char *OS_AddNewAgent(const char *name, const char *ip, const char *id) { FILE *fp; os_md5 md1; os_md5 md2; char str1[STR_SIZE + 1]; char str2[STR_SIZE + 1]; char *muname; char *finals; char nid[9]; srandom_init(); muname = getuname(); snprintf(str1, STR_SIZE, "%d%s%d%s", (int)time(0), name, (int)random(), muname); snprintf(str2, STR_SIZE, "%s%s%ld", ip, id, (long int)random()); OS_MD5_Str(str1, md1); OS_MD5_Str(str2, md2); free(muname); nid[8] = '\0'; if (id == NULL) { int i = 1024; snprintf(nid, 6, "%d", i); while (IDExist(nid)) { i++; snprintf(nid, 6, "%d", i); if (i >= (MAX_AGENTS + 1024)) { return (NULL); } } id = nid; } fp = fopen(KEYSFILE_PATH, "a"); if (!fp) { return (NULL); } os_calloc(2048, sizeof(char), finals); if (ip == NULL) { snprintf(finals, 2048, "%s %s any %s%s", id, name, md1, md2); } else { snprintf(finals, 2048, "%s %s %s %s%s", id, name, ip, md1, md2); } fprintf(fp, "%s\n", finals); fclose(fp); return (finals); }
int main(int argc, char **argv) { int i = 0, c = 0; uid_t uid; gid_t gid; int debug_level = 0; int test_config = 0, run_foreground = 0; const char *cfg = DEFAULTCPATH; const char *dir = DEFAULTDIR; const char *user = REMUSER; const char *group = GROUPGLOBAL; /* Set the name */ OS_SetName(ARGV0); while ((c = getopt(argc, argv, "Vdthfu:g:c:D:")) != -1) { switch (c) { case 'V': print_version(); break; case 'h': help_remoted(); break; case 'd': nowDebug(); debug_level = 1; break; case 'f': run_foreground = 1; break; case 'u': if (!optarg) { ErrorExit("%s: -u needs an argument", ARGV0); } user = optarg; break; case 'g': if (!optarg) { ErrorExit("%s: -g needs an argument", ARGV0); } group = optarg; break; case 't': test_config = 1; break; case 'c': if (!optarg) { ErrorExit("%s: -c need an argument", ARGV0); } cfg = optarg; break; case 'D': if (!optarg) { ErrorExit("%s: -D needs an argument", ARGV0); } dir = optarg; break; default: help_remoted(); break; } } /* Check current debug_level * Command line setting takes precedence */ if (debug_level == 0) { /* Get debug level */ debug_level = getDefine_Int("remoted", "debug", 0, 2); while (debug_level != 0) { nowDebug(); debug_level--; } } debug1(STARTED_MSG, ARGV0); /* Return 0 if not configured */ if (RemotedConfig(cfg, &logr) < 0) { ErrorExit(CONFIG_ERROR, ARGV0, cfg); } /* Exit if test_config is set */ if (test_config) { exit(0); } if (logr.conn == NULL) { /* Not configured */ exit(0); } /* Don't exit when client.keys empty (if set) */ if (getDefine_Int("remoted", "pass_empty_keyfile", 0, 1)) { OS_PassEmptyKeyfile(); } /* Check if the user and group given are valid */ uid = Privsep_GetUser(user); gid = Privsep_GetGroup(group); if (uid == (uid_t) - 1 || gid == (gid_t) - 1) { ErrorExit(USER_ERROR, ARGV0, user, group); } /* Setup random */ srandom_init(); /* pid before going daemon */ i = getpid(); if (!run_foreground) { nowDaemon(); goDaemon(); } /* Set new group */ if (Privsep_SetGroup(gid) < 0) { ErrorExit(SETGID_ERROR, ARGV0, group, errno, strerror(errno)); } /* chroot */ if (Privsep_Chroot(dir) < 0) { ErrorExit(CHROOT_ERROR, ARGV0, dir, errno, strerror(errno)); } nowChroot(); /* Start the signal manipulation */ StartSIG(ARGV0); /* Ignore SIGPIPE, it will be detected on recv */ signal(SIGPIPE, SIG_IGN); random(); /* Start up message */ verbose(STARTUP_MSG, ARGV0, (int)getpid()); /* Really start the program */ i = 0; while (logr.conn[i] != 0) { /* Fork for each connection handler */ if (fork() == 0) { /* On the child */ debug1("%s: DEBUG: Forking remoted: '%d'.", ARGV0, i); logr.position = i; HandleRemote(uid); } else { i++; continue; } } return (0); }
int main(int argc, char **argv) { FILE *fp; char *authpass = NULL; /* Bucket to keep pids in */ int process_pool[POOL_SIZE]; /* Count of pids we are wait()ing on */ int c = 0, test_config = 0, use_ip_address = 0, pid = 0, status, i = 0, active_processes = 0; int use_pass = 1; int force_antiquity = -1; char *id_exist; gid_t gid; int client_sock = 0, sock = 0, port = DEFAULT_PORT, ret = 0; const char *dir = DEFAULTDIR; const char *group = GROUPGLOBAL; const char *server_cert = NULL; const char *server_key = NULL; const char *ca_cert = NULL; char buf[4096 + 1]; SSL_CTX *ctx; SSL *ssl; char srcip[IPSIZE + 1]; struct sockaddr_in _nc; socklen_t _ncl; /* Initialize some variables */ memset(srcip, '\0', IPSIZE + 1); memset(process_pool, 0x0, POOL_SIZE * sizeof(*process_pool)); bio_err = 0; /* Set the name */ OS_SetName(ARGV0); while ((c = getopt(argc, argv, "Vdhtig:D:m:p:v:x:k:nf:")) != -1) { char *end; switch (c) { case 'V': print_version(); break; case 'h': help_authd(); break; case 'd': nowDebug(); break; case 'i': use_ip_address = 1; break; case 'g': if (!optarg) { ErrorExit("%s: -g needs an argument", ARGV0); } group = optarg; break; case 'D': if (!optarg) { ErrorExit("%s: -D needs an argument", ARGV0); } dir = optarg; break; case 't': test_config = 1; break; case 'n': use_pass = 0; break; case 'p': if (!optarg) { ErrorExit("%s: -%c needs an argument", ARGV0, c); } port = atoi(optarg); if (port <= 0 || port >= 65536) { ErrorExit("%s: Invalid port: %s", ARGV0, optarg); } break; case 'v': if (!optarg) { ErrorExit("%s: -%c needs an argument", ARGV0, c); } ca_cert = optarg; break; case 'x': if (!optarg) { ErrorExit("%s: -%c needs an argument", ARGV0, c); } server_cert = optarg; break; case 'k': if (!optarg) { ErrorExit("%s: -%c needs an argument", ARGV0, c); } server_key = optarg; break; case 'f': if (!optarg) ErrorExit("%s: -%c needs an argument", ARGV0, c); force_antiquity = strtol(optarg, &end, 10); if (optarg == end || force_antiquity < 0) ErrorExit("%s: Invalid number for -f", ARGV0); break; default: help_authd(); break; } } /* Start daemon -- NB: need to double fork and setsid */ debug1(STARTED_MSG, ARGV0); /* Check if the user/group given are valid */ gid = Privsep_GetGroup(group); if (gid == (gid_t) - 1) { ErrorExit(USER_ERROR, ARGV0, "", group); } /* Exit here if test config is set */ if (test_config) { exit(0); } /* Privilege separation */ if (Privsep_SetGroup(gid) < 0) { ErrorExit(SETGID_ERROR, ARGV0, group, errno, strerror(errno)); } /* chroot -- TODO: this isn't a chroot. Should also close * unneeded open file descriptors (like stdin/stdout) */ if (chdir(dir) == -1) { ErrorExit(CHDIR_ERROR, ARGV0, dir, errno, strerror(errno)); } /* Signal manipulation */ StartSIG(ARGV0); /* Create PID files */ if (CreatePID(ARGV0, getpid()) < 0) { ErrorExit(PID_ERROR, ARGV0); } /* Start up message */ verbose(STARTUP_MSG, ARGV0, (int)getpid()); if (use_pass) { /* Checking if there is a custom password file */ fp = fopen(AUTHDPASS_PATH, "r"); buf[0] = '\0'; if (fp) { buf[4096] = '\0'; char *ret = fgets(buf, 4095, fp); if (ret && strlen(buf) > 2) { /* Remove newline */ buf[strlen(buf) - 1] = '\0'; authpass = strdup(buf); } fclose(fp); } if (buf[0] != '\0') verbose("Accepting connections. Using password specified on file: %s",AUTHDPASS_PATH); else { /* Getting temporary pass. */ authpass = __generatetmppass(); verbose("Accepting connections. Random password chosen for agent authentication: %s", authpass); } } else verbose("Accepting insecure connections. No password required (not recommended)"); /* Getting SSL cert. */ fp = fopen(KEYSFILE_PATH, "a"); if (!fp) { merror("%s: ERROR: Unable to open %s (key file)", ARGV0, KEYSFILE_PATH); exit(1); } fclose(fp); /* Start SSL */ ctx = os_ssl_keys(1, dir, server_cert, server_key, ca_cert); if (!ctx) { merror("%s: ERROR: SSL error. Exiting.", ARGV0); exit(1); } /* Connect via TCP */ sock = OS_Bindporttcp(port, NULL, 0); if (sock <= 0) { merror("%s: Unable to bind to port %d", ARGV0, port); exit(1); } fcntl(sock, F_SETFL, O_NONBLOCK); debug1("%s: DEBUG: Going into listening mode.", ARGV0); /* Setup random */ srandom_init(); /* Chroot */ if (Privsep_Chroot(dir) < 0) ErrorExit(CHROOT_ERROR, ARGV0, dir, errno, strerror(errno)); nowChroot(); while (1) { /* No need to completely pin the cpu, 100ms should be fast enough */ usleep(100 * 1000); /* Only check process-pool if we have active processes */ if (active_processes > 0) { for (i = 0; i < POOL_SIZE; i++) { int rv = 0; status = 0; if (process_pool[i]) { rv = waitpid(process_pool[i], &status, WNOHANG); if (rv != 0) { debug1("%s: DEBUG: Process %d exited", ARGV0, process_pool[i]); process_pool[i] = 0; active_processes = active_processes - 1; } } } } memset(&_nc, 0, sizeof(_nc)); _ncl = sizeof(_nc); if ((client_sock = accept(sock, (struct sockaddr *) &_nc, &_ncl)) > 0) { if (active_processes >= POOL_SIZE) { merror("%s: Error: Max concurrency reached. Unable to fork", ARGV0); break; } pid = fork(); if (pid) { active_processes = active_processes + 1; close(client_sock); for (i = 0; i < POOL_SIZE; i++) { if (! process_pool[i]) { process_pool[i] = pid; break; } } } else { strncpy(srcip, inet_ntoa(_nc.sin_addr), IPSIZE - 1); char *agentname = NULL; ssl = SSL_new(ctx); SSL_set_fd(ssl, client_sock); do { ret = SSL_accept(ssl); if (ssl_error(ssl, ret)) { clean_exit(ctx, client_sock); } } while (ret <= 0); verbose("%s: INFO: New connection from %s", ARGV0, srcip); buf[0] = '\0'; do { ret = SSL_read(ssl, buf, sizeof(buf)); if (ssl_error(ssl, ret)) { clean_exit(ctx, client_sock); } } while (ret <= 0); int parseok = 0; char *tmpstr = buf; /* Checking for shared password authentication. */ if(authpass) { /* Format is pretty simple: OSSEC PASS: PASS WHATEVERACTION */ if (strncmp(tmpstr, "OSSEC PASS: "******"%s: ERROR: Invalid password provided by %s. Closing connection.", ARGV0, srcip); SSL_CTX_free(ctx); close(client_sock); exit(0); } } /* Checking for action A (add agent) */ parseok = 0; if (strncmp(tmpstr, "OSSEC A:'", 9) == 0) { agentname = tmpstr + 9; tmpstr += 9; while (*tmpstr != '\0') { if (*tmpstr == '\'') { *tmpstr = '\0'; verbose("%s: INFO: Received request for a new agent (%s) from: %s", ARGV0, agentname, srcip); parseok = 1; break; } tmpstr++; } } if (parseok == 0) { merror("%s: ERROR: Invalid request for new agent from: %s", ARGV0, srcip); } else { int acount = 2; char fname[2048 + 1]; char response[2048 + 1]; char *finalkey = NULL; response[2048] = '\0'; fname[2048] = '\0'; if (!OS_IsValidName(agentname)) { merror("%s: ERROR: Invalid agent name: %s from %s", ARGV0, agentname, srcip); snprintf(response, 2048, "ERROR: Invalid agent name: %s\n\n", agentname); SSL_write(ssl, response, strlen(response)); snprintf(response, 2048, "ERROR: Unable to add agent.\n\n"); SSL_write(ssl, response, strlen(response)); sleep(1); exit(0); } /* Check for duplicated names */ strncpy(fname, agentname, 2048); while (NameExist(fname)) { snprintf(fname, 2048, "%s%d", agentname, acount); acount++; if (acount > 256) { merror("%s: ERROR: Invalid agent name %s (duplicated)", ARGV0, agentname); snprintf(response, 2048, "ERROR: Invalid agent name: %s\n\n", agentname); SSL_write(ssl, response, strlen(response)); snprintf(response, 2048, "ERROR: Unable to add agent.\n\n"); SSL_write(ssl, response, strlen(response)); sleep(1); exit(0); } } agentname = fname; /* Check for duplicated IP */ if (use_ip_address) { id_exist = IPExist(srcip); if (id_exist) { if (force_antiquity >= 0) { double antiquity = OS_AgentAntiquity(id_exist); if (antiquity >= force_antiquity || antiquity < 0) { /* TODO: Backup info-agent, syscheck and rootcheck */ OS_RemoveAgent(id_exist); } else { /* TODO: Send alert */ merror("%s: ERROR: Duplicated IP %s (another active)", ARGV0, srcip); snprintf(response, 2048, "ERROR: Duplicated IP: %s\n\n", srcip); SSL_write(ssl, response, strlen(response)); snprintf(response, 2048, "ERROR: Unable to add agent.\n\n"); SSL_write(ssl, response, strlen(response)); sleep(1); exit(0); } } else { merror("%s: ERROR: Duplicated IP %s", ARGV0, srcip); snprintf(response, 2048, "ERROR: Duplicated IP: %s\n\n", srcip); SSL_write(ssl, response, strlen(response)); snprintf(response, 2048, "ERROR: Unable to add agent.\n\n"); SSL_write(ssl, response, strlen(response)); sleep(1); exit(0); } } } /* Add the new agent */ if (use_ip_address) finalkey = OS_AddNewAgent(agentname, srcip, NULL); else finalkey = OS_AddNewAgent(agentname, NULL, NULL); if (!finalkey) { merror("%s: ERROR: Unable to add agent: %s (internal error)", ARGV0, agentname); snprintf(response, 2048, "ERROR: Internal manager error adding agent: %s\n\n", agentname); SSL_write(ssl, response, strlen(response)); snprintf(response, 2048, "ERROR: Unable to add agent.\n\n"); SSL_write(ssl, response, strlen(response)); sleep(1); exit(0); } snprintf(response, 2048, "OSSEC K:'%s'\n\n", finalkey); verbose("%s: INFO: Agent key generated for %s (requested by %s)", ARGV0, agentname, srcip); ret = SSL_write(ssl, response, strlen(response)); if (ret < 0) { merror("%s: ERROR: SSL write error (%d)", ARGV0, ret); merror("%s: ERROR: Agen key not saved for %s", ARGV0, agentname); ERR_print_errors_fp(stderr); } else { verbose("%s: INFO: Agent key created for %s (requested by %s)", ARGV0, agentname, srcip); } } clean_exit(ctx, client_sock); } } } /* Shut down the socket */ clean_exit(ctx, sock); return (0); }
/* Bulk generate client keys from file */ int k_bulkload(const char *cmdbulk) { int i = 1; FILE *fp, *infp; char str1[STR_SIZE + 1]; char str2[STR_SIZE + 1]; os_md5 md1; os_md5 md2; char line[FILE_SIZE + 1]; char name[FILE_SIZE + 1]; char id[FILE_SIZE + 1]; char ip[FILE_SIZE + 1]; char delims[] = ","; char *token = NULL; /* Check if we can open the input file */ printf("Opening: [%s]\n", cmdbulk); infp = fopen(cmdbulk, "r"); if (!infp) { perror("Failed."); ErrorExit(FOPEN_ERROR, ARGV0, cmdbulk, errno, strerror(errno)); } /* Check if we can open the auth_file */ fp = fopen(AUTH_FILE, "a"); if (!fp) { ErrorExit(FOPEN_ERROR, ARGV0, AUTH_FILE, errno, strerror(errno)); } fclose(fp); while (fgets(line, FILE_SIZE - 1, infp) != NULL) { os_ip c_ip; c_ip.ip = NULL; if (1 >= strlen(trimwhitespace(line))) { continue; } memset(ip, '\0', FILE_SIZE + 1); token = strtok(line, delims); strncpy(ip, trimwhitespace(token), FILE_SIZE - 1); memset(name, '\0', FILE_SIZE + 1); token = strtok(NULL, delims); strncpy(name, trimwhitespace(token), FILE_SIZE - 1); #ifndef WIN32 if (chmod(AUTH_FILE, 0440) == -1) { ErrorExit(CHMOD_ERROR, ARGV0, AUTH_FILE, errno, strerror(errno)); } #endif /* Set time 2 */ time2 = time(0); srandom_init(); rand1 = random(); /* Zero strings */ memset(str1, '\0', STR_SIZE + 1); memset(str2, '\0', STR_SIZE + 1); /* Check the name */ if (!OS_IsValidName(name)) { printf(INVALID_NAME, name); continue; } /* Search for name -- no duplicates */ if (NameExist(name)) { printf(ADD_ERROR_NAME, name); continue; } if (!OS_IsValidIP(ip, &c_ip)) { printf(IP_ERROR, ip); continue; } /* Default ID */ i = MAX_AGENTS + 32512; snprintf(id, 8, "%03d", i); while (!IDExist(id)) { i--; snprintf(id, 8, "%03d", i); /* No key present, use id 0 */ if (i <= 0) { i = 0; break; } } snprintf(id, 8, "%03d", i + 1); if (!OS_IsValidID(id)) { printf(INVALID_ID, id); goto cleanup; } /* Search for ID KEY -- no duplicates */ if (IDExist(id)) { printf(NO_DEFAULT, i + 1); goto cleanup; } printf(AGENT_INFO, id, name, ip); fflush(stdout); time3 = time(0); rand2 = random(); fp = fopen(AUTH_FILE, "a"); if (!fp) { ErrorExit(FOPEN_ERROR, ARGV0, KEYS_FILE, errno, strerror(errno)); } #ifndef WIN32 if (chmod(AUTH_FILE, 0440) == -1) { ErrorExit(CHMOD_ERROR, ARGV0, AUTH_FILE, errno, strerror(errno)); } #endif /* Random 1: Time took to write the agent information * Random 2: Time took to choose the action * Random 3: All of this + time + pid * Random 4: MD5 all of this + the name, key and IP * Random 5: Final key */ snprintf(str1, STR_SIZE, "%d%s%d", (int)(time3 - time2), name, (int)rand1); snprintf(str2, STR_SIZE, "%d%s%s%d", (int)(time2 - time1), ip, id, (int)rand2); OS_MD5_Str(str1, md1); OS_MD5_Str(str2, md2); snprintf(str1, STR_SIZE, "%s%d%d%d", md1, (int)getpid(), (int)random(), (int)time3); OS_MD5_Str(str1, md1); fprintf(fp, "%s %s %s %s%s\n", id, name, c_ip.ip, md1, md2); fclose(fp); printf(AGENT_ADD); restart_necessary = 1; cleanup: free(c_ip.ip); }; fclose(infp); return (0); }
char *OS_AddNewAgent(const char *name, const char *ip, const char *id) { FILE *fp; os_md5 md1; os_md5 md2; char str1[STR_SIZE + 1]; char str2[STR_SIZE + 1]; char *muname; char *finals; char nid[9] = { '\0' }; srandom_init(); muname = getuname(); snprintf(str1, STR_SIZE, "%d%s%d%s", (int)time(0), name, (int)random(), muname); snprintf(str2, STR_SIZE, "%s%s%ld", ip, id, (long int)random()); OS_MD5_Str(str1, md1); OS_MD5_Str(str2, md2); free(muname); if (id == NULL) { #ifdef REUSE_ID int i = 1024; snprintf(nid, 6, "%d", i); while (IDExist(nid)) { i++; snprintf(nid, 6, "%d", i); if (i >= (MAX_AGENTS + 1024)) return (NULL); } #else char nid_p[9] = { '\0' }; int i = AUTHD_FIRST_ID; int j = MAX_AGENTS + AUTHD_FIRST_ID; int m = (i + j) / 2; snprintf(nid, 8, "%d", m); snprintf(nid_p, 8, "%d", m - 1); /* Dichotomic search */ while (1) { if (IDExist(nid)) { if (m == i) return NULL; i = m; } else if (!IDExist(nid_p) && m > i ) j = m; else break; m = (i + j) / 2; snprintf(nid, 8, "%d", m); snprintf(nid_p, 8, "%d", m - 1); } #endif id = nid; } fp = fopen(AUTH_FILE, "a"); if (!fp) { return (NULL); } os_calloc(2048, sizeof(char), finals); if (ip == NULL) { snprintf(finals, 2048, "%s %s any %s%s", id, name, md1, md2); } else { snprintf(finals, 2048, "%s %s %s %s%s", id, name, ip, md1, md2); } fprintf(fp, "%s\n", finals); fclose(fp); OS_AddAgentTimestamp(id, name, ip, time(0)); return (finals); }