Solve bug when processing symbolic links in Whodata #3025
Merged
crolopez force-pushed the 3.9-whodata-link branch from 10d3dde to a7e7f5b (April 8, 2019 10:16)
crolopez force-pushed the 3.9-whodata-link branch from c1efe87 to 1f1c61e (April 8, 2019 17:19)
crolopez force-pushed the 3.9-whodata-link branch from fcac3dd to 7c68bac (April 9, 2019 16:12)
crolopez force-pushed the 3.9-whodata-link branch from 79b9d98 to af272f0 (April 11, 2019 12:29)
albertomn86 approved these changes (Apr 16, 2019)
This PR solves the issue described here #2547.
Since 3.9, Whodata transforms symbolic link paths to real paths before adding them to the Syscheck flow.
The problem comes when configuring the monitoring of a symbolic link since the path comparison algorithms did not take into account that the file could be over a symbolic link.
Since this PR, those directories that are symbolic links will save their real paths too, in order to be able to show the symbolic paths in the alerts if the user configures directory monitoring by indicating the symbolic link.
Alert changes
A new field has been added to the alert that shows the path of the file using the symbolic link, if it comes from one. This path can be found in the JSON alert (symbolic_path) and in the extended format (Symbolic path).
JSON alert example
Extended alert example
Hot update of symbolic links
If the symbolic links indicated in directories change while Syscheck is running, the monitoring of the new directory will be activated, removing the unlinked files from the agent and manager databases silently. This will be done through a checker thread whose scan period can be modified from the internal options configuration with syscheck.symlink_scan_interval.
Check the symbolic links with the API
Files derived from symbolic links will include the symbolic_path tag when queried from the API:
curl -u foo:bar -k -X GET "http://127.0.0.1:55000/syscheck/000?pretty"
In this example, /home/user/dirlink points to /home/user/directory/tests/new_dir.
Test
A script like the following can be used to test this feature. If this example is followed, the following configuration should be indicated in ossec.conf:
<directories whodata="yes" check_all="yes">/tmp/dirlink/folder</directories>
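The script referenced above is not on this page, so the following is an added example (not code from the PR or the Wazuh project) of the layout and the two behaviours the description covers: mapping a file's real path back to its path through the link (the new symbolic_path field) and noticing that the link target changed (the checker thread). It mirrors the /home/user/dirlink -> /home/user/directory/tests/new_dir layout from the API section under a temporary directory instead of /tmp/dirlink, and the function names, the fim.db stand-in for the agent database and the check_link logic are assumptions made for this example; the real thread and database live inside Syscheck.

```shell
#!/bin/sh
# Added example, not code from the Wazuh PR. Builds a directory symlink with a
# "folder" subdirectory under it, records what the symbolic_path field would
# hold for each file, and re-points the link to exercise the hot-update case.
# All paths, the fim.db stand-in and the function names are assumptions.

# Physical path so comparisons with readlink -f are not thrown off by a
# symlinked temp directory (e.g. /tmp on some systems).
WORK=$(cd "$(mktemp -d)" && pwd -P)
LINK="$WORK/dirlink"
DB="$WORK/fim.db"          # constructed stand-in for the agent database
LAST_TARGET=""             # target seen by the last check, as a checker thread would keep it

# resolve_link: real path the monitored symlink currently points to.
resolve_link() {
    readlink -f "$LINK"
}

# symbolic_path REAL_FILE: the path of REAL_FILE as seen through the link,
# i.e. what the symbolic_path alert field would show; unchanged if the file
# is not under the link's current target.
symbolic_path() {
    target=$(resolve_link)
    case "$1" in
        "$target"/*) printf '%s/%s\n' "$LINK" "${1#"$target"/}" ;;
        *)           printf '%s\n' "$1" ;;
    esac
}

# index_link: rebuild the database with one "real<TAB>symbolic" line per file
# reachable through the link. Entries under a previous target simply vanish,
# which is the silent removal the PR description talks about.
index_link() {
    target=$(resolve_link)
    find "$target" -type f | while read -r f; do
        printf '%s\t%s\n' "$f" "$(symbolic_path "$f")"
    done > "$DB"
}

# db_count: number of files currently tracked through the link.
db_count() {
    wc -l < "$DB" | tr -d ' '
}

# check_link: one iteration of the checker thread. Returns 0 when the link
# target changed (and the database was rebuilt), 1 otherwise.
check_link() {
    current=$(resolve_link)
    if [ "$current" != "$LAST_TARGET" ]; then
        LAST_TARGET="$current"
        index_link
        return 0
    fi
    return 1
}

# setup: two candidate real directories, the link to the first, one file.
setup() {
    mkdir -p "$WORK/directory/tests/new_dir/folder" \
             "$WORK/directory/tests/other_dir/folder"
    ln -s "$WORK/directory/tests/new_dir" "$LINK"
    echo "hello" > "$LINK/folder/file1"
}

# repoint_link NEW_TARGET: swap the link target in place (-n keeps ln from
# descending into the old target directory).
repoint_link() {
    ln -sfn "$1" "$LINK"
}

# Stand-alone run: the same sequence a manual test of the feature would follow.
if [ "${1:-}" = "run" ]; then
    setup
    check_link && echo "initial target: $LAST_TARGET ($(db_count) file(s))"
    cat "$DB"
    repoint_link "$WORK/directory/tests/other_dir"
    check_link && echo "target changed: $LAST_TARGET ($(db_count) file(s))"
    rm -rf "$WORK"
fi
```

Run it with `sh symlink_test.sh run`. Against a real agent, create /tmp/dirlink pointing at a real directory containing a folder subdirectory, apply the ossec.conf line above, and compare the symbolic_path values in the alerts and the API output with what symbolic_path prints here.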