/* Sends syscheck db to the server. */ void send_sk_db() { /* Sending scan start message */ if(syscheck.dir[0]) { merror("%s: INFO: Starting syscheck scan (forwarding database).", ARGV0); send_rootcheck_msg("Starting syscheck scan."); } else { sleep(syscheck.tsleep +10); return; } create_db(1); /* Sending scan ending message */ sleep(syscheck.tsleep +10); if(syscheck.dir[0]) { merror("%s: INFO: Ending syscheck scan (forwarding database).", ARGV0); send_rootcheck_msg("Ending syscheck scan."); } }
/* Periodically run the integrity checker */ void start_daemon() { int day_scanned = 0; int curr_day = 0; time_t curr_time = 0; time_t prev_time_rk = 0; time_t prev_time_sk = 0; char curr_hour[12]; struct tm *p; #ifdef INOTIFY_ENABLED /* To be used by select */ struct timeval selecttime; fd_set rfds; #endif /* SCHED_BATCH forces the kernel to assume this is a cpu intensive * process and gives it a lower priority. This keeps ossec-syscheckd * from reducing the interactity of an ssh session when checksumming * large files. This is available in kernel flavors >= 2.6.16. */ #ifdef SCHED_BATCH struct sched_param pri; int status; pri.sched_priority = 0; status = sched_setscheduler(0, SCHED_BATCH, &pri); debug1("%s: Setting SCHED_BATCH returned: %d", ARGV0, status); #endif #ifdef DEBUG verbose("%s: Starting daemon ..", ARGV0); #endif /* Some time to settle */ memset(curr_hour, '\0', 12); sleep(syscheck.tsleep * 10); /* If the scan time/day is set, reset the * syscheck.time/rootcheck.time */ if (syscheck.scan_time || syscheck.scan_day) { /* At least once a week */ syscheck.time = 604800; rootcheck.time = 604800; } /* Will create the db to store syscheck data */ if (syscheck.scan_on_start) { sleep(syscheck.tsleep * 15); send_sk_db(); } else { prev_time_rk = time(0); } /* Before entering in daemon mode itself */ prev_time_sk = time(0); sleep(syscheck.tsleep * 10); /* If the scan_time or scan_day is set, we need to handle the * current day/time on the loop. */ if (syscheck.scan_time || syscheck.scan_day) { curr_time = time(0); p = localtime(&curr_time); /* Assign hour/min/sec values */ snprintf(curr_hour, 9, "%02d:%02d:%02d", p->tm_hour, p->tm_min, p->tm_sec); curr_day = p->tm_mday; if (syscheck.scan_time && syscheck.scan_day) { if ((OS_IsAfterTime(curr_hour, syscheck.scan_time)) && (OS_IsonDay(p->tm_wday, syscheck.scan_day))) { day_scanned = 1; } } else if (syscheck.scan_time) { if (OS_IsAfterTime(curr_hour, syscheck.scan_time)) { day_scanned = 1; } } else if (syscheck.scan_day) { if (OS_IsonDay(p->tm_wday, syscheck.scan_day)) { day_scanned = 1; } } } /* Check every SYSCHECK_WAIT */ while (1) { int run_now = 0; curr_time = time(0); /* Check if syscheck should be restarted */ run_now = os_check_restart_syscheck(); /* Check if a day_time or scan_time is set */ if (syscheck.scan_time || syscheck.scan_day) { p = localtime(&curr_time); /* Day changed */ if (curr_day != p->tm_mday) { day_scanned = 0; curr_day = p->tm_mday; } /* Check for the time of the scan */ if (!day_scanned && syscheck.scan_time && syscheck.scan_day) { /* Assign hour/min/sec values */ snprintf(curr_hour, 9, "%02d:%02d:%02d", p->tm_hour, p->tm_min, p->tm_sec); if ((OS_IsAfterTime(curr_hour, syscheck.scan_time)) && (OS_IsonDay(p->tm_wday, syscheck.scan_day))) { day_scanned = 1; run_now = 1; } } else if (!day_scanned && syscheck.scan_time) { /* Assign hour/min/sec values */ snprintf(curr_hour, 9, "%02d:%02d:%02d", p->tm_hour, p->tm_min, p->tm_sec); if (OS_IsAfterTime(curr_hour, syscheck.scan_time)) { run_now = 1; day_scanned = 1; } } else if (!day_scanned && syscheck.scan_day) { /* Check for the day of the scan */ if (OS_IsonDay(p->tm_wday, syscheck.scan_day)) { run_now = 1; day_scanned = 1; } } } /* If time elapsed is higher than the rootcheck_time, run it */ if (syscheck.rootcheck) { if (((curr_time - prev_time_rk) > rootcheck.time) || run_now) { run_rk_check(); prev_time_rk = time(0); } } /* If time elapsed is higher than the syscheck time, run syscheck time */ if (((curr_time - prev_time_sk) > syscheck.time) || run_now) { if (syscheck.scan_on_start == 0) { /* Need to create the db if scan on start is not set */ sleep(syscheck.tsleep * 10); send_sk_db(); sleep(syscheck.tsleep * 10); syscheck.scan_on_start = 1; } else { /* Send scan start message */ if (syscheck.dir[0]) { merror("%s: INFO: Starting syscheck scan.", ARGV0); send_rootcheck_msg("Starting syscheck scan."); } #ifdef WIN32 /* Check for registry changes on Windows */ os_winreg_check(); #endif /* Check for changes */ run_dbcheck(); } /* Send scan ending message */ sleep(syscheck.tsleep + 20); if (syscheck.dir[0]) { merror("%s: INFO: Ending syscheck scan.", ARGV0); send_rootcheck_msg("Ending syscheck scan."); } /* Send database completed message */ send_syscheck_msg(HC_SK_DB_COMPLETED); debug2("%s: DEBUG: Sending database completed message.", ARGV0); prev_time_sk = time(0); } #ifdef INOTIFY_ENABLED if (syscheck.realtime && (syscheck.realtime->fd >= 0)) { selecttime.tv_sec = SYSCHECK_WAIT; selecttime.tv_usec = 0; /* zero-out the fd_set */ FD_ZERO (&rfds); FD_SET(syscheck.realtime->fd, &rfds); run_now = select(syscheck.realtime->fd + 1, &rfds, NULL, NULL, &selecttime); if (run_now < 0) { merror("%s: ERROR: Select failed (for realtime fim).", ARGV0); sleep(SYSCHECK_WAIT); } else if (run_now == 0) { /* Timeout */ } else if (FD_ISSET (syscheck.realtime->fd, &rfds)) { realtime_process(); } } else { sleep(SYSCHECK_WAIT); } #elif defined(WIN32) if (syscheck.realtime && (syscheck.realtime->fd >= 0)) { run_now = WaitForSingleObjectEx(syscheck.realtime->evt, SYSCHECK_WAIT * 1000, TRUE); if (run_now == WAIT_FAILED) { merror("%s: ERROR: WaitForSingleObjectEx failed (for realtime fim).", ARGV0); sleep(SYSCHECK_WAIT); } else { sleep(1); } } else { sleep(SYSCHECK_WAIT); } #else sleep(SYSCHECK_WAIT); #endif } }