From 701a187f3e7b10750d1217dfc4d695f00ead989b Mon Sep 17 00:00:00 2001 From: "Scott R. Shinn" Date: Wed, 8 Feb 2017 17:41:40 -0500 Subject: [PATCH 1/2] Merge from PR #1040 Backport merge or the 2.9 release Signed-off-by: Scott R. Shinn --- src/addagent/main.c | 19 ++++++++++++------ src/addagent/manage_agents.c | 37 +++++++++++++++++++++++++++--------- src/addagent/manage_agents.h | 3 +++ src/addagent/manage_keys.c | 35 +++++++++++++++++++++++++--------- 4 files changed, 70 insertions(+), 24 deletions(-) diff --git a/src/addagent/main.c b/src/addagent/main.c index ad9d61a17..3425b3fb7 100644 --- a/src/addagent/main.c +++ b/src/addagent/main.c @@ -88,6 +88,9 @@ int main(int argc, char **argv) int ret; #endif + extern int willchroot; + willchroot = 1; + /* Set the name */ OS_SetName(ARGV0); @@ -138,6 +141,7 @@ int main(int argc, char **argv) ErrorExit("%s: -f needs an argument.", ARGV0); } cmdbulk = optarg; + willchroot = 0; printf("Bulk load file: %s\n", cmdbulk); break; case 'l': @@ -168,13 +172,16 @@ int main(int argc, char **argv) ErrorExit(SETGID_ERROR, ARGV0, group, errno, strerror(errno)); } - /* Chroot to the default directory */ - if (Privsep_Chroot(dir) < 0) { - ErrorExit(CHROOT_ERROR, ARGV0, dir, errno, strerror(errno)); - } - /* Inside chroot now */ - nowChroot(); + if(willchroot > 0) { + + /* Chroot to the default directory */ + if (Privsep_Chroot(dir) < 0) { + ErrorExit(CHROOT_ERROR, ARGV0, dir, errno, strerror(errno)); + } + + nowChroot(); + } /* Start signal handler */ StartSIG2(ARGV0, manage_shutdown); diff --git a/src/addagent/manage_agents.c b/src/addagent/manage_agents.c index 624844a19..fc6dcb83a 100644 --- a/src/addagent/manage_agents.c +++ b/src/addagent/manage_agents.c 
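Review bot: Skipping the chroot when `-f` is given means every relative path this program opens now resolves against the invoking user's cwd instead of the jail, and the `if(willchroot > 0)` branch says nothing about that invariant; within this patch only AUTH_FILE is rebased onto DEFAULTDIR, so any other file still opened by a bare relative name in bulk mode would be looked up in the wrong place — worth an audit that this hunk alone cannot settle. The dropped `/* Inside chroot now */` comment should return as a comment on the branch, e.g. `/* -f (bulk load) reads an operator-supplied path outside the jail, so it skips the chroot; everything it opens must then be addressed via DEFAULTDIR */`. Whether the process also drops privileges before this point is not visible here; if it does not, bulk mode now performs its file operations unjailed with whatever privilege it started with. main()'s body continues outside the hunk.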
@@ -82,17 +82,26 @@ int add_agent() os_ip c_ip; c_ip.ip = NULL; + char authfile[257]; + + if(willchroot > 0) { + snprintf(authfile, 256, "%s", AUTH_FILE); + } else { + const char *dir = DEFAULTDIR; + snprintf(authfile, 256, "%s/%s", dir, AUTH_FILE); + } + /* Check if we can open the auth_file */ - fp = fopen(AUTH_FILE, "a"); + fp = fopen(authfile, "a"); if (!fp) { - ErrorExit(FOPEN_ERROR, ARGV0, AUTH_FILE, errno, strerror(errno)); + ErrorExit(FOPEN_ERROR, ARGV0, authfile, errno, strerror(errno)); } fclose(fp); #ifndef WIN32 - if (chmod(AUTH_FILE, 0440) == -1) { - ErrorExit(CHMOD_ERROR, ARGV0, AUTH_FILE, errno, strerror(errno)); + if (chmod(authfile, 0440) == -1) { + ErrorExit(CHMOD_ERROR, ARGV0, authfile, errno, strerror(errno)); } #endif @@ -244,12 +253,12 @@ int add_agent() time3 = time(0); rand2 = random(); - fp = fopen(AUTH_FILE, "a"); + fp = fopen(authfile, "a"); if (!fp) { ErrorExit(FOPEN_ERROR, ARGV0, KEYS_FILE, errno, strerror(errno)); } #ifndef WIN32 - chmod(AUTH_FILE, 0440); + chmod(authfile, 0440); #endif /* Random 1: Time took to write the agent information @@ -295,6 +304,16 @@ int remove_agent() char u_id[FILE_SIZE + 1]; int id_exist; + extern int willchroot; + char authfile[257]; + if(willchroot > 0) { + snprintf(authfile, 256, "%s", AUTH_FILE); + } else { + const char *dir = DEFAULTDIR; + snprintf(authfile, 256, "%s/%s", dir, AUTH_FILE); + } + + u_id[FILE_SIZE] = '\0'; if (!print_agents(0, 0, 0)) { @@ -353,13 +372,13 @@ int remove_agent() return (1); } - fp = fopen(AUTH_FILE, "r+"); + fp = fopen(authfile, "r+"); if (!fp) { free(full_name); - ErrorExit(FOPEN_ERROR, ARGV0, AUTH_FILE, errno, strerror(errno)); + ErrorExit(FOPEN_ERROR, ARGV0, authfile, errno, strerror(errno)); } #ifndef WIN32 - chmod(AUTH_FILE, 0440); + chmod(authfile, 0440); #endif /* Remove the agent, but keep the id */ diff --git a/src/addagent/manage_agents.h b/src/addagent/manage_agents.h index 317688fa1..5b5366989 100644 --- a/src/addagent/manage_agents.h 
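Review bot: The `snprintf(authfile, 256, ...)` pair at the top of add_agent() hard-codes 256 against a 257-byte buffer and ignores the return value, so a DEFAULTDIR/AUTH_FILE combination longer than 255 bytes would be silently truncated and the wrong path opened and chmod'ed 0440; use `sizeof authfile` and reject truncation. The same seven lines are repeated in remove_agent(), k_extract() and k_bulkload(), so a single non-static helper declared in manage_agents.h keeps the four copies from drifting. add_agent()'s body continues outside the hunk.
```c
/* Resolve the auth file for the current mode: bare AUTH_FILE inside the
 * chroot, DEFAULTDIR-prefixed when -f (bulk load) skipped the chroot.
 * Returns -1 if the path does not fit in buf. */
int auth_file_path(char *buf, size_t len)
{
    int n = (willchroot > 0)
        ? snprintf(buf, len, "%s", AUTH_FILE)
        : snprintf(buf, len, "%s/%s", DEFAULTDIR, AUTH_FILE);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* … in add_agent(), replacing the two snprintf branches … */
    char authfile[257];
    if (auth_file_path(authfile, sizeof authfile) < 0) {
        ErrorExit("%s: auth file path too long", ARGV0);
    }
```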
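Review bot: The ErrorExit right after the rewritten `fopen(authfile, "a")` still reports `KEYS_FILE`, so a failure here names a file that was never opened; change it to `ErrorExit(FOPEN_ERROR, ARGV0, authfile, errno, strerror(errno));`. The `chmod(authfile, 0440)` below it also discards its return value, while the same call earlier in add_agent() exits on failure — if the 0440 mode is meant to be enforced, check it the same way. add_agent() starts and ends outside this hunk.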
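Review bot: remove_agent() redeclares `extern int willchroot;` inside the function body while add_agent() in the same file uses the name without one, which only works because manage_agents.h currently carries a definition; drop the local extern and rely on a single declaration in the header so every translation unit sees the same linkage. The `snprintf(authfile, 256, ...)` lines here also pass a literal rather than `sizeof authfile` and never check for truncation, the same issue as in add_agent(). remove_agent()'s body continues outside the hunk.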
+++ b/src/addagent/manage_agents.h @@ -139,3 +139,6 @@ extern fpos_t fp_pos; #define GMF_BUFF_ERROR ARGV0 ": Could not get path because it is too long and was shrunk by (%d) characters with a max of (%d).\n" #define GMF_UNKN_ERROR ARGV0 ": Could not run GetModuleFileName which returned (%ld).\n" +/* Do we chroot? */ +int willchroot; + diff --git a/src/addagent/manage_keys.c b/src/addagent/manage_keys.c index 4c918ab29..f0c3d1a39 100644 --- a/src/addagent/manage_keys.c +++ b/src/addagent/manage_keys.c @@ -221,9 +221,18 @@ int k_extract(const char *cmdextract) } /* Try to open the auth file */ - fp = fopen(AUTH_FILE, "r"); + char authfile[257]; + extern int willchroot; + if(willchroot > 0) { + snprintf(authfile, 256, "%s", AUTH_FILE); //XXX + } else { + const char *dir = DEFAULTDIR; + snprintf(authfile, 256, "%s/%s", dir, AUTH_FILE); //XXX + } + + fp = fopen(authfile, "r"); if (!fp) { - ErrorExit(FOPEN_ERROR, ARGV0, AUTH_FILE, errno, strerror(errno)); + ErrorExit(FOPEN_ERROR, ARGV0, authfile, errno, strerror(errno)); } if (fsetpos(fp, &fp_pos)) { @@ -286,9 +295,17 @@ int k_bulkload(const char *cmdbulk) } /* Check if we can open the auth_file */ - fp = fopen(AUTH_FILE, "a"); + char authfile[257]; + if(willchroot > 0) { + snprintf(authfile, 256, "%s", AUTH_FILE); //XXX + } else { + const char *dir = DEFAULTDIR; + snprintf(authfile, 256, "%s/%s", dir, AUTH_FILE); //XXX + } + + fp = fopen(authfile, "a"); if (!fp) { - ErrorExit(FOPEN_ERROR, ARGV0, AUTH_FILE, errno, strerror(errno)); + ErrorExit(FOPEN_ERROR, ARGV0, authfile, errno, strerror(errno)); } fclose(fp); @@ -309,8 +326,8 @@ int k_bulkload(const char *cmdbulk) strncpy(name, trimwhitespace(token), FILE_SIZE - 1); #ifndef WIN32 - if (chmod(AUTH_FILE, 0440) == -1) { - ErrorExit(CHMOD_ERROR, ARGV0, AUTH_FILE, errno, strerror(errno)); + if (chmod(authfile, 0440) == -1) { + ErrorExit(CHMOD_ERROR, ARGV0, authfile, errno, strerror(errno)); } #endif 
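Review bot: `int willchroot;` in manage_agents.h is a tentative definition rather than a declaration, so every translation unit that includes the header defines the symbol; that links only with `-fcommon` and produces a multiple-definition error under `-fno-common`, the GCC 10+ default. Replace it with `extern int willchroot; /* 0 when -f skips the chroot */` and define the variable exactly once at file scope, e.g. `int willchroot = 1;` in main.c, which also makes the `extern` redeclarations inside main(), remove_agent() and k_extract() redundant.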
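Review bot: The two `//XXX` markers on the new snprintf lines in k_extract() read as unresolved review notes and should not land; replace them with the reason the path differs per mode, e.g. `/* -f skips the chroot, so AUTH_FILE must be addressed via DEFAULTDIR */`, and pass `sizeof authfile` instead of the literal 256 while checking the return value for truncation. Declaring `authfile` and `extern int willchroot` after the preceding statements is legal C99 but differs from the declare-at-top layout the surrounding code in this hunk appears to use. k_extract()'s body continues outside the hunk.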
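Review bot: k_bulkload() keeps a `willchroot > 0` branch, yet the only visible way into it is the `-f` option in main.c, which clears willchroot before the chroot decision, so the bare-`AUTH_FILE` branch appears unreachable from this patch's call path; if that holds, say so in a comment instead of leaving `//XXX` on each line, e.g. `/* bulk load is only entered via -f, which disables the chroot; the chrooted branch is kept for symmetry with add_agent() */`. The literal 256 and the unchecked snprintf return carry the same truncation concern as the other three copies. k_bulkload()'s body continues outside the hunk.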
@@ -373,13 +390,13 @@ int k_bulkload(const char *cmdbulk) time3 = time(0); rand2 = random(); - fp = fopen(AUTH_FILE, "a"); + fp = fopen(authfile, "a"); if (!fp) { ErrorExit(FOPEN_ERROR, ARGV0, KEYS_FILE, errno, strerror(errno)); } #ifndef WIN32 - if (chmod(AUTH_FILE, 0440) == -1) { - ErrorExit(CHMOD_ERROR, ARGV0, AUTH_FILE, errno, strerror(errno)); + if (chmod(authfile, 0440) == -1) { + ErrorExit(CHMOD_ERROR, ARGV0, authfile, errno, strerror(errno)); } #endif From 083a5f4cc07e3077490feba1d331bcdd6ed7cdcd Mon Sep 17 00:00:00 2001 From: "Scott R. Shinn" Date: Wed, 8 Feb 2017 18:01:49 -0500 Subject: [PATCH 2/2] Update documentation and other files for 2.9 Signed-off-by: Scott R. Shinn --- BUGS | 16 +++++---- CHANGELOG | 94 +++++++++++++++++++++++++++++++++++++++++++++++++--- CONFIG | 6 ++-- CONTRIBUTORS | 10 +++--- INSTALL | 4 +-- LICENSE | 2 +- README.md | 4 +-- 7 files changed, 113 insertions(+), 23 deletions(-) diff --git a/BUGS b/BUGS index 71b23e7ca..46506d9a2 100644 --- a/BUGS +++ b/BUGS @@ -1,12 +1,10 @@ -OSSEC v2.8 -Copyright (C) 2014 Trend Micro Inc. +OSSEC v2.9 +Copyright (C) 2017 Trend Micro Inc. ** Reporting bugs ** -Bugs should be sent to the OSSEC mailling list -(ossec-list@ossec.net). Please, make sure to include -the following information: +Please, make sure to include the following information: -OSSEC version number. -Content of /etc/ossec-init.conf @@ -16,5 +14,11 @@ the following information: -Any other relevant information. + +Github (Public Issue Reporting): +https://github.com/ossec/ossec-hids/issues + +Email (Private Issue Reporting): If you prefer to contact us privately or if it is a security -issue, send an e-mail to OSSEC Project ( ossec@trendmicro.com ). +issue, send an e-mail to OSSEC Project ( ossec@ossec-hids.org ). + diff --git a/CHANGELOG b/CHANGELOG index de4768e3a..daeff1bc0 100644 --- a/CHANGELOG +++ b/CHANGELOG 
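Review bot: As in add_agent(), the ErrorExit after the rewritten `fopen(authfile, "a")` still reports `KEYS_FILE`, so a failure to append the new key to the auth file points the operator at the wrong path; use `ErrorExit(FOPEN_ERROR, ARGV0, authfile, errno, strerror(errno));`. k_bulkload()'s body starts outside this hunk.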
@@ -1,8 +1,94 @@ -OSSEC changelog. +OSSEC changelog (2.9.0) +Release Maintainers -Changes at the -latest version - * Feature: Added hourly and daily options to the logcollecor frequency. - * Bug fix: Glob() implementation on logcollector. +Dan Parriott +Scott R. Shinn (Atomicorp, Inc.) +Whats New + Alert Output support for JSON and ZeroMQ + Syscheck improvements + Report file deletion, even without realtime enabled + Report modifications made on directories + Corrects bug so that files created between the first and second scan are reported as new files + Corrects bug that made changes reverting a file to the state it was in when ossec started unreported + Avoids computing hashes multiple times to improve performance + Make the time between two syscheck wakeups configurable in internal_options + Add support for the “nodiff” option when using report_changes, sensitive files tagged with in ossec.conf will not have their contents included in an alert. + IPv6 support + Support to call an external mailer. This solves the problem of supporting encryption when sending mail alerts in OSSEC. The field can now be prepended with “/” to designate a local binary. Example: “/usr/sbin/sendmail -t”. + Slack notification support + + +New Rules / Decoders + + PR#572: Rules/Decoders, Better Dropbear events detection + PR#602: Rules/Decoders, Add dropbear_rules and unbound_rules + PR#604: Rules/Decoders,sid 5300 incorrectly alerts on OS X + PR#607, Rules/Decoders, Update syslog_rules for OSX false positive + PR#611: Rules/Decoders, Sysmon decoder update, This should better support Windows 2003 R2. 
+ PR#643, Rules/Decoders, update to IIS decoder + PR#654, Rules/Decoders, update to the vsftpd decoder + PR#668: Rules/Decoders, Fix for Cisco PIX decoder, ms-se_rules.xml, msauth_rules.xml + PR#721: Rules/Decoders, Update for sytemd rules to add support for new program_name, systemctl + PR#746: Rules/Decoders, Update to the apache decoders to handle Apache 2.4 events more gracefully + PR#755: Rules/Decoders, Update to ssh rules. Adds rules 5750-5753 to dedect client, protocol, and hostkey events + PR#762: Rules/Decoders, Update to ssh rules. Associates 5751 with 5700 instead of 1002 + PR#763: Rules/Decoders, Add rules for OpenBSD smtpd + PR#774: Rules/Decoders, Add OpenBSD smtpd rules + PR#787: Rules/Decoders, Update to OpenBSD smtpd decoder to not conflict with postfix + PR#786: Rules/Decoders, SSH Rule improvements + PR#799: Rules/Decoders, Add rule for users not in sudoers + PR#803: Rules/Decoders, Add additional sshd decoders for ssh-pam & ssh invalid auth requests + +General + + PR #2, Output, Adds ZeroMQ and Json output support + PR #4, Authd, Bugfix for Openssl operations on non-blocking socket + PR #563: IPv6 support + PR #599, Allow for the log format in proftpd 1.3.5+ + PR #610: Execd, Reduce system load caused by simultaneous active response processes during ossec stop. #610 + PR #615: Adds support for Binding src IP to ‘local_ip’ config value in agentd. In mulihomed host environment we have a big problem with binding agent to correct ip. By default agentd used ip-addr of interface, from which sented ip-packets. + PR #617: Agentd, Add CLIENT to DEFINES for winagent target #617 Bugfix #595 + PR #622: Fix for CVE-2015-3222 + PR #631, Log failure when ossec fails to remove a PID file + PR #652, Syscheck, add support for the “-t” flag to display XML parsing errors in agent.conf on agents + PR #657: Syscheck, Allows scanning of directories with , in the name. Let directory check_something=”no” options to work. 
This means you can do instead of listing out all the ones you want to use. + PR #670: Syscheck, Bugfix for report_changes + PR #689: Maild, add support to call an external MTA to send alert emails. The smtp_server setting can now be written as “/usr/sbin/sendmail -t” + PR #690: Cleanup for building on OSX + PR #691: adds support for syslog messages that prepend the year, ie: “2015 Nov 13 ....” + PR #696: Bugfix for OpenBSD sendto() sockaddr length restrictions. + PR #699: Encompassing only complete statements with conditional directives. + PR #717: Active Response, add Slack (www.slack.com) notification support + PR #720: Fixes for the statfs error spam + PR #724: Authd, bugfix for issue #642, This brings ossec-authd into parity with whatever the MAX_AGENTS is set at build time + PR #726: Make syslog/cef consistent with json/splunk and add classification field to alerts. + PR #727: Maild, Add support for “email_reply_to”. This allows configuing the Reply-To: field in email alerts sent from ossec-maild + PR #740: Remoted, bugfix for issue #739, Ossec will now report the agent ID of the agent that tries to conect + PR #744: Syscheck, Bugfix for issue #42, corrects issue on windows that would produce an incorrect hash + PR #749: Windows, Changed Makefile to use Windows subsystem only wth UI manager + PR #750: Analysisd, Fixes glob() impelemtation bug, adds Hourly/Daily options to logcollector, improved dfalts to analysisd diff alerts. + PR #751: Add simple python rule updater script + PR #754: Install.sh, Bugfix for OpenBSD adduser support + PR #765: Syscheck, add “nodiff” support. Sensitive data may leak through the diff attached to alerts when some file changes. This pull request add a nodiff option, which allows to explicitely set files for which we never want to output a diff. 
+ PR #768: Analysisd, Bugfix for Issue #767, increase of value for stats + PR #770: Database support, Postgres support updates + PR #781: Syscheck, Bugfix for Issue #780 + PR #788: System Audit, Add PCI DSS tags to RHEL/CentOS/Cloudlinux auditing tests + PR #789: Install.sh, Use ls for file existance checks, for cross platform compatibility + PR #791: Syscheck, add /boot to default directories. Fix for Issue #675 + PR #797: Rootcheck, Remove legacy rootcheck options + PR #798: System Audit, Add RHEL/CentOS/Cloudlinux 7 CIS benchmarks + PR #802: Database support, Allow for longer entries in the system informtaion column + PR #849 Format string security fix + PR #864 Fix ossec-logtest to chroot when testing check_diff rules + PR #870 Fix installer permissions on the etc/shared directory + PR #878 Fix version field to correctly report "2.9.0" instead of 2.8.3 + PR #909 Bugfix for decoders.d/rules.d logtest + PR #920 Bugfixes for OS_IPFound, OS_IPFoundList, OS_IsValidIP + PR #923 Security fix for SQLi in al_data->location + PR #926 Rootcheck, updates or EL7 + PR #945 Remove debug message + PR #986 - Prevent manage_agents from chrooting in bulk mode diff --git a/CONFIG b/CONFIG index 4f512b3eb..7eebd5c74 100644 --- a/CONFIG +++ b/CONFIG @@ -1,5 +1,5 @@ -OSSEC v2.8 -Copyright (C) 2014 Trend Micro Inc. +OSSEC v2.9.0 +Copyright (C) 2017 Trend Micro Inc. = Information about OSSEC = @@ -16,4 +16,4 @@ See INSTALL Just follow the steps from the install.sh script. More information at -http://www.ossec.net/doc/manual/index.html +https://ossec-docs.readthedocs.io/en/latest/manual/index.html diff --git a/CONTRIBUTORS b/CONTRIBUTORS index 8a3ac0c64..716dd8206 100644 --- a/CONTRIBUTORS +++ b/CONTRIBUTORS 
@@ -1,20 +1,20 @@ -OSSEC v2.8 -Copyright (C) 2014 Trend Micro Inc. +OSSEC v2.9.0 +Copyright (C) 2017 Trend Micro Inc. Many thanks to everyone who contributed and helped with the ossec project. Below is the list of all the people who helped us since our first release (0.1). -(if you feel you should be here, but it is not, let us know). +(if you feel you should be here, but it is not, let scott@atomicorp.com know). -Development - Daniel B. Cid + - Dan Parriott - Jeremy Rossi - Michael Starks - - Dan Parriott - Meir Michanie - Slava Semushin - Ahmet Ozturk - - Scott R. Shinn + - Scott R. Shinn