/* aide, Advanced Intrusion Detection Environment
*
* Copyright (C) 1999-2007,2010-2013,2015,2016 Rami Lehti, Pablo Virolainen,
* Richard van den Berg, Mike Markley, Hannes von Haugwitz
* $Id$
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "aide.h"
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/stat.h>
#include <math.h>
#ifdef WITH_AUDIT
#include <libaudit.h>
#ifdef HAVE_SYSLOG
#include <syslog.h>
#endif
#endif
#include "base64.h"
#include "report.h"
#include "db_config.h"
#include "gen_list.h"
#include "list.h"
#include "db.h"
#include "util.h"
#include "commandconf.h"
#include "gen_list.h"
#include "compare_db.h"
/*for locale support*/
#include "locale-aide.h"
/*for locale support*/
#include "md.h"
/*************/
/* construction area for report lines */
const int width_details = 80;
const char time_format[] = "%Y-%m-%d %H:%M:%S %z";
const int time_string_len = 26;
long ntotal, nadd, nrem, nchg = 0;
const char* report_top_format = "\n\n---------------------------------------------------\n%s:\n---------------------------------------------------\n";
DB_ATTR_TYPE ignored_added_attrs, ignored_removed_attrs, ignored_changed_attrs, forced_attrs;
const DB_ATTR_TYPE summary_attributes[] = { DB_FTYPE, DB_LINKNAME, DB_SIZE|DB_SIZEG, DB_BCOUNT, DB_PERM, DB_UID, DB_GID, DB_ATIME, DB_MTIME, DB_CTIME, DB_INODE, DB_LNKCOUNT, DB_HASHES
#ifdef WITH_ACL
, DB_ACL
#endif
#ifdef WITH_XATTR
, DB_XATTRS
#endif
#ifdef WITH_SELINUX
, DB_SELINUX
#endif
#ifdef WITH_E2FSATTRS
, DB_E2FSATTRS
#endif
};
const char summary_char[] = { '!' ,'l', '>', 'b', 'p', 'u', 'g', 'a', 'm', 'c', 'i', 'n', 'C'
#ifdef WITH_ACL
, 'A'
#endif
#ifdef WITH_XATTR
, 'X'
#endif
#ifdef WITH_SELINUX
, 'S'
#endif
#ifdef WITH_E2FSATTRS
, 'E'
#endif
};
const DB_ATTR_TYPE details_attributes[] = { DB_FTYPE, DB_LINKNAME, DB_SIZE, DB_SIZEG, DB_BCOUNT, DB_PERM, DB_UID, DB_GID, DB_ATIME, DB_MTIME, DB_CTIME, DB_INODE, DB_LNKCOUNT, DB_MD5, DB_SHA1, DB_RMD160, DB_TIGER, DB_SHA256, DB_SHA512
#ifdef WITH_MHASH
, DB_CRC32, DB_HAVAL, DB_GOST, DB_CRC32B, DB_WHIRLPOOL
#endif
#ifdef WITH_ACL
, DB_ACL
#endif
#ifdef WITH_XATTR
, DB_XATTRS
#endif
#ifdef WITH_SELINUX
, DB_SELINUX
#endif
#ifdef WITH_E2FSATTRS
, DB_E2FSATTRS
#endif
};
const char* details_string[] = { _("File type") , _("Lname"), _("Size"), _("Size"), _("Bcount"), _("Perm"), _("Uid"), _("Gid"), _("Atime"), _("Mtime"), _("Ctime"), _("Inode"), _("Linkcount"), _("MD5"), _("SHA1"), _("RMD160"), _("TIGER"), _("SHA256"), _("SHA512")
#ifdef WITH_MHASH
, _("CRC32"), _("HAVAL"), _("GOST"), _("CRC32B"), _("WHIRLPOOL")
#endif
#ifdef WITH_ACL
, _("ACL")
#endif
#ifdef WITH_XATTR
, _("XAttrs")
#endif
#ifdef WITH_SELINUX
, _("SELinux")
#endif
#ifdef WITH_E2FSATTRS
, _("E2FSAttrs")
#endif
};
const char* attrs_string[] = { "filename", "l", "p", "u", "g", "s", "a", "c", "m", "i", "b", "n",
"md5", "sha1", "rmd160", "tiger", "crc32", "haval", "gost", "crc32b",
"attr", "acl", "bsize", "rdev", "dev", "checkmask", "S", "I", "ANF",
"ARF", "sha256", "sha512", "selinux", "xattrs", "whirlpool", "ftype",
"e2fsattrs" };
#ifdef WITH_E2FSATTRS
/* flag->character mappings taken from lib/e2p/pf.c (git commit c46b57b)
* date: 2015-05-10
* sources: git://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git
*
* on update see also do_e2fsattrs in commandconf.c
*/
unsigned long flag_bits[] = { EXT2_SECRM_FL, EXT2_UNRM_FL, EXT2_SYNC_FL, EXT2_DIRSYNC_FL, EXT2_IMMUTABLE_FL,
EXT2_APPEND_FL, EXT2_NODUMP_FL, EXT2_NOATIME_FL, EXT2_COMPR_FL, EXT2_COMPRBLK_FL,
EXT2_DIRTY_FL, EXT2_NOCOMPR_FL,
#ifdef EXT2_ECOMPR_FL
EXT2_ECOMPR_FL,
#else
EXT4_ENCRYPT_FL,
#endif
EXT3_JOURNAL_DATA_FL, EXT2_INDEX_FL,
EXT2_NOTAIL_FL, EXT2_TOPDIR_FL
#ifdef EXT4_EXTENTS_FL
, EXT4_EXTENTS_FL
#endif
#ifdef EXT4_HUGE_FILE_FL
, EXT4_HUGE_FILE_FL
#endif
#ifdef FS_NOCOW_FL
, FS_NOCOW_FL
#endif
#ifdef EXT4_INLINE_DATA_FL
, EXT4_INLINE_DATA_FL
#endif
};
char flag_char[] = { 's', 'u', 'S', 'D', 'i', 'a', 'd', 'A', 'c', 'B', 'Z', 'X', 'E', 'j', 'I', 't', 'T'
#ifdef EXT4_EXTENTS_FL
, 'e'
#endif
#ifdef EXT4_HUGE_FILE_FL
, 'h'
#endif
#ifdef FS_NOCOW_FL
, 'C'
#endif
#ifdef EXT4_INLINE_DATA_FL
, 'N'
#endif
};
/*************/
#endif
static DB_ATTR_TYPE get_special_report_group(char* group) {
DB_ATTR_TYPE attr = get_groupval(group);
return attr==DB_ATTR_UNDEF?0:attr;
}
static char* report_attrs(DB_ATTR_TYPE attrs) {
char* str;
int j = 1;
int num_attrs = sizeof(attrs_string)/sizeof(char*);
for (int i = 0; i < num_attrs; ++i) {
if ((1LLU<<i)&attrs) {
j += strlen(attrs_string[i])+1;
}
}
str = malloc(j * sizeof (char));
j=0;
for (int i = 0; i < num_attrs; ++i) {
if ((1LLU<<i)&attrs) {
if (j) { str[j++] = '+'; }
j += sprintf(&str[j], "%s", attrs_string[i]);
}
}
str[j] = '\0';
return str;
}
static char get_file_type_char(mode_t mode) {
switch (mode & S_IFMT) {
case S_IFREG: return 'f';
case S_IFDIR: return 'd';
#ifdef S_IFIFO
case S_IFIFO: return 'p';
#endif
case S_IFLNK: return 'l';
case S_IFBLK: return 'b';
case S_IFCHR: return 'c';
#ifdef S_IFSOCK
case S_IFSOCK: return 's';
#endif
#ifdef S_IFDOOR
case S_IFDOOR: return 'D';
#endif
#ifdef S_IFPORT
case S_IFPORT: return 'P';
#endif
default: return '?';
}
}
#ifdef WITH_XATTR
static size_t xstrnspn(const char *s1, size_t len, const char *srch)
{
const char *os1 = s1;
while (len-- && strchr(srch, *s1))
++s1;
return (s1 - os1);
}
#define PRINTABLE_XATTR_VALS \
"0123456789" \
"abcdefghijklmnopqrstuvwxyz" \
"ABCDEFGHIJKLMNOPQRSTUVWXYZ" \
".-_:;,[]{}<>()!@#$%^&*|\\/?~"
static int xattrs2array(xattrs_type* xattrs, char* **values) {
int n = 0;
if (xattrs==NULL) { n=1; }
else { n=1+xattrs->num; }
*values = malloc(n * sizeof(char*));
(*values)[0]=malloc((6+floor(log10(n)))*sizeof(char));
snprintf((*values)[0], 6+floor(log10(n)), "num=%d", n-1);
if (n>1) {
size_t num = 0;
int width, length;
width = log10(xattrs->num); /* make them the same width */
while (num++ < xattrs->num) {
char *val = NULL;
size_t len = 0;
val = (char *)xattrs->ents[num - 1].val;
len = xstrnspn(val, xattrs->ents[num - 1].vsz, PRINTABLE_XATTR_VALS);
if ((len == xattrs->ents[num - 1].vsz) || ((len == (xattrs->ents[num - 1].vsz - 1)) && !val[len])) {
length = 8 + width + strlen(xattrs->ents[num - 1].key) + strlen(val);
(*values)[num]=malloc(length *sizeof(char));
char * fmt = "[%.*zd] %s = %s";
if (conf->syslog_format) fmt = "[%.*zd]%s=%s"; // its smaller so it has to be enough space allocated.
snprintf((*values)[num], length , fmt, width, num, xattrs->ents[num - 1].key, val);
} else {
val = encode_base64(xattrs->ents[num - 1].val, xattrs->ents[num - 1].vsz);
length = 10 + width + strlen(xattrs->ents[num - 1].key) + strlen(val);
(*values)[num]=malloc( length *sizeof(char));
char * fmt = "[%.*zd] %s <=> %s";
if (conf->syslog_format) fmt = "[%.*zd]%s<=>%s"; // its smaller so it has to be enough space allocated.
snprintf((*values)[num], length , fmt, width, num, xattrs->ents[num - 1].key, val);
free(val);
}
}
}
return n;
}
#endif
#ifdef WITH_ACL
static int acl2array(acl_type* acl, char* **values) {
int n = 0;
#ifdef WITH_POSIX_ACL
#define easy_posix_acl(x,y) \
if (acl->x) { \
i = k = 0; \
while (acl->x[i]) { \
if (acl->x[i]=='\n') { \
(*values)[j]=malloc(4+(i-k)*sizeof(char)); \
snprintf((*values)[j], 4+(i-k), "%c: %s", y, &acl->x[k]); \
j++; \
k=i+1; \
} \
i++; \
} \
}
if (acl->acl_a || acl->acl_d) {
int j, k, i;
if (conf->syslog_format) {
*values = malloc(2 * sizeof(char*));
char *A= "<NONE>", *D = "<NONE>";
if (acl->acl_a) { A = acl->acl_a; }
if (acl->acl_d) { D = acl->acl_d; }
(*values)[0] = (char*) malloc(strlen(A) + 3); // "A:" and \0
snprintf((*values)[0], strlen(A) + 3, "A:%s", A);
(*values)[1] = (char*) malloc(strlen(D) + 3); // "D:" and \0
snprintf((*values)[1], strlen(D) + 3, "D:%s", D);
i = 0; while ( (*values)[0][i] ) { if ( (*values)[0][i]=='\n') { (*values)[0][i] = ' '; } i++; }
i = 0; while ( (*values)[1][i] ) { if ( (*values)[1][i]=='\n') { (*values)[1][i] = ' '; } i++; }
return 2;
}
if (acl->acl_a) { i = 0; while (acl->acl_a[i]) { if (acl->acl_a[i++]=='\n') { n++; } } }
if (acl->acl_d) { i = 0; while (acl->acl_d[i]) { if (acl->acl_d[i++]=='\n') { n++; } } }
*values = malloc(n * sizeof(char*));
j = 0;
easy_posix_acl(acl_a, 'A')
easy_posix_acl(acl_d, 'D')
}
#endif
#ifdef WITH_SUN_ACL
/* FIXME: readd sun acl support */
#endif
return n;
}
#endif
#ifdef WITH_E2FSATTRS
static char* e2fsattrs2string(unsigned long flags, int flags_only) {
int length = sizeof(flag_bits)/sizeof(long);
char* string = malloc ((length+1) * sizeof (char));
int j = 0;
for (int i = 0 ; i < length ; i++) {
if (!flags_only && flag_bits[i]&(conf->report_ignore_e2fsattrs)) {
string[j++]=':';
} else if (flag_bits[i] & flags) {
string[j++]=flag_char[i];
} else if (!flags_only) {
string[j++]='-';
}
}
string[j] = '\0';
return string;
}
#endif
static char* get_file_type_string(mode_t mode) {
switch (mode & S_IFMT) {
case S_IFREG: return conf->syslog_format ? "file" : _("File");
case S_IFDIR: return conf->syslog_format ? "dir" : _("Directory");
#ifdef S_IFIFO
case S_IFIFO: return conf->syslog_format ? "fifo" : _("FIFO");
#endif
case S_IFLNK: return conf->syslog_format ? "link" : _("Link");
case S_IFBLK: return conf->syslog_format ? "blockd" : _("Block device");
case S_IFCHR: return conf->syslog_format ? "chard" : _("Character device");
#ifdef S_IFSOCK
case S_IFSOCK: return conf->syslog_format ? "socket" : _("Socket");
#endif
#ifdef S_IFDOOR
case S_IFDOOR: return conf->syslog_format ? "door" : _("Door");
#endif
#ifdef S_IFPORT
case S_IFPORT: return conf->syslog_format ? "port" : _("Port");
#endif
case 0: return NULL;
default: return conf->syslog_format ? "unknown" : _("Unknown file type");
}
}
static char* byte_to_base16(byte* src, size_t ssize) {
char* str = malloc((2*ssize+1) * sizeof (char));
size_t i;
for(i=0; i < ssize; ++i) {
snprintf(&str[2*i], 3, "%02x", src[i]);
}
return str;
}
static int get_attribute_values(DB_ATTR_TYPE attr, db_line* line,
char* **values) {
#define easy_string(s) \
l = strlen(s)+1; \
*values[0] = malloc(l * sizeof (char)); \
snprintf(*values[0], l, "%s",s);
#define easy_md(a,b,c) \
} else if (a&attr) { \
if (conf->report_base16) { \
*values[0] = byte_to_base16(line->b, c); \
} else { \
*values[0] = encode_base64(line->b, c); \
}
#define easy_number(a,b,c) \
} else if (a&attr) { \
l = 2+floor(line->b?log10(line->b):0); \
*values[0] = malloc(l * sizeof (char)); \
snprintf(*values[0], l, c,line->b);
#define easy_time(a,b) \
} else if (a&attr) { \
*values[0] = malloc(time_string_len * sizeof (char)); \
strftime(*values[0], time_string_len, time_format, localtime(&(line->b)));
int l;
if (line==NULL || !(line->attr&attr)) {
*values = NULL;
return 0;
#ifdef WITH_ACL
} else if (DB_ACL&attr) {
return acl2array(line->acl, &*values);
#endif
#ifdef WITH_XATTR
} else if (DB_XATTRS&attr) {
return xattrs2array(line->xattrs, &*values);
#endif
} else {
*values = malloc(1 * sizeof (char*));
if (DB_FTYPE&attr) {
char *file_type = get_file_type_string(line->perm);
if (!file_type) {
error(2,"%s: ", file_type);
}
easy_string(file_type)
} else if (DB_LINKNAME&attr) {
easy_string(line->linkname)
easy_number((DB_SIZE|DB_SIZEG),size,"%li")
} else if (DB_PERM&attr) {
*values[0] = perm_to_char(line->perm);
easy_time(DB_ATIME,atime)
easy_time(DB_MTIME,mtime)
easy_time(DB_CTIME,ctime)
easy_number(DB_BCOUNT,bcount,"%li")
easy_number(DB_UID,uid,"%i")
easy_number(DB_GID,gid,"%i")
easy_number(DB_INODE,inode,"%lu")
easy_number(DB_LNKCOUNT,nlink,"%lu")
easy_md(DB_MD5,md5,HASH_MD5_LEN)
easy_md(DB_SHA1,sha1,HASH_SHA1_LEN)
easy_md(DB_RMD160,rmd160,HASH_RMD160_LEN)
easy_md(DB_TIGER,tiger,HASH_TIGER_LEN)
easy_md(DB_SHA256,sha256,HASH_SHA256_LEN)
easy_md(DB_SHA512,sha512,HASH_SHA512_LEN)
#ifdef WITH_MHASH
easy_md(DB_CRC32,crc32,HASH_CRC32_LEN)
easy_md(DB_HAVAL,haval,HASH_HAVAL256_LEN)
easy_md(DB_GOST,gost,HASH_GOST_LEN)
easy_md(DB_CRC32B,crc32b,HASH_CRC32B_LEN)
easy_md(DB_WHIRLPOOL,whirlpool,HASH_WHIRLPOOL_LEN)
#endif
#ifdef WITH_SELINUX
} else if (DB_SELINUX&attr) {
easy_string(line->cntx)
#endif
#ifdef WITH_E2FSATTRS
} else if (DB_E2FSATTRS&attr) {
*values[0]=e2fsattrs2string(line->e2fsattrs, 0);
#endif
} else {
easy_string("unknown attribute")
}
return 1;
}
}
static void print_line(seltree* node) {
if(conf->summarize_changes==1) {
int i;
int length = sizeof(summary_attributes)/sizeof(DB_ATTR_TYPE);
char* summary = malloc ((length+1) * sizeof (char));
if (node->checked&(NODE_ADDED|NODE_REMOVED)) {
summary[0]=get_file_type_char((node->checked&NODE_REMOVED?node->old_data:node->new_data)->perm);
for(i=1;i<length;i++){
summary[i]=node->checked&NODE_ADDED?'+':'-';
}
} else if (node->checked&NODE_CHANGED) {
char c, u, a, r, g, s;
for(i=0;i<length;i++) {
c = summary_char[i];
r = '-'; a = '+'; g = ':'; u = '.'; s = ' ';
switch (i) {
case 0:
summary[i]=get_file_type_char((node->new_data)->perm);
continue;
case 2:
if (summary_attributes[i]&(node->changed_attrs&(~ignored_changed_attrs)) && (node->old_data)->size > (node->new_data)->size) {
c = '<';
}
u = '=';
break;
}
if (summary_attributes[i]&node->changed_attrs&(forced_attrs|(~ignored_changed_attrs))) {
summary[i]=c;
} else if (summary_attributes[i]&((node->old_data)->attr&~((node->new_data)->attr)&(forced_attrs|~(ignored_removed_attrs)))) {
summary[i]=r;
} else if (summary_attributes[i]&~((node->old_data)->attr)&(node->new_data)->attr&(forced_attrs|~(ignored_added_attrs))) {
summary[i]=a;
} else if (summary_attributes[i]& (
(((node->old_data)->attr&~((node->new_data)->attr)&ignored_removed_attrs))|
(~((node->old_data)->attr)&(node->new_data)->attr&ignored_added_attrs)|
(((node->old_data)->attr&(node->new_data)->attr)&ignored_changed_attrs)
) ) {
summary[i]=g;
} else if (summary_attributes[i]&((node->old_data)->attr&(node->new_data)->attr)) {
summary[i]=u;
} else {
summary[i]=s;
}
}
}
summary[length]='\0';
error(2,"\n%s: %s", summary, (node->checked&NODE_REMOVED?node->old_data:node->new_data)->filename);
free(summary); summary=NULL;
} else {
if (node->checked&NODE_ADDED) {
error(2,"added: %s\n",(node->new_data)->filename);
} else if (node->checked&NODE_REMOVED) {
error(2,"removed: %s\n",(node->old_data)->filename);
} else if (node->checked&NODE_CHANGED) {
error(2,"changed: %s\n",(node->new_data)->filename);
}
}
}
static void print_dbline_attributes(db_line* oline, db_line* nline, DB_ATTR_TYPE
changed_attrs, DB_ATTR_TYPE force_attrs) {
char **ovalue, **nvalue;
int onumber, nnumber, olen, nlen, i, j, k, c;
int length = sizeof(details_attributes)/sizeof(DB_ATTR_TYPE);
int p = (width_details-(width_details%2?13:14))/2;
DB_ATTR_TYPE attrs;
error(2,"\n");
char *file_type = get_file_type_string((nline==NULL?oline:nline)->perm);
if (file_type) {
error(2,"%s: ", file_type);
}
error(2,"%s\n", (nline==NULL?oline:nline)->filename);
attrs=force_attrs|(~(ignored_changed_attrs)&changed_attrs);
for (j=0; j < length; ++j) {
if (details_attributes[j]&attrs) {
onumber=get_attribute_values(details_attributes[j], oline, &ovalue);
nnumber=get_attribute_values(details_attributes[j], nline, &nvalue);
i = 0;
while (i<onumber || i<nnumber) {
olen = i<onumber?strlen(ovalue[i]):0;
nlen = i<nnumber?strlen(nvalue[i]):0;
k = 0;
while (olen-p*k >= 0 || nlen-p*k >= 0) {
c = k*(p-1);
if (!onumber) {
error(2," %s%-9s%c %-*c %.*s\n", width_details%2?"":" ", i+k?"":details_string[j], i+k?' ':':', p, ' ', p-1, nlen-c>0?&nvalue[i][c]:"");
} else if (!nnumber) {
error(2," %s%-9s%c %.*s\n", width_details%2?"":" ", i+k?"":details_string[j], i+k?' ':':', p-1, olen-c>0?&ovalue[i][c]:"");
} else {
error(2," %s%-9s%c %-*.*s| %.*s\n", width_details%2?"":" ", i+k?"":details_string[j], i+k?' ':':', p, p-1, olen-c>0?&ovalue[i][c]:"", p-1, nlen-c>0?&nvalue[i][c]:"");
}
k++;
}
++i;
}
for(i=0; i < onumber; ++i) { free(ovalue[i]); ovalue[i]=NULL; } free(ovalue); ovalue=NULL;
for(i=0; i < nnumber; ++i) { free(nvalue[i]); nvalue[i]=NULL; } free(nvalue); nvalue=NULL;
}
}
}
static void print_dbline_attributes_syslog(db_line* oline, db_line* nline, DB_ATTR_TYPE
changed_attrs, DB_ATTR_TYPE force_attrs) {
char **ovalue, **nvalue;
int onumber, nnumber, i, j;
int length = sizeof(details_attributes)/sizeof(DB_ATTR_TYPE);
DB_ATTR_TYPE attrs;
char *file_type = get_file_type_string((nline==NULL?oline:nline)->perm);
if (file_type) {
error(0,"%s=", file_type);
}
error(0,"%s", (nline==NULL?oline:nline)->filename);
attrs=force_attrs|(~(ignored_changed_attrs)&changed_attrs);
for (j=0; j < length; ++j) {
if (details_attributes[j]&attrs) {
onumber=get_attribute_values(details_attributes[j], oline, &ovalue);
nnumber=get_attribute_values(details_attributes[j], nline, &nvalue);
if (details_attributes[j] == DB_ACL || details_attributes[j] == DB_XATTRS) {
error(0, ";%s_old=|", details_string[j]);
for (i = 0 ; i < onumber ; i++) {
error(0, "%s|", ovalue[i]);
}
error(0, ";%s_new=|", details_string[j]);
for (i = 0 ; i < nnumber ; i++) {
error(0, "%s|", nvalue[i]);
}
} else {
error(0, ";%s_old=%s;%s_new=%s", details_string[j], *ovalue, details_string[j], *nvalue);
}
for(i=0; i < onumber; ++i) { free(ovalue[i]); ovalue[i]=NULL; } free(ovalue); ovalue=NULL;
for(i=0; i < nnumber; ++i) { free(nvalue[i]); nvalue[i]=NULL; } free(nvalue); nvalue=NULL;
}
}
error(0, "\n");
}
static void print_attributes_added_node(db_line* line) {
print_dbline_attributes(NULL, line, 0, line->attr);
}
static void print_attributes_removed_node(db_line* line) {
print_dbline_attributes(line, NULL, 0, line->attr);
}
static void print_attributes_added_node_syslog(db_line* line) {
char *file_type = get_file_type_string(line->perm);
if (file_type) {
error(0,"%s=", file_type);
}
error(0,"%s; added\n", line->filename);
}
static void print_attributes_removed_node_syslog(db_line* line) {
char *file_type = get_file_type_string(line->perm);
if (file_type) {
error(0,"%s=", file_type);
}
error(0,"%s; removed\n", line->filename);
}
static void terse_report(seltree* node) {
list* r=NULL;
if ((node->checked&(DB_OLD|DB_NEW)) != 0) {
ntotal += ((node->checked&DB_NEW) != 0);
if (!(node->checked&DB_OLD)){
/* File is in new db but not old. (ADDED) */
/* unless it was moved in */
if (!((node->checked&NODE_ALLOW_NEW)||(node->checked&NODE_MOVED_IN))) {
nadd++;
node->checked|=NODE_ADDED;
}
} else if (!(node->checked&DB_NEW)){
/* File is in old db but not new. (REMOVED) */
/* unless it was moved out */
if (!((node->checked&NODE_ALLOW_RM)||(node->checked&NODE_MOVED_OUT))) {
nrem++;
node->checked|=NODE_REMOVED;
}
} else if ((node->old_data!=NULL)&&(node->new_data!=NULL)){
/* File is in both db's and the data is still there. (CHANGED) */
if (!(node->checked&(NODE_MOVED_IN|NODE_MOVED_OUT))){
nchg++;
node->checked|=NODE_CHANGED;
}else if (!((node->checked&NODE_ALLOW_NEW)||(node->checked&NODE_MOVED_IN))) {
nadd++;
node->checked|=NODE_ADDED;
}else if (!((node->checked&NODE_ALLOW_RM)||(node->checked&NODE_MOVED_OUT))) {
nrem++;
node->checked|=NODE_REMOVED;
}
}
}
for (r=node->childs;r;r=r->next) {
terse_report((seltree*)r->data);
}
}
static void print_report_list(seltree* node, const int node_status) {
list* r=NULL;
if (node->checked&node_status) {
print_line(node);
}
for(r=node->childs;r;r=r->next){
print_report_list((seltree*)r->data, node_status);
}
}
static void print_report_details(seltree* node) {
list* r=NULL;
if (conf->verbose_level>=5) {
if (node->checked&NODE_CHANGED) {
print_dbline_attributes(node->old_data, node->new_data, node->changed_attrs, (conf->verbose_level>=6?(
((node->old_data)->attr&~((node->new_data)->attr)&~(ignored_removed_attrs))|(~((node->old_data)->attr)&(node->new_data)->attr&~(ignored_added_attrs))
):0)|forced_attrs);
} else if ((conf->verbose_level>=7)) {
if (node->checked&NODE_ADDED) { print_attributes_added_node(node->new_data); }
if (node->checked&NODE_REMOVED) { print_attributes_removed_node(node->old_data); }
}
}
for(r=node->childs;r;r=r->next){
print_report_details((seltree*)r->data);
}
}
static void print_syslog_format(seltree* node) {
list* r=NULL;
if (node->checked&NODE_CHANGED) {
print_dbline_attributes_syslog(node->old_data, node->new_data, node->changed_attrs, forced_attrs);
}
if (node->checked&NODE_ADDED) {
print_attributes_added_node_syslog(node->new_data);
}
if (node->checked&NODE_REMOVED) {
print_attributes_removed_node_syslog(node->old_data);
}
for(r=node->childs;r;r=r->next){
print_syslog_format((seltree*)r->data);
}
}
static void print_report_header() {
char *time;
int first = 1;
time = malloc(time_string_len * sizeof (char));
strftime(time, time_string_len, time_format, localtime(&(conf->start_time)));
error(2,_("Start timestamp: %s (AIDE " AIDEVERSION ")\n"), time);
free(time); time=NULL;
error(0,_("AIDE"));
if(conf->action&(DO_COMPARE|DO_DIFF)) {
error(0,_(" found %sdifferences between %s%s!!\n"), (nadd||nrem||nchg)?"":"NO ", conf->action&DO_COMPARE?_("database and filesystem"):_("the two databases"), (nadd||nrem||nchg)?"":_(". Looks okay"));
if(conf->action&(DO_INIT)) {
error(0,_("New AIDE database written to %s\n"),conf->db_out_url->value);
}
} else {
error(0,_(" initialized database at %s\n"),conf->db_out_url->value);
}
if(conf->config_version)
error(2,_("Config version used: %s\n"),conf->config_version);
if (conf->limit != NULL) {
error (2,_("Limit: %s"), conf->limit);
first = 0;
}
if (conf->action&(DO_INIT|DO_COMPARE) && conf->root_prefix_length > 0) {
if (first) { first=0; }
else { error (2," | "); }
error (2,_("Root prefix: %s"),conf->root_prefix);
}
if (conf->verbose_level != 5) {
if (first) { first=0; }
else { error (2," | "); }
error (2,_("Verbose level: %d"), conf->verbose_level);
}
if (!first) { error (2,"\n"); }
if (ignored_added_attrs) {
error (2,_("Ignored added attributes: %s\n"),report_attrs(ignored_added_attrs));
}
if (ignored_removed_attrs) {
error (2,_("Ignored removed attributes: %s\n"),report_attrs(ignored_removed_attrs));
}
if (ignored_changed_attrs) {
error (2,_("Ignored changed attributes: %s\n"),report_attrs(ignored_changed_attrs));
}
if (forced_attrs) {
error (2,_("Forced attributes: %s\n"),report_attrs(forced_attrs));
}
#ifdef WITH_E2FSATTRS
if (conf->report_ignore_e2fsattrs) {
error (2,_("Ignored e2fs attributes: %s\n"), e2fsattrs2string(conf->report_ignore_e2fsattrs, 1) );
}
#endif
if(conf->action&(DO_COMPARE|DO_DIFF) && (nadd||nrem||nchg)) {
error(0,_("\nSummary:\n Total number of entries:\t%li\n Added entries:\t\t%li\n"
" Removed entries:\t\t%li\n Changed entries:\t\t%li"), ntotal, nadd, nrem, nchg);
} else {
error(0,_("\nNumber of entries:\t%li"), ntotal);
}
}
static void print_report_databases() {
if (conf->verbose_level>=2 && (conf->line_db_in || conf->line_db_out)) {
error(2,(char*)report_top_format,_("The attributes of the (uncompressed) database(s)"));
if (conf->line_db_in) {
print_attributes_removed_node(conf->line_db_in);
}
if (conf->line_db_out) {
print_attributes_removed_node(conf->line_db_out);
}
}
}
static void print_report_footer()
{
char *time = malloc(time_string_len * sizeof (char));
int run_time = (int) difftime(conf->end_time, conf->start_time);
strftime(time, time_string_len, time_format, localtime(&(conf->end_time)));
error(2,_("\n\nEnd timestamp: %s (run time: %dm %ds)\n"), time, run_time/60, run_time%60);
free(time); time=NULL;
}
#ifdef WITH_AUDIT
/* Something changed, send audit anomaly message */
void send_audit_report()
{
if(nadd!=0||nrem!=0||nchg!=0){
int fd=audit_open();
if (fd>=0){
char msg[64];
snprintf(msg, sizeof(msg), "added=%ld removed=%ld changed=%ld",
nadd, nrem, nchg);
if (audit_log_user_message(fd, AUDIT_ANOM_RBAC_INTEGRITY_FAIL,
msg, NULL, NULL, NULL, 0)<=0)
#ifdef HAVE_SYSLOG
syslog(LOG_ERR, "Failed sending audit message:%s", msg);
#else
;
#endif
close(fd);
}
}
}
#endif /* WITH_AUDIT */
int gen_report(seltree* node) {
forced_attrs = get_special_report_group("report_force_attrs");
ignored_added_attrs = get_special_report_group("report_ignore_added_attrs");
ignored_removed_attrs = get_special_report_group("report_ignore_removed_attrs");
ignored_changed_attrs = get_special_report_group("report_ignore_changed_attrs");
terse_report(node);
#ifdef WITH_AUDIT
send_audit_report();
#endif
if ((nadd|nrem|nchg) > 0 || conf->report_quiet == 0) {
if (!conf->syslog_format) {
print_report_header();
}
if(conf->action&(DO_COMPARE|DO_DIFF) || (conf->action&DO_INIT && conf->report_detailed_init) ) {
if (!conf->syslog_format && conf->grouped) {
if (nadd) {
error(2,(char*)report_top_format,_("Added entries"));
print_report_list(node, NODE_ADDED);
}
if (nrem) {
error(2,(char*)report_top_format,_("Removed entries"));
print_report_list(node, NODE_REMOVED);
}
if (nchg) {
error(2,(char*)report_top_format,_("Changed entries"));
print_report_list(node, NODE_CHANGED);
}
} else if (!conf->syslog_format && ( nadd || nrem || nchg ) ) {
if (nadd && nrem && nchg) { error(2,(char*)report_top_format,_("Added, removed and changed entries")); }
else if (nadd && nrem) { error(2,(char*)report_top_format,_("Added and removed entries")); }
else if (nadd && nchg) { error(2,(char*)report_top_format,_("Added and changed entries")); }
else if (nrem && nchg) { error(2,(char*)report_top_format,_("Removed and changed entries")); }
else if (nadd) { error(2,(char*)report_top_format,_("Added entries")); }
else if (nrem) { error(2,(char*)report_top_format,_("Removed entries")); }
else if (nchg) { error(2,(char*)report_top_format,_("Changed entries")); }
print_report_list(node, NODE_ADDED|NODE_REMOVED|NODE_CHANGED);
}
if (nadd || nrem || nchg) {
if (!conf->syslog_format) {
error(nchg?5:7,(char*)report_top_format,_("Detailed information about changes"));
print_report_details(node);
} else {
/* Syslog Format */
error(0, "AIDE found differences between database and filesystem!!\n");
error(0, "summary;total_number_of_files=%ld;added_files=%ld;"
"removed_files=%ld;changed_files=%ld\n",ntotal,nadd,nrem,nchg);
print_syslog_format(node);
}
}
}
if (!conf->syslog_format) {
print_report_databases();
conf->end_time=time(&(conf->end_time));
print_report_footer();
}
}
return conf->action&(DO_COMPARE|DO_DIFF) ? (nadd!=0)*1+(nrem!=0)*2+(nchg!=0)*4 : 0;
}
const char* aide_key_9=CONFHMACKEY_09;
const char* db_key_9=DBHMACKEY_09;
// vi: ts=8 sw=8