Merge branch 'ossec:master' into master
Tylerlhess authored Jan 13, 2025
2 parents f2b6968 + a282687 commit b17e9a7
Showing 3 changed files with 97 additions and 61 deletions.
26 changes: 25 additions & 1 deletion CHANGELOG.md
Expand Up @@ -4,15 +4,39 @@

Dan Parriott

Scott R. Shinn (http://www.atomicorp.com)
Scott R. Shinn (https://www.atomicorp.com)

**Contributors on this release**

- @1stmile-sysEngineer
- @atomicturtle
- @ddpbsd
- @g3rhard
- @pwntester
- @ngarratt
- @staskysel
- @XALM1337X

**Release Notes**

Update to authd to enforce chrooting, and privilege separation. The authd daemon will by default run as the ossec user. Adds support for AIX 7.x on power architecture (8/9/10).


**General**

- @ddpbsd - [PR 1874](https://github.com/ossec/ossec-hids/pull/1874) - pcre2 fix for windows1 decoders
- @g3rhard - [PR 1939](https://github.com/ossec/ossec-hids/pull/1939) - fix for AppArmor rules (added 5100 rule as parent)
- @ngarratt - [PR 1958](https://github.com/ossec/ossec-hids/pull/1958) - Support for AIX 7
- @ddpbsd - [PR 2062](https://github.com/ossec/ossec-hids/pull/2062) - Fix for issue #2020, False positive "Trojaned version of file '/bin/diff' detected" on Archlinux
- @staskysel - [PR 2064](https://github.com/ossec/ossec-hids/pull/2064) - Fix overwriting an agent counter with sender counter during updating keys
- @pwntester - [PR 2070](https://github.com/ossec/ossec-hids/pull/2070) - Add CodeQL wofkflow
- @1stmile-sysEngineer, @ddpbsd - [PR 2084](https://github.com/ossec/ossec-hids/pull/2084) Update for 1stmile rootkit detection
- @XALM1337X - [PR 2092](https://github.com/ossec/ossec-hids/pull/2092) Fix for CVE-2020-8446
- @XALM1337X - [PR 2094](https://github.com/ossec/ossec-hids/pull/2094) Fix for CVE-2020-8445
- @atomicturtle - [PR 2143](https://github.com/ossec/ossec-hids/pull/2143) Enforce chroot and privilege separation for the authd daemon




**OSSEC changelog (3.7.0) <[email protected]>**

2 changes: 1 addition & 1 deletion src/addagent/validate.c
Expand Up @@ -109,7 +109,7 @@ char *OS_AddNewAgent(const char *name, const char *ip, const char *id)
}

char authentication_file[2048 + 1];
snprintf(authentication_file, 2048, "%s%s", DEFAULTDIR, AUTH_FILE);
snprintf(authentication_file, 2048, "%s", AUTH_FILE);

fp = fopen(authentication_file, "a");
if (!fp) {
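Review bot: Dropping DEFAULTDIR from the snprintf makes `authentication_file` correct only when the calling process has already chrooted to DEFAULTDIR, so that precondition now applies to every caller of OS_AddNewAgent, not just authd. validate.c appears to be shared with the addagent/manage_agents tooling; if any of those callers runs unchrooted, the fopen on the next line would open AUTH_FILE against the host filesystem rather than the OSSEC tree — worth confirming against each caller. Record the assumption above the snprintf: `/* AUTH_FILE is chroot-relative: callers must already be chrooted to DEFAULTDIR */`. OS_AddNewAgent starts before this hunk and continues past it.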
130 changes: 71 additions & 59 deletions src/os_auth/main-server.c
Expand Up @@ -22,18 +22,6 @@
*
*/

#ifndef LIBOPENSSL_ENABLED

#include <stdlib.h>
#include <stdio.h>
int main()
{
printf("ERROR: Not compiled. Missing OpenSSL support.\n");
exit(0);
}

#else

#include <sys/wait.h>
#include "auth.h"
#include "os_crypto/md5/md5_op.h"
Expand Down Expand Up @@ -161,11 +149,13 @@ int main(int argc, char **argv)
int c = 0, test_config = 0, use_ip_address = 0, pid = 0, status, i = 0, active_processes = 0;
int use_pass = 1;
int run_foreground = 0;
gid_t uid;
gid_t gid;
int client_sock = 0, sock = 0, portnum, ret = 0;
char *port = DEFAULT_PORT;
char *ciphers = DEFAULT_CIPHERS;
const char *dir = DEFAULTDIR;
const char *user = USER;
const char *group = GROUPGLOBAL;
const char *server_cert = NULL;
const char *server_key = NULL;
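Review bot: `uid` is declared with the wrong type at `gid_t uid;` — later in main it is compared against `(uid_t) - 1` and passed to Privsep_SetUser and chown, which take a uid_t, so on a platform where uid_t and gid_t differ in width the sentinel check can silently fail; change it to `uid_t uid;`. The same value is later formatted with `%d` in a merror call even though it is unsigned, so cast it or use `%u` there. The new `u:` entry added to the getopt string in the following hunk should also be reflected in the program's usage text, which is not in this diff. main starts before this hunk and continues past it.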
Expand All @@ -191,7 +181,7 @@ int main(int argc, char **argv)
/* Set the name */
OS_SetName(ARGV0);

while ((c = getopt(argc, argv, "Vdhtfig:D:m:p:c:v:x:k:n")) != -1) {
while ((c = getopt(argc, argv, "Vdhtfiu:g:D:m:p:c:v:x:k:n")) != -1) {
switch (c) {
case 'V':
print_version();
Expand All @@ -205,6 +195,12 @@ int main(int argc, char **argv)
case 'i':
use_ip_address = 1;
break;
case 'u':
if (!optarg) {
ErrorExit("%s: -u needs an argument", ARGV0);
}
user = optarg;
break;
case 'g':
if (!optarg) {
ErrorExit("%s: -g needs an argument", ARGV0);
Expand Down Expand Up @@ -266,56 +262,64 @@ int main(int argc, char **argv)
}
}

/* Start daemon -- NB: need to double fork and setsid */
debug1(STARTED_MSG, ARGV0);
if (chdir(dir) == -1) {
ErrorExit(CHDIR_ERROR, ARGV0, dir, errno, strerror(errno));
}

/* Exit here if test config is set */
if (test_config) {
exit(0);
}


/* Check if the user/group given are valid */
uid = Privsep_GetUser(user);
gid = Privsep_GetGroup(group);
if (gid == (gid_t) - 1) {
ErrorExit(USER_ERROR, ARGV0, "", group);
if (uid == (uid_t) - 1 || gid == (gid_t) - 1) {
ErrorExit(USER_ERROR, ARGV0, user, group);
}


if (!run_foreground) {
nowDaemon();
goDaemon();
}

/* Create PID files */
if (CreatePID(ARGV0, getpid()) < 0) {
ErrorExit(PID_ERROR, ARGV0);
}

/* Exit here if test config is set */
if (test_config) {
exit(0);
}

/* Privilege separation */
if (Privsep_SetGroup(gid) < 0) {
ErrorExit(SETGID_ERROR, ARGV0, group, errno, strerror(errno));
}

/* chroot -- TODO: this isn't a chroot. Should also close
* unneeded open file descriptors (like stdin/stdout)
*/
if (chdir(dir) == -1) {
ErrorExit(CHDIR_ERROR, ARGV0, dir, errno, strerror(errno));
}

/* Signal manipulation */
StartSIG(ARGV0);


/* Create PID files */
if (CreatePID(ARGV0, getpid()) < 0) {
ErrorExit(PID_ERROR, ARGV0);
ErrorExit(PID_ERROR, ARGV0);
}

atexit(cleanup);

/* Start up message */
verbose(STARTUP_MSG, ARGV0, (int)getpid());


/* load keys */
fp = fopen(KEYSFILE_PATH, "a");
if (!fp) {
merror("%s: ERROR: Unable to open %s (key file)", ARGV0, KEYSFILE_PATH);
exit(1);
}
fclose(fp);

/* Set ownership to ossec user and group */
if (chown(KEYSFILE_PATH, uid, gid) < 0) {
merror("%s: ERROR: Unable to set ownership of %s to %d:%d (%s)", ARGV0, KEYSFILE_PATH, uid, gid, strerror(errno));
exit(1);
}

/* Set permissions to read/write for owner, read for group */
if (chmod(KEYSFILE_PATH, 0640) < 0) {
merror("%s: ERROR: Unable to set permissions of %s to 0640 (%s)", ARGV0, KEYSFILE_PATH, strerror(errno));
exit(1);
}

if (use_pass) {

/* Checking if there is a custom password file */
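Review bot: The key file is created by `fopen(KEYSFILE_PATH, "a")` with umask-derived permissions and only afterwards tightened by chown and chmod on the path, after the handle has already been closed; for a file holding agent keys the final mode should be given at creation and the ownership applied to the open descriptor, so there is no window with a permissive mode and the fix-up cannot be diverted by a path change. Using open(2) with mode 0640 plus fchown/fchmod (from <fcntl.h>, <unistd.h> and <sys/stat.h>, all POSIX like the chown/chmod already used) achieves that; the sketch below also fixes the `%d` formatting of the unsigned uid/gid. This runs before the chroot performed later in main, so confirm KEYSFILE_PATH is the path as seen from outside the chroot. main continues past the end of this hunk.
```c
/* … unchanged: daemon start, PID file, atexit(cleanup), start-up message … */

/* load keys: create the file with its final mode (no umask-derived window)
 * and fix ownership on the open descriptor rather than by path */
int keys_fd = open(KEYSFILE_PATH, O_WRONLY | O_CREAT | O_APPEND, 0640);
if (keys_fd < 0) {
    merror("%s: ERROR: Unable to open %s (key file)", ARGV0, KEYSFILE_PATH);
    exit(1);
}
if (fchown(keys_fd, uid, gid) < 0) {
    merror("%s: ERROR: Unable to set ownership of %s to %u:%u (%s)", ARGV0, KEYSFILE_PATH, (unsigned)uid, (unsigned)gid, strerror(errno));
    exit(1);
}
/* a pre-existing file keeps its old mode: enforce 0640 on the descriptor */
if (fchmod(keys_fd, 0640) < 0) {
    merror("%s: ERROR: Unable to set permissions of %s to 0640 (%s)", ARGV0, KEYSFILE_PATH, strerror(errno));
    exit(1);
}
close(keys_fd);

/* … unchanged: password handling … */
```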
Expand Down Expand Up @@ -345,16 +349,12 @@ int main(int argc, char **argv)
verbose("Accepting connections. No password required (not recommended)");
}

/* Getting SSL cert. */

fp = fopen(KEYSFILE_PATH, "a");
if (!fp) {
merror("%s: ERROR: Unable to open %s (key file)", ARGV0, KEYSFILE_PATH);
exit(1);
}
fclose(fp);
/* Setup random */
srandom_init();

/* Start SSL */
/* Getting SSL cert. */
ctx = os_ssl_keys(1, dir, ciphers, server_cert, server_key, ca_cert);
if (!ctx) {
merror("%s: ERROR: SSL error. Exiting.", ARGV0);
Expand All @@ -368,22 +368,35 @@ int main(int argc, char **argv)
exit(1);
}

/* initialize select() save area */
fdsave = netinfo->fdset;
fdmax = netinfo->fdmax; /* value preset to max fd + 1 */
/* Privilege separation */
if (Privsep_SetGroup(gid) < 0) {
ErrorExit(SETGID_ERROR, ARGV0, group, errno, strerror(errno));
}

debug1("%s: DEBUG: Going into listening mode.", ARGV0);
/* Chroot to the specified directory */
if (Privsep_Chroot(dir) < 0) {
ErrorExit(CHROOT_ERROR, ARGV0, dir, errno, strerror(errno));
}

/* Setup random */
srandom_init();
if (Privsep_SetUser(uid) < 0) {
ErrorExit(SETUID_ERROR, ARGV0, user, errno, strerror(errno));
}

/* Chroot */
/*
if (Privsep_Chroot(dir) < 0)
ErrorExit(CHROOT_ERROR, ARGV0, dir, errno, strerror(errno));

/* Log that we are now in the chrooted environment */
nowChroot();
*/

/* Change working directory to / within the chroot */
if (chdir("/") < 0) {
ErrorExit(CHDIR_ERROR, ARGV0, "/", errno, strerror(errno));
}


/* initialize select() save area */
fdsave = netinfo->fdset;
fdmax = netinfo->fdmax; /* value preset to max fd + 1 */

debug1("%s: DEBUG: Going into listening mode.", ARGV0);

while (1) {
/* No need to completely pin the cpu, 100ms should be fast enough */
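Review bot: After `Privsep_Chroot(dir)` succeeds the new sequence never calls `nowChroot()`, although the old commented-out block in this hunk did; if helpers elsewhere consult the chroot flag to decide whether to prefix paths with DEFAULTDIR, they will still treat the process as unchrooted — add `nowChroot();` directly after the chroot check, or confirm it is invoked elsewhere. The privilege-drop order itself (setgid, chroot, setuid, then chdir("/")) is the right one. main begins before this hunk and its listening loop continues past it.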
Expand Down Expand Up @@ -598,4 +611,3 @@ int main(int argc, char **argv)
static void cleanup() {
DeletePID(ARGV0);
}
#endif /* LIBOPENSSL_ENABLED */
