
syscheck: whitelist for files in an sqlite database#1091

Merged
ddpbsd merged 21 commits into ossec:master from ddpbsd:sqlite_ignore on Dec 25, 2017

Conversation

@ddpbsd
Member

@ddpbsd ddpbsd commented Mar 11, 2017

Integrate a patch from Xavier Mertens to ignore MD5s for files in an sqlite database.
https://blog.rootshell.be/2013/05/13/improving-file-integrity-monitoring-with-ossec/

I have only done VERY light testing, so this needs to be tested before merge. For instance, I'm not sure the syscheck db entry gets updated if the file is in the sqlite db. Should it be? Not sure yet.


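Added example, not code from this PR or from OSSEC: a stand-alone sketch in Python (stdlib sqlite3, so it runs without the project build) of the lookup the patch performs on each syscheck event. It opens the database once and reuses the connection, binds the digest as a query parameter instead of splicing it into SQL, and refuses to consult the database for anything that is not a 32-character hex digest, so a malformed field can never cause an event to be ignored. The whitelist rows, the event line and the size:perm:uid:gid:md5:sha1 field layout are assumptions made for the example; check the layout against the OSSEC version you run.

```python
import re
import sqlite3

# Constructed sample data for this example (not taken from OSSEC or the PR):
# MD5 digests that syscheck should treat as known-good and not alert on.
SAMPLE_WHITELIST = [
    ("d41d8cd98f00b204e9800998ecf8427e", "/usr/bin/empty-file"),
    ("9E107D9D372BB6826BD81D3542A419D6", "/usr/share/doc/fox.txt"),  # mixed case on purpose
]

# A constructed syscheck-style message. The field layout assumed here is
# size:perm:uid:gid:md5:sha1 followed by a space and the path.
SAMPLE_EVENT = (
    "0:33188:0:0:d41d8cd98f00b204e9800998ecf8427e:"
    "da39a3ee5e6b4b0d3255bfef95601890afd80709 /usr/bin/empty-file"
)

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def normalize_md5(digest):
    """Return the digest lower-cased, or None if it is not 32 hex characters."""
    digest = digest.strip().lower()
    return digest if MD5_RE.match(digest) else None


class Md5Whitelist:
    """MD5 whitelist backed by an sqlite database.

    The connection is opened once in __init__ and reused for every lookup;
    the digest is always passed as a bound parameter.
    """

    def __init__(self, path=":memory:"):
        self.conn = sqlite3.connect(path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS md5s (md5 TEXT PRIMARY KEY, path TEXT)"
        )
        self.conn.commit()

    def add(self, digest, path):
        md5 = normalize_md5(digest)
        if md5 is None:
            raise ValueError("not an MD5 hex digest: %r" % digest)
        self.conn.execute(
            "INSERT OR REPLACE INTO md5s (md5, path) VALUES (?, ?)", (md5, path)
        )
        self.conn.commit()

    def contains(self, digest):
        md5 = normalize_md5(digest)
        if md5 is None:
            return False  # garbage never matches, so the event is not ignored
        row = self.conn.execute(
            "SELECT 1 FROM md5s WHERE md5 = ?", (md5,)
        ).fetchone()
        return row is not None

    def close(self):
        self.conn.close()


def md5_from_syscheck(msg):
    """Extract the MD5 field from a syscheck message, or None if malformed."""
    attrs = msg.split(" ", 1)[0]
    fields = attrs.split(":")
    if len(fields) < 6:
        return None
    return normalize_md5(fields[4])


def should_ignore(whitelist, msg):
    """True when the event's MD5 is whitelisted and no alert should be raised."""
    md5 = md5_from_syscheck(msg)
    return md5 is not None and whitelist.contains(md5)


def build_sample_whitelist():
    wl = Md5Whitelist()
    for digest, path in SAMPLE_WHITELIST:
        wl.add(digest, path)
    return wl


if __name__ == "__main__":
    wl = build_sample_whitelist()
    print("ignore sample event:", should_ignore(wl, SAMPLE_EVENT))
    wl.close()
```

In the decoder this would correspond to opening the handle once at startup and keeping it for the life of the process; the per-event work is then a single indexed lookup on the primary key.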

@jrossi jrossi self-requested a review March 14, 2017 12:43
jrossi
jrossi previously requested changes Mar 14, 2017
Member

@jrossi jrossi left a comment


Outside of the Makefile stuff this should just work. I would think it might make more sense to use this throughout OSSEC, maybe in place of cdb.

src/Makefile

analysisd/decoders/%-test.o: analysisd/decoders/%.c
${OSSEC_CC} ${OSSEC_CFLAGS} -DTESTRULE -DARGV0=\"ossec-analysisd\" -I./analysisd -I./analysisd/decoders -c $^ -o $@
${OSSEC_CC} ${OSSEC_CFLAGS} -DTESTRULE -DARGV0=\"ossec-analysisd\" -I./analysisd -I./analysisd/decoders -c $^ -lsqlite3 -o $@
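Review bot: `-lsqlite3` on the changed line has no effect, because the rule compiles with `-c` and never links; the object file is produced exactly as before and the library still has to be named when ossec-analysisd itself is linked. Move `-lsqlite3` to the link step for the binaries that need it (or to the variable those link lines already use for libraries) instead of appending it to each `${OSSEC_CC} ... -c` compile line.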
Member

Why is the lib loaded onto each CC line? Should it not be appended to the correct CFLAGS?

Member Author

I had enough trouble figuring out how to get it working, that I didn't get around to "optimizing." I'll definitely work on this though, thanks!

return(0);
}
debug1("%s: Checking MD5 '%s' in %s", ARGV0, p, Config.md5db);
if (!(error = sqlite3_open(Config.md5db, &conn))) {
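Review bot: `sqlite3_open(Config.md5db, &conn)` runs on every MD5 check, so the database is opened from scratch for each syscheck event. Open it once when the decoder is initialised and keep the `sqlite3 *` handle, preferably with the lookup prepared once via `sqlite3_prepare_v2()` and the digest bound with `sqlite3_bind_text()` on each call. Note also that when `sqlite3_open()` returns an error the handle is still allocated, so the failure branch of this `if` must call `sqlite3_close(conn)` rather than just returning.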
Member

Could be completely wrong here, but opening and closing the SQLite db for each operation seems incorrect. Should it not be done once?

Member Author

I pulled the code straight from Xavier, I haven't looked into it much more than that. Definitely something to work on though, thanks!

@ddpbsd ddpbsd dismissed jrossi’s stale review December 25, 2017 21:49

I made the changes, but can't figure out how to "approve" the review or whatever.

@ddpbsd ddpbsd merged commit 3e4a024 into ossec:master Dec 25, 2017
@ddpbsd ddpbsd deleted the sqlite_ignore branch December 26, 2017 15:41
@PSanchezR PSanchezR mentioned this pull request Jan 5, 2018

2 participants