Fix who-data for deleted files in Syscheck

- Send who-data in the event about removed file. - Parse who-data in FIM events starting with "-1".
wazuh · Jun 25, 2018 · b38fb79 · b38fb79
1 parent 6f32911
commit b38fb79
Show file tree

Hide file tree

Showing 5 changed files with 68 additions and 46 deletions.
diff --git a/src/shared/syscheck_op.c b/src/shared/syscheck_op.c
@@ -21,66 +21,70 @@ int sk_decode_sum(sk_sum_t *sum, char *c_sum, char *w_sum) {
     char *c_perm;
     char *c_mtime;
     char *c_inode;
+    int retval = 0;
 
     memset(sum, 0, sizeof(sk_sum_t));
 
-    if (c_sum[0] == '-' && c_sum[1] == '1')
-        return 1;
-
-    sum->size = c_sum;
+    if (c_sum[0] == '-' && c_sum[1] == '1') {
+        retval = 1;
+    } else {
+        sum->size = c_sum;
 
-    if (!(c_perm = strchr(c_sum, ':')))
-        return -1;
+        if (!(c_perm = strchr(c_sum, ':')))
+            return -1;
 
-    *(c_perm++) = '\0';
+        *(c_perm++) = '\0';
 
-    if (!(sum->uid = strchr(c_perm, ':')))
-        return -1;
+        if (!(sum->uid = strchr(c_perm, ':')))
+            return -1;
 
-    *(sum->uid++) = '\0';
-    sum->perm = atoi(c_perm);
+        *(sum->uid++) = '\0';
+        sum->perm = atoi(c_perm);
 
-    if (!(sum->gid = strchr(sum->uid, ':')))
-        return -1;
+        if (!(sum->gid = strchr(sum->uid, ':')))
+            return -1;
 
-    *(sum->gid++) = '\0';
+        *(sum->gid++) = '\0';
 
-    if (!(sum->md5 = strchr(sum->gid, ':')))
-        return -1;
+        if (!(sum->md5 = strchr(sum->gid, ':')))
+            return -1;
 
-    *(sum->md5++) = '\0';
+        *(sum->md5++) = '\0';
 
-    if (!(sum->sha1 = strchr(sum->md5, ':')))
-        return -1;
+        if (!(sum->sha1 = strchr(sum->md5, ':')))
+            return -1;
 
-    *(sum->sha1++) = '\0';
+        *(sum->sha1++) = '\0';
 
-    // New fields: user name, group name, modification time and inode
+        // New fields: user name, group name, modification time and inode
 
-    if (!(sum->uname = strchr(sum->sha1, ':')))
-        return 0;
+        if ((sum->uname = strchr(sum->sha1, ':'))) {
+            *(sum->uname++) = '\0';
 
-    *(sum->uname++) = '\0';
+            if (!(sum->gname = strchr(sum->uname, ':')))
+                return -1;
 
-    if (!(sum->gname = strchr(sum->uname, ':')))
-        return -1;
+            *(sum->gname++) = '\0';
 
-    *(sum->gname++) = '\0';
+            if (!(c_mtime = strchr(sum->gname, ':')))
+                return -1;
 
-    if (!(c_mtime = strchr(sum->gname, ':')))
-        return -1;
+            *(c_mtime++) = '\0';
 
-    *(c_mtime++) = '\0';
+            if (!(c_inode = strchr(c_mtime, ':')))
+                return -1;
 
-    if (!(c_inode = strchr(c_mtime, ':')))
-        return -1;
+            *(c_inode++) = '\0';
 
-    *(c_inode++) = '\0';
+            sum->sha256 = NULL;
 
-    sum->sha256 = NULL;
+            if ((sum->sha256 = strchr(c_inode, ':')))
+                *(sum->sha256++) = '\0';
 
-    if ((sum->sha256 = strchr(c_inode, ':')))
-        *(sum->sha256++) = '\0';
+            sum->mtime = atol(c_mtime);
+            sum->inode = atol(c_inode);
+        }
+    }
 
     // Get whodata
     if (w_sum) {
@@ -121,9 +125,7 @@ int sk_decode_sum(sk_sum_t *sum, char *c_sum, char *w_sum) {
         sum->wdata.process_id = unescape_whodata_sum(sum->wdata.process_id);
     }
 
-    sum->mtime = atol(c_mtime);
-    sum->inode = atol(c_inode);
-    return 0;
+    return retval;
 }
 
 char *unescape_whodata_sum(char *sum) {

diff --git a/src/syscheckd/create_db.c b/src/syscheckd/create_db.c
@@ -242,7 +242,7 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction, whod
             alert_msg[OS_MAXSTR] = '\0';
 
             /* If it returns < 0, we have already alerted */
-            if (c_read_file(file_name, buf, c_sum) < 0) {
+            if (c_read_file(file_name, buf, c_sum, NULL) < 0) {
                 return (0);
             }
             if (strcmp(c_sum, buf + SK_DB_NATTR)) {

diff --git a/src/syscheckd/run_check.c b/src/syscheckd/run_check.c
@@ -338,7 +338,7 @@ void start_daemon()
 }
 
 /* Read file information and return a pointer to the checksum */
-int c_read_file(const char *file_name, const char *oldsum, char *newsum)
+int c_read_file(const char *file_name, const char *oldsum, char *newsum, whodata_evt * evt)
 {
     int size = 0, perm = 0, owner = 0, group = 0, md5sum = 0, sha1sum = 0, sha256sum = 0, mtime = 0, inode = 0;
     struct stat statbuf;
@@ -358,10 +358,18 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum)
     if (lstat(file_name, &statbuf) < 0)
 #endif
     {
-        char alert_msg[PATH_MAX+4];
+        char alert_msg[OS_SIZE_6144 + 1];
+        char wd_sum[OS_SIZE_6144 + 1];
 
-        alert_msg[PATH_MAX + 3] = '\0';
-        snprintf(alert_msg, PATH_MAX + 4, "-1 %s", file_name);
+        alert_msg[sizeof(alert_msg) - 1] = '\0';
+
+        // Extract the whodata sum here to not include it in the hash table
+        if (extract_whodata_sum(evt, wd_sum, OS_SIZE_6144)) {
+            merror("The whodata sum for '%s' file could not be included in the alert as it is too large.", file_name);
+            *wd_sum = '\0';
+        }
+
+        snprintf(alert_msg, sizeof(alert_msg), "-1!%s %s", wd_sum, file_name);
         send_syscheck_msg(alert_msg);
 
         return (-1);

diff --git a/src/syscheckd/run_realtime.c b/src/syscheckd/run_realtime.c
@@ -71,7 +71,18 @@ int realtime_checksumfile(const char *file_name, whodata_evt *evt)
         c_sum[255] = '\0';
 
         /* If it returns < 0, we have already alerted */
-        if (c_read_file(file_name, buf, c_sum) < 0) {
+        if (c_read_file(file_name, buf, c_sum, evt) < 0) {
+            char alert_msg[OS_MAXSTR + 1];
+            char wd_sum[OS_SIZE_6144 + 1];
+
+            // Extract the whodata sum here to not include it in the hash table
+            if (extract_whodata_sum(evt, wd_sum, OS_SIZE_6144)) {
+                merror("The whodata sum for '%s' file could not be included in the alert as it is too large.", file_name);
+                *wd_sum = '\0';
+            }
+
+            snprintf(alert_msg, sizeof(alert_msg), "-1!%s %s", wd_sum, file_name);
+
             // Update database
             snprintf(c_sum, sizeof(c_sum), "%.*s -1", SK_DB_NATTR, buf);
             free(buf);
@@ -80,6 +91,7 @@ int realtime_checksumfile(const char *file_name, whodata_evt *evt)
                 merror("Unable to update file to db: %s", file_name);
             }
 
+            send_syscheck_msg(alert_msg);
             return (0);
         }
 

diff --git a/src/syscheckd/syscheck.h b/src/syscheckd/syscheck.h
@@ -66,7 +66,7 @@ void init_whodata_event(whodata_evt *w_evt);
 void free_whodata_event(whodata_evt *w_evt);
 
 /* Get checksum changes */
-int c_read_file(const char *file_name, const char *oldsum, char *newsum) __attribute__((nonnull));
+int c_read_file(const char *file_name, const char *oldsum, char *newsum, whodata_evt * evt) __attribute__((nonnull(1,2,3)));
 
 int send_syscheck_msg(const char *msg) __attribute__((nonnull));
 int send_rootcheck_msg(const char *msg) __attribute__((nonnull));