Hi Stephan,
welcome to the OSSEC mailing list :)
thanks for your contribution. Patches are usually submitted through pull
requests on GitHub. Do you have a GitHub account?
Check out https://github.com/ossec/ossec-hids and try to see if you can
submit your patch there! :)
best,
theresa
On Thursday, 21 January 2016 14:50:26 UTC+1, Stephan Leemburg wrote:
>
> Hi All,
>
> I just subscribed to the list, so forgive me any ignorance about how
> things are organized at this list.
>
> The reason I subscribed is to submit a patch. I am currently configuring
> and tuning OSSEC for use at Airbus Defense and Space and while testing, I
> noticed:
>
> PRE:
> $ ls -l /etc/shadow
> -rw-r----- 1 root shadow 1391 Dec 16 16:14 /etc/shadow
>
> POST:
> $ sudo chmod 660 /etc/shadow; ls -l /etc/shadow
> -rw-rw---- 1 root shadow 1391 Dec 16 16:14 /etc/shadow
>
> YIELDS:
>
> OSSEC HIDS Notification.
> 2016 Jan 21 11:10:28
>
> Received From: (ssh_integrity_check_linux) root@vader->syscheck
> Rule: 550 fired (level 7) -> "Integrity checksum changed."
> Portion of the log(s):
>
> Integrity checksum changed for: '/etc/shadow'
> Permissions changed from '-w------t' to '-w--w-r-t'
>
> in the database the permissions are:
>
> #++1391:640:0:42:fa8049e0aeeb2311d43ab92ec8b1ad62:4e1895b70357ffda6f79b433bcc6c7fdb0aba368
>
> !1453371028 /etc/shadow
> !!+1391:620:0:42:fa8049e0aeeb2311d43ab92ec8b1ad62:4e1895b70357ffda6f79b433bcc6c7fdb0aba368
>
> !1453374639 /etc/shadow
>
> 640 interpreted as octal yields 1200 which is -w------t
> 660 interpreted as octal yields 1224 which is -w--w-r-t
>
> The source (analysisd/decoders/syscheck.c) reads (lines 517-522):
>
> /* Getting integer values */
> if(c_newperm && c_oldperm)
> {
> newperm = atoi(c_newperm);
> oldperm = atoi(c_oldperm);
> }
>
> which should be:
>
> /* Getting octal values */
> if(c_newperm && c_oldperm)
> {
> newperm = strtoul(c_newperm, 0, 8);
> oldperm = strtoul(c_oldperm, 0, 8);
> }
>
> After patching and building, I now get (checksum changed because ossec
> was added to my workstation):
>
> OSSEC HIDS Notification.
> 2016 Jan 21 14:16:12
>
> Received From: (ssh_integrity_check_linux) root@vader->syscheck
> Rule: 550 fired (level 7) -> "Integrity checksum changed."
> Portion of the log(s):
>
> Integrity checksum changed for: '/etc/shadow'
> Size changed from '1391' to '1474'
> Permissions changed from 'rw-rw----' to 'rw-rw-r--'
> Old md5sum was: 'fa8049e0aeeb2311d43ab92ec8b1ad62'
> New md5sum is : 'dda758ee0f33df721288104f6992d018'
> Old sha1sum was: '4e1895b70357ffda6f79b433bcc6c7fdb0aba368'
> New sha1sum is : '2d1779d001693420dc4e1c686232a9fd063d4c33'
>
> I have attached a patch-file for it.
>
> --
> With kind regards,
> Met vriendelijke groet,
> Stephan Leemburg
> IT Functions
>