Add detection ofdeleted files in whodata mode for Windows

wazuh · Jun 19, 2018 · bf5d3fb · bf5d3fb
1 parent 1030e2b
commit bf5d3fb
Show file tree

Hide file tree

Showing 6 changed files with 162 additions and 107 deletions.
diff --git a/etc/rules/0015-ossec_rules.xml b/etc/rules/0015-ossec_rules.xml
@@ -199,7 +199,7 @@
   <rule id="553" level="7">
     <category>ossec</category>
     <decoded_as>syscheck_deleted</decoded_as>
-    <description>File deleted. Unable to retrieve checksum.</description>
+    <description>File deleted.</description>
     <group>syscheck,pci_dss_11.5,gpg13_4.11,</group>
   </rule>
 
@@ -284,7 +284,7 @@
     <if_sid>553</if_sid>
     <hostname>syscheck-registry</hostname>
     <group>syscheck,pci_dss_11.5,gpg13_4.13,</group>
-    <description>Registry Entry Deleted. Unable to Retrieve Checksum</description>
+    <description>Registry Entry Deleted.</description>
   </rule>
 
   <rule id="598" level="5">

diff --git a/src/analysisd/alerts/log.c b/src/analysisd/alerts/log.c
@@ -235,12 +235,6 @@ void OS_LogOutput(Eventinfo *lf)
         if (lf->sha256_after)
             printf("New SHA256: %s\n", lf->sha256_after);
 
-        // Whodata values
-        if (lf->user)
-            printf("Username: %s\n", lf->user);
-        if (lf->process)
-            printf("Process: %s\n", lf->process);
-
         if (lf->mtime_before)
             printf("Old date: %s", ctime(&lf->mtime_before));
         if (lf->mtime_after)
@@ -413,12 +407,6 @@ void OS_Log(Eventinfo *lf)
         if (lf->sha256_after)
             fprintf(_aflog, "New SHA256: %s\n", lf->sha256_after);
 
-        if (lf->user)
-            fprintf(_aflog, "Username: %s\n", lf->user);
-
-        if (lf->process)
-            fprintf(_aflog, "Process: %s\n", lf->process);
-
         if (lf->mtime_before)
             fprintf(_aflog, "Old date: %s", ctime(&lf->mtime_before));
         if (lf->mtime_after)

diff --git a/src/analysisd/decoders/syscheck.c b/src/analysisd/decoders/syscheck.c
@@ -211,6 +211,7 @@ static int DB_Search(const char *f_name, char *c_sum, char *w_sum, Eventinfo *lf
     int p = 0;
     size_t sn_size;
     int agent_id;
+    int result;
 
     char *saved_sum;
     char *saved_name;
@@ -347,7 +348,21 @@ static int DB_Search(const char *f_name, char *c_sum, char *w_sum, Eventinfo *lf
                 f_name);
         fflush(fp);
 
-        switch (sk_decode_sum(&newsum, c_sum, w_sum)) {
+        if (result = sk_decode_sum(&newsum, c_sum, w_sum), result != -1) {
+            /* Whodata user */
+            if(newsum.wdata.user) {
+                snprintf(sdb.user, OS_FLSIZE, "Username: '%s'\n", newsum.wdata.user);
+                os_strdup(newsum.wdata.user, lf->user);
+            }
+
+            /* Whodata process */
+            if(newsum.wdata.process) {
+                snprintf(sdb.process, OS_FLSIZE, "Process: '%s'\n", newsum.wdata.process);
+                os_strdup(newsum.wdata.process, lf->process);
+            }
+        }
+
+        switch (result) {
         case -1:
             merror("Couldn't decode syscheck sum from log.");
             lf->data = NULL;
@@ -460,20 +475,6 @@ static int DB_Search(const char *f_name, char *c_sum, char *w_sum, Eventinfo *lf
                     }
                 }
 
-                /* Whodata user */
-                if(newsum.wdata.user)
-                {
-                    snprintf(sdb.user, OS_FLSIZE, "Username: '%s'\n", newsum.wdata.user);
-                    os_strdup(newsum.wdata.user, lf->user);
-                }
-
-                /* Whodata process */
-                if(newsum.wdata.process)
-                {
-                    snprintf(sdb.process, OS_FLSIZE, "Process: '%s'\n", newsum.wdata.process);
-                    os_strdup(newsum.wdata.process, lf->process);
-                }
-
                 /* Modification time message */
                 if (oldsum.mtime && newsum.mtime && oldsum.mtime != newsum.mtime) {
                     char *old_ctime = strdup(ctime(&oldsum.mtime));
@@ -536,8 +537,14 @@ static int DB_Search(const char *f_name, char *c_sum, char *w_sum, Eventinfo *lf
                 lf->event_type = FIM_READDED;
                 sk_fill_event(lf, f_name, &newsum);
                 snprintf(sdb.comment, OS_MAXSTR,
-                     "File '%.756s' was re-added.", f_name);
-
+                     "File '%.756s' was re-added."
+                     "%s"
+                     "%s"
+                     "%s",
+                     f_name,
+                     (sdb.user || sdb.process) ? "\n" : "",
+                     sdb.user,
+                     sdb.process);
                 break;
             }
 
@@ -548,9 +555,17 @@ static int DB_Search(const char *f_name, char *c_sum, char *w_sum, Eventinfo *lf
             sdb.syscheck_dec->id = sdb.idd;
             os_strdup(f_name, lf->filename);
             lf->event_type = FIM_DELETED;
+
             snprintf(sdb.comment, OS_MAXSTR,
-                 "File '%.756s' was deleted. Unable to retrieve "
-                 "checksum.", f_name);
+                 "File '%.756s' was deleted."
+                 "%s"
+                 "%s"
+                 "%s",
+                 f_name,
+                 (sdb.user || sdb.process) ? "\n" : "",
+                 sdb.user,
+                 sdb.process);
+            break;
         }
 
         /* Create a new log message */
@@ -566,10 +581,6 @@ static int DB_Search(const char *f_name, char *c_sum, char *w_sum, Eventinfo *lf
 
     } /* Continue */
 
-    /* If we reach here, this file is not present in our database */
-    fseek(fp, 0, SEEK_END);
-    fprintf(fp, "+++%s !%ld %s\n", c_sum, (long int)lf->time, f_name);
-    fflush(fp);
 
     /* Insert row in SQLite DB*/
 
@@ -579,6 +590,11 @@ static int DB_Search(const char *f_name, char *c_sum, char *w_sum, Eventinfo *lf
             break;
 
         case 0:
+            /* If we reach here, this file is not present in our database */
+            fseek(fp, 0, SEEK_END);
+            fprintf(fp, "+++%s !%ld %s\n", c_sum, (long int)lf->time, f_name);
+            fflush(fp);
+
             lf->event_type = FIM_ADDED;
 
             /* Alert if configured to notify on new files */

diff --git a/src/config/syscheck-config.h b/src/config/syscheck-config.h
@@ -55,8 +55,9 @@ typedef struct whodata_evt {
 #else
     unsigned __int64 process_id;
     unsigned __int64 handle_id;
-    char *type;
     unsigned int mask;
+    int dir_position;
+    char deleted;
 #endif
 } whodata_evt;
 

diff --git a/src/syscheckd/create_db.c b/src/syscheckd/create_db.c
@@ -444,20 +444,23 @@ int create_db()
             mdebug2("Directory loaded from syscheck db: %s", syscheck.dir[i]);
         }
 
+#ifdef WIN32
         if (syscheck.opts[i] & CHECK_WHODATA) {
             realtime_adddir(syscheck.dir[i], i + 1);
             if (!enable_who_scan) {
                 enable_who_scan = 1;
             }
         } else if (syscheck.opts[i] & CHECK_REALTIME) {
-#ifdef WIN32
             realtime_adddir(syscheck.dir[i], 0);
+        }
 #else
 #ifndef INOTIFY_ENABLED
+        if (syscheck.opts[i] & CHECK_REALTIME) {
             mwarn("realtime monitoring request on unsupported system for '%s'", syscheck.dir[i]);
+        }
 #endif
 #endif
-        }
+
         i++;
     } while (syscheck.dir[i] != NULL);