V2.9.4 - More backporting

active-response/ossec-slack.sh

@@ -24,22 +24,22 @@ ALERTLAST=`echo "$ALERTID" | cut -d  "." -f 2`
 cd $LOCAL
 cd ../
 PWD=`pwd`
-echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log
-ALERTFULL=`grep -A 10 "$ALERTTIME" ${PWD}/../logs/alerts/alerts.log | grep -v ".$ALERTLAST: " -A 10 | grep -v "Src IP: " | grep -v "User: " |grep "Rule: " -A 4 | cut -c -139 | sed 's/\"//g'`
+echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../../logs/active-responses.log
+ALERTFULL=`grep -A 10 "$ALERTTIME" ${PWD}/../../logs/alerts/alerts.log | grep -v ".$ALERTLAST: " -A 10 | grep -v "Src IP: " | grep -v "User: " |grep "Rule: " -A 4 | cut -c -139 | sed 's/\"//g'`
 
 PAYLOAD='{"channel": "'"$CHANNEL"'", "username": "'"$SLACKUSER"'", "text": "'"${ALERTFULL}"'"}'
 
 ls "`which curl`" > /dev/null 2>&1
 if [ ! $? = 0 ]; then
     ls "`which wget`" > /dev/null 2>&1
     if [ $? = 0 ]; then
-        wget --keep-session-cookies --post-data="${PAYLOAD}" ${SITE} 2>>${PWD}/../logs/active-responses.log
+        wget --keep-session-cookies --post-data="${PAYLOAD}" ${SITE} 2>>${PWD}/../../logs/active-responses.log
         exit 0;
     fi
 else
-    curl -X POST --data-urlencode "payload=${PAYLOAD}" ${SITE} 2>>${PWD}/../logs/active-responses.log
+    curl -X POST --data-urlencode "payload=${PAYLOAD}" ${SITE} 2>>${PWD}/../../logs/active-responses.log
     exit 0;
 fi
 
-echo "`date` $0: Unable to find curl or wget." >> ${PWD}/../logs/active-responses.log
+echo "`date` $0: Unable to find curl or wget." >> ${PWD}/../../logs/active-responses.log
 exit 1;

src/client-agent/receiver-win.c

@@ -151,7 +151,7 @@ void *receiver_thread(__attribute__((unused)) void *none)
                              SHAREDCFG_DIR,
                              tmp_msg);
 
-                    fp = fopen(file, "w");
+                    fp = fopen(file, "wb");
                     if (!fp) {
                         merror(FOPEN_ERROR, ARGV0, file, errno, strerror(errno));
                     }

src/os_net/os_net.c

@@ -68,6 +68,11 @@ int OS_Bindport(char *_port, unsigned int _proto, const char *_ip)
     }
 
     s = getaddrinfo(_ip, _port, &hints, &result);
+    /* Try to support legacy ipv4 only hosts */
+    if((s == EAI_FAMILY) || (s == EAI_NONAME)) {
+        hints.ai_family = AF_INET;
+        s = getaddrinfo(_ip, _port, &hints, &result);
+    }
     if (s != 0) {
         verbose("getaddrinfo: %s", gai_strerror(s));
         return(OS_INVALID);

src/syscheckd/create_db.c

@@ -12,6 +12,10 @@
 #include "os_crypto/md5/md5_op.h"
 #include "os_crypto/sha1/sha1_op.h"
 #include "os_crypto/md5_sha1/md5_sha1_op.h"
+#ifdef WIN32
+#include <aclapi.h>
+#include <sddl.h>
+#endif
 
 /* Prototypes */
 static int read_file(const char *dir_name, int opts, OSMatch *restriction)  __attribute__((nonnull(1)));
@@ -152,15 +156,15 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction)
             char alert_msg[916 + 1];    /* to accommodate a long */
             alert_msg[916] = '\0';
 
-            #ifndef WIN32
+#ifndef WIN32
             if (opts & CHECK_SEECHANGES) {
                 char *alertdump = seechanges_addfile(file_name);
                 if (alertdump) {
                     free(alertdump);
                     alertdump = NULL;
                 }
             }
-            #endif
+#endif
 
             snprintf(alert_msg, 916, "%c%c%c%c%c%c%ld:%d:%d:%d:%s:%s",
                      opts & CHECK_SIZE ? '+' : '-',
@@ -183,6 +187,7 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction)
             /* Send the new checksum to the analysis server */
             alert_msg[916] = '\0';
 
+#ifndef WIN32
             snprintf(alert_msg, 916, "%ld:%d:%d:%d:%s:%s %s",
                      opts & CHECK_SIZE ? (long)statbuf.st_size : 0,
                      opts & CHECK_PERM ? (int)statbuf.st_mode : 0,
@@ -191,6 +196,51 @@ static int read_file(const char *file_name, int opts, OSMatch *restriction)
                      opts & CHECK_MD5SUM ? mf_sum : "xxx",
                      opts & CHECK_SHA1SUM ? sf_sum : "xxx",
                      file_name);
+#else	//WIN32
+            HANDLE hFile = CreateFile(file_name, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+            if (hFile == INVALID_HANDLE_VALUE) {
+                DWORD dwErrorCode = GetLastError();
+                char alert_msg[PATH_MAX+4];
+                alert_msg[PATH_MAX + 3] = '\0';
+                snprintf(alert_msg, PATH_MAX + 4, "CreateFile=%ld %s", dwErrorCode, file_name);
+                send_syscheck_msg(alert_msg);
+                return -1;
+            }
+
+            PSID pSidOwner = NULL;
+            PSECURITY_DESCRIPTOR pSD = NULL;
+            DWORD dwRtnCode = GetSecurityInfo(hFile, SE_FILE_OBJECT, OWNER_SECURITY_INFORMATION, &pSidOwner, NULL, NULL, NULL, &pSD);
+            if (dwRtnCode != ERROR_SUCCESS) {
+                DWORD dwErrorCode = GetLastError();
+                CloseHandle(hFile);
+                char alert_msg[PATH_MAX+4];
+                alert_msg[PATH_MAX + 3] = '\0';
+                snprintf(alert_msg, PATH_MAX + 4, "GetSecurityInfo=%ld %s", dwErrorCode, file_name);
+                send_syscheck_msg(alert_msg);
+                return -1;
+            }
+
+            LPSTR szSID = NULL;
+            ConvertSidToStringSid(pSidOwner, &szSID);
+            char* st_uid = NULL;
+            if(szSID) {
+              st_uid = (char *) calloc(strlen(szSID) + 1, 1);
+              memcpy(st_uid, szSID, strlen(szSID));
+            }
+            LocalFree(szSID);
+            CloseHandle(hFile);
+
+            snprintf(alert_msg, 916, "%ld:%d:%s:%d:%s:%s %s",
+                     opts & CHECK_SIZE ? (long)statbuf.st_size : 0,
+                     opts & CHECK_PERM ? (int)statbuf.st_mode : 0,
+                     (opts & CHECK_OWNER) ? st_uid : "0",
+                     opts & CHECK_GROUP ? (int)statbuf.st_gid : 0,
+                     opts & CHECK_MD5SUM ? mf_sum : "xxx",
+                     opts & CHECK_SHA1SUM ? sf_sum : "xxx",
+                     file_name);
+            free(st_uid);
+#endif
+
             send_syscheck_msg(alert_msg);
         } else {
             char alert_msg[OS_MAXSTR + 1];

src/syscheckd/run_check.c

@@ -12,6 +12,10 @@
 #define _GNU_SOURCE
 #include <sched.h>
 #endif
+#ifdef WIN32
+#include <aclapi.h>
+#include <sddl.h>
+#endif
 
 #include "shared.h"
 #include "syscheck.h"
@@ -398,13 +402,58 @@ int c_read_file(const char *file_name, const char *oldsum, char *newsum)
 
     newsum[0] = '\0';
     newsum[255] = '\0';
+#ifndef WIN32
     snprintf(newsum, 255, "%ld:%d:%d:%d:%s:%s",
              size == 0 ? 0 : (long)statbuf.st_size,
              perm == 0 ? 0 : (int)statbuf.st_mode,
              owner == 0 ? 0 : (int)statbuf.st_uid,
              group == 0 ? 0 : (int)statbuf.st_gid,
              md5sum   == 0 ? "xxx" : mf_sum,
              sha1sum  == 0 ? "xxx" : sf_sum);
+#else
+    HANDLE hFile = CreateFile(file_name, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+    if (hFile == INVALID_HANDLE_VALUE) {
+        DWORD dwErrorCode = GetLastError();
+        char alert_msg[PATH_MAX+4];
+        alert_msg[PATH_MAX + 3] = '\0';
+        snprintf(alert_msg, PATH_MAX + 4, "CreateFile=%ld %s", dwErrorCode, file_name);
+        send_syscheck_msg(alert_msg);
+        return -1;
+    }
+
+    PSID pSidOwner = NULL;
+    PSECURITY_DESCRIPTOR pSD = NULL;
+    DWORD dwRtnCode = GetSecurityInfo(hFile, SE_FILE_OBJECT, OWNER_SECURITY_INFORMATION, &pSidOwner, NULL, NULL, NULL, &pSD);
+    if (dwRtnCode != ERROR_SUCCESS) {
+        DWORD dwErrorCode = GetLastError();
+        CloseHandle(hFile);
+        char alert_msg[PATH_MAX+4];
+        alert_msg[PATH_MAX + 3] = '\0';
+        snprintf(alert_msg, PATH_MAX + 4, "GetSecurityInfo=%ld %s", dwErrorCode, file_name);
+        send_syscheck_msg(alert_msg);
+        return -1;
+    }
+
+    LPSTR szSID = NULL;
+    ConvertSidToStringSid(pSidOwner, &szSID);
+    char* st_uid = NULL;
+    if( szSID ) {
+      st_uid = (char *) calloc( strlen(szSID) + 1, 1 );
+      memcpy( st_uid, szSID, strlen(szSID) );
+    }
+    LocalFree(szSID);
+    CloseHandle(hFile);
+
+    snprintf(newsum, 255, "%ld:%d:%s:%d:%s:%s",
+             size == 0 ? 0 : (long)statbuf.st_size,
+             perm == 0 ? 0 : (int)statbuf.st_mode,
+             owner == 0 ? "0" : st_uid,
+             group == 0 ? 0 : (int)statbuf.st_gid,
+             md5sum   == 0 ? "xxx" : mf_sum,
+             sha1sum  == 0 ? "xxx" : sf_sum);
+
+    free(st_uid);
+#endif
 
     return (0);
 }

src/syscheckd/run_realtime.c

@@ -220,7 +220,7 @@ typedef struct _win32rtfim {
     OVERLAPPED overlap;
 
     char *dir;
-    TCHAR buffer[12288];
+    TCHAR buffer[1228800];
 } win32rtfim;
 
 int realtime_win32read(win32rtfim *rtlocald);
@@ -238,6 +238,11 @@ void CALLBACK RTCallBack(DWORD dwerror, DWORD dwBytes, LPOVERLAPPED overlap)
 
     if (dwBytes == 0) {
         merror("%s: ERROR: real time call back called, but 0 bytes.", ARGV0);
+        rtlocald = OSHash_Get(syscheck.realtime->dirtb, "0");
+        if(rtlocald) {
+            realtime_win32read(rtlocald);
+        }
+
         return;
     }
 
@@ -307,7 +312,7 @@ int realtime_win32read(win32rtfim *rtlocald)
                                rtlocald->buffer,
                                sizeof(rtlocald->buffer) / sizeof(TCHAR),
                                TRUE,
-                               FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_DIR_NAME | FILE_NOTIFY_CHANGE_SIZE | FILE_NOTIFY_CHANGE_LAST_WRITE,
+                               FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_DIR_NAME | FILE_NOTIFY_CHANGE_SIZE | FILE_NOTIFY_CHANGE_LAST_WRITE | FILE_NOTIFY_CHANGE_SECURITY,
                                0,
                                &rtlocald->overlap,
                                RTCallBack);