Port osiris to -ng
1 Description: The mod_if module monitors various aspects of network
2 interfaces for change, including IP, Hardware Address,
3 broadcast, MTU, metric, and promiscuous mode.
4 Version: 0.2
5
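--- a/src/osirisd/modules/mod_if/Makefile
+++ b/src/osirisd/modules/mod_if/Makefile
@@ -0,0 +1,16 @@
+
+include ../Makefile
+
+SRCS=mod_if.c
+OBJS=$(SRCS:.c=.o)
+
+module: ${SRCS} ${OBJS}
+
+INCS=-I../.. -I../../../libosiris -I../../../libfileapi -I../../../..
+
+# meta-rule for compiling any "C" source file.
+$(OBJS): $(SRCS)
+ $(CC) $(DEFS) $(DEFAULT_INCLUDES) ${INCLUDES} ${INCS} $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c $(SRCS)
+ cp $@ ..
+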
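--- a/src/osirisd/modules/mod_if/README
+++ b/src/osirisd/modules/mod_if/README
@@ -0,0 +1,42 @@
+
+Module: mod_if
+Author: Brian Wotring (brian@hostintegrity.com)
+
+
+
+DESCRIPTION:
+
+The mod_if module is designed originally to monitor the promisc flag
+on network interfaces, but quickly turned into being able to monitor
+various aspects of network interfaces including hardware address,
+IP address, broadcast, MTU, and metric.
+
+This module is somewhat different in that each record is an element
+about a network interface as opposed to one record per interface. This
+will make it easier to add more elements to be monitored, easier to
+filter, and easier to understand alerts.
+
+USE:
+
+To use this module, all that is needed is to include it in the Modules
+block of a scan configuration, e.g.:
+
+ <Modules>
+ ...
+ Include mod_if
+ ...
+ </Modules>
+
+
+PARAMETERS:
+
+There are no parameters for this module.
+
+PLATFORMS:
+
+Currently, this module is only implemented for Linux.
+
+NOTES:
+
+
+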
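--- a/src/osirisd/modules/mod_if/mod_if.c
+++ b/src/osirisd/modules/mod_if/mod_if.c
@@ -0,0 +1,317 @@
+
+/******************************************************************************
+**
+** Copyright (C) 2005 Brian Wotring.
+**
+** This program is free software; you can redistribute it and/or
+** modify it, however, you cannot sell it.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+**
+** You should have received a copy of the license attached to the
+** use of this software. If not, view a current copy of the license
+** file here:
+**
+** http://www.hostintegrity.com/osiris/LICENSE
+**
+******************************************************************************/
+
+/*****************************************************************************
+**
+** File: mod_if.c
+** Date: September 23, 2005
+**
+** Author: Brian Wotring
+** Purpose: platform specific methods for monitoring network devices.
+**
+******************************************************************************/
+
+
+/* CODE USED IN THIS MODULE WAS ORIGINALLY TAKEN FROM:
+*
+* http://mail.nl.linux.org/kernelnewbies/2003-05/msg00090.html
+*/
+
+static const char *MODULE_NAME = "mod_if";
+
+
+#ifndef WIN32
+#include "config.h"
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#ifndef WIN32
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <net/if.h>
+#endif
+
+#include <sys/ioctl.h>
+#include <net/if_arp.h>
+#include <arpa/inet.h>
+
+
+#include "libosiris.h"
+#include "libfileapi.h"
+#include "rootpriv.h"
+#include "common.h"
+#include "version.h"
+
+#include "scanner.h"
+#include "logging.h"
+
+
+#define inaddrr(x) (*(struct in_addr *) &ifr->x[sizeof sa.sin_port])
+#define IFRSIZE ((int)(size * sizeof (struct ifreq)))
+
+void process_if_unix( SCANNER *scanner )
+{
+ unsigned char*u;
+ int sockfd, size = 1;
+ struct ifreq *ifr;
+ struct ifconf ifc;
+ struct sockaddr_in sa;
+
+ SCAN_RECORD_TEXT_1 record;
+
+ /* Make sure we are able to create sockets */
+
+ if ( (sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_IP)) < 0 )
+ {
+ log_error( "mod_if unable to create socket!" );
+ return;
+ }
+
+ ifc.ifc_len = IFRSIZE;
+ ifc.ifc_req = NULL;
+
+ do
+ {
+ ++size;
+
+ /* realloc buffer size until no overflow occurs */
+
+ if ((ifc.ifc_req = realloc(ifc.ifc_req, IFRSIZE)) == NULL )
+ {
+ log_error( "out of memory!!!" );
+ return;
+ }
+
+ ifc.ifc_len = IFRSIZE;
+
+ if (ioctl(sockfd, SIOCGIFCONF, &ifc))
+ {
+ log_error("ioctl failure: SIOCFIFCONF");
+ return;
+ }
+
+ } while (IFRSIZE <= ifc.ifc_len);
+
+ ifr = ifc.ifc_req;
+
+ for (;(char *) ifr < (char *) ifc.ifc_req + ifc.ifc_len; ++ifr)
+ {
+ if (ifr->ifr_addr.sa_data == (ifr+1)->ifr_addr.sa_data)
+ {
+ continue; /* duplicate, skip it */
+ }
+
+ if (ioctl(sockfd, SIOCGIFFLAGS, ifr))
+ {
+ continue; /* failed to get flags, skip it */
+ }
+
+ initialize_scan_record( (SCAN_RECORD *)&record,
+ SCAN_RECORD_TYPE_TEXT_1 );
+
+ osi_strlcpy( record.module_name, MODULE_NAME,
+ sizeof( record.module_name ) );
+
+ osi_snprintf( record.name, sizeof( record.name ),
+ "if:%s:IP", ifr->ifr_name );
+
+ osi_snprintf( record.data, sizeof( record.data ),
+ "%s", inet_ntoa(inaddrr(ifr_addr.sa_data)));
+
+ send_scan_data( scanner, (SCAN_RECORD *)&record );
+
+ /*
+ * This won't work on HP-UX 10.20 as there's no SIOCGIFHWADDR ioctl. You'll
+ * need to use DLPI or the NETSTAT ioctl on /dev/lan0, etc (and you'll need
+ * to be root to use the NETSTAT ioctl. Also this is deprecated and doesn't
+ * work on 11.00).
+ *
+ * On Digital Unix you can use the SIOCRPHYSADDR ioctl according to an old
+ * utility I have. Also on SGI I think you need to use a raw socket, e.g. s
+ * = socket(PF_RAW, SOCK_RAW, RAWPROTO_SNOOP)
+ *
+ * Dave
+ *
+ * From: David Peter <dave.peter@eu.citrix.com>
+ **/
+
+ if ( ioctl(sockfd, SIOCGIFHWADDR, ifr) == 0 )
+ {
+ /* Select which hardware types to process.
+ **
+ ** See list in system include file included from
+ ** /usr/include/net/if_arp.h (For example, on
+ ** Linux see file /usr/include/linux/if_arp.h to
+ ** get the list.)
+ **/
+
+ switch (ifr->ifr_hwaddr.sa_family)
+ {
+ default:
+ continue;
+
+ case ARPHRD_NETROM:
+ case ARPHRD_ETHER:
+ case ARPHRD_PPP:
+ case ARPHRD_EETHER:
+ case ARPHRD_IEEE802:
+ break;
+ }
+
+ u = (unsigned char *) &ifr->ifr_addr.sa_data;
+
+ /* send record for MAC for this interface */
+
+ if (u[0] + u[1] + u[2] + u[3] + u[4] + u[5])
+ {
+ initialize_scan_record( (SCAN_RECORD *)&record,
+ SCAN_RECORD_TYPE_TEXT_1 );
+
+ osi_strlcpy( record.module_name, MODULE_NAME,
+ sizeof( record.module_name ) );
+
+ osi_snprintf( record.name, sizeof( record.name ),
+ "if:%s:MAC", ifr->ifr_name );
+
+ osi_snprintf( record.data, sizeof( record.data ),
+ "%2.2x.%2.2x.%2.2x.%2.2x.%2.2x.%2.2x",
+ u[0], u[1], u[2], u[3], u[4], u[5]);
+
+ send_scan_data( scanner, (SCAN_RECORD *)&record );
+ }
+ }
+
+ if ( ioctl(sockfd, SIOCGIFNETMASK, ifr) == 0 &&
+ strcmp("255.255.255.255", inet_ntoa(inaddrr(ifr_addr.sa_data))))
+ {
+ initialize_scan_record( (SCAN_RECORD *)&record,
+ SCAN_RECORD_TYPE_TEXT_1 );
+
+ osi_strlcpy( record.module_name, MODULE_NAME,
+ sizeof( record.module_name ) );
+
+ osi_snprintf( record.name, sizeof( record.name ),
+ "if:%s:NETMASK", ifr->ifr_name );
+
+ osi_snprintf( record.data, sizeof( record.data ),
+ "%s", inet_ntoa(inaddrr(ifr_addr.sa_data)));
+
+ send_scan_data( scanner, (SCAN_RECORD *)&record );
+ }
+
+ if (ifr->ifr_flags & IFF_BROADCAST)
+ {
+ if ( ioctl(sockfd, SIOCGIFBRDADDR, ifr) == 0 &&
+ strcmp("0.0.0.0", inet_ntoa(inaddrr(ifr_addr.sa_data))))
+ {
+
+ initialize_scan_record( (SCAN_RECORD *)&record,
+ SCAN_RECORD_TYPE_TEXT_1 );
+
+ osi_strlcpy( record.module_name, MODULE_NAME,
+ sizeof( record.module_name ) );
+
+ osi_snprintf( record.name, sizeof( record.name ),
+ "if:%s:BROADCAST", ifr->ifr_name );
+
+ osi_snprintf( record.data, sizeof( record.data ),
+ "%s",inet_ntoa(inaddrr(ifr_addr.sa_data)));
+
+ send_scan_data( scanner, (SCAN_RECORD *)&record );
+ }
+ }
+
+ /* Added by David Vasil to check for Promiscuous mode */
+
+ initialize_scan_record( (SCAN_RECORD *)&record,
+ SCAN_RECORD_TYPE_TEXT_1 );
+
+ osi_strlcpy( record.module_name, MODULE_NAME,
+ sizeof( record.module_name ) );
+
+
+ osi_snprintf( record.name, sizeof( record.name ),
+ "if:%s:PROMISC", ifr->ifr_name );
+
+ if ( ioctl(sockfd, SIOCGIFFLAGS, ifr) == 0 &&
+ ifr->ifr_flags & IFF_PROMISC)
+ {
+ osi_strlcpy( record.data, "ENABLED", sizeof( record.data ) );
+ }
+
+ else
+ {
+ osi_strlcpy( record.data, "DISABLED", sizeof( record.data ) );
+ }
+
+ send_scan_data( scanner, (SCAN_RECORD *)&record );
+
+
+ if ( ioctl(sockfd, SIOCGIFMTU, ifr) == 0 )
+ {
+ initialize_scan_record( (SCAN_RECORD *)&record,
+ SCAN_RECORD_TYPE_TEXT_1 );
+
+ osi_strlcpy( record.module_name, MODULE_NAME,
+ sizeof( record.module_name ) );
+
+ osi_snprintf( record.name, sizeof( record.name ),
+ "if:%s:MTU", ifr->ifr_name );
+
+ osi_snprintf( record.data, sizeof( record.data ),
+ "%u", ifr->ifr_mtu );
+
+ send_scan_data( scanner, (SCAN_RECORD *)&record );
+ }
+
+ if ( ioctl(sockfd, SIOCGIFMETRIC, ifr) == 0 )
+ {
+ initialize_scan_record( (SCAN_RECORD *)&record,
+ SCAN_RECORD_TYPE_TEXT_1 );
+
+ osi_strlcpy( record.module_name, MODULE_NAME,
+ sizeof( record.module_name ) );
+
+ osi_snprintf( record.name, sizeof( record.name ),
+ "if:%s:METRIC", ifr->ifr_name );
+
+ osi_snprintf( record.data, sizeof( record.data ),
+ "%u", ifr->ifr_metric );
+
+ send_scan_data( scanner, (SCAN_RECORD *)&record );
+ }
+ }
+
+ close(sockfd);
+}
+
+void mod_if( SCANNER *scanner )
+{
+#if defined(SYSTEM_LINUX)
+ process_if_unix( scanner );
+#endif
+
+}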
391 +
392 +}