Description: The mod_if module monitors various aspects of network interfaces for change, including IP, Hardware Address, broadcast, MTU, metric, and promiscuous mode. Version: 0.2 diff -ruN osiris-4.1.9-old/src/osirisd/modules/mod_if/Makefile osiris-4.1.9-new/src/osirisd/modules/mod_if/Makefile --- osiris-4.1.9-old/src/osirisd/modules/mod_if/Makefile 1970-01-01 01:00:00.000000000 +0100 +++ osiris-4.1.9-new/src/osirisd/modules/mod_if/Makefile 2005-10-07 02:19:17.000000000 +0200 @@ -0,0 +1,16 @@ + +include ../Makefile + +SRCS=mod_if.c +OBJS=$(SRCS:.c=.o) + +module: ${SRCS} ${OBJS} + +INCS=-I../.. -I../../../libosiris -I../../../libfileapi -I../../../.. + +# meta-rule for compiling any "C" source file. +$(OBJS): $(SRCS) + $(CC) $(DEFS) $(DEFAULT_INCLUDES) ${INCLUDES} ${INCS} $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c $(SRCS) + cp $@ .. + diff -ruN osiris-4.1.9-old/src/osirisd/modules/mod_if/README osiris-4.1.9-new/src/osirisd/modules/mod_if/README --- osiris-4.1.9-old/src/osirisd/modules/mod_if/README 1970-01-01 01:00:00.000000000 +0100 +++ osiris-4.1.9-new/src/osirisd/modules/mod_if/README 2005-10-07 02:19:17.000000000 +0200 @@ -0,0 +1,42 @@ + +Module: mod_if +Author: Brian Wotring (brian@hostintegrity.com) + + + +DESCRIPTION: + +The mod_if module is designed originally to monitor the promisc flag +on network interfaces, but quickly turned into being able to monitor +various aspects of network interfaces including hardware address, +IP address, broadcast, MTU, and metric. + +This module is somewhat different in that each record is an element +about a network interface as opposed to one record per interface. This +will make it easier to add more elements to be monitored, easier to +filter, and easier to understand alerts. + +USE: + +To use this module, all that is needed is to include it in the Modules +block of a scan configuration, e.g.: + + + ... + Include mod_if + ... + + + +PARAMETERS: + +There are no parameters for this module. + +PLATFORMS: + +Currently, this module is only implemented for Linux. + +NOTES: + + + diff -ruN osiris-4.1.9-old/src/osirisd/modules/mod_if/mod_if.c osiris-4.1.9-new/src/osirisd/modules/mod_if/mod_if.c --- osiris-4.1.9-old/src/osirisd/modules/mod_if/mod_if.c 1970-01-01 01:00:00.000000000 +0100 +++ osiris-4.1.9-new/src/osirisd/modules/mod_if/mod_if.c 2005-10-07 02:19:17.000000000 +0200 @@ -0,0 +1,317 @@ + +/****************************************************************************** +** +** Copyright (C) 2005 Brian Wotring. +** +** This program is free software; you can redistribute it and/or +** modify it, however, you cannot sell it. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +** +** You should have received a copy of the license attached to the +** use of this software. If not, view a current copy of the license +** file here: +** +** http://www.hostintegrity.com/osiris/LICENSE +** +******************************************************************************/ + +/***************************************************************************** +** +** File: mod_if.c +** Date: September 23, 2005 +** +** Author: Brian Wotring +** Purpose: platform specific methods for monitoring network devices. +** +******************************************************************************/ + + +/* CODE USED IN THIS MODULE WAS ORIGINALLY TAKEN FROM: +* +* http://mail.nl.linux.org/kernelnewbies/2003-05/msg00090.html +*/ + +static const char *MODULE_NAME = "mod_if"; + + +#ifndef WIN32 +#include "config.h" +#endif + +#include +#include + +#ifndef WIN32 +#include +#include +#include + +#include +#include +#include +#endif + +#include +#include +#include + + +#include "libosiris.h" +#include "libfileapi.h" +#include "rootpriv.h" +#include "common.h" +#include "version.h" + +#include "scanner.h" +#include "logging.h" + + +#define inaddrr(x) (*(struct in_addr *) &ifr->x[sizeof sa.sin_port]) +#define IFRSIZE ((int)(size * sizeof (struct ifreq))) + +void process_if_unix( SCANNER *scanner ) +{ + unsigned char*u; + int sockfd, size = 1; + struct ifreq *ifr; + struct ifconf ifc; + struct sockaddr_in sa; + + SCAN_RECORD_TEXT_1 record; + + /* Make sure we are able to create sockets */ + + if ( (sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_IP)) < 0 ) + { + log_error( "mod_if unable to create socket!" ); + return; + } + + ifc.ifc_len = IFRSIZE; + ifc.ifc_req = NULL; + + do + { + ++size; + + /* realloc buffer size until no overflow occurs */ + + if ((ifc.ifc_req = realloc(ifc.ifc_req, IFRSIZE)) == NULL ) + { + log_error( "out of memory!!!" ); + return; + } + + ifc.ifc_len = IFRSIZE; + + if (ioctl(sockfd, SIOCGIFCONF, &ifc)) + { + log_error("ioctl failure: SIOCFIFCONF"); + return; + } + + } while (IFRSIZE <= ifc.ifc_len); + + ifr = ifc.ifc_req; + + for (;(char *) ifr < (char *) ifc.ifc_req + ifc.ifc_len; ++ifr) + { + if (ifr->ifr_addr.sa_data == (ifr+1)->ifr_addr.sa_data) + { + continue; /* duplicate, skip it */ + } + + if (ioctl(sockfd, SIOCGIFFLAGS, ifr)) + { + continue; /* failed to get flags, skip it */ + } + + initialize_scan_record( (SCAN_RECORD *)&record, + SCAN_RECORD_TYPE_TEXT_1 ); + + osi_strlcpy( record.module_name, MODULE_NAME, + sizeof( record.module_name ) ); + + osi_snprintf( record.name, sizeof( record.name ), + "if:%s:IP", ifr->ifr_name ); + + osi_snprintf( record.data, sizeof( record.data ), + "%s", inet_ntoa(inaddrr(ifr_addr.sa_data))); + + send_scan_data( scanner, (SCAN_RECORD *)&record ); + + /* + * This won't work on HP-UX 10.20 as there's no SIOCGIFHWADDR ioctl. You'll + * need to use DLPI or the NETSTAT ioctl on /dev/lan0, etc (and you'll need + * to be root to use the NETSTAT ioctl. Also this is deprecated and doesn't + * work on 11.00). + * + * On Digital Unix you can use the SIOCRPHYSADDR ioctl according to an old + * utility I have. Also on SGI I think you need to use a raw socket, e.g. s + * = socket(PF_RAW, SOCK_RAW, RAWPROTO_SNOOP) + * + * Dave + * + * From: David Peter + **/ + + if ( ioctl(sockfd, SIOCGIFHWADDR, ifr) == 0 ) + { + /* Select which hardware types to process. + ** + ** See list in system include file included from + ** /usr/include/net/if_arp.h (For example, on + ** Linux see file /usr/include/linux/if_arp.h to + ** get the list.) + **/ + + switch (ifr->ifr_hwaddr.sa_family) + { + default: + continue; + + case ARPHRD_NETROM: + case ARPHRD_ETHER: + case ARPHRD_PPP: + case ARPHRD_EETHER: + case ARPHRD_IEEE802: + break; + } + + u = (unsigned char *) &ifr->ifr_addr.sa_data; + + /* send record for MAC for this interface */ + + if (u[0] + u[1] + u[2] + u[3] + u[4] + u[5]) + { + initialize_scan_record( (SCAN_RECORD *)&record, + SCAN_RECORD_TYPE_TEXT_1 ); + + osi_strlcpy( record.module_name, MODULE_NAME, + sizeof( record.module_name ) ); + + osi_snprintf( record.name, sizeof( record.name ), + "if:%s:MAC", ifr->ifr_name ); + + osi_snprintf( record.data, sizeof( record.data ), + "%2.2x.%2.2x.%2.2x.%2.2x.%2.2x.%2.2x", + u[0], u[1], u[2], u[3], u[4], u[5]); + + send_scan_data( scanner, (SCAN_RECORD *)&record ); + } + } + + if ( ioctl(sockfd, SIOCGIFNETMASK, ifr) == 0 && + strcmp("255.255.255.255", inet_ntoa(inaddrr(ifr_addr.sa_data)))) + { + initialize_scan_record( (SCAN_RECORD *)&record, + SCAN_RECORD_TYPE_TEXT_1 ); + + osi_strlcpy( record.module_name, MODULE_NAME, + sizeof( record.module_name ) ); + + osi_snprintf( record.name, sizeof( record.name ), + "if:%s:NETMASK", ifr->ifr_name ); + + osi_snprintf( record.data, sizeof( record.data ), + "%s", inet_ntoa(inaddrr(ifr_addr.sa_data))); + + send_scan_data( scanner, (SCAN_RECORD *)&record ); + } + + if (ifr->ifr_flags & IFF_BROADCAST) + { + if ( ioctl(sockfd, SIOCGIFBRDADDR, ifr) == 0 && + strcmp("0.0.0.0", inet_ntoa(inaddrr(ifr_addr.sa_data)))) + { + + initialize_scan_record( (SCAN_RECORD *)&record, + SCAN_RECORD_TYPE_TEXT_1 ); + + osi_strlcpy( record.module_name, MODULE_NAME, + sizeof( record.module_name ) ); + + osi_snprintf( record.name, sizeof( record.name ), + "if:%s:BROADCAST", ifr->ifr_name ); + + osi_snprintf( record.data, sizeof( record.data ), + "%s",inet_ntoa(inaddrr(ifr_addr.sa_data))); + + send_scan_data( scanner, (SCAN_RECORD *)&record ); + } + } + + /* Added by David Vasil to check for Promiscuous mode */ + + initialize_scan_record( (SCAN_RECORD *)&record, + SCAN_RECORD_TYPE_TEXT_1 ); + + osi_strlcpy( record.module_name, MODULE_NAME, + sizeof( record.module_name ) ); + + + osi_snprintf( record.name, sizeof( record.name ), + "if:%s:PROMISC", ifr->ifr_name ); + + if ( ioctl(sockfd, SIOCGIFFLAGS, ifr) == 0 && + ifr->ifr_flags & IFF_PROMISC) + { + osi_strlcpy( record.data, "ENABLED", sizeof( record.data ) ); + } + + else + { + osi_strlcpy( record.data, "DISABLED", sizeof( record.data ) ); + } + + send_scan_data( scanner, (SCAN_RECORD *)&record ); + + + if ( ioctl(sockfd, SIOCGIFMTU, ifr) == 0 ) + { + initialize_scan_record( (SCAN_RECORD *)&record, + SCAN_RECORD_TYPE_TEXT_1 ); + + osi_strlcpy( record.module_name, MODULE_NAME, + sizeof( record.module_name ) ); + + osi_snprintf( record.name, sizeof( record.name ), + "if:%s:MTU", ifr->ifr_name ); + + osi_snprintf( record.data, sizeof( record.data ), + "%u", ifr->ifr_mtu ); + + send_scan_data( scanner, (SCAN_RECORD *)&record ); + } + + if ( ioctl(sockfd, SIOCGIFMETRIC, ifr) == 0 ) + { + initialize_scan_record( (SCAN_RECORD *)&record, + SCAN_RECORD_TYPE_TEXT_1 ); + + osi_strlcpy( record.module_name, MODULE_NAME, + sizeof( record.module_name ) ); + + osi_snprintf( record.name, sizeof( record.name ), + "if:%s:METRIC", ifr->ifr_name ); + + osi_snprintf( record.data, sizeof( record.data ), + "%u", ifr->ifr_metric ); + + send_scan_data( scanner, (SCAN_RECORD *)&record ); + } + } + + close(sockfd); +} + +void mod_if( SCANNER *scanner ) +{ +#if defined(SYSTEM_LINUX) + process_if_unix( scanner ); +#endif + +}