Let fim_check_ignore to act on FIM directories #13264
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jotacarma90
force-pushed
the
10555-fix-ignore-restrict-directories
branch
from
1d8e400
to
17312d1
Compare
jotacarma90
force-pushed
the
10555-fix-ignore-restrict-directories
branch
from
f162f0b
to
f382c42
Compare
jotacarma90
requested review from
chemamartinez,
antoniomanuelfr,
FrancoRivero and
MarcelKemp
antoniomanuelfr
suggested changes
May 6, 2022
| @@ -952,7 +952,7 @@ static void test_fim_audit_json(void **state) { | |||
| static void test_fim_check_ignore_strncasecmp(void **state) { | |||
| int ret; | |||
|
|
|||
| expect_string(__wrap__mdebug2, formatted_msg, "(6204): Ignoring 'file' '/EtC/dumPDateS' due to '/etc/dumpdates'"); | |||
| expect_string(__wrap__mdebug2, formatted_msg, "(6204): Ignoring path '/EtC/dumPDateS' due to pattern '/etc/dumpdates'"); | |||
There was a problem hiding this comment.
We could use the constant FIM_IGNORE_ENTRY or FIM_IGNORE_SREGEX
| @@ -968,7 +968,7 @@ static void test_fim_check_ignore_strncasecmp(void **state) { | |||
| if(!ExpandEnvironmentStrings(path, expanded_path, OS_MAXSTR)) | |||
| fail(); | |||
|
|
|||
| snprintf(debug_msg, OS_MAXSTR, "(6204): Ignoring 'file' '%s' due to '%s'", expanded_path, syscheck.ignore[0]); | |||
| snprintf(debug_msg, OS_MAXSTR, "(6204): Ignoring path '%s' due to pattern '%s'", expanded_path, syscheck.ignore[0]); | |||
There was a problem hiding this comment.
We could use the constant FIM_IGNORE_ENTRY or FIM_IGNORE_SREGEX
| @@ -983,9 +983,9 @@ static void test_fim_check_ignore_regex(void **state) { | |||
| int ret; | |||
|
|
|||
| #ifndef TEST_WINAGENT | |||
| expect_string(__wrap__mdebug2, formatted_msg, "(6205): Ignoring 'file' '/test/files/test.swp' due to sregex '.log$|.swp$'"); | |||
| expect_string(__wrap__mdebug2, formatted_msg, "(6205): Ignoring path '/test/files/test.swp' due to sregex '.log$|.swp$'"); | |||
There was a problem hiding this comment.
We could use the constant FIM_IGNORE_ENTRY or FIM_IGNORE_SREGEX
| @@ -1743,7 +1743,7 @@ static void test_fim_checker_fim_regular_ignore(void **state) { | |||
| expect_string(__wrap_HasFilesystem, path, "/etc/mtab"); | |||
| will_return(__wrap_HasFilesystem, 0); | |||
|
|
|||
| expect_string(__wrap__mdebug2, formatted_msg, "(6204): Ignoring 'file' '/etc/mtab' due to '/etc/mtab'"); | |||
| expect_string(__wrap__mdebug2, formatted_msg, "(6204): Ignoring path '/etc/mtab' due to pattern '/etc/mtab'"); | |||
There was a problem hiding this comment.
We could use the constant FIM_IGNORE_ENTRY or FIM_IGNORE_SREGEX
| @@ -2602,7 +2602,7 @@ static void test_fim_checker_fim_regular_ignore(void **state) { | |||
| expect_string(__wrap_HasFilesystem, path, expanded_path); | |||
| will_return(__wrap_HasFilesystem, 0); | |||
|
|
|||
| snprintf(debug_msg, OS_MAXSTR, "(6204): Ignoring 'file' '%s' due to '%s'", expanded_path, expanded_path); | |||
| snprintf(debug_msg, OS_MAXSTR, "(6204): Ignoring path '%s' due to pattern '%s'", expanded_path, expanded_path); | |||
There was a problem hiding this comment.
We could use the constant FIM_IGNORE_ENTRY or FIM_IGNORE_SREGEX
antoniomanuelfr
previously approved these changes
May 6, 2022
chemamartinez
previously approved these changes
May 6, 2022
chemamartinez
force-pushed
the
10555-fix-ignore-restrict-directories
branch
from
963c91a
to
e79f5d7
Compare
14 tasks
jotacarma90
force-pushed
the
10555-fix-ignore-restrict-directories
branch
from
e79f5d7
to
e8bbd9c
Compare
QA review
|
chemamartinez
force-pushed
the
10555-fix-ignore-restrict-directories
branch
from
e8bbd9c
to
83accfe
Compare
chemamartinez
dismissed stale reviews from antoniomanuelfr, FrancoRivero, and themself
The base branch was changed.
chemamartinez
approved these changes
Jun 22, 2022
4 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR is to introduce the necessary change in the fim_checker function, so that the ignores checking is done for both files and directories. This way we avoid going through a whole directory that was already being ignored from the beginning.
It is not possible to do the same with the restrict check, since by traversing the directories it is not possible to be sure that in a lower depth the restrict condition will not be satisfied.
Configuration options
Logs/Alerts example
Executing:
touch /test/ignore/noalerts/subdir1/subdir2/subdir3/file1Then fim_checker does not need to traverse all subdirectories, since the ignored path was
/test/ignore/noalerts:Tests