[Aide-commits] aide branch, master, updated. v0.16a2-44-g6ce615f
From: Hannes v. H. <hvh...@us...> - 2016-04-06 21:46:08
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "aide". The branch, master has been updated via 6ce615f2c1ccb63ccc8bc2e328b3b58a04f338f5 (commit) from 0bafb5f93445b0a9895248ba6759b241773a01b2 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 6ce615f2c1ccb63ccc8bc2e328b3b58a04f338f5 Author: Hannes von Haugwitz <ha...@vo...> Date: Wed Apr 6 23:42:02 2016 +0200 Support restricted selection lines diff --git a/ChangeLog b/ChangeLog index 1e36fcf..39adf66 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +2016-04-06 Hannes von Haugwitz <ha...@vo...> + * Support restricted selection lines + 2016-04-02 Hannes von Haugwitz <ha...@vo...> * Adjust file type letters diff --git a/NEWS b/NEWS index ae9e778..a3059bb 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,7 @@ Version 0.16 (NOT_YET_RELEASED) * Enabled summarize_changes by default * Switch to PCRE library * Fix '.*'-rule matching + * Support restricted selection lines * Add new '--limit' parameter * Sort entries of database file * Compare database entries just once diff --git a/doc/aide.conf.5.in b/doc/aide.conf.5.in index e1945a0..fc12c1f 100644 --- a/doc/aide.conf.5.in +++ b/doc/aide.conf.5.in 
@@ -225,6 +225,90 @@ More in-depth discussion of the selection algorithm can be found in the aide manual. .IP .PP +.SH "RESTRICTED SELECTION LINES" +.PP +Restricted selection lines are like normal selection lines but can be +restricted to file types. The following file types are supported: + +.RS + +\fBf\fP: restrict rule to regular files + +\fBd\fP: restrict rule to directories + +\fBl\fP: restrict rule to symbolic links + +\fBc\fP: restrict rule to character devices + +\fBb\fP: restrict rule to block devices + +\fBp\fP: restrict rule to FIFO files + +\fBs\fP: restrict rule to unix sockets + +\fBD\fP: restrict rule to Solaris doors + +\fBP\fP: restrict rule to Solaris event ports +.RE + +The file types are separated by comma. The syntax of restricted +selection lines is as follows: + +Restricted regular selection line: +.RS 3 +.nf +.B /<regex> <file types> <group> +.fi +.RE + +Restricted negative selection line: +.RS 3 +.nf +.B !<regex> <file types> +.fi +.RE + +Restricted equals selection line: +.RS 3 +.nf +.B =<regex> <file types> <group> +.fi +.RE + +.B Examples +.RS 3 +Only add directories and files to the database: + +.RS 3 +.nf +.B / d,f R +.fi +.RE +.RE + +.RS 3 +Add all but directory entries to the database: + +.RS 3 +.nf +.B !/run d +.B /run R +.fi +.RE +.RE + +.RS 3 +Use specific rule for directories: + +.RS 3 +.nf +.B /run d R-m-c-i +.B /run R +.fi +.RE +.RE + +.PP .SH "MACRO LINES" .PP .IP "@@define \fBVAR\fR \fBval\fR" diff --git a/include/commandconf.h b/include/commandconf.h index 64cf22c..956233a 100644 --- a/include/commandconf.h +++ b/include/commandconf.h @@ -1,6 +1,6 @@ /* aide, Advanced Intrusion Detection Environment * - * Copyright (C) 1999-2002,2006,2011,2015 Rami Lehti, Pablo Virolainen, + * Copyright (C) 1999-2002,2006,2011,2015,2016 Rami Lehti, Pablo Virolainen, * Richard van den Berg, Hannes von Haugwitz * $Header$ * 
@@ -22,6 +22,7 @@ #ifndef _COMMANDCONF_H_INCLUDED #define _COMMANDCONF_H_INCLUDED #include "list.h" +#include "gen_list.h" #include "db_config.h" extern long conf_lineno; @@ -32,7 +33,7 @@ int commandconf(const char mode,const char* line); int conf_input_wrapper(char* buf, int max_size, FILE* in); int db_input_wrapper(char* buf, int max_size, int db); -list* append_rxlist(char*,DB_ATTR_TYPE,list*); +list* append_rxlist(char*,DB_ATTR_TYPE,list*, RESTRICTION_TYPE); void do_define(char*,char*); @@ -44,6 +45,8 @@ int do_ifxhost(int,char*); void do_groupdef(char*,DB_ATTR_TYPE); +RESTRICTION_TYPE get_restrictionval(char*); + DB_ATTR_TYPE get_groupval(char*); void putbackvariable(char*); diff --git a/include/gen_list.h b/include/gen_list.h index ed2b7b8..c4d9c10 100644 --- a/include/gen_list.h +++ b/include/gen_list.h @@ -25,6 +25,18 @@ #include "seltree.h" #include "list.h" +#define RESTRICTION_TYPE unsigned int +#define RESTRICTION_FT_REG (1U<<0) /* file */ +#define RESTRICTION_FT_DIR (1U<<1) /* dir */ +#define RESTRICTION_FT_FIFO (1U<<2) /* fifo */ +#define RESTRICTION_FT_LNK (1U<<3) /* link */ +#define RESTRICTION_FT_BLK (1U<<4) /* block device */ +#define RESTRICTION_FT_CHR (1U<<5) /* char device */ +#define RESTRICTION_FT_SOCK (1U<<6) /* socket */ +#define RESTRICTION_FT_DOOR (1U<<7) /* door */ +#define RESTRICTION_FT_PORT (1U<<8) /* port */ +#define RESTRICTION_NULL 0U + /* DB_FOO are anded together to form rx_rule's attr */ typedef struct rx_rule { @@ -32,6 +44,7 @@ typedef struct rx_rule { pcre* crx; /* Compiled regexp */ DB_ATTR_TYPE attr; /* Which attributes to save */ long conf_lineno; /* line no. of rule definition*/ + RESTRICTION_TYPE restriction; } rx_rule; int compare_node_by_path(const void *n1, const void *n2); diff --git a/src/commandconf.c b/src/commandconf.c index 54d5118..c570588 100644 --- a/src/commandconf.c +++ b/src/commandconf.c 
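Review bot: `#define RESTRICTION_TYPE unsigned int` in the gen_list.h hunk introduces a type through the preprocessor, which gives the compiler and debugger no name to work with and cannot be forward-declared; a `typedef unsigned int RESTRICTION_TYPE;` placed before the `RESTRICTION_FT_*` bits does the same job and matches how `DB_ATTR_TYPE` is consumed by the rest of these headers. The bit definitions themselves would also benefit from a one-line comment stating that a value of `RESTRICTION_NULL` on an `rx_rule` means "no type restriction", since that is the sentinel `check_list_for_match` later tests with `!restriction`, e.g. `/* 0 == rule applies to every file type */`. The `rx_rule` struct is only partially visible here, so its other fields are outside the hunk.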
@@ -714,7 +714,7 @@ int do_ifxhost(int mode,char* name) return (handle_endif(doit,1)); } -list* append_rxlist(char* rx,DB_ATTR_TYPE attr,list* rxlst) +list* append_rxlist(char* rx,DB_ATTR_TYPE attr,list* rxlst, RESTRICTION_TYPE restriction) { extern long conf_lineno; /* defined & set in conf_lex.l */ @@ -723,6 +723,7 @@ list* append_rxlist(char* rx,DB_ATTR_TYPE attr,list* rxlst) r->rx=rx; r->attr=attr; r->conf_lineno = conf_lineno; + r->restriction = restriction; if (attr&DB_CHECKINODE && attr&DB_CTIME) error(20,"Rule at line %li has c and I flags enabled at the same time. If same inode is found, flag c is ignored\n",conf_lineno); update_db_out_order(r->attr); @@ -748,6 +749,19 @@ void do_groupdef(char* group,DB_ATTR_TYPE value) conf->groupsyms=list_append(conf->groupsyms,(void*)s); } +RESTRICTION_TYPE get_restrictionval(char* ch) { + if (strcmp(ch, "f") == 0) { return RESTRICTION_FT_REG; } + else if (strcmp(ch, "d") == 0) { return RESTRICTION_FT_DIR; } + else if (strcmp(ch, "p") == 0) { return RESTRICTION_FT_FIFO; } + else if (strcmp(ch, "l") == 0) { return RESTRICTION_FT_LNK; } + else if (strcmp(ch, "b") == 0) { return RESTRICTION_FT_BLK; } + else if (strcmp(ch, "c") == 0) { return RESTRICTION_FT_CHR; } + else if (strcmp(ch, "s") == 0) { return RESTRICTION_FT_SOCK; } + else if (strcmp(ch, "D") == 0) { return RESTRICTION_FT_DOOR; } + else if (strcmp(ch, "P") == 0) { return RESTRICTION_FT_PORT; } + else { return RESTRICTION_NULL; } +} + DB_ATTR_TYPE get_groupval(char* group) { list* r=NULL; diff --git a/src/conf_lex.l b/src/conf_lex.l index 4f828e0..b08d7a7 100644 --- a/src/conf_lex.l +++ b/src/conf_lex.l @@ -35,6 +35,7 @@ EX [" "\t]* #include "aide.h" #include <string.h> +#include "gen_list.h" #include "conf_yacc.h" #include "list.h" #include "symboltable.h" @@ -120,6 +121,9 @@ int var_in_conflval=0; return('='); } +<EXPR>, { + return (','); +} <EXPR>[\ \t]*({L}|{D}|">")+ { conflval.s=strdup(conftext+firstnotempty(conftext)); 
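Review bot: `get_restrictionval` in the commandconf.c hunk accepts `D` and `P` on every platform, but the matching side only ever produces `RESTRICTION_FT_DOOR`/`RESTRICTION_FT_PORT` where `S_IFDOOR`/`S_IFPORT` exist, so on Linux or BSD a rule restricted to `D` or `P` parses cleanly and then silently never matches anything. A configuration that quietly covers nothing is the worst outcome for an integrity checker; either reject those letters when the macros are absent, or at least log it, e.g. `#ifndef S_IFDOOR error(3,"Restriction 'D' (door) is not supported on this platform\n"); #endif` before returning. The parameter could also be `const char* ch`, since the function only reads it, and a short header comment stating that `RESTRICTION_NULL` is the "unknown letter" return would help callers that must distinguish it from a valid bit.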
diff --git a/src/conf_yacc.y b/src/conf_yacc.y index d2205a4..99d0433 100644 --- a/src/conf_yacc.y +++ b/src/conf_yacc.y @@ -45,6 +45,7 @@ extern long conf_lineno; %union { char* s; DB_ATTR_TYPE i; + RESTRICTION_TYPE r; } @@ -144,6 +145,7 @@ extern long conf_lineno; %token TERROR %token TEOF +%type <r> restriction %type <i> expr %type <i> hash %type <i> primary other @@ -182,15 +184,22 @@ line : rule | equrule | negrule | definestmt | undefstmt } ; rule : TSELRXRULE expr newlineoreof -{ decode_string($1); conf->selrxlst=append_rxlist($1,$2,conf->selrxlst); } ; +{ decode_string($1); conf->selrxlst=append_rxlist($1,$2,conf->selrxlst, RESTRICTION_NULL); } ; equrule : TEQURXRULE expr newlineoreof -{ decode_string($1); conf->equrxlst=append_rxlist($1,$2,conf->equrxlst); } ; +{ decode_string($1); conf->equrxlst=append_rxlist($1,$2,conf->equrxlst, RESTRICTION_NULL); } ; negrule : TNEGRXRULE newlineoreof -{ decode_string($1); conf->negrxlst=append_rxlist($1,0,conf->negrxlst); } | - TNEGRXRULE expr newlineoreof -{ decode_string($1); conf->negrxlst=append_rxlist($1,0,conf->negrxlst); }; +{ decode_string($1); conf->negrxlst=append_rxlist($1,0,conf->negrxlst, RESTRICTION_NULL); }; + +rule : TSELRXRULE restriction expr newlineoreof +{ decode_string($1); conf->selrxlst=append_rxlist($1,$3,conf->selrxlst, $2); } ; + +equrule : TEQURXRULE restriction expr newlineoreof +{ decode_string($1); conf->equrxlst=append_rxlist($1,$3,conf->equrxlst, $2); } ; + +negrule : TNEGRXRULE restriction newlineoreof +{ decode_string($1); conf->negrxlst=append_rxlist($1,0,conf->negrxlst, $2); }; newlineoreof : TNEWLINE | TEOF { 
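Review bot: The rewritten `negrule` in the conf_yacc.y hunk drops the old `TNEGRXRULE expr newlineoreof` alternative, so an existing configuration line such as `!/dev R` (previously accepted, with the group silently ignored) now reaches `restriction`, where `get_restrictionval("R")` returns `RESTRICTION_NULL` and the parse aborts with "Error in restriction". That message will be confusing for users upgrading a working aide.conf, since nothing on that line looks like a restriction to them. Consider keeping a compatibility alternative that warns, e.g. `| TNEGRXRULE expr newlineoreof { decode_string($1); error(1,"Ignoring attribute expression on negative rule at line %li\n",conf_lineno); conf->negrxlst=append_rxlist($1,0,conf->negrxlst, RESTRICTION_NULL); }`, or call the removal out in NEWS so the behaviour change is deliberate and documented.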
@@ -198,6 +207,17 @@ newlineoreof : TNEWLINE | YYACCEPT; } ; +restriction : restriction ',' restriction { $$ =$1 | $3 ; } + | TSTRING { + if((retval=get_restrictionval($1)) != RESTRICTION_NULL) { + $$=retval; + } else { + conf_lineno++; + conferror("Error in restriction"); + YYABORT; + } + }; + expr : expr '+' expr { $$ =$1 | $3 ; } | expr '-' expr { $$ =$1 & (~$3 ); } | primary { $$ =$1 ;} ; diff --git a/src/db_file.c b/src/db_file.c index cff7b0c..e4adef1 100644 --- a/src/db_file.c +++ b/src/db_file.c @@ -32,6 +32,7 @@ #include "types.h" #include "base64.h" #include "db_file.h" +#include "gen_list.h" #include "conf_yacc.h" #include "util.h" #include "db_sql.h" /* typedefs */ diff --git a/src/db_lex.l b/src/db_lex.l index ef1f107..5c15db1 100644 --- a/src/db_lex.l +++ b/src/db_lex.l @@ -22,7 +22,7 @@ extern YYSTYPE yylval; /* aide, Advanced Intrusion Detection Environment * - * Copyright (C) 1999-2002,2005,2010,2013 Rami Lehti,Pablo Virolainen, + * Copyright (C) 1999-2002,2005,2010,2013,2016 Rami Lehti,Pablo Virolainen, * Richard van den Berg, Hannes von Haugwitz * $Header$ * @@ -48,6 +48,7 @@ extern YYSTYPE yylval; #define YYDEBUG 1 #include "aide.h" +#include "gen_list.h" #include "conf_yacc.h" #include <string.h> #include "report.h" diff --git a/src/gen_list.c b/src/gen_list.c index c18ef4d..20edb36 100644 --- a/src/gen_list.c +++ b/src/gen_list.c @@ -523,6 +523,7 @@ void gen_seltree(list* rxlist,seltree* tree,char type) rxc->crx=rxtmp; rxc->attr=curr_rule->attr; rxc->conf_lineno=curr_rule->conf_lineno; + rxc->restriction=curr_rule->restriction; switch (type){ case 's':{ 
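Review bot: `restriction : restriction ',' restriction` in the conf_yacc.y hunk is both left- and right-recursive with no precedence declared for `','` in the visible part of the file, so yacc/bison will report a shift/reduce conflict and resolve it by shifting; the result is still correct here only because `|` is associative, which is fragile and hides a warning that may mask real conflicts later. Unless a `%left ','` declaration exists outside the hunk, prefer the unambiguous form `restriction : restriction ',' TSTRING | TSTRING` with the `get_restrictionval` lookup in both alternatives. The error branch also mirrors the existing `primary` idiom of bumping `conf_lineno` before `conferror`; a one-line comment such as `/* lexer has already consumed the newline, correct the reported line */` would make that non-obvious increment safe to keep in sync with its sibling rule.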
@@ -546,7 +547,30 @@ void gen_seltree(list* rxlist,seltree* tree,char type)
 }
 }
-static int check_list_for_match(list* rxrlist,char* text,DB_ATTR_TYPE* attr)
+static RESTRICTION_TYPE get_file_type(mode_t mode) {
+ switch (mode & S_IFMT) {
+ case S_IFREG: return RESTRICTION_FT_REG;
+ case S_IFDIR: return RESTRICTION_FT_DIR;
+#ifdef S_IFIFO
+ case S_IFIFO: return RESTRICTION_FT_FIFO;
+#endif
+ case S_IFLNK: return RESTRICTION_FT_LNK;
+ case S_IFBLK: return RESTRICTION_FT_BLK;
+ case S_IFCHR: return RESTRICTION_FT_CHR;
+#ifdef S_IFSOCK
+ case S_IFSOCK: return RESTRICTION_FT_SOCK;
+#endif
+#ifdef S_IFDOOR
+ case S_IFDOOR: return RESTRICTION_FT_DOOR;
+#endif
+#ifdef S_IFDOOR
+ case S_IFPORT: return RESTRICTION_FT_PORT;
+#endif
+ default: return RESTRICTION_NULL;
+ }
+}
+
+static int check_list_for_match(list* rxrlist,char* text,DB_ATTR_TYPE* attr, RESTRICTION_TYPE file_type)
 {
 list* r=NULL;
 int retval=1;
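Review bot: The second `#ifdef S_IFDOOR` guard in `get_file_type` wraps the `case S_IFPORT:` arm, which is a copy-paste slip: a platform that defines `S_IFDOOR` but not `S_IFPORT` fails to compile, and one defining only `S_IFPORT` never reaches the arm, so the documented `P` restriction silently matches nothing there. The guard should read `#ifdef S_IFPORT` around `case S_IFPORT: return RESTRICTION_FT_PORT;`. It would also be worth a comment on the `default:` arm that an unrecognised type yields `RESTRICTION_NULL`, which makes every restricted rule fail for that file (the safe direction, but callers should know it), e.g. `/* unknown type: no restricted rule can match it */`.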
@@ -555,9 +579,15 @@ static int check_list_for_match(list* rxrlist,char* text,DB_ATTR_TYPE* attr)
 for(r=rxrlist;r;r=r->next){
 pcre_retval=pcre_exec((pcre*)((rx_rule*)r->data)->crx, pcre_extra, text, strlen(text), 0, PCRE_PARTIAL_SOFT, NULL, 0);
 if (pcre_retval >= 0) {
- *attr=((rx_rule*)r->data)->attr;
- error(231,"\"%s\" matches (pcre_exec return value: %i) rule from line #%ld: %s\n",text, pcre_retval, ((rx_rule*)r->data)->conf_lineno,((rx_rule*)r->data)->rx);
- return 0;
+ error(231,"\"%s\" matches (pcre_exec return value: %i) rule from line #%ld: %s\n",text, pcre_retval, ((rx_rule*)r->data)->conf_lineno,((rx_rule*)r->data)->rx);
+ if (!((rx_rule*)r->data)->restriction || file_type&((rx_rule*)r->data)->restriction) {
+ *attr=((rx_rule*)r->data)->attr;
+ error(231,"\"%s\" matches restriction (%u) for rule from line #%ld: %s\n",text, ((rx_rule*)r->data)->restriction, ((rx_rule*)r->data)->conf_lineno,((rx_rule*)r->data)->rx);
+ return 0;
+ } else {
+ error(232,"\"%s\" doesn't match restriction (%u) for rule from line #%ld: %s\n",text, ((rx_rule*)r->data)->restriction, ((rx_rule*)r->data)->conf_lineno,((rx_rule*)r->data)->rx);
+ retval=-1;
+ }
 } else if (pcre_retval == PCRE_ERROR_PARTIAL) {
 error(232,"\"%s\" PARTIAL matches (pcre_exec return value: %i) rule from line #%ld: %s\n",text, pcre_retval, ((rx_rule*)r->data)->conf_lineno,((rx_rule*)r->data)->rx);
 retval=-1;
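Review bot: The `else` branch in `check_list_for_match` folds a full regex match whose file type is excluded into the same `retval=-1` that `PCRE_ERROR_PARTIAL` uses, so the caller cannot distinguish "wrong type" from "prefix match", and this deserves an explanatory comment because it is not obviously intentional. If the intent is that a directory excluded by type is still descended into so that a `/foo f R` rule can pick up the files under `/foo`, then `-1` is the right value and the branch should say so, e.g. `/* regex matched but type is excluded: report partial so directories are still traversed */`; if that is not the intent, the branch should leave `retval` untouched and continue. The loop also keeps scanning after the mismatch, so a later unrestricted rule with the same regex still wins, which the man-page example relies on; the remainder of the loop and the function's return are outside this hunk.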
@@ -587,18 +617,21 @@ static int check_list_for_match(list* rxrlist,char* text,DB_ATTR_TYPE* attr)
 static int check_node_for_match(seltree*node,char*text, mode_t perm, int retval,DB_ATTR_TYPE* attr)
 {
 int top=0;
+ RESTRICTION_TYPE file_type;
 if(node==NULL){
 return retval;
 }
+ file_type = get_file_type(perm);
+
 /* if this call is not recursive we check the equals list and we set top *
 * and retval so we know following calls are recursive */
 if(!(retval&16)){
 top=1;
 retval|=16;
- switch (check_list_for_match(node->equ_rx_lst,text,attr)) {
+ switch (check_list_for_match(node->equ_rx_lst, text, attr, file_type)) {
 case 0: {
 error(220, "check_node_for_match: equal match for '%s'\n", text);
 retval|=2|4;
@@ -617,7 +650,7 @@ static int check_node_for_match(seltree*node,char*text, mode_t perm, int retval,
 /* If 4 and 8 are not set, we will check for matches */
 if(!(retval&(4|8))){
- switch (check_list_for_match(node->sel_rx_lst,text,attr)) {
+ switch (check_list_for_match(node->sel_rx_lst, text, attr, file_type)) {
 case 0: {
 error(220, "check_node_for_match: selective match for '%s'\n", text);
 retval|=1|8;
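Review bot: `file_type = get_file_type(perm);` in `check_node_for_match` silently assumes the `perm` argument carries the full `st_mode` including the `S_IFMT` bits and that it comes from `lstat()`; the callers are outside this hunk, so I cannot confirm either. If a caller masks `perm` down to permission bits, `get_file_type` returns `RESTRICTION_NULL` and every restricted rule fails without any diagnostic; if the mode comes from `stat()` rather than `lstat()`, the `l` restriction can never match and symlinks are classified as their targets, which would quietly defeat a rule like `!/etc l`. Please document the contract on the parameter, e.g. `/* perm: full st_mode from lstat(); only the S_IFMT bits are used for type restrictions */`, and ideally log at the 231 level when `file_type == RESTRICTION_NULL` so a masked mode is visible in debug output. The function continues past the end of the hunk.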
@@ -638,7 +671,7 @@ static int check_node_for_match(seltree*node,char*text, mode_t perm, int retval, /* Negative regexps are the strongest so they are checked last */ /* If this file is to be added */ if(retval){ - if(!check_list_for_match(node->neg_rx_lst,text,attr)){ + if(!check_list_for_match(node->neg_rx_lst, text, attr, file_type)){ error(220, "check_node_for_match: negative match for '%s'\n", text); retval=0; } ----------------------------------------------------------------------- Summary of changes: ChangeLog | 3 ++ NEWS | 1 + doc/aide.conf.5.in | 84 +++++++++++++++++++++++++++++++++++++++++++++++++ include/commandconf.h | 7 +++- include/gen_list.h | 13 +++++++ src/commandconf.c | 16 +++++++++- src/conf_lex.l | 4 ++ src/conf_yacc.y | 30 ++++++++++++++--- src/db_file.c | 1 + src/db_lex.l | 3 +- src/gen_list.c | 47 +++++++++++++++++++++++---- 11 files changed, 193 insertions(+), 16 deletions(-) hooks/post-receive -- aide |