Hi All,
I just subscribed to the list, so forgive me any ignorance about how things
are organized at this list.
The reason I subscribed is to submit a patch. I am currently configuring and
tuning OSSEC for use at Airbus Defense and Space and while testing, I noticed:
PRE:
$ ls -l /etc/shadow
-rw-r----- 1 root shadow 1391 Dec 16 16:14 /etc/shadow
POST:
$ sudo chmod 660 /etc/shadow; ls -l /etc/shadow
-rw-rw---- 1 root shadow 1391 Dec 16 16:14 /etc/shadow
YIELDS:
OSSEC HIDS Notification.
2016 Jan 21 11:10:28
Received From: (ssh_integrity_check_linux) root@vader->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):
Integrity checksum changed for: '/etc/shadow'
Permissions changed from '-w------t' to '-w--w-r-t'
in the database the permissions are:
#++1391:640:0:42:fa8049e0aeeb2311d43ab92ec8b1ad62:4e1895b70357ffda6f79b433bcc6c7fdb0aba368
!1453371028 /etc/shadow
!!+1391:620:0:42:fa8049e0aeeb2311d43ab92ec8b1ad62:4e1895b70357ffda6f79b433bcc6c7fdb0aba368
!1453374639 /etc/shadow
640 interpreted as octal yields 1200 which is -w-------t
660 interpreted as octal yields 1224 which is -w--w--r-t
The source (analysisd/decoders/syscheck.c) reads (line 517:522):
    /* Getting integer values */
    if(c_newperm && c_oldperm)
    {
        newperm = atoi(c_newperm);
        oldperm = atoi(c_oldperm);
    }
which should be:
    /* Getting octal values */
    if(c_newperm && c_oldperm)
    {
        newperm = strtoul(c_newperm, 0, 8);
        oldperm = strtoul(c_oldperm, 0, 8);
    }
After patching and building, I now get (checksum changed because ossec was
added to my workstation):
OSSEC HIDS Notification.
2016 Jan 21 14:16:12
Received From: (ssh_integrity_check_linux) root@vader->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):
Integrity checksum changed for: '/etc/shadow'
Size changed from '1391' to '1474'
Permissions changed from 'rw-rw----' to 'rw-rw-r--'
Old md5sum was: 'fa8049e0aeeb2311d43ab92ec8b1ad62'
New md5sum is : 'dda758ee0f33df721288104f6992d018'
Old sha1sum was: '4e1895b70357ffda6f79b433bcc6c7fdb0aba368'
New sha1sum is : '2d1779d001693420dc4e1c686232a9fd063d4c33'
I have attached a patch-file for it.
--
With kind regards,
Met vriendelijke groet,
Stephan Leemburg
IT Functions
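An added example, not part of Stephan's patch and not OSSEC code, that reproduces the mis-decoding described in the message: it parses the permission field from a syscheck record both ways (decimal, as atoi() did, and octal, as the patch does) and renders the result ls-style so the wrong and right strings can be compared. The render function, its s/t convention for setuid/setgid/sticky and the validating octal parser are assumptions of this example, not syscheck's own formatting; the validating parser also rejects fields containing non-octal characters, which strtoul() alone would silently truncate.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Special bits, spelled out so the example is self-contained. */
enum { MODE_SUID = 04000, MODE_SGID = 02000, MODE_STICKY = 01000, MODE_MAX = 07777 };

/* Render a numeric mode as nine ls-style characters, e.g. 0640 -> "rw-r-----".
 * setuid/setgid/sticky replace the execute column of owner/group/other with
 * s/s/t (uppercase when the execute bit itself is not set). */
void render_perm(unsigned long mode, char out[10])
{
    const unsigned long special[3] = { MODE_SUID, MODE_SGID, MODE_STICKY };
    const char sp_char[3] = { 's', 's', 't' };
    for (int cls = 0; cls < 3; cls++) {
        int shift = 6 - 3 * cls;                 /* owner, group, other */
        unsigned long bits = (mode >> shift) & 07;
        out[cls * 3 + 0] = (bits & 04) ? 'r' : '-';
        out[cls * 3 + 1] = (bits & 02) ? 'w' : '-';
        if (mode & special[cls])
            out[cls * 3 + 2] = (bits & 01) ? sp_char[cls] : (char)(sp_char[cls] - 32);
        else
            out[cls * 3 + 2] = (bits & 01) ? 'x' : '-';
    }
    out[9] = '\0';
}

/* Convenience wrapper returning the rendered string in a static buffer. */
const char *perm_str(unsigned long mode)
{
    static char buf[10];
    render_perm(mode, buf);
    return buf;
}

/* The original decoder behaviour: the octal field "640" is read as decimal 640,
 * which is 01200 in octal (sticky bit + owner write). */
unsigned long perm_as_decimal(const char *field)
{
    return (unsigned long)atoi(field);
}

/* The patched behaviour, with validation added (hypothetical, not in the patch):
 * the field must be non-empty, consist only of octal digits and fit in 07777.
 * Returns 0 on success and stores the mode in *mode, -1 on a malformed field. */
int perm_as_octal(const char *field, unsigned long *mode)
{
    char *end;
    if (!field || !*field)
        return -1;
    errno = 0;
    unsigned long v = strtoul(field, &end, 8);
    if (errno != 0 || *end != '\0' || v > MODE_MAX)
        return -1;
    *mode = v;
    return 0;
}

/* Build the "Permissions changed from 'X' to 'Y'" line for two stored fields,
 * using the octal parser. Returns 0 on success, -1 if either field is malformed. */
int perm_change_message(const char *oldf, const char *newf, char *buf, size_t n)
{
    unsigned long oldm, newm;
    char olds[10], news[10];
    if (perm_as_octal(oldf, &oldm) != 0 || perm_as_octal(newf, &newm) != 0)
        return -1;
    render_perm(oldm, olds);
    render_perm(newm, news);
    snprintf(buf, n, "Permissions changed from '%s' to '%s'", olds, news);
    return 0;
}

int main(void)
{
    /* Constructed fields, matching the values from the syscheck records above. */
    const char *old_field = "640", *new_field = "660";
    char msg[80];

    printf("decimal parse: '%s' -> '%s'\n",
           perm_str(perm_as_decimal(old_field)), perm_str(perm_as_decimal(new_field)));
    if (perm_change_message(old_field, new_field, msg, sizeof msg) == 0)
        printf("octal parse:   %s\n", msg);
    return 0;
}
```

Running it prints the misleading '-w------T' / '-w--w-r-T' pair for the decimal parse and 'rw-r-----' / 'rw-rw----' for the octal parse, i.e. the same mismatch as in the two notifications in the message. The end-pointer check matters on a decoder that reads untrusted-looking database text: with strtoul(field, 0, 8) a field such as "680" would quietly decode as 06 and never be flagged.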
--- ossec-hids-2.8.3.org/src/analysisd/decoders/syscheck.c 2015-10-12 23:21:06.000000000 +0200
+++ ossec-hids-2.8.3/src/analysisd/decoders/syscheck.c 2016-01-21 14:10:38.679394133 +0100
@@ -514,11 +514,11 @@
}
}
- /* Getting integer values */
+ /* Getting octal values */
if(c_newperm && c_oldperm)
{
- newperm = atoi(c_newperm);
- oldperm = atoi(c_oldperm);
+ newperm = strtoul(c_newperm, 0, 8);
+ oldperm = strtoul(c_oldperm, 0, 8);
}
/* Generating size message */
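Review bot: the two strtoul() calls pass 0 as the end pointer, so a permission field containing a non-octal character (anything from '8' upward, or trailing garbage) is silently truncated at that character instead of being rejected; consider `char *end; newperm = strtoul(c_newperm, &end, 8);` followed by a check that `*end == '\0'` before using the value, and treat a failed parse the same way the surrounding code treats a missing field. Two smaller points: strtoul() returns unsigned long while atoi() returned int, so confirm that newperm and oldperm are declared with a type that holds the full value without a sign-changing conversion, and NULL reads more clearly than 0 for the pointer argument. Since the database already stores the field as octal text (as the "640"/"620" records in the message show), the change only affects decoding and does not require rebuilding existing syscheck databases.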