END_TEST
START_TEST(test_osgetonecontentforelement)
{
char xml_file_name[256];
create_xml_file("<root><child>test</child><child>test2</child><child2>test</child2></root>", xml_file_name, 256);
OS_XML xml;
ck_assert_int_eq(OS_ReadXML(xml_file_name, &xml), 0);
ck_assert_int_eq(OS_ApplyVariables(&xml), 0);
const char *xml_path1[] = { "root", "child", NULL };
const char *xml_path2[] = { "root", "child2", NULL };
const char *xml_path3[] = { "root", "child3", NULL };
char *content1, *content2;
ck_assert_str_eq(content1 = OS_GetOneContentforElement(&xml, xml_path1), "test");
ck_assert_str_eq(content2 = OS_GetOneContentforElement(&xml, xml_path2), "test");
ck_assert_ptr_eq(OS_GetOneContentforElement(&xml, xml_path3), NULL);
free(content1);
free(content2);
OS_ClearXML(&xml);
unlink(xml_file_name);
}
/* Get OSSEC Server IP */
int get_ossec_server()
{
OS_XML xml;
char *str = NULL;
/* Definitions */
const char *(xml_serverip[]) = {"ossec_config", "client", "server-ip", NULL};
const char *(xml_serverhost[]) = {"ossec_config", "client", "server-hostname", NULL};
/* Read XML */
if (OS_ReadXML(CONFIG, &xml) < 0) {
return (0);
}
/* We need to remove the entry for the server */
if (config_inst.server) {
free(config_inst.server);
config_inst.server = NULL;
}
config_inst.server_type = 0;
/* Get IP */
str = OS_GetOneContentforElement(&xml, xml_serverip);
if (str && (OS_IsValidIP(str, NULL) == 1)) {
config_inst.server_type = SERVER_IP_USED;
config_inst.server = str;
OS_ClearXML(&xml);
return (1);
}
/* If we don't find the IP, try the server hostname */
else {
if (str) {
free(str);
str = NULL;
}
str = OS_GetOneContentforElement(&xml, xml_serverhost);
if (str) {
char *s_ip;
s_ip = OS_GetHost(str, 0);
if (s_ip) {
/* Clear the host memory */
free(s_ip);
/* Assign the hostname to the server info */
config_inst.server_type = SERVER_HOST_USED;
config_inst.server = str;
OS_ClearXML(&xml);
return (1);
}
free(str);
}
}
/* Set up final server name when not available */
config_inst.server = strdup(FL_NOSERVER);
OS_ClearXML(&xml);
return (0);
}
/* ExecdConfig v0.1, 2006/03/24
* Read the config file
*/
int ExecdConfig(char * cfgfile)
{
extern int repeated_offenders_timeout[];
#ifdef WIN32
int is_disabled = 1;
#else
int is_disabled = 0;
#endif
const char *(xmlf[]) = {"ossec_config", "active-response", "disabled", NULL};
const char *(blocks[]) = {"ossec_config", "active-response", "repeated_offenders", NULL};
char *disable_entry;
char *repeated_t;
char **repeated_a;
OS_XML xml;
/* Reading XML file */
if(OS_ReadXML(cfgfile,&xml) < 0)
{
ErrorExit(XML_ERROR, ARGV0, cfgfile, xml.err, xml.err_line);
}
/* We do not validate the xml in here. It is done by other processes */
disable_entry = OS_GetOneContentforElement(&xml, xmlf);
if(disable_entry)
{
if(strcmp(disable_entry, "yes") == 0)
{
is_disabled = 1;
}
else if(strcmp(disable_entry, "no") == 0)
{
is_disabled = 0;
}
else
{
merror(XML_VALUEERR, ARGV0,
"disabled",
disable_entry);
return(-1);
}
}
repeated_t = OS_GetOneContentforElement(&xml, blocks);
if(repeated_t)
{
int i = 0;
int j = 0;
repeated_a = OS_StrBreak(',', repeated_t, 5);
if(!repeated_a)
{
merror(XML_VALUEERR, ARGV0,
"repeated_offenders",
disable_entry);
return(-1);
}
while(repeated_a[i] != NULL)
{
char *tmpt = repeated_a[i];
while(*tmpt != '\0')
{
if(*tmpt == ' ' || *tmpt == '\t')
tmpt++;
else
break;
}
if(*tmpt == '\0')
{
i++;
continue;
}
repeated_offenders_timeout[j] = atoi(tmpt);
verbose("%s: INFO: Adding offenders timeout: %d (for #%d)",
ARGV0, repeated_offenders_timeout[j], j+1);
j++;
repeated_offenders_timeout[j] = 0;
if(j >= 6) break;
i++;
}
}
OS_ClearXML(&xml);
return(is_disabled);
}
/* Read the rootcheck config */
int Read_Rootcheck_Config(const char *cfgfile)
{
OS_XML xml;
#ifdef OSSECHIDS
char *str = NULL;
#endif
/* XML Definitions */
const char *(xml_base_dir[]) = {xml_rootcheck, "base_directory", NULL};
const char *(xml_workdir[]) = {xml_rootcheck, "work_directory", NULL};
const char *(xml_rootkit_files[]) = {xml_rootcheck, "rootkit_files", NULL};
const char *(xml_rootkit_trojans[]) = {xml_rootcheck, "rootkit_trojans", NULL};
const char *(xml_rootkit_unixaudit[]) = {xml_rootcheck, "system_audit", NULL};
const char *(xml_rootkit_winaudit[]) = {xml_rootcheck, "windows_audit", NULL};
const char *(xml_rootkit_winapps[]) = {xml_rootcheck, "windows_apps", NULL};
const char *(xml_rootkit_winmalware[]) = {xml_rootcheck, "windows_malware", NULL};
const char *(xml_scanall[]) = {xml_rootcheck, "scanall", NULL};
const char *(xml_readall[]) = {xml_rootcheck, "readall", NULL};
#ifdef OSSECHIDS
const char *(xml_time[]) = {xml_rootcheck, "frequency", NULL};
#endif
const char *(xml_check_dev[]) = {xml_rootcheck, "check_dev", NULL};
const char *(xml_check_files[]) = {xml_rootcheck, "check_files", NULL};
const char *(xml_check_if[]) = {xml_rootcheck, "check_if", NULL};
const char *(xml_check_pids[]) = {xml_rootcheck, "check_pids", NULL};
const char *(xml_check_ports[]) = {xml_rootcheck, "check_ports", NULL};
const char *(xml_check_sys[]) = {xml_rootcheck, "check_sys", NULL};
const char *(xml_check_trojans[]) = {xml_rootcheck, "check_trojans", NULL};
#ifdef WIN32
const char *(xml_check_winapps[]) = {xml_rootcheck, "check_winapps", NULL};
const char *(xml_check_winaudit[]) = {xml_rootcheck, "check_winaudit", NULL};
const char *(xml_check_winmalware[]) = {xml_rootcheck, "check_winmalware", NULL};
#else
const char *(xml_check_unixaudit[]) = {xml_rootcheck, "check_unixaudit", NULL};
#endif
#ifdef OSSECHIDS
/* :) */
xml_time[2] = NULL;
#endif
if (OS_ReadXML(cfgfile, &xml) < 0) {
merror("config_op: XML error: %s", xml.err);
return (OS_INVALID);
}
if (!OS_RootElementExist(&xml, xml_rootcheck)) {
OS_ClearXML(&xml);
merror("%s: Rootcheck configuration not found. ", ARGV0);
return (-1);
}
#ifdef OSSECHIDS
/* time */
str = OS_GetOneContentforElement(&xml, xml_time);
if (str) {
if (!OS_StrIsNum(str)) {
merror("Invalid frequency time '%s' for the rootkit "
"detection (must be int).", str);
return (OS_INVALID);
}
rootcheck.time = atoi(str);
free(str);
str = NULL;
}
#endif /* OSSECHIDS */
/* Scan all flags */
if (!rootcheck.scanall) {
rootcheck.scanall = eval_bool2(OS_GetOneContentforElement(&xml, xml_scanall), 0);
}
/* Read all flags */
if (!rootcheck.readall) {
rootcheck.readall = eval_bool2(OS_GetOneContentforElement(&xml, xml_readall), 0);
}
/* Get work directory */
if (!rootcheck.workdir) {
rootcheck.workdir = OS_GetOneContentforElement(&xml, xml_workdir);
}
rootcheck.rootkit_files = OS_GetOneContentforElement
(&xml, xml_rootkit_files);
rootcheck.rootkit_trojans = OS_GetOneContentforElement
(&xml, xml_rootkit_trojans);
rootcheck.unixaudit = OS_GetContents
(&xml, xml_rootkit_unixaudit);
rootcheck.winaudit = OS_GetOneContentforElement
(&xml, xml_rootkit_winaudit);
rootcheck.winapps = OS_GetOneContentforElement
(&xml, xml_rootkit_winapps);
rootcheck.winmalware = OS_GetOneContentforElement
(&xml, xml_rootkit_winmalware);
rootcheck.basedir = OS_GetOneContentforElement(&xml, xml_base_dir);
rootcheck.checks.rc_dev = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_dev), 1);
rootcheck.checks.rc_files = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_files), 1);
rootcheck.checks.rc_if = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_if), 1);
rootcheck.checks.rc_pids = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_pids), 1);
rootcheck.checks.rc_ports = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_ports), 1);
rootcheck.checks.rc_sys = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_sys), 1);
rootcheck.checks.rc_trojans = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_trojans), 1);
#ifdef WIN32
rootcheck.checks.rc_winapps = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_winapps), 1);
rootcheck.checks.rc_winaudit = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_winaudit), 1);
rootcheck.checks.rc_winmalware = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_winmalware), 1);
#else
rootcheck.checks.rc_unixaudit = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_unixaudit), 1);
#endif /* WIN32 */
OS_ClearXML(&xml);
return (0);
}
int main(int argc, char **argv)
{
int c, test_config = 0, run_foreground = 0;
int uid=0,gid=0;
char *dir = DEFAULTDIR;
char *user = USER;
char *group = GROUPGLOBAL;
char *cfg = DEFAULTCPATH;
/* Initializing global variables */
mond.a_queue = 0;
/* Setting the name */
OS_SetName(ARGV0);
while((c = getopt(argc, argv, "Vdhtfu:g:D:c:")) != -1){
switch(c){
case 'V':
print_version();
break;
case 'h':
help(ARGV0);
break;
case 'd':
nowDebug();
break;
case 'f':
run_foreground = 1;
break;
case 'u':
if(!optarg)
ErrorExit("%s: -u needs an argument",ARGV0);
user=optarg;
break;
case 'g':
if(!optarg)
ErrorExit("%s: -g needs an argument",ARGV0);
group=optarg;
break;
case 'D':
if(!optarg)
ErrorExit("%s: -D needs an argument",ARGV0);
dir=optarg;
case 'c':
if(!optarg)
ErrorExit("%s: -c needs an argument",ARGV0);
cfg = optarg;
break;
case 't':
test_config = 1;
break;
default:
help(ARGV0);
break;
}
}
/* Starting daemon */
debug1(STARTED_MSG,ARGV0);
/*Check if the user/group given are valid */
uid = Privsep_GetUser(user);
gid = Privsep_GetGroup(group);
if((uid < 0)||(gid < 0))
ErrorExit(USER_ERROR,ARGV0,user,group);
/* Getting config options */
mond.day_wait = getDefine_Int("monitord",
"day_wait",
5,240);
mond.compress = getDefine_Int("monitord",
"compress",
0,1);
mond.sign = getDefine_Int("monitord","sign",0,1);
mond.monitor_agents = getDefine_Int("monitord","monitor_agents",0,1);
mond.agents = NULL;
mond.smtpserver = NULL;
mond.emailfrom = NULL;
c = 0;
c|= CREPORTS;
if(ReadConfig(c, cfg, &mond, NULL) < 0)
{
ErrorExit(CONFIG_ERROR, ARGV0, cfg);
}
/* If we have any reports configured, read smtp/emailfrom */
if(mond.reports)
{
OS_XML xml;
char *tmpsmtp;
char *(xml_smtp[])={"ossec_config", "global", "smtp_server", NULL};
char *(xml_from[])={"ossec_config", "global", "email_from", NULL};
if(OS_ReadXML(cfg, &xml) < 0)
{
ErrorExit(CONFIG_ERROR, ARGV0, cfg);
}
tmpsmtp = OS_GetOneContentforElement(&xml,xml_smtp);
mond.emailfrom = OS_GetOneContentforElement(&xml,xml_from);
if(tmpsmtp && mond.emailfrom)
{
mond.smtpserver = OS_GetHost(tmpsmtp, 5);
if(!mond.smtpserver)
{
merror(INVALID_SMTP, ARGV0, tmpsmtp);
if(mond.emailfrom) free(mond.emailfrom);
mond.emailfrom = NULL;
merror("%s: Invalid SMTP server. Disabling email reports.", ARGV0);
}
}
else
{
if(tmpsmtp) free(tmpsmtp);
if(mond.emailfrom) free(mond.emailfrom);
mond.emailfrom = NULL;
merror("%s: SMTP server or 'email from' missing. Disabling email reports.", ARGV0);
}
OS_ClearXML(&xml);
}
/* Exit here if test config is set */
if(test_config)
exit(0);
if (!run_foreground)
{
/* Going on daemon mode */
nowDaemon();
goDaemon();
}
/* Privilege separation */
if(Privsep_SetGroup(gid) < 0)
ErrorExit(SETGID_ERROR,ARGV0,group);
/* chrooting */
if(Privsep_Chroot(dir) < 0)
ErrorExit(CHROOT_ERROR,ARGV0,dir);
nowChroot();
/* Changing user */
if(Privsep_SetUser(uid) < 0)
ErrorExit(SETUID_ERROR,ARGV0,user);
debug1(PRIVSEP_MSG,ARGV0,dir,user);
/* Signal manipulation */
StartSIG(ARGV0);
/* Creating PID files */
if(CreatePID(ARGV0, getpid()) < 0)
ErrorExit(PID_ERROR,ARGV0);
/* Start up message */
verbose(STARTUP_MSG, ARGV0, (int)getpid());
/* the real daemon now */
Monitord();
exit(0);
}
/* Read_Rootcheck_Config: Reads the rootcheck config
*/
int Read_Rootcheck_Config(char * cfgfile)
{
OS_XML xml;
char *str = NULL;
/* XML Definitions */
char *(xml_daemon[])={xml_rootcheck,"daemon", NULL};
char *(xml_notify[])={xml_rootcheck, "notify", NULL};
char *(xml_base_dir[])={xml_rootcheck, "base_directory", NULL};
char *(xml_workdir[])={xml_rootcheck, "work_directory", NULL};
char *(xml_rootkit_files[])={xml_rootcheck, "rootkit_files", NULL};
char *(xml_rootkit_trojans[])={xml_rootcheck, "rootkit_trojans", NULL};
char *(xml_rootkit_unixaudit[])={xml_rootcheck, "system_audit", NULL};
char *(xml_rootkit_winaudit[])={xml_rootcheck, "windows_audit", NULL};
char *(xml_rootkit_winapps[])={xml_rootcheck, "windows_apps", NULL};
char *(xml_rootkit_winmalware[])={xml_rootcheck, "windows_malware", NULL};
char *(xml_scanall[])={xml_rootcheck, "scanall", NULL};
char *(xml_readall[])={xml_rootcheck, "readall", NULL};
char *(xml_time[])={xml_rootcheck, "frequency", NULL};
/* :) */
xml_time[2] = NULL;
if(OS_ReadXML(cfgfile,&xml) < 0)
{
merror("config_op: XML error: %s",xml.err);
return(OS_INVALID);
}
if(!OS_RootElementExist(&xml,xml_rootcheck))
{
OS_ClearXML(&xml);
merror("%s: Rootcheck configuration not found. ",ARGV0);
return(-1);
}
/* run as a daemon */
str = OS_GetOneContentforElement(&xml,xml_daemon);
if(str)
{
if(str[0] == 'n')
rootcheck.daemon = 0;
free(str);
str = NULL;
}
/* time */
#ifdef OSSECHIDS
str = OS_GetOneContentforElement(&xml,xml_time);
if(str)
{
if(!OS_StrIsNum(str))
{
merror("Invalid frequency time '%s' for the rootkit "
"detection (must be int).", str);
return(OS_INVALID);
}
rootcheck.time = atoi(str);
free(str);
str = NULL;
}
#endif
/* Scan all flag */
if(!rootcheck.scanall)
{
str = OS_GetOneContentforElement(&xml,xml_scanall);
if(str)
{
if(str[0] == 'y')
rootcheck.scanall = 1;
free(str);
str = NULL;
}
}
/* read all flag */
if(!rootcheck.readall)
{
str = OS_GetOneContentforElement(&xml,xml_readall);
if(str)
{
if(str[0] == 'y')
rootcheck.readall = 1;
free(str);
str = NULL;
}
}
/* Notifications type */
str = OS_GetOneContentforElement(&xml,xml_notify);
if(str)
{
if(strcasecmp(str,"queue") == 0)
rootcheck.notify = QUEUE;
else if(strcasecmp(str,"syslog") == 0)
rootcheck.notify = SYSLOG;
else
{
merror("%s: Invalid notification option. Only "
"'syslog' or 'queue' are allowed.",ARGV0);
return(-1);
}
free(str);
str = NULL;
}
else
{
/* Default to SYSLOG */
rootcheck.notify = SYSLOG;
}
/* Getting work directory */
if(!rootcheck.workdir)
rootcheck.workdir = OS_GetOneContentforElement(&xml,xml_workdir);
rootcheck.rootkit_files = OS_GetOneContentforElement
(&xml,xml_rootkit_files);
rootcheck.rootkit_trojans = OS_GetOneContentforElement
(&xml,xml_rootkit_trojans);
rootcheck.unixaudit = OS_GetContents
(&xml,xml_rootkit_unixaudit);
rootcheck.winaudit = OS_GetOneContentforElement
(&xml,xml_rootkit_winaudit);
rootcheck.winapps = OS_GetOneContentforElement
(&xml,xml_rootkit_winapps);
rootcheck.winmalware = OS_GetOneContentforElement
(&xml,xml_rootkit_winmalware);
rootcheck.basedir = OS_GetOneContentforElement(&xml, xml_base_dir);
OS_ClearXML(&xml);
debug1("%s: DEBUG: Daemon set to '%d'",ARGV0, rootcheck.daemon);
debug1("%s: DEBUG: alert set to '%d'",ARGV0, rootcheck.notify);
return(0);
}
