/* Special decoder for syscheck
 * Not using the default decoding lib for simplicity
 * and to be less resource intensive.
 *
 * Expected message layout in lf->log: "<checksum> <filename>[\n<diff>]".
 * The buffer is split in place: the first space and the first newline
 * after it are overwritten with '\0', lf->data ends up pointing at the
 * diff text (or is NULL when there is none).
 *
 * Returns 0 when the message is a DB-completed marker, is malformed, or
 * names a file matching Config.syscheck_ignore; otherwise returns
 * whatever DB_Search() returns for the (filename, checksum) pair.
 */
int DecodeSyscheck(Eventinfo *lf)
{
    /* Every syscheck message must be in the following format:
     * checksum filename */
    char *sep = strchr(lf->log, ' ');
    if (sep == NULL) {
        /* If we don't have a valid syscheck message, it may be
         * a database completed message */
        if (strcmp(lf->log, HC_SK_DB_COMPLETED) == 0) {
            DB_SetCompleted(lf);
        } else {
            merror(SK_INV_MSG, ARGV0);
        }
        return (0);
    }

    /* Terminate the checksum; the file name starts right after it */
    *sep = '\0';
    char *f_name = sep + 1;

    /* Anything after the first newline is the diff payload */
    char *diff = strchr(f_name, '\n');
    if (diff != NULL) {
        *diff = '\0';
        diff++;
    }
    lf->data = diff;

    /* Drop the event if the file name starts with an ignored prefix
     * (case-insensitive prefix match, as configured) */
    if (Config.syscheck_ignore) {
        for (char **ig = Config.syscheck_ignore; *ig != NULL; ig++) {
            if (strncasecmp(*ig, f_name, strlen(*ig)) == 0) {
                lf->data = NULL;
                return (0);
            }
        }
    }

    /* Checksum is at the beginning of the log */
    char *c_sum = lf->log;

    /* Search for file changes */
    return (DB_Search(f_name, c_sum, lf));
}
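/* Special decoder for syscheck
 * Not using the default decoding lib for simplicity
 * and to be less resource intensive.
 *
 * Expected message layout in lf->log: "<checksum> <filename>[\n<diff>]".
 * The buffer is split in place: the first space and the first newline
 * after it are overwritten with '\0', lf->data ends up pointing at the
 * diff text (or is NULL when there is none).
 *
 * Returns 0 when the message is a DB-completed marker, is malformed,
 * names a file matching Config.syscheck_ignore, or (SQLITE_ENABLED)
 * carries an MD5 that is present in the md5 allowlist database;
 * otherwise returns whatever DB_Search() returns for the
 * (filename, checksum) pair.
 */
int DecodeSyscheck(Eventinfo *lf)
{
    const char *c_sum;
    char *f_name;

    /* Every syscheck message must be in the following format:
     * checksum filename */
    f_name = strchr(lf->log, ' ');
    if (f_name == NULL) {
        /* If we don't have a valid syscheck message, it may be
         * a database completed message */
        if (strcmp(lf->log, HC_SK_DB_COMPLETED) == 0) {
            DB_SetCompleted(lf);
            return (0);
        }

        merror(SK_INV_MSG, ARGV0);
        return (0);
    }

    /* Zero to get the check sum */
    *f_name = '\0';
    f_name++;

    /* Get diff */
    lf->data = strchr(f_name, '\n');
    if (lf->data) {
        *lf->data = '\0';
        lf->data++;
    } else {
        lf->data = NULL;
    }

    /* Check if file is supposed to be ignored */
    if (Config.syscheck_ignore) {
        char **ff_ig = Config.syscheck_ignore;

        while (*ff_ig) {
            if (strncasecmp(*ff_ig, f_name, strlen(*ff_ig)) == 0) {
                lf->data = NULL;
                return (0);
            }

            ff_ig++;
        }
    }

    /* Checksum is at the beginning of the log */
    c_sum = lf->log;

    /* Extract the MD5 hash and search for it in the allowlist
     * Sample message:
     * 0:0:0:0:78f5c869675b1d09ddad870adad073f9:bd6c8d7a58b462aac86475e59af0e22954039c50
     */
#ifdef SQLITE_ENABLED
    if (Config.md5_allowlist) {
        extern sqlite3 *conn;
        /* Fifth ':'-separated field of the checksum is the MD5.
         * NOTE(review): extract_token()'s return is not freed here, as in
         * the original; whether it allocates is not visible from this
         * function — confirm against its definition. */
        char *p = extract_token(c_sum, ":", 4);

        if (p) {
            if (!validate_md5(p)) {
                /* Never trust input from other origin */
                merror("%s: Not a valid MD5 hash: '%s'", ARGV0, p);
                return (0);
            }

            debug1("%s: Checking MD5 '%s' in %s", ARGV0, p, Config.md5_allowlist);

            /* Bind the hash as a statement parameter rather than
             * formatting it into the SQL text with sprintf(): the hash
             * comes from the agent-supplied event, and a bound value
             * cannot change the statement no matter what it contains,
             * so validate_md5() is no longer the only line of defence.
             * nByte = -1 lets SQLite read up to the NUL terminator
             * instead of the fixed 1000 the old code passed. */
            static const char sql[] =
                "select md5sum from files where md5sum = ?";
            sqlite3_stmt *res = NULL;
            int found = 0;

            if (sqlite3_prepare_v2(conn, sql, -1, &res, NULL) == SQLITE_OK) {
                if (sqlite3_bind_text(res, 1, p, -1, SQLITE_STATIC) == SQLITE_OK) {
                    /* One matching row is enough; no need to drain the cursor */
                    found = (sqlite3_step(res) == SQLITE_ROW);
                }
                sqlite3_finalize(res);
            }
            /* If prepare/bind failed, fall through to DB_Search(): the
             * allowlist only suppresses alerts, so not consulting it is
             * the conservative outcome (an alert is raised, not dropped). */

            if (found) {
                merror(MD5_NOT_CHECKED, ARGV0, p);
                return (0);
            }
        }
    }
#endif /* SQLITE_ENABLED */

    /* Search for file changes */
    return (DB_Search(f_name, c_sum, lf));
}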