Let fim_check_ignore to act on FIM directories #13264
Conversation
Force-pushed from 1d8e400 to 17312d1
Force-pushed from f162f0b to f382c42
LGTM
@@ -952,7 +952,7 @@ static void test_fim_audit_json(void **state) { | |||
static void test_fim_check_ignore_strncasecmp(void **state) { | |||
int ret; | |||
|
|||
expect_string(__wrap__mdebug2, formatted_msg, "(6204): Ignoring 'file' '/EtC/dumPDateS' due to '/etc/dumpdates'"); | |||
expect_string(__wrap__mdebug2, formatted_msg, "(6204): Ignoring path '/EtC/dumPDateS' due to pattern '/etc/dumpdates'"); |
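Review bot: the expected message is a hand-typed literal here and again in every other test touched by this PR, so the next wording change will break them one at a time; since the reviewer already points at FIM_IGNORE_ENTRY, build the expectation from that constant with snprintf (as the Windows variants of these tests already do) instead of repeating "(6204): Ignoring path '/EtC/dumPDateS' due to pattern '/etc/dumpdates'". Worth a comment in the test as well: it deliberately matches a mixed-case path against a lowercase entry, which on a case-sensitive filesystem means a differently-cased file is also excluded from monitoring.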
We could use the constant FIM_IGNORE_ENTRY or FIM_IGNORE_SREGEX
@@ -968,7 +968,7 @@ static void test_fim_check_ignore_strncasecmp(void **state) { | |||
if(!ExpandEnvironmentStrings(path, expanded_path, OS_MAXSTR)) | |||
fail(); | |||
|
|||
snprintf(debug_msg, OS_MAXSTR, "(6204): Ignoring 'file' '%s' due to '%s'", expanded_path, syscheck.ignore[0]); | |||
snprintf(debug_msg, OS_MAXSTR, "(6204): Ignoring path '%s' due to pattern '%s'", expanded_path, syscheck.ignore[0]); |
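Review bot: the format string in this snprintf duplicates the literal from the Linux test above; because the message is already assembled through snprintf here, swapping the literal for the constant is a one-token change, e.g. `snprintf(debug_msg, OS_MAXSTR, FIM_IGNORE_ENTRY, expanded_path, syscheck.ignore[0]);`, assuming FIM_IGNORE_ENTRY is the format string with the two %s placeholders. The ExpandEnvironmentStrings result is checked with fail() just above, which is good; the snprintf return value is not, so a path longer than OS_MAXSTR would give a truncated expectation that fails for an unrelated reason.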
We could use the constant FIM_IGNORE_ENTRY or FIM_IGNORE_SREGEX
Done
@@ -983,9 +983,9 @@ static void test_fim_check_ignore_regex(void **state) { | |||
int ret; | |||
|
|||
#ifndef TEST_WINAGENT | |||
expect_string(__wrap__mdebug2, formatted_msg, "(6205): Ignoring 'file' '/test/files/test.swp' due to sregex '.log$|.swp$'"); | |||
expect_string(__wrap__mdebug2, formatted_msg, "(6205): Ignoring path '/test/files/test.swp' due to sregex '.log$|.swp$'"); |
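Review bot: the sregex fixture '.log$|.swp$' leaves the dot unescaped, so it matches any character before "log" or "swp" rather than the extension the test name implies; if the point of the test is the extension match users configure, '\.log$|\.swp$' asserts that behaviour exactly, and the expected text should then come from FIM_IGNORE_SREGEX rather than the literal "(6205): Ignoring path ... due to sregex ...", as the comment on the previous hunk also asks.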
We could use the constant FIM_IGNORE_ENTRY or FIM_IGNORE_SREGEX
Done
@@ -1743,7 +1743,7 @@ static void test_fim_checker_fim_regular_ignore(void **state) { | |||
expect_string(__wrap_HasFilesystem, path, "/etc/mtab"); | |||
will_return(__wrap_HasFilesystem, 0); | |||
|
|||
expect_string(__wrap__mdebug2, formatted_msg, "(6204): Ignoring 'file' '/etc/mtab' due to '/etc/mtab'"); | |||
expect_string(__wrap__mdebug2, formatted_msg, "(6204): Ignoring path '/etc/mtab' due to pattern '/etc/mtab'"); |
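Review bot: the only ignore path exercised through fim_checker in this file is a regular file ('/etc/mtab'), while the PR's purpose is to stop traversal at an ignored directory; a companion test that hands fim_checker a directory listed in syscheck.ignore and sets no further expectations on __wrap_HasFilesystem or child lookups would lock in the new pruning, since cmocka fails on any unexpected wrapped call. The literal belongs behind FIM_IGNORE_ENTRY here as well.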
We could use the constant FIM_IGNORE_ENTRY or FIM_IGNORE_SREGEX
Done
@@ -2602,7 +2602,7 @@ static void test_fim_checker_fim_regular_ignore(void **state) { | |||
expect_string(__wrap_HasFilesystem, path, expanded_path); | |||
will_return(__wrap_HasFilesystem, 0); | |||
|
|||
snprintf(debug_msg, OS_MAXSTR, "(6204): Ignoring 'file' '%s' due to '%s'", expanded_path, expanded_path); | |||
snprintf(debug_msg, OS_MAXSTR, "(6204): Ignoring path '%s' due to pattern '%s'", expanded_path, expanded_path); |
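Review bot: expanded_path is passed as both the ignored path and the pattern, so this expectation would also be satisfied if the code logged the wrong operand in either slot; the strncasecmp test above uses syscheck.ignore[0] for the pattern argument, and doing the same here keeps the two roles distinguishable. Same remark as before about replacing the literal format with FIM_IGNORE_ENTRY.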
We could use the constant FIM_IGNORE_ENTRY or FIM_IGNORE_SREGEX
Done
Force-pushed from 963c91a to e79f5d7
Force-pushed from e79f5d7 to e8bbd9c
QA review
Force-pushed from e8bbd9c to 83accfe
The base branch was changed.
Description
This PR introduces the necessary change in the fim_checker function so that the ignore check is performed for both files and directories. This way we avoid traversing a whole directory that was ignored from the start.
It is not possible to do the same for the restrict check, since while traversing the directories there is no way to be sure that the restrict condition will not be satisfied at a deeper level.
Configuration options
Logs/Alerts example
Executing:
touch /test/ignore/noalerts/subdir1/subdir2/subdir3/file1
Then fim_checker does not need to traverse all the subdirectories, since the ignored path was /test/ignore/noalerts.
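To make the pruning described above concrete, here is an added example written for this page (my own code, not Wazuh's): a stand-in check_ignore() over a constructed ignore list, plus a simulated fim_checker walk over the path from the example above that counts how many entries get examined with and without the directory-level check. IGNORE_PATHS, IGNORE_SREGEX, TREE, check_ignore and walk are all assumed names; the real syscheck structures differ.

```c
#define _POSIX_C_SOURCE 200809L
#include <regex.h>
#include <string.h>
#include <strings.h>

/* Constructed ignore configuration; these names are assumptions, not Wazuh's. */
static const char *IGNORE_PATHS[] = { "/test/ignore/noalerts", "/etc/dumpdates", NULL };
static const char *IGNORE_SREGEX[] = { ".log$|.swp$", NULL };

/* Stand-in for fim_check_ignore(): returns the ignore entry that matched (the
 * "due to ..." part of messages 6204/6205) or NULL. Literal entries compare
 * case-insensitively, as the strncasecmp test expects; sregex is POSIX ERE. */
static const char *check_ignore(const char *path) {
    for (int i = 0; IGNORE_PATHS[i]; i++)
        if (strcasecmp(path, IGNORE_PATHS[i]) == 0) return IGNORE_PATHS[i];
    for (int i = 0; IGNORE_SREGEX[i]; i++) {
        regex_t re;
        if (regcomp(&re, IGNORE_SREGEX[i], REG_EXTENDED | REG_NOSUB) != 0) continue;
        int hit = regexec(&re, path, 0, NULL, 0) == 0;
        regfree(&re);
        if (hit) return IGNORE_SREGEX[i];
    }
    return NULL;
}

/* Constructed tree in pre-order: a directory's descendants follow it directly. */
typedef struct { const char *path; int is_dir; } entry_t;
static const entry_t TREE[] = {
    { "/test", 1 }, { "/test/ignore", 1 }, { "/test/ignore/noalerts", 1 },
    { "/test/ignore/noalerts/subdir1", 1 }, { "/test/ignore/noalerts/subdir1/subdir2", 1 },
    { "/test/ignore/noalerts/subdir1/subdir2/subdir3", 1 },
    { "/test/ignore/noalerts/subdir1/subdir2/subdir3/file1", 0 },
    { "/test/other.log", 0 }, { "/test/keep.txt", 0 },
};
/* Simulated fim_checker walk; returns how many entries it examined. With
 * check_dirs == 0 only files are matched, so every directory is entered (the
 * pre-PR behaviour); with check_dirs == 1 an ignored directory is never entered. */
static int walk(int check_dirs) {
    int examined = 0;
    const char *pruned = NULL;  /* ignored directory whose subtree is skipped */
    for (size_t i = 0; i < sizeof TREE / sizeof TREE[0]; i++) {
        const entry_t *e = &TREE[i];
        size_t n = pruned ? strlen(pruned) : 0;
        if (pruned && strncmp(e->path, pruned, n) == 0 && e->path[n] == '/')
            continue;               /* skipped outright: no per-file ignore check */
        examined++;
        if (e->is_dir && check_dirs && check_ignore(e->path)) pruned = e->path;
    }
    return examined;
}
```

With the directory check enabled, the walk stops at /test/ignore/noalerts and never sees the four entries beneath it; without it, every subdirectory is entered and only file1 is dropped at the end.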
Tests