror("Unable to update file to db: %s", file_name);
 }
+ w_mutex_unlock(mutex_ht);
 alert_msg[OS_MAXSTR] = '\0';
 char *fullalert = NULL;
diff --git a/src/syscheckd/syscheck.c b/src/syscheckd/syscheck.c
index 78226619b75..37617e089d7 100644
--- a/src/syscheckd/syscheck.c
+++ b/src/syscheckd/syscheck.c
@@ -16,7 +16,7 @@
 #include "rootcheck/rootcheck.h"
 syscheck_config syscheck;
-
+pthread_mutex_t mutex_ht = PTHREAD_MUTEX_INITIALIZER;
 #ifdef USE_MAGIC
 #include
diff --git a/src/syscheckd/syscheck.h b/src/syscheckd/syscheck.h
index 3ccb03cc6f8..9c9e1f59eaf 100644
--- a/src/syscheckd/syscheck.h
+++ b/src/syscheckd/syscheck.h
@@ -22,6 +22,9 @@
 /* Global config */
 extern syscheck_config syscheck;
+/* Hash table mutex */
+extern pthread_mutex_t mutex_ht;
+
 /** Function Prototypes **/
 /* Check the integrity of the files against the saved database */
diff --git a/src/syscheckd/win_whodata.c b/src/syscheckd/win_whodata.c
index 94c7a99ae17..0468d29de6a 100644
--- a/src/syscheckd/win_whodata.c
+++ b/src/syscheckd/win_whodata.c
@@ -365,12 +365,15 @@ unsigned long WINAPI whodata_callback(EVT_SUBSCRIBE_NOTIFY_ACTION action, void *
 // Open fd
 case 4656:
 // Check if it is a known file
+ w_mutex_lock(mutex_ht);
 if (!OSHash_Get(syscheck.fp, path)) {
+ w_mutex_unlock(mutex_ht);
 if (position = find_dir_pos(path, 1), position < 0) {
 // Discard the file if its monitoring has not been activated
 break;
 }
 } else {
+ w_mutex_unlock(mutex_ht);
 position = -1;
 }
 os_calloc(1, sizeof(whodata_evt), w_evt);
@@ -428,7 +431,9 @@ unsigned long WINAPI whodata_callback(EVT_SUBSCRIBE_NOTIFY_ACTION action, void *
 char wd_sum[OS_SIZE_6144 + 1];
 // Remove the file from the syscheck hash table
+ w_mutex_lock(mutex_ht);
 OSHash_Delete(syscheck.fp, w_evt->path);
+ w_mutex_unlock(mutex_ht);
 if (extract_whodata_sum(w_evt, wd_sum, OS_SIZE_6144)) {
 merror("The whodata sum for '%s' file could not be included in the alert as it is too large.", w_evt->path);
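Review bot: The comment `/* Hash table mutex */` added in the syscheck.h hunk at `@@ -22,6 +22,9 @@` does not name the table it protects or the rule callers must follow, which is exactly what the next person adding an `OSHash_*` call on `syscheck.fp` needs; suggest `/* Serialises every OSHash_* access to syscheck.fp; hold it with w_mutex_lock(mutex_ht) across a lookup and the update that depends on its result, not around each call separately */`. The new `extern pthread_mutex_t mutex_ht;` also makes syscheck.h depend on `pthread_mutex_t`, and the hunk does not show `<pthread.h>` being included, so confirm the header already gets it (presumably through a shared header) before any translation unit, including the Windows whodata code, includes syscheck.h on its own.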
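Review bot: In the win_whodata.c hunk at `@@ -365,12 +365,15 @@` the unlock is duplicated in both arms of the `if (!OSHash_Get(...))`, which is the shape that silently leaks the lock the first time someone adds a `break` or `return` inside one arm before the unlock; since only the presence of the key is used here, take the answer under the lock and unlock once: `w_mutex_lock(mutex_ht); int known = OSHash_Get(syscheck.fp, path) != NULL; w_mutex_unlock(mutex_ht);` and then `if (!known) {` with both added unlock lines removed. This hunk does not keep the stored pointer, so unlike the create_db.c lookups there is no use after unlock to worry about. whodata_callback starts and ends outside the hunk.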
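Review bot: In the hunk at `@@ -428,7 +431,9 @@` the value returned by `OSHash_Delete` is discarded; the other hunks in this patch have the caller `free()` the stored string itself after `OSHash_Get` before replacing it, which suggests the table does not own its values, and if `OSHash_Delete` likewise hands the stored data back instead of freeing it (not visible here — confirm in the OSHash implementation) the entry's string leaks on every removal through this path. If that is the case, `free(OSHash_Delete(syscheck.fp, w_evt->path));` inside the locked region closes it. whodata_callback continues outside the hunk.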