
[ossec-cvs] ossec-hids: setup-shared.c (NEW) setup-shared.h (NEW) setup-syscheck.c (NEW) make.bat (HEAD) ossec-installer.nsi (HEAD) ossec.conf (HEAD) setup-iis.c (HEAD) setup-win.c (HEAD) win-files.txt (HEAD) [dcid]



Module name:	ossec-hids
Changes by:	dcid	07/09/20 01:06:02

Modified files:
	make.bat ossec-installer.nsi ossec.conf setup-iis.c setup-win.c
	win-files.txt
Added files:
	setup-shared.c setup-shared.h setup-syscheck.c

Log message:
Description: Lots of change here.
1- Fixed and re-organized the policy monitor code. Added support for Unix.
2- Improved Windows UI and install options.
3- Some fixes for the XML lib (old code being reorganized too).
Reviewed by: dcid
Bug:

--- NEW FILE: setup-shared.c ---
/* @(#) $Id: setup-shared.c,v 1.1 2007/09/20 04:06:02 dcid Exp $ */

/* Copyright (C) 2006,2007 Daniel B. Cid <dcid@xxxxxxxxx>
 * All rights reserved.
 *
 * This program is a free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public
 * License (version 3) as published by the FSF - Free Software
 * Foundation
 */
       

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <dirent.h>
#include <time.h>
#include <windows.h>
#include "os_regex/os_regex.h"

#define OSSECCONF   "ossec.conf"
#define OS_MAXSTR   1024


/* Checks if a file exists.
 * Returns 1 when file can be opened for reading, 0 otherwise
 * (so an existing but unreadable file is reported as absent). */
int fileexist(char *file)
{
    FILE *fp = fopen(file, "r");

    if(fp == NULL)
    {
        return(0);
    }

    fclose(fp);
    return(1);
}


/* Grep for a string in a file.
 * str is an OS_Match() pattern tested line by line (at most OS_MAXSTR
 * bytes of each line are read per iteration). Returns 1 on the first
 * matching line, 0 when nothing matches or the file cannot be opened. */
int dogrep(char *file, char *str)
{
    char line[OS_MAXSTR +1];
    int found = 0;
    FILE *fp = fopen(file, "r");

    if(fp == NULL)
    {
        return(0);
    }

    memset(line, '\0', sizeof(line));

    /* Stop reading as soon as a line matches. */
    while(!found && fgets(line, OS_MAXSTR, fp) != NULL)
    {
        found = OS_Match(str, line) ? 1 : 0;
    }

    fclose(fp);
    return(found);
}


/* Check if dir exists.
 * Returns 1 when dir can be opened with opendir(), 0 otherwise. */
int direxist(char *dir)
{
    DIR *dp = opendir(dir);

    if(dp != NULL)
    {
        closedir(dp);
        return(1);
    }

    return(0);
}


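/* Get Windows main directory.
 * file   - destination buffer.
 * f_size - size of the buffer in bytes, terminator included.
 * Expands %WINDIR% into file and falls back to "C:\WINDOWS" when the
 * expansion fails, does not fit, or does not name an existing directory.
 * When f_size > 0 the result is always NUL-terminated; with f_size <= 0
 * or a NULL buffer nothing is written. */
void get_win_dir(char *file, int f_size)
{
    unsigned long n;

    if(file == NULL || f_size <= 0)
    {
        return;
    }

    /* ExpandEnvironmentStrings returns 0 on failure and the required
     * size (including the terminator) otherwise; a value above f_size
     * means the buffer was too small and its contents cannot be used,
     * so direxist() must not be asked about them. */
    n = ExpandEnvironmentStrings("%WINDIR%", file, (unsigned long)f_size);

    if(n == 0 || n > (unsigned long)f_size || !direxist(file))
    {
        /* snprintf always terminates, unlike the strncpy it replaces. */
        snprintf(file, (size_t)f_size, "%s", "C:\\WINDOWS");
    }
}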


/* EOF */

--- NEW FILE: setup-shared.h ---
/* @(#) $Id: setup-shared.h,v 1.1 2007/09/20 04:06:02 dcid Exp $ */

/* Copyright (C) 2006,2007 Daniel B. Cid <dcid@xxxxxxxxx>
 * All rights reserved.
 *
 * This program is a free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public
 * License (version 3) as published by the FSF - Free Software
 * Foundation
 */
       

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <dirent.h>
#include <time.h>
#include <windows.h>
#include "os_regex/os_regex.h"

/* File names used by the setup tools, relative to the OSSEC install
 * directory (the tools chdir() into it before touching them). */
#define OSSECCONF   "ossec.conf"
#define OSSECDEF    "default-ossec.conf"
/* Backup of the previous ossec.conf, kept when a new one is moved into
 * place. */
#define OSSECLAST   "ossec.conf.bak"
#define CLIENTKEYS  "client.keys"
/* Maximum line length read by dogrep(). */
#define OS_MAXSTR   1024


/* Checks if a file exists.
 * Returns 1 when file can be opened for reading, 0 otherwise (an existing
 * but unreadable file is also reported as 0). */
int fileexist(char *file);

/* Grep for a string in a file.
 * str is an OS_Match() pattern tested against each line (at most
 * OS_MAXSTR bytes of it). Returns 1 on the first match, 0 when no line
 * matches or the file cannot be opened. */
int dogrep(char *file, char *str);

/* Check if dir exists.
 * Returns 1 when opendir() succeeds on dir, 0 otherwise. */
int direxist(char *dir);

/* Get Windows main directory.
 * Expands %WINDIR% into file (f_size bytes) and falls back to
 * "C:\WINDOWS" when the result is not an existing directory. */
void get_win_dir(char *file, int f_size);


/* EOF */

--- NEW FILE: setup-syscheck.c ---
/* @(#) $Id: setup-syscheck.c,v 1.1 2007/09/20 04:06:02 dcid Exp $ */

/* Copyright (C) 2006,2007 Daniel B. Cid <dcid@xxxxxxxxx>
 * All rights reserved.
 *
 * This program is a free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public
 * License (version 3) as published by the FSF - Free Software
 * Foundation
 */
       

#include "setup-shared.h"
#include "os_xml/os_xml.h"

#define OSSEC_CONFIG_TMP  ".tmp.ossec.conf"


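/* Enable or disable syscheck (integrity checking) in ossec.conf.
 *
 * Usage: setup-syscheck <dir> enable|disable
 *   argv[1] - OSSEC install directory; the tool chdir()s into it and
 *             works on OSSECCONF relative to it.
 *   argv[2] - "enable" writes <disabled>no</disabled>, "disable" writes
 *             <disabled>yes</disabled>; anything else is rejected.
 *
 * The new config is first written to OSSEC_CONFIG_TMP, the current one is
 * kept as OSSECLAST, and only then is the temporary file moved into place,
 * so the install directory is never left without a usable ossec.conf.
 *
 * Returns 0 on success and 1 on a usage error or any failure, so a caller
 * (the installer) can tell the two apart. */
int main(int argc, char **argv)
{
    char *status;
    char *(xml_syscheck_status[])={"ossec_config","syscheck","disabled", NULL};

    if(argc < 3)
    {
        printf("%s: Invalid syntax.\n", argv[0]);
        printf("Try: '%s <dir> <enable|disable>'\n\n", argv[0]);
        return(1);
    }

    /* Everything below works relative to the install directory. */
    if(chdir(argv[1]) != 0)
    {
        printf("%s: Invalid directory: '%s'.\n", argv[0], argv[1]);
        return(1);
    }

    /* Checking if ossec was installed already */
    if(!fileexist(OSSECCONF))
    {
        printf("%s: OSSEC not installed yet. Exiting.\n", argv[0]);
        return(1);
    }

    /* Only the two documented keywords are accepted; a typo must not
     * silently turn integrity checking off. */
    if(strcmp(argv[2], "enable") == 0)
    {
        status = "no";
    }
    else if(strcmp(argv[2], "disable") == 0)
    {
        status = "yes";
    }
    else
    {
        printf("%s: Invalid option: '%s'. Use 'enable' or 'disable'.\n",
               argv[0], argv[2]);
        return(1);
    }

    /* Writing to the XML (into a temporary file first). */
    if(OS_WriteXML(OSSECCONF, OSSEC_CONFIG_TMP, xml_syscheck_status,
                   NULL, "no", status, 0) != 0)
    {
        printf("%s: Error writing to the Config file. Exiting.\n", argv[0]);
        unlink(OSSEC_CONFIG_TMP);
        return(1);
    }

    /* Renaming config files. On Windows rename() refuses to overwrite an
     * existing target, hence the old backup is removed first. */
    unlink(OSSECLAST);
    if(rename(OSSECCONF, OSSECLAST) != 0)
    {
        printf("%s: Unable to back up '%s'. Exiting.\n", argv[0], OSSECCONF);
        unlink(OSSEC_CONFIG_TMP);
        return(1);
    }

    if(rename(OSSEC_CONFIG_TMP, OSSECCONF) != 0)
    {
        /* Put the previous config back rather than leave none at all. */
        printf("%s: Unable to install the new '%s'. Restoring the previous one.\n",
               argv[0], OSSECCONF);
        rename(OSSECLAST, OSSECCONF);
        unlink(OSSEC_CONFIG_TMP);
        return(1);
    }

    return(0);
}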


/* EOF */

Index: make.bat
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/win32/make.bat,v
diff -u -r1.19 -r1.20
--- make.bat	21 Jul 2007 02:53:21 -0000	1.19
+++ make.bat	20 Sep 2007 04:06:01 -0000	1.20
@@ -4,7 +4,8 @@
 "C:\MinGW\bin\gcc.exe" -o "ossec-agent" -Wall  -DARGV0=\"ossec-agent\" -DCLIENT -DWIN32 -DOSSECHIDS icon.o os_regex/*.c os_net/*.c os_xml/*.c zlib-1.2.3/*.c config/*.c shared/*.c os_crypto/blowfish/*.c os_crypto/md5/*.c os_crypto/sha1/*.c os_crypto/shared/*.c rootcheck/*.c *.c -Iheaders/ -I./ -lwsock32
 "C:\MinGW\bin\gcc.exe" -o "ossec-rootcheck" -Wall  -DARGV0=\"ossec-rootcheck\" -DCLIENT -DWIN32 icon.o os_regex/*.c os_net/*.c os_xml/*.c config/*.c shared/*.c win_service.c rootcheck/*.c -Iheaders/ -I./ -lwsock32
 "C:\MinGW\bin\gcc.exe" -o "manage_agents" -Wall  -DARGV0=\"ossec-agent\" -DCLIENT -DWIN32 -DMA os_regex/*.c zlib-1.2.3/*.c os_zlib.c shared/*.c os_crypto/blowfish/*.c os_crypto/md5/*.c os_crypto/shared/*.c addagent/*.c -Iheaders/ -I./ -lwsock32
-"C:\MinGW\bin\gcc.exe" -o setup-windows -Wall os_regex/*.c setup/setup-win.c -I./
+"C:\MinGW\bin\gcc.exe" -o setup-windows -Wall os_regex/*.c setup/setup-win.c setup/setup-shared.c -I./
+"C:\MinGW\bin\gcc.exe" -o setup-syscheck -Wall os_regex/*.c os_xml/*.c setup/setup-syscheck.c setup/setup-shared.c -I./ -Iheaders/
 "C:\MinGW\bin\gcc.exe" -o service-start -Wall icon.o os_regex/*.c setup/service-start.c -I./
 "C:\MinGW\bin\gcc.exe" -o service-stop -Wall os_regex/*.c setup/service-stop.c -I./
 "C:\MinGW\bin\gcc.exe" -o setup-iis -Wall os_regex/*.c setup/setup-iis.c -I./

Index: ossec-installer.nsi
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/win32/ossec-installer.nsi,v
diff -u -r1.33 -r1.34
--- ossec-installer.nsi	2 Aug 2007 22:34:43 -0000	1.33
+++ ossec-installer.nsi	20 Sep 2007 04:06:01 -0000	1.34
@@ -6,7 +6,7 @@
 ;--------------------------------
 ;General
 
-!define VERSION "1.3"
+!define VERSION "1.4-BETA"
 !define NAME "Ossec HIDS"
 !define /date CDATE "%b %d %Y at %H:%M:%S"
 
@@ -30,8 +30,23 @@
   !define MUI_ICON favicon.ico
   !define MUI_UNICON ossec-uninstall.ico
   !define MUI_WELCOMEPAGE_TEXT "This wizard will guide you through the install of ${Name}.\r\n\r\nClick next to continue."
+
+  ; Page for choosing components.
+  !define MUI_COMPONENTSPAGE_TEXT_TOP "Select the options you want to be executed. Click next to continue."
+
+  ;!define MUI_COMPONENTSPAGE_TEXT_COMPLIST "text complist"
+
+  ;!define MUI_COMPONENTSPAGE_TEXT_INSTTYPE "Select components to install:"
+
+  ;!define MUI_COMPONENTSPAGE_TEXT_DESCRIPTION_TITLE "text abac"
+
+  ;!define MUI_COMPONENTSPAGE_TEXT_DESCRIPTION_INFO "text info oi"
+  
+  !define MUI_COMPONENTSPAGE_NODESC 
+
   !insertmacro MUI_PAGE_WELCOME
   !insertmacro MUI_PAGE_LICENSE "LICENSE.txt"
+  !insertmacro MUI_PAGE_COMPONENTS
   !insertmacro MUI_PAGE_DIRECTORY
   !insertmacro MUI_PAGE_INSTFILES
   !insertmacro MUI_PAGE_FINISH
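Review bot: Five commented-out `!define MUI_COMPONENTSPAGE_TEXT_*` lines with placeholder strings ("text complist", "text abac", "text info oi") are checked in as scaffolding between the welcome text and `MUI_COMPONENTSPAGE_NODESC`. Either drop them or give them real text; as far as I can tell `MUI_COMPONENTSPAGE_NODESC` already removes the description area most of them would feed, so they add nothing as they stand.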
@@ -60,8 +75,10 @@
 FunctionEnd
             
 
-Section "OSSEC HIDS Windows Agent (required)"
+Section "OSSEC Agent (required)" MainSec
 
+;Required section.
+SectionIn RO
 SetOutPath $INSTDIR
 
 ClearErrors
@@ -114,13 +131,23 @@
 ; Install in the services 
 ExecWait '"$INSTDIR\ossec-agent.exe" install-service'
 ExecWait '"$INSTDIR\setup-windows.exe" "$INSTDIR"' 
-ExecWait '"$INSTDIR\os_win32ui.exe" "$INSTDIR"' 
+Exec '"$INSTDIR\os_win32ui.exe" "$INSTDIR"' 
 
 SectionEnd
 
-Section Welcome
+Section "Scan and monitor IIS logs (recommended)" IISLogs
+
+ExecWait '"$INSTDIR\setup-iis.exe" "$INSTDIR"'
 
 SectionEnd
+
+Section "Enable integrity checking (recommended)" IntChecking
+
+ExecWait '"$INSTDIR\setup-syscheck.exe" "$INSTDIR"'
+
+SectionEnd
+
+
 
 Section "Uninstall"
   
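Review bot: The new `IntChecking` section runs `setup-syscheck.exe` with only `"$INSTDIR"`, but setup-syscheck.c in this same commit exits with "Invalid syntax" unless it gets both a directory and `enable|disable` (its `argc < 3` check), so choosing "Enable integrity checking" never flips `<disabled>yes</disabled>` in the new default ossec.conf and syscheck stays off. The line should read `ExecWait '"$INSTDIR\setup-syscheck.exe" "$INSTDIR" enable'`. Neither this ExecWait nor the setup-iis one captures the exit status (`ExecWait '...' $0` would), so a failing helper is invisible to the user; and switching os_win32ui.exe from ExecWait to Exec lets the installer finish while the UI is still running, which looks intended but deserves a comment.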

Index: ossec.conf
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/win32/ossec.conf,v
diff -u -r1.17 -r1.18
--- ossec.conf	18 Oct 2006 02:50:54 -0000	1.17
+++ ossec.conf	20 Sep 2007 04:06:01 -0000	1.18
@@ -1,17 +1,28 @@
-<!-- Agent Example Configuration -->
-
-<!-- First, change the server-ip to the IP of your OSSEC HIDS server. -->
-
-<!-- Second, add any extra file that you may want to monitor. -->
+<!-- OSSEC Win32 Agent Configuration.
+  -  This file is compost of 3 main sections:
+  -    - Client config - Settings to connect to the OSSEC server. 
+  -    - Localfile     - Files/Event logs to monitor.
+  -    - syscheck      - System file/Registry entries to monitor.
+  -->
+
+<!-- READ ME FIRST. If you are configuring OSSEC for the first time, 
+  -  try to use the "Manage_Agent" tool. Go to control panel->OSSEC Agent
+  -  to execute it.
+  -
+  -  First, change the server-ip from "a.b.c.d" to the real IP of your server.
+  -  Second, and optionally, change the settings of the files you want 
+  -          to monitor. Look at our Manual and FAQ for more information.
+  -  Third, start the Agent and enjoy.
+  -->
 
 
 <ossec_config>
   <client>
-    <!-- IP address of the Ossec HIDS server -->
+    <!-- IP address of the Ossec HIDS server. -->
     <server-ip>a.b.c.d</server-ip>
   </client>
 
-  <!-- One entry for each file to monitor -->
+  <!-- One entry for each file/Event log to monitor. -->
   <localfile>
     <location>Application</location>
     <log_format>eventlog</log_format>
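Review bot: The new header comment reads "This file is compost of 3 main sections"; it should say "composed of". The "READ ME FIRST" block also mixes tool names ("Manage_Agent" here, `manage_agents` in make.bat) — using the binary's actual name would help users find it from the control panel entry the comment points to.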
@@ -26,5 +37,43 @@
     <location>System</location>
     <log_format>eventlog</log_format>
   </localfile>
+
+  <!-- Rootcheck - Policy monitor config -->
+  <rootcheck>
+    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
+    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
+    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
+  </rootcheck>  
+
+   <!-- Syscheck - Integrity Checking config. -->
+  <syscheck>
+  
+    <!-- Default frequency, every 18 hours. It doesn't need to be higher
+      -  on most systems and one a day should be enough.
+      -->
+    <frequency>64800</frequency>
+
+    <!-- By default it is disabled. In the Install you must choose
+      -  to enable it.
+      -->
+    <disabled>yes</disabled>  
+    
+    <!-- Default files to be monitored - system32 only. -->
+    <directories check_all="yes">%WINDIR%/system32</directories>
+
+    <!-- Windows registry entries to monitor. -->
+    <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
+    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion</windows_registry>
+    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion</windows_registry>
+    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
+    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes</windows_registry>
+    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control</windows_registry>
+    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
+    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
+  </syscheck>
+
 </ossec_config>
+
+
+<!-- END of Default Configuration. -->
 
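Review bot: The new `<syscheck>` block ships `<directories check_all="yes">%WINDIR%/system32</directories>` with a literal `%WINDIR%`, whereas the code this commit deletes from setup-win.c (add_syscheck/config_syscheck) resolved the Windows directory in C before writing the path; unless the syscheck config reader expands environment variables — not visible here — the default monitors a path that does not exist. The removed config_syscheck also wrote a long `<ignore>` list (System32/LogFiles, Prefetch, Temp, system32/config, …) and config_registry a `<registry_ignore>` list (Installer\UserData, WindowsUpdate, Services\Eventlog, …), none of which reappear in this default, so a fresh install that enables integrity checking will alert continuously on those constantly-changing paths and keys. Consider carrying both ignore lists into this file next to the `<windows_registry>` entries, and fixing "one a day" to "once a day" in the frequency comment.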

Index: setup-iis.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/win32/setup-iis.c,v
diff -u -r1.12 -r1.13
--- setup-iis.c	18 Oct 2006 02:50:54 -0000	1.12
+++ setup-iis.c	20 Sep 2007 04:06:01 -0000	1.13
@@ -84,30 +84,20 @@
 
 
 /* Getting Windows directory */
-char *get_win_dir()
+static void get_win_dir(char *file, int f_size)
 {
-    char *win_dir = "C:\\WINDOWS";
-    if(direxist(win_dir))
-    {
-        return(win_dir);
-    }
+    ExpandEnvironmentStrings("%WINDIR%", file, f_size);
 
-    win_dir = "C:\\WINNT";
-    if(direxist(win_dir))
+    if(!direxist(file))
     {
-        return(win_dir);
+        strncpy(file, "C:\\WINDOWS", f_size);
     }
-
-    /* Default is WINDOWS */
-    return("C:\\WINDOWS");
-
 }
 
 
 
 int config_dir(char *name, char *dir, char *vfile)
 {
-    int add = 0;
     FILE *fp;
 
     if(!direxist(dir))
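Review bot: The new static `get_win_dir` is a verbatim copy of the one added to setup-shared.c, while make.bat still builds setup-iis without setup-shared.c; including "setup-shared.h" and linking the shared object would keep the two from drifting apart. Both copies also ignore the return value of `ExpandEnvironmentStrings`, which is 0 on failure and the required size when `file` is too small, so `direxist(file)` may run on unset or truncated buffer contents, and the `strncpy` fallback does not guarantee a terminator. A check such as `DWORD n = ExpandEnvironmentStrings("%WINDIR%", file, f_size); if(n == 0 || n > (DWORD)f_size || !direxist(file)) snprintf(file, f_size, "%s", "C:\\WINDOWS");` covers both. config_dir's body continues outside the hunk.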
@@ -128,35 +118,6 @@
            "               log available.\n", name);
     printf("%s: http://www.ossec.net/en/manual.html#iis\n\n";, name);
 
-    printf("%s: Do you still want to add '%s'?\n", name, dir);
-    printf("%s: Continue? (y/n):", name);
-    while(1)
-    {
-        char u_buffer[256];
-        memset(u_buffer, '\0', 256);
-        if((fgets(u_buffer, 254, stdin) != NULL) &&
-                (strlen(u_buffer) < 250))
-        {
-            if((u_buffer[0] == 'y') || (u_buffer[0] == 'Y'))
-            {
-                add = 1;
-                break;
-            }
-            else if((u_buffer[0] == 'n') || (u_buffer[0] == 'N'))
-            {
-                add = 0;
-                break;
-            }
-        }
-        printf("%s: Continue? (y/n):", name);
-    }
-
-    if(add == 0)
-    {
-        printf("%s: Action not taken.\n", name);
-        return(1);
-    }
-
 
     /* Add iis config config */
     fp = fopen(OSSECCONF, "a");
@@ -190,7 +151,6 @@
 /* Check if the iis file is present in the config */
 int config_iis(char *name, char *file, char *vfile)
 {
-    int add = 0;
     FILE *fp;
 
     if(!fileexist(file))
@@ -208,33 +168,6 @@
     }
 
     printf("%s: Adding IIS log file to be monitored: '%s'.\n", name,vfile);
-    printf("%s: Continue? (y/n):", name);
-    while(1)
-    {
-        char u_buffer[256];
-        memset(u_buffer, '\0', 256);
-        if((fgets(u_buffer, 254, stdin) != NULL) &&
-                (strlen(u_buffer) < 250))
-        {
-            if((u_buffer[0] == 'y') || (u_buffer[0] == 'Y'))
-            {
-                add = 1;
-                break;
-            }
-            else if((u_buffer[0] == 'n') || (u_buffer[0] == 'N'))
-            {
-                add = 0;
-                break;
-            }
-        }
-        printf("%s: Continue? (y/n):", name);
-    }
-
-    if(add == 0)
-    {
-        printf("%s: Action not taken.\n", name);
-        return(1);
-    }
 
 
     /* Add iis config config */
@@ -270,7 +203,8 @@
     time_t tm;
     struct tm *p;
     
-    char *win_dir;    
+    char win_dir[2048];    
+    
     
     if(argc >= 2)
     {
@@ -302,7 +236,7 @@
     
     
     /* Getting windows directory */
-    win_dir = get_win_dir();
+    get_win_dir(win_dir, sizeof(win_dir) -1);
     
     
     /* Looking for IIS log files */
@@ -391,7 +325,6 @@
         printf("%s: No IIS log added. Look at the link above for more "
                "information.\r\n", argv[0]);
     }
-    system("pause");
     
     return(0);
 }

Index: setup-win.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/win32/setup-win.c,v
diff -u -r1.37 -r1.38
--- setup-win.c	14 Sep 2007 02:38:19 -0000	1.37
+++ setup-win.c	20 Sep 2007 04:06:02 -0000	1.38
@@ -5,359 +5,13 @@
  *
  * This program is a free software; you can redistribute it
  * and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
+ * License (version 3) as published by the FSF - Free Software
  * Foundation
  */
        
 
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <dirent.h>
-#include <time.h>
-#include <windows.h>
-#include "os_regex/os_regex.h"
+#include "setup-shared.h"
 
-#define OSSECCONF   "ossec.conf"
-#define OSSECDEF    "default-ossec.conf"
-#define CLIENTKEYS  "client.keys"
-#define OS_MAXSTR   1024
-
-int fileexist(char *file)
-{
-    FILE *fp;
-
-    /* Opening file */
-    fp = fopen(file, "r");
-    if(!fp)
-        return(0);
-
-    fclose(fp);
-    return(1);
-}
-
-int dogrep(char *file, char *str)
-{
-    char line[OS_MAXSTR +1];
-    FILE *fp;
-
-    /* Opening file */
-    fp = fopen(file, "r");
-    if(!fp)
-        return(0);
-
-    /* Clearing memory */
-    memset(line, '\0', OS_MAXSTR +1);
-
-    /* Reading file and looking for str */ 
-    while(fgets(line, OS_MAXSTR, fp) != NULL)
-    {
-        if(OS_Match(str, line))
-        {
-            fclose(fp);
-            return(1);
-        }
-    }
-
-    fclose(fp);
-    return(0);
-}
-
-
-/* Check if dir exists */
-int direxist(char *dir)
-{
-    DIR *dp;
-
-    /* Opening dir */
-    dp = opendir(dir);
-    if(dp == NULL)
-        return(0);
-
-    closedir(dp);
-    return(1);
-}
-
-
-
-/* Getting Windows directory */
-char *get_win_dir()
-{
-    /* Ok, I should be getting %WINDIR% .. no reason to do that in here.
-     */
-    char *win_dir = "C:\\WINDOWS";
-    if(direxist(win_dir))
-    {
-        return(win_dir);
-    }
-    
-    win_dir = "C:\\WINNT";
-    if(direxist(win_dir))
-    {
-        return(win_dir);
-    }
-
-    win_dir = "D:\\WINDOWS";
-    if(direxist(win_dir))
-    {
-        return(win_dir);
-    }
-
-    /* Default is WINDOWS */
-    return("C:\\WINDOWS");
-    
-}
-
-
-int add_syscheck()
-{
-    char *win_dir;
-    FILE *fp;
-
-    win_dir = get_win_dir();
-
-    /* Add syscheck config */
-    fp = fopen(OSSECCONF, "a");
-    if(!fp)
-        return(0);
-
-    fprintf(fp, 
-            "\r\n"
-            "<!-- Default syscheck config -->\r\n"
-            "<ossec_config>\r\n"
-            "  <syscheck>\r\n"
-            "    <frequency>64800</frequency>\r\n"
-            "    <directories check_all=\"yes\">"
-            "%s/system32</directories>\r\n"
-            "  </syscheck>\r\n"
-            "</ossec_config>\r\n", win_dir);
-    fclose(fp);
-
-    return(0);
-
-}
-
-
-/* Adds the registry checking entries */
-int config_registry()
-{
-    int add_reg_ig = 1;
-    int add_reg_entries = 1;
-    FILE *fp;
-
-
-    /* We add here the last entry */
-    if(dogrep(OSSECCONF, "MediaCategories</registry_ignore>"))
-    {
-        add_reg_ig = 0;
-    }
-
-    /* Registry entries already added */
-    if(dogrep(OSSECCONF, "<windows_registry>"))
-    {
-        add_reg_entries = 0;
-    }
-
-    /* Nothing to add */
-    if((add_reg_ig == 0) && (add_reg_entries == 0))
-    {
-        return(0);
-    }
-
-    /* Add syscheck config */
-    fp = fopen(OSSECCONF, "a");
-    if(!fp)
-        return(0); 
-
-    /* Adding registry */
-    if(add_reg_entries)
-    {
-        fprintf(fp, 
-                "\r\n\r\n"    
-                "<!-- Syscheck registry config -->\r\n"
-                "<ossec_config>\r\n"
-                "  <syscheck>\r\n"
-                "    <windows_registry>%s</windows_registry>\r\n"
-                "    <windows_registry>%s</windows_registry>\r\n"
-                "    <windows_registry>%s</windows_registry>\r\n"
-                "    <windows_registry>%s</windows_registry>\r\n"
-                "    <windows_registry>%s</windows_registry>\r\n"
-                "    <windows_registry>%s</windows_registry>\r\n"
-                "    <windows_registry>%s</windows_registry>\r\n"
-                "    <windows_registry>%s</windows_registry>\r\n"
-                "  </syscheck>\r\n"
-                "</ossec_config>\r\n",
-                "HKEY_LOCAL_MACHINE\\Software\\Classes",
-                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer",
-                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
-                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
-                "HKEY_LOCAL_MACHINE\\Software\\Policies",
-                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control",
-                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services",
-                "HKEY_LOCAL_MACHINE\\Security"
-                );
-    }
-
-    /* Adding ignore entries */
-    if(add_reg_ig)
-    {
-        fprintf(fp,
-                "\r\n\r\n"
-                "<!-- Syscheck registry ignored entries (too big or change too often) -->\r\n"
-                "<ossec_config>\r\n"
-                "  <syscheck>\r\n"
-                "    <registry_ignore>%s</registry_ignore>\r\n"
-                "    <registry_ignore>%s</registry_ignore>\r\n"
-                "    <registry_ignore>%s</registry_ignore>\r\n"
-                "    <registry_ignore>%s</registry_ignore>\r\n"
-                "    <registry_ignore>%s</registry_ignore>\r\n"
-                "    <registry_ignore>%s</registry_ignore>\r\n"
-                "    <registry_ignore>%s</registry_ignore>\r\n"
-                "    <registry_ignore>%s</registry_ignore>\r\n"
-                "    <registry_ignore>%s</registry_ignore>\r\n"
-                "    <registry_ignore>%s</registry_ignore>\r\n"
-                "    <registry_ignore>%s</registry_ignore>\r\n"
-                "    <registry_ignore>%s</registry_ignore>\r\n"
-                "    <registry_ignore>%s</registry_ignore>\r\n"
-                "    <registry_ignore>%s</registry_ignore>\r\n"
-                "    <registry_ignore>%s</registry_ignore>\r\n"
-                "    <registry_ignore>%s</registry_ignore>\r\n"
-                "    <registry_ignore>%s</registry_ignore>\r\n"
-                "    <registry_ignore>%s</registry_ignore>\r\n"
-                "    <registry_ignore>%s</registry_ignore>\r\n"
-                "    <registry_ignore>%s</registry_ignore>\r\n"
-                "    <registry_ignore>%s</registry_ignore>\r\n"
-                "    <registry_ignore>%s</registry_ignore>\r\n"
-                "    <registry_ignore>%s</registry_ignore>\r\n"
-                "    <registry_ignore>%s</registry_ignore>\r\n"
-                "    <registry_ignore type=\"sregex\">\\Enum$</registry_ignore>\r\n"
-                "  </syscheck>\r\n"
-                "</ossec_config>\r\n\r\n",
-                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData",
-                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State",
-                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate",
-                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache",
-                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList",
-                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Prefetcher",
-                "HKEY_LOCAL_MACHINE\\Software\\Classes\\Interface",
-                "HKEY_LOCAL_MACHINE\\Software\\Classes\\TypeLib",
-                "HKEY_LOCAL_MACHINE\\Software\\Classes\\MIME",
-                "HKEY_LOCAL_MACHINE\\Software\\Classes\\Software",
-                "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID",
-                "HKEY_LOCAL_MACHINE\\Security\\Policy\\Secrets",
-                "HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users",
-                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\DeviceClasses",
-                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Watchdog",
-                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\MediaCategories",
-                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Windows",
-                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\hivelist",
-                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\ServiceCurrent",
-                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Print",
-                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager",
-                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Eventlog",
-                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\RemoteAccess\\Performance",
-                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpClient"
-               );
-
-        /*
-        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\splitter\Enum 190
-        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8A7A3521-B100-4315-BD39-C56990BB5C3F} mobile
-        */
-    }
-    
-    fclose(fp);
-
-    return(0);
-
-}
-
-
-/* Check is syscheck is present in the config */
-int config_syscheck()
-{
-    char *win_dir;
-    FILE *fp;
-
-
-    /* Add syscheck config */
-    fp = fopen(OSSECCONF, "a");
-    if(!fp)
-        return(0); 
-
-    /* We will also add rootcheck stuff if not present */
-    if(!dogrep(OSSECCONF, "<rootcheck>") && !dogrep(OSSECCONF,"windows_audit"))
-    {
-        fprintf(fp,
-                "\r\n"
-                "<!-- Rootcheck config -->\r\n"
-                "<ossec_config>\r\n"
-                "  <rootcheck>\r\n"
-                "    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>\r\n"
-                "    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>\r\n"
-                "    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>\r\n"
-                "  </rootcheck>\r\n"
-                "</ossec_config>\r\n"
-               );
-
-    }
-    
-
-    /* We add here the last entry */
-    if(dogrep(OSSECCONF, "dllcache</ignore>"))
-    {
-        fclose(fp);
-        return(0);
-    }
-
-    /* Syscheck not configured, return */
-    if(!dogrep(OSSECCONF, "<syscheck>"))
-    {
-        fclose(fp);
-        return(0);
-    }
-
-
-    win_dir = get_win_dir();
-
-    fprintf(fp, 
-            "\r\n"    
-            "<!-- Updated syscheck config -->\r\n"
-            "<ossec_config>\r\n"
-            "  <syscheck>\r\n"
-            "    <frequency>64800</frequency>\r\n"
-            "    <ignore>%s/System32/LogFiles</ignore>\r\n"
-            "    <ignore>%s/system32/wbem/Logs</ignore>\r\n"
-            "    <ignore>%s/Prefetch</ignore>\r\n"
-            "    <ignore>%s/Debug</ignore>\r\n"
-            "    <ignore>%s/PCHEALTH/HELPCTR/DataColl</ignore>\r\n"
-            "    <ignore>%s/SoftwareDistribution</ignore>\r\n"
-            "    <ignore>%s/Temp</ignore>\r\n"
-            "    <ignore>%s/SchedLgU.Txt</ignore>\r\n"
-            "    <ignore>%s/system32/config</ignore>\r\n"
-            "    <ignore>%s/system32/CatRoot</ignore>\r\n"
-            "    <ignore>%s/system32/wbem/Repository</ignore>\r\n"
-            "    <ignore>%s/LastGood.Tmp</ignore>\r\n"
-            "    <ignore>%s/LastGood</ignore>\r\n"
-            "    <ignore>%s/Help</ignore>\r\n"
-            "    <ignore>%s/Fonts</ignore>\r\n"
-            "    <ignore>%s/PCHEALTH</ignore>\r\n"
-            "    <ignore>%s/system32/dllcache</ignore>\r\n"
-            "    <ignore>%s/system32/spool</ignore>\r\n"
-            "    <ignore type=\"sregex\">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$</ignore>\r\n"
-            "  </syscheck>\r\n"
-            "</ossec_config>\r\n",
-            win_dir, win_dir, win_dir, win_dir, win_dir,
-            win_dir, win_dir, win_dir, win_dir, win_dir,
-            win_dir, win_dir, win_dir, win_dir, win_dir,
-            win_dir, win_dir, win_dir);
-
-    fclose(fp);
-
-    return(0);
-
-}
 
 /* Setup windows after install */
 int main(int argc, char **argv)
@@ -369,13 +23,14 @@
         return(0);
     }
     
+    /* Trying to chdir to ossec directory. */
     if(chdir(argv[1]) != 0)
     {
         printf("%s: Invalid directory: '%s'.\n", argv[0], argv[1]);
         return(0);
     }
     
-    /* Checking if ossec was installed already */
+    /* Checking if ossec was installed already (upgrade) */
     if(!fileexist(OSSECCONF))
     {
         char cmd[OS_MAXSTR +1];
@@ -383,34 +38,6 @@
         /* Copy default config to ossec.conf */
         snprintf(cmd, OS_MAXSTR, "copy %s %s", OSSECDEF, OSSECCONF);
         system(cmd);
-
-
-        /* Adding syscheck */
-        add_syscheck();
-        config_syscheck();
-        config_registry();
-        
-
-        /* Run iis-logs */
-        snprintf(cmd, OS_MAXSTR, "setup-iis.exe .");
-        system(cmd);
-
-    }
-
-    /* If it is present, we need to do the upgrade */
-    else
-    {
-        char cmd[OS_MAXSTR +1];
-
-        
-        /* Look if syscheck is configured, if it is, update it */
-        config_registry();
-        config_syscheck();
-
-
-        /* Run iis-logs here too */
-        snprintf(cmd, OS_MAXSTR, "setup-iis.exe .");
-        system(cmd);
     }
 
 
@@ -421,5 +48,9 @@
 
     /* Configure ossec for automatic startup */
     system("sc config OssecSvc start= auto");
+
+
+    /* Changing permissions. */
+    system("echo y|cacls . /T /G Administrators:f ");
     return(0);
 }
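Review bot: `system("echo y|cacls . /T /G Administrators:f ")` replaces the ACL of the whole install tree (presumably including client.keys) and its result is never checked, so when cacls fails the directory silently keeps its inherited, typically world-readable permissions. Two failures are predictable: `Administrators` is the English name of the group and `echo y` answers only the English "Are you sure (Y/N)?" prompt, so on a localized Windows the command does nothing; and `/G` without `/E` discards every existing ACE, so any account the service runs under must be covered by the new grant. Where available, prefer a language-neutral identity (icacls accepts the well-known SID `*S-1-5-32-544`) and test the return value, e.g. `if(system(cmd) != 0) printf("%s: Unable to restrict permissions on '%s'.\n", argv[0], argv[1]);`. main's body starts outside the hunk.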

Index: win-files.txt
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/win32/win-files.txt,v
diff -u -r1.26 -r1.27
--- win-files.txt	18 Sep 2007 03:09:56 -0000	1.26
+++ win-files.txt	20 Sep 2007 04:06:02 -0000	1.27
@@ -44,6 +44,9 @@
 win32/make.bat make.bat
 win32/setup-win.c setup/setup-win.c
 win32/setup-iis.c setup/setup-iis.c
+win32/setup-shared.c setup/setup-shared.c
+win32/setup-shared.h setup/setup-shared.h
+win32/setup-syscheck.c setup/setup-syscheck.c
 win32/add-localfile.c setup/add-localfile.c
 win32/ossec-win.conf default-ossec.conf
 win32/internal_options-win.conf internal_options.conf



