int main(int argc, char **argv)
{
os_md5 filesum1;
os_sha1 filesum2;
if (argc < 4) {
usage(argv);
}
if (strcmp(argv[2], "file") == 0) {
OS_MD5_SHA1_File(argv[3], argv[1], filesum1, filesum2, OS_BINARY);
}
else {
usage(argv);
}
printf("MD5Sha1Sum for \"%s\" is: %s - %s\n", argv[2], filesum1, filesum2);
return (0);
}
/* Read and generate the integrity data of a file */
static int read_file(const char *file_name, int opts, OSMatch *restriction)
{
char *buf;
char sha1s = '+';
struct stat statbuf;
/* Check if the file should be ignored */
if (syscheck.ignore) {
int i = 0;
while (syscheck.ignore[i] != NULL) {
if (strncasecmp(syscheck.ignore[i], file_name,
strlen(syscheck.ignore[i])) == 0) {
return (0);
}
i++;
}
}
/* Check in the regex entry */
if (syscheck.ignore_regex) {
int i = 0;
while (syscheck.ignore_regex[i] != NULL) {
if (OSMatch_Execute(file_name, strlen(file_name),
syscheck.ignore_regex[i])) {
return (0);
}
i++;
}
}
#ifdef WIN32
/* Win32 does not have lstat */
if (stat(file_name, &statbuf) < 0)
#else
if (lstat(file_name, &statbuf) < 0)
#endif
{
if(errno == ENOTDIR){
/*Deletion message sending*/
char alert_msg[PATH_MAX+4];
alert_msg[PATH_MAX + 3] = '\0';
snprintf(alert_msg, PATH_MAX + 4, "-1 %s", file_name);
send_syscheck_msg(alert_msg);
return (0);
}else{
merror("%s: Error accessing '%s'.", ARGV0, file_name);
return (-1);
}
}
if (S_ISDIR(statbuf.st_mode)) {
#ifdef DEBUG
verbose("%s: Reading dir: %s\n", ARGV0, file_name);
#endif
#ifdef WIN32
/* Directory links are not supported */
if (GetFileAttributes(file_name) & FILE_ATTRIBUTE_REPARSE_POINT) {
merror("%s: WARN: Links are not supported: '%s'", ARGV0, file_name);
return (-1);
}
#endif
return (read_dir(file_name, opts, restriction));
}
/* Restrict file types */
if (restriction) {
if (!OSMatch_Execute(file_name, strlen(file_name),
restriction)) {
return (0);
}
}
/* No S_ISLNK on Windows */
#ifdef WIN32
if (S_ISREG(statbuf.st_mode))
#else
if (S_ISREG(statbuf.st_mode) || S_ISLNK(statbuf.st_mode))
#endif
{
os_md5 mf_sum;
os_sha1 sf_sum;
os_sha1 sf_sum2;
os_sha1 sf_sum3;
/* Clean sums */
strncpy(mf_sum, "xxx", 4);
strncpy(sf_sum, "xxx", 4);
strncpy(sf_sum2, "xxx", 4);
strncpy(sf_sum3, "xxx", 4);
/* Generate checksums */
if ((opts & CHECK_MD5SUM) || (opts & CHECK_SHA1SUM)) {
/* If it is a link, check if dest is valid */
#ifndef WIN32
if (S_ISLNK(statbuf.st_mode)) {
struct stat statbuf_lnk;
if (stat(file_name, &statbuf_lnk) == 0) {
if (S_ISREG(statbuf_lnk.st_mode)) {
if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0) {
strncpy(mf_sum, "xxx", 4);
strncpy(sf_sum, "xxx", 4);
}
}
}
} else if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0)
#else
if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum, OS_BINARY) < 0)
#endif
{
strncpy(mf_sum, "xxx", 4);
strncpy(sf_sum, "xxx", 4);
}
if (opts & CHECK_SEECHANGES) {
sha1s = 's';
}
} else {
if (opts & CHECK_SEECHANGES) {
sha1s = 'n';
} else {
sha1s = '-';
}
}
buf = (char *) OSHash_Get(syscheck.fp, file_name);
if (!buf) {
char alert_msg[916 + 1]; /* to accommodate a long */
alert_msg[916] = '\0';
if (opts & CHECK_SEECHANGES) {
char *alertdump = seechanges_addfile(file_name);
if (alertdump) {
free(alertdump);
alertdump = NULL;
}
}
snprintf(alert_msg, 916, "%c%c%c%c%c%c%c%c%ld:%d:%d:%d:%s:%s:%s:%s:%ld:%ld",
opts & CHECK_SIZE ? '+' : '-',
opts & CHECK_PERM ? '+' : '-',
opts & CHECK_OWNER ? '+' : '-',
opts & CHECK_GROUP ? '+' : '-',
opts & CHECK_MD5SUM ? '+' : '-',
sha1s,
opts & CHECK_MTIME ? '+' : '-',
opts & CHECK_INODE ? '+' : '-',
opts & CHECK_SIZE ? (long)statbuf.st_size : 0,
opts & CHECK_PERM ? (int)statbuf.st_mode : 0,
opts & CHECK_OWNER ? (int)statbuf.st_uid : 0,
opts & CHECK_GROUP ? (int)statbuf.st_gid : 0,
opts & CHECK_MD5SUM ? mf_sum : "xxx",
opts & CHECK_SHA1SUM ? sf_sum : "xxx",
opts & CHECK_OWNER ? get_user(file_name, statbuf.st_uid) : "",
opts & CHECK_GROUP ? get_group(statbuf.st_gid) : "",
opts & CHECK_MTIME ? (long)statbuf.st_mtime : 0,
opts & CHECK_INODE ? (long)statbuf.st_ino : 0);
if (OSHash_Add(syscheck.fp, file_name, strdup(alert_msg)) <= 0) {
merror("%s: ERROR: Unable to add file to db: %s", ARGV0, file_name);
}
/* Send the new checksum to the analysis server */
alert_msg[916] = '\0';
snprintf(alert_msg, 916, "%ld:%d:%d:%d:%s:%s:%s:%s:%ld:%ld %s",
opts & CHECK_SIZE ? (long)statbuf.st_size : 0,
opts & CHECK_PERM ? (int)statbuf.st_mode : 0,
opts & CHECK_OWNER ? (int)statbuf.st_uid : 0,
opts & CHECK_GROUP ? (int)statbuf.st_gid : 0,
opts & CHECK_MD5SUM ? mf_sum : "xxx",
opts & CHECK_SHA1SUM ? sf_sum : "xxx",
opts & CHECK_OWNER ? get_user(file_name, statbuf.st_uid) : "",
opts & CHECK_GROUP ? get_group(statbuf.st_gid) : "",
opts & CHECK_MTIME ? (long)statbuf.st_mtime : 0,
opts & CHECK_INODE ? (long)statbuf.st_ino : 0,
file_name);
send_syscheck_msg(alert_msg);
} else {
char alert_msg[OS_MAXSTR + 1];
char c_sum[256 + 2];
c_sum[0] = '\0';
c_sum[256] = '\0';
alert_msg[0] = '\0';
alert_msg[OS_MAXSTR] = '\0';
/* If it returns < 0, we have already alerted */
if (c_read_file(file_name, buf, c_sum) < 0) {
return (0);
}
if (strcmp(c_sum, buf + 6) != 0) {
/* Send the new checksum to the analysis server */
alert_msg[OS_MAXSTR] = '\0';
char *fullalert = NULL;
if (buf[5] == 's' || buf[5] == 'n') {
fullalert = seechanges_addfile(file_name);
if (fullalert) {
snprintf(alert_msg, OS_MAXSTR, "%s %s\n%s", c_sum, file_name, fullalert);
free(fullalert);
fullalert = NULL;
} else {
snprintf(alert_msg, 916, "%s %s", c_sum, file_name);
}
} else {
snprintf(alert_msg, 916, "%s %s", c_sum, file_name);
}
send_syscheck_msg(alert_msg);
}
}
/* Sleep here too */
if (__counter >= (syscheck.sleep_after)) {
sleep(syscheck.tsleep);
__counter = 0;
}
__counter++;
#ifdef DEBUG
verbose("%s: file '%s %s'", ARGV0, file_name, mf_sum);
#endif
} else {
#ifdef DEBUG
verbose("%s: *** IRREG file: '%s'\n", ARGV0, file_name);
#endif
}
return (0);
}
/* Read file information and return a pointer to the checksum */
int c_read_file(const char *file_name, const char *oldsum, char *newsum)
{
int size = 0, perm = 0, owner = 0, group = 0, md5sum = 0, sha1sum = 0;
struct stat statbuf;
os_md5 mf_sum;
os_sha1 sf_sum;
/* Clean sums */
strncpy(mf_sum, "xxx", 4);
strncpy(sf_sum, "xxx", 4);
/* Stat the file */
#ifdef WIN32
if (stat(file_name, &statbuf) < 0)
#else
if (lstat(file_name, &statbuf) < 0)
#endif
{
char alert_msg[912 + 2];
alert_msg[912 + 1] = '\0';
snprintf(alert_msg, 912, "-1 %s", file_name);
send_syscheck_msg(alert_msg);
return (-1);
}
/* Get the old sum values */
/* size */
if (oldsum[0] == '+') {
size = 1;
}
/* perm */
if (oldsum[1] == '+') {
perm = 1;
}
/* owner */
if (oldsum[2] == '+') {
owner = 1;
}
/* group */
if (oldsum[3] == '+') {
group = 1;
}
/* md5 sum */
if (oldsum[4] == '+') {
md5sum = 1;
}
/* sha1 sum */
if (oldsum[5] == '+') {
sha1sum = 1;
} else if (oldsum[5] == 's') {
sha1sum = 1;
} else if (oldsum[5] == 'n') {
sha1sum = 0;
}
/* Generate new checksum */
#ifdef WIN32
if (S_ISREG(statbuf.st_mode))
#else
if (S_ISREG(statbuf.st_mode))
#endif
{
if (sha1sum || md5sum) {
/* Generate checksums of the file */
if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum) < 0) {
strncpy(sf_sum, "xxx", 4);
strncpy(mf_sum, "xxx", 4);
}
}
}
#ifndef WIN32
/* If it is a link, check if the actual file is valid */
else if (S_ISLNK(statbuf.st_mode)) {
struct stat statbuf_lnk;
if (stat(file_name, &statbuf_lnk) == 0) {
if (S_ISREG(statbuf_lnk.st_mode)) {
if (sha1sum || md5sum) {
/* Generate checksums of the file */
if (OS_MD5_SHA1_File(file_name, syscheck.prefilter_cmd, mf_sum, sf_sum) < 0) {
strncpy(sf_sum, "xxx", 4);
strncpy(mf_sum, "xxx", 4);
}
}
}
}
}
#endif
newsum[0] = '\0';
newsum[255] = '\0';
snprintf(newsum, 255, "%ld:%d:%d:%d:%s:%s",
size == 0 ? 0 : (long)statbuf.st_size,
perm == 0 ? 0 : (int)statbuf.st_mode,
owner == 0 ? 0 : (int)statbuf.st_uid,
group == 0 ? 0 : (int)statbuf.st_gid,
md5sum == 0 ? "xxx" : mf_sum,
sha1sum == 0 ? "xxx" : sf_sum);
return (0);
}
