/* Special decoder for syscheck
 * Not using the default decoding lib for simplicity
 * and to be less resource intensive
 */
int DecodeSyscheck(Eventinfo *lf)
{
    /* Expected layout of lf->log: "<checksum> <filename>[\n<diff>]".
     * The buffer is split in place; nothing is copied.
     */
    char *f_name = strchr(lf->log, ' ');

    if (!f_name) {
        /* No separator: either the "database completed" marker
         * or a message we cannot parse. Both end the decode here.
         */
        if (strcmp(lf->log, HC_SK_DB_COMPLETED) == 0) {
            DB_SetCompleted(lf);
        } else {
            merror(SK_INV_MSG, ARGV0);
        }
        return (0);
    }

    /* Terminate the checksum and move f_name past the separator */
    *f_name++ = '\0';

    /* Whatever follows the first newline is the diff payload (may be absent) */
    char *diff = strchr(f_name, '\n');
    if (diff) {
        *diff++ = '\0';
    }
    lf->data = diff;

    /* Drop the event when the path starts with any configured ignore
     * prefix (case-insensitive compare over the prefix length only).
     */
    if (Config.syscheck_ignore) {
        for (char **ig = Config.syscheck_ignore; *ig; ig++) {
            if (strncasecmp(*ig, f_name, strlen(*ig)) == 0) {
                lf->data = NULL;
                return (0);
            }
        }
    }

    /* The checksum is what remains at the start of lf->log */
    char *c_sum = lf->log;

    /* Hand the (checksum, path) pair to the change-detection database */
    return (DB_Search(f_name, c_sum, lf));
}
/* Special decoder for syscheck
 * Not using the default decoding lib for simplicity
 * and to be less resource intensive
 */
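int DecodeSyscheck(Eventinfo *lf)
{
    /* Parses "<checksum> <filename>[\n<diff>]" from lf->log in place,
     * discards events whose path matches Config.syscheck_ignore, and
     * (when built with SQLite support) skips events whose MD5 is on the
     * configured allowlist. Everything else is passed to DB_Search().
     *
     * Returns 0 on every early exit; otherwise the result of DB_Search().
     */
    const char *c_sum;
    char *f_name;

#ifdef SQLITE_ENABLED
    char *p;
    sqlite3_stmt *res = NULL;
    int error = 0;
    int rec_count = 0;
    const char *tail = NULL;
#endif // SQLITE_ENABLED

    /* Every syscheck message must be in the following format:
     * checksum filename
     */
    f_name = strchr(lf->log, ' ');
    if (f_name == NULL) {
        /* If we don't have a valid syscheck message, it may be
         * a database completed message
         */
        if (strcmp(lf->log, HC_SK_DB_COMPLETED) == 0) {
            DB_SetCompleted(lf);
            return (0);
        }

        merror(SK_INV_MSG, ARGV0);
        return (0);
    }

    /* Zero to get the check sum */
    *f_name = '\0';
    f_name++;

    /* Get diff: anything after the first newline; NULL when absent */
    lf->data = strchr(f_name, '\n');
    if (lf->data) {
        *lf->data = '\0';
        lf->data++;
    }

    /* Check if file is supposed to be ignored
     * (case-insensitive prefix match against each configured entry)
     */
    if (Config.syscheck_ignore) {
        char **ff_ig = Config.syscheck_ignore;

        while (*ff_ig) {
            if (strncasecmp(*ff_ig, f_name, strlen(*ff_ig)) == 0) {
                lf->data = NULL;
                return (0);
            }

            ff_ig++;
        }
    }

    /* Checksum is at the beginning of the log */
    c_sum = lf->log;

    /* Extract the MD5 hash and search for it in the allowlist
     * Sample message:
     * 0:0:0:0:78f5c869675b1d09ddad870adad073f9:bd6c8d7a58b462aac86475e59af0e22954039c50
     */
#ifdef SQLITE_ENABLED
    if (Config.md5_allowlist)  {
        extern sqlite3 *conn;
        /* NOTE(review): whether extract_token() returns heap memory that
         * must be freed is not visible here; nothing is freed, as before.
         */
        if ((p = extract_token(c_sum, ":", 4))) {
            if (!validate_md5(p)) { /* Never trust input from other origin */
                merror("%s: Not a valid MD5 hash: '%s'", ARGV0, p);
                return(0);
            }
            debug1("%s: Checking MD5 '%s' in %s", ARGV0, p, Config.md5_allowlist);

            /* The hash comes from the agent message, so it is bound as a
             * parameter rather than spliced into the SQL text; the statement
             * text stays constant whatever the token contains, and the
             * fixed-size stmt buffer and unbounded sprintf() are gone.
             */
            error = sqlite3_prepare_v2(conn,
                                       "select md5sum from files where md5sum = ?",
                                       -1, &res, &tail);
            if (error == SQLITE_OK) {
                if (sqlite3_bind_text(res, 1, p, -1, SQLITE_TRANSIENT) == SQLITE_OK) {
                    while (sqlite3_step(res) == SQLITE_ROW) {
                        rec_count++;
                    }
                } else {
                    merror("%s: Could not bind MD5 '%s' to allowlist query: %s",
                           ARGV0, p, sqlite3_errmsg(conn));
                }

                /* Finalize exactly once, before any early return */
                sqlite3_finalize(res);
                res = NULL;

                if (rec_count) {
                    merror(MD5_NOT_CHECKED, ARGV0, p);
                    return(0);
                }
            } else {
                /* Preparation failed: report it instead of silently falling
                 * through. As before, the event still goes to DB_Search().
                 */
                merror("%s: Could not prepare allowlist query: %s",
                       ARGV0, sqlite3_errmsg(conn));
            }
        }
    }
#endif

    /* Search for file changes */
    return (DB_Search(f_name, c_sum, lf));
}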