1 Description: The mod_if module monitors network interfaces for changes
2 in IP address, hardware address, broadcast, MTU, metric, and
3 promiscuous mode.
6 diff -ruN osiris-4.1.9-old/src/osirisd/modules/mod_if/Makefile osiris-4.1.9-new/src/osirisd/modules/mod_if/Makefile
7 --- osiris-4.1.9-old/src/osirisd/modules/mod_if/Makefile 1970-01-01 01:00:00.000000000 +0100
8 +++ osiris-4.1.9-new/src/osirisd/modules/mod_if/Makefile 2005-10-07 02:19:17.000000000 +0200
16 +module: ${SRCS} ${OBJS}
18 +INCS=-I../.. -I../../../libosiris -I../../../libfileapi -I../../../..
20 +# meta-rule for compiling any "C" source file.
22 + $(CC) $(DEFS) $(DEFAULT_INCLUDES) ${INCLUDES} ${INCS} $(AM_CPPFLAGS) \
23 + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c $(SRCS)
26 diff -ruN osiris-4.1.9-old/src/osirisd/modules/mod_if/README osiris-4.1.9-new/src/osirisd/modules/mod_if/README
27 --- osiris-4.1.9-old/src/osirisd/modules/mod_if/README 1970-01-01 01:00:00.000000000 +0100
28 +++ osiris-4.1.9-new/src/osirisd/modules/mod_if/README 2005-10-07 02:19:17.000000000 +0200
32 +Author: Brian Wotring (brian@hostintegrity.com)
38 +The mod_if module is designed originally to monitor the promisc flag
39 +on network interfaces, but quickly turned into being able to monitor
40 +various aspects of network interfaces including hardware address,
41 +IP address, broadcast, MTU, and metric.
43 +This module is somewhat different in that each record is an element
44 +about a network interface as opposed to one record per interface. This
45 +will make it easier to add more elements to be monitored, easier to
46 +filter, and easier to understand alerts.
50 +To use this module, all that is needed is to include it in the Modules
51 +block of a scan configuration, e.g.:
62 +There are no parameters for this module.
66 +Currently, this module is only implemented for Linux.
72 diff -ruN osiris-4.1.9-old/src/osirisd/modules/mod_if/mod_if.c osiris-4.1.9-new/src/osirisd/modules/mod_if/mod_if.c
73 --- osiris-4.1.9-old/src/osirisd/modules/mod_if/mod_if.c 1970-01-01 01:00:00.000000000 +0100
74 +++ osiris-4.1.9-new/src/osirisd/modules/mod_if/mod_if.c 2005-10-07 02:19:17.000000000 +0200
77 +/******************************************************************************
\r
79 +** Copyright (C) 2005 Brian Wotring.
\r
81 +** This program is free software; you can redistribute it and/or
\r
82 +** modify it, however, you cannot sell it.
\r
84 +** This program is distributed in the hope that it will be useful,
\r
85 +** but WITHOUT ANY WARRANTY; without even the implied warranty of
\r
86 +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
\r
88 +** You should have received a copy of the license attached to the
\r
89 +** use of this software. If not, view a current copy of the license
\r
92 +** http://www.hostintegrity.com/osiris/LICENSE
\r
94 +******************************************************************************/
\r
96 +/*****************************************************************************
\r
99 +** Date: September 23, 2005
\r
101 +** Author: Brian Wotring
\r
102 +** Purpose: platform specific methods for monitoring network devices.
\r
104 +******************************************************************************/
\r
107 +/* CODE USED IN THIS MODULE WAS ORIGINALLY TAKEN FROM:
\r
109 +* http://mail.nl.linux.org/kernelnewbies/2003-05/msg00090.html
\r
112 +static const char *MODULE_NAME = "mod_if";
\r
116 +#include "config.h"
\r
119 +#include <stdio.h>
\r
120 +#include <stdlib.h>
\r
123 +#include <unistd.h>
\r
124 +#include <string.h>
\r
125 +#include <errno.h>
\r
127 +#include <sys/socket.h>
\r
128 +#include <sys/types.h>
\r
129 +#include <net/if.h>
\r
132 +#include <sys/ioctl.h>
\r
133 +#include <net/if_arp.h>
\r
134 +#include <arpa/inet.h>
\r
137 +#include "libosiris.h"
\r
138 +#include "libfileapi.h"
\r
139 +#include "rootpriv.h"
\r
140 +#include "common.h"
\r
141 +#include "version.h"
\r
143 +#include "scanner.h"
\r
144 +#include "logging.h"
\r
147 +#define inaddrr(x) (*(struct in_addr *) &ifr->x[sizeof sa.sin_port])
\r
148 +#define IFRSIZE ((int)(size * sizeof (struct ifreq)))
\r
150 +void process_if_unix( SCANNER *scanner )
\r
153 + int sockfd, size = 1;
\r
154 + struct ifreq *ifr;
\r
155 + struct ifconf ifc;
\r
156 + struct sockaddr_in sa;
\r
158 + SCAN_RECORD_TEXT_1 record;
\r
160 + /* Make sure we are able to create sockets */
\r
162 + if ( (sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_IP)) < 0 )
\r
164 + log_error( "mod_if unable to create socket!" );
\r
168 + ifc.ifc_len = IFRSIZE;
\r
169 + ifc.ifc_req = NULL;
\r
175 + /* realloc buffer size until no overflow occurs */
\r
177 + if ((ifc.ifc_req = realloc(ifc.ifc_req, IFRSIZE)) == NULL )
\r
179 + log_error( "out of memory!!!" );
\r
183 + ifc.ifc_len = IFRSIZE;
\r
185 + if (ioctl(sockfd, SIOCGIFCONF, &ifc))
\r
187 + log_error("ioctl failure: SIOCFIFCONF");
\r
191 + } while (IFRSIZE <= ifc.ifc_len);
\r
193 + ifr = ifc.ifc_req;
\r
195 + for (;(char *) ifr < (char *) ifc.ifc_req + ifc.ifc_len; ++ifr)
\r
197 + if (ifr->ifr_addr.sa_data == (ifr+1)->ifr_addr.sa_data)
\r
199 + continue; /* duplicate, skip it */
\r
202 + if (ioctl(sockfd, SIOCGIFFLAGS, ifr))
\r
204 + continue; /* failed to get flags, skip it */
\r
207 + initialize_scan_record( (SCAN_RECORD *)&record,
\r
208 + SCAN_RECORD_TYPE_TEXT_1 );
\r
210 + osi_strlcpy( record.module_name, MODULE_NAME,
\r
211 + sizeof( record.module_name ) );
\r
213 + osi_snprintf( record.name, sizeof( record.name ),
\r
214 + "if:%s:IP", ifr->ifr_name );
\r
216 + osi_snprintf( record.data, sizeof( record.data ),
\r
217 + "%s", inet_ntoa(inaddrr(ifr_addr.sa_data)));
\r
219 + send_scan_data( scanner, (SCAN_RECORD *)&record );
\r
222 + * This won't work on HP-UX 10.20 as there's no SIOCGIFHWADDR ioctl. You'll
\r
223 + * need to use DLPI or the NETSTAT ioctl on /dev/lan0, etc (and you'll need
\r
224 + * to be root to use the NETSTAT ioctl. Also this is deprecated and doesn't
\r
225 + * work on 11.00).
\r
227 + * On Digital Unix you can use the SIOCRPHYSADDR ioctl according to an old
\r
228 + * utility I have. Also on SGI I think you need to use a raw socket, e.g. s
\r
229 + * = socket(PF_RAW, SOCK_RAW, RAWPROTO_SNOOP)
\r
233 + * From: David Peter <dave.peter@eu.citrix.com>
\r
236 + if ( ioctl(sockfd, SIOCGIFHWADDR, ifr) == 0 )
\r
238 + /* Select which hardware types to process.
\r
240 + ** See list in system include file included from
\r
241 + ** /usr/include/net/if_arp.h (For example, on
\r
242 + ** Linux see file /usr/include/linux/if_arp.h to
\r
243 + ** get the list.)
\r
246 + switch (ifr->ifr_hwaddr.sa_family)
\r
251 + case ARPHRD_NETROM:
\r
252 + case ARPHRD_ETHER:
\r
254 + case ARPHRD_EETHER:
\r
255 + case ARPHRD_IEEE802:
\r
259 + u = (unsigned char *) &ifr->ifr_addr.sa_data;
\r
261 + /* send record for MAC for this interface */
\r
263 + if (u[0] + u[1] + u[2] + u[3] + u[4] + u[5])
\r
265 + initialize_scan_record( (SCAN_RECORD *)&record,
\r
266 + SCAN_RECORD_TYPE_TEXT_1 );
\r
268 + osi_strlcpy( record.module_name, MODULE_NAME,
\r
269 + sizeof( record.module_name ) );
\r
271 + osi_snprintf( record.name, sizeof( record.name ),
\r
272 + "if:%s:MAC", ifr->ifr_name );
\r
274 + osi_snprintf( record.data, sizeof( record.data ),
\r
275 + "%2.2x.%2.2x.%2.2x.%2.2x.%2.2x.%2.2x",
\r
276 + u[0], u[1], u[2], u[3], u[4], u[5]);
\r
278 + send_scan_data( scanner, (SCAN_RECORD *)&record );
\r
282 + if ( ioctl(sockfd, SIOCGIFNETMASK, ifr) == 0 &&
\r
283 + strcmp("255.255.255.255", inet_ntoa(inaddrr(ifr_addr.sa_data))))
\r
285 + initialize_scan_record( (SCAN_RECORD *)&record,
\r
286 + SCAN_RECORD_TYPE_TEXT_1 );
\r
288 + osi_strlcpy( record.module_name, MODULE_NAME,
\r
289 + sizeof( record.module_name ) );
\r
291 + osi_snprintf( record.name, sizeof( record.name ),
\r
292 + "if:%s:NETMASK", ifr->ifr_name );
\r
294 + osi_snprintf( record.data, sizeof( record.data ),
\r
295 + "%s", inet_ntoa(inaddrr(ifr_addr.sa_data)));
\r
297 + send_scan_data( scanner, (SCAN_RECORD *)&record );
\r
300 + if (ifr->ifr_flags & IFF_BROADCAST)
\r
302 + if ( ioctl(sockfd, SIOCGIFBRDADDR, ifr) == 0 &&
\r
303 + strcmp("0.0.0.0", inet_ntoa(inaddrr(ifr_addr.sa_data))))
\r
306 + initialize_scan_record( (SCAN_RECORD *)&record,
\r
307 + SCAN_RECORD_TYPE_TEXT_1 );
\r
309 + osi_strlcpy( record.module_name, MODULE_NAME,
\r
310 + sizeof( record.module_name ) );
\r
312 + osi_snprintf( record.name, sizeof( record.name ),
\r
313 + "if:%s:BROADCAST", ifr->ifr_name );
\r
315 + osi_snprintf( record.data, sizeof( record.data ),
\r
316 + "%s",inet_ntoa(inaddrr(ifr_addr.sa_data)));
\r
318 + send_scan_data( scanner, (SCAN_RECORD *)&record );
\r
322 + /* Added by David Vasil to check for Promiscuous mode */
\r
324 + initialize_scan_record( (SCAN_RECORD *)&record,
\r
325 + SCAN_RECORD_TYPE_TEXT_1 );
\r
327 + osi_strlcpy( record.module_name, MODULE_NAME,
\r
328 + sizeof( record.module_name ) );
\r
331 + osi_snprintf( record.name, sizeof( record.name ),
\r
332 + "if:%s:PROMISC", ifr->ifr_name );
\r
334 + if ( ioctl(sockfd, SIOCGIFFLAGS, ifr) == 0 &&
\r
335 + ifr->ifr_flags & IFF_PROMISC)
\r
337 + osi_strlcpy( record.data, "ENABLED", sizeof( record.data ) );
\r
342 + osi_strlcpy( record.data, "DISABLED", sizeof( record.data ) );
\r
345 + send_scan_data( scanner, (SCAN_RECORD *)&record );
\r
348 + if ( ioctl(sockfd, SIOCGIFMTU, ifr) == 0 )
\r
350 + initialize_scan_record( (SCAN_RECORD *)&record,
\r
351 + SCAN_RECORD_TYPE_TEXT_1 );
\r
353 + osi_strlcpy( record.module_name, MODULE_NAME,
\r
354 + sizeof( record.module_name ) );
\r
356 + osi_snprintf( record.name, sizeof( record.name ),
\r
357 + "if:%s:MTU", ifr->ifr_name );
\r
359 + osi_snprintf( record.data, sizeof( record.data ),
\r
360 + "%u", ifr->ifr_mtu );
\r
362 + send_scan_data( scanner, (SCAN_RECORD *)&record );
\r
365 + if ( ioctl(sockfd, SIOCGIFMETRIC, ifr) == 0 )
\r
367 + initialize_scan_record( (SCAN_RECORD *)&record,
\r
368 + SCAN_RECORD_TYPE_TEXT_1 );
\r
370 + osi_strlcpy( record.module_name, MODULE_NAME,
\r
371 + sizeof( record.module_name ) );
\r
373 + osi_snprintf( record.name, sizeof( record.name ),
\r
374 + "if:%s:METRIC", ifr->ifr_name );
\r
376 + osi_snprintf( record.data, sizeof( record.data ),
\r
377 + "%u", ifr->ifr_metric );
\r
379 + send_scan_data( scanner, (SCAN_RECORD *)&record );
\r
386 +void mod_if( SCANNER *scanner )
\r
388 +#if defined(SYSTEM_LINUX)
\r
389 + process_if_unix( scanner );
\r