wazuh-modules-sca
wazuh中安全配置评估模块主线程执行wm_sca_main最后在wm_sca_start中循环执行,不会返回
// Module main function. It won't return
#ifdef WIN32
DWORD WINAPI wm_sca_main(void *arg) {wm_sca_t *data = (wm_sca_t *)arg;
#else
void * wm_sca_main(wm_sca_t * data) {
#endif// If module is disabled, exitif (data->enabled) {minfo("Module started.");} else {minfo("Module disabled. Exiting.");pthread_exit(NULL);}if (!data->policies || data->policies[0] == NULL) {minfo("No policies defined. Exiting.");pthread_exit(NULL);}data->msg_delay = 1000000 / wm_max_eps;data->summary_delay = 3; /* Seconds to wait for summary sending */data_win = data;/* Reading the internal options */// Default valuesdata->request_db_interval = 300;data->remote_commands = 0;data->commands_timeout = 30;data->request_db_interval = getDefine_Int("sca","request_db_interval", 1, 60) * 60;data->commands_timeout = getDefine_Int("sca", "commands_timeout", 1, 300);
#ifdef CLIENTdata->remote_commands = getDefine_Int("sca", "remote_commands", 0, 1);
#elsedata->remote_commands = 1; // Only for agents
#endif/* Maximum request interval is the scan interval */if(data->request_db_interval > data->scan_config.interval) {data->request_db_interval = data->scan_config.interval;minfo("The request_db_interval option cannot be higher than the scan interval. It will be redefined to that value.");}int i;for(i = 0; data->policies[i]; i++) {if(data->policies[i]->enabled){minfo("Loaded policy '%s'", data->policies[i]->policy_path);} else {minfo("Policy '%s' disabled by configuration.", data->policies[i]->policy_path);}}/* Create Hash for each policy file */for(i = 0; data->policies[i]; i++) {os_realloc(cis_db, (i + 2) * sizeof(OSHash *), cis_db);cis_db[i] = OSHash_Create();if (!cis_db[i]) {merror(LIST_ERROR);pthread_exit(NULL);}OSHash_SetFreeDataPointer(cis_db[i], (void (*)(void *))wm_sca_free_hash_data);/* DB for calculating hash only */os_realloc(cis_db_for_hash, (i + 2) * sizeof(cis_db_hash_info_t), cis_db_for_hash);/* Last summary for each policy */os_realloc(last_summary_json, (i + 2) * sizeof(cJSON *), last_summary_json);last_summary_json[i] = NULL;/* Prepare first ID for each policy file */os_calloc(1,sizeof(cis_db_info_t *),cis_db_for_hash[i].elem);cis_db_for_hash[i].elem[0] = NULL;}/* Create summary hash for each policy file */for(i = 0; data->policies[i]; i++) {os_realloc(last_sha256, (i + 2) * sizeof(char *), last_sha256);os_calloc(1,sizeof(os_sha256),last_sha256[i]);}#ifndef WIN32data->queue = StartMQ(DEFAULTQUEUE, WRITE, INFINITE_OPENQ_ATTEMPTS);if (data->queue < 0) {merror("Can't connect to queue.");}#endifrequest_queue = queue_init(1024);w_rwlock_init(&dump_rwlock, NULL);#ifndef WIN32w_create_thread(wm_sca_request_thread, data);w_create_thread(wm_sca_dump_db_thread, data);
#elsew_create_thread(NULL,0,(void *)wm_sca_dump_db_thread,data,0,NULL);
#endifwm_sca_start(data);#ifdef WIN32return 0;
#elsereturn NULL;
#endif
}1. 检查模块是否开启,否则退出模块主线程
2. 对于agents模式,remote_commands = 1
3. 配置最大扫描间隔 data->request_db_interval = data->scan_config.interval;
4. 加载每一个policy文件(.yml或者yaml),为每一个policy文件创建一个hash,到data结构指针中cis_db_for_hash[i],与data[i]通过下标对应起来
5. 创建一个写类型的队列data->queue = StartMQ(DEFAULTQUEUE, WRITE, INFINITE_OPENQ_ATTEMPTS);
6. w_create_thread(wm_sca_request_thread, data); 接收扫描请求,检查处理发送到队列中
7. w_create_thread(wm_sca_dump_db_thread, data); 从队列中消费请求,
8. wm_sca_start(data) -> wm_sca_read_files()按照每一个policy进行扫描 -> rules扫描核心函数wm_sca_do_scan() -> wm_sca_read_command()
8.1 wm_sca_read_files()函数读policy监控文件到buffer,将buffer中yaml结构转换为json结构
8.2 检查policy是否满足要求
8.3 设置一个唯一的id为每个扫描
8.4 检查文件完整性是否改变,改变则清理
8.5 调用wm_sca_do_scan()做扫描
8.6 发送扫描汇总信息wm_sca_send_summary()
9. wm_sca_do_scan()
char *value = wm_sca_get_value(rule_cp_ref, &type);得到不同的type 例如:WM_SCA_TYPE_FILE,WM_SCA_TYPE_COMMAND,WM_SCA_TYPE_DIR等做不同的处理
已, 以WM_SCA_TYPE_COMMAND类型为例将调用wm_sca_read_command()处理
10. wm_sca_read_command()
static int wm_sca_read_command(char * command,char * pattern,wm_sca_t * data,char ** reason,w_expression_t * regex_engine)
{if (command == NULL) {mdebug1("No Command specified Returning.");return RETURN_NOT_FOUND;}if (!pattern) {mdebug1("No pattern given. Returning FOUND.");return RETURN_FOUND;}mdebug1("Executing command '%s', and testing output with pattern '%s'", command, pattern);char *cmd_output = NULL;int result_code;switch (wm_exec(command, &cmd_output, &result_code, data->commands_timeout, NULL)) {case 0:mdebug1("Command '%s' returned code %d", command, result_code);break;case WM_ERROR_TIMEOUT:os_free(cmd_output);mdebug1("Timeout overtaken running command '%s'", command);if (*reason == NULL) {os_malloc(snprintf(NULL, 0, "Timeout overtaken running command '%s'", command) + 1, *reason);sprintf(*reason, "Timeout overtaken running command '%s'", command);}os_free(cmd_output);return RETURN_INVALID;default:if (result_code == EXECVE_ERROR) {mdebug1("Invalid path or wrong permissions to run command '%s'", command);if (*reason == NULL) {os_malloc(snprintf(NULL, 0, "Invalid path or wrong permissions to run command '%s'", command) + 1, *reason);sprintf(*reason, "Invalid path or wrong permissions to run command '%s'", command);}} else {mdebug1("Failed to run command '%s'. Returned code %d", command, result_code);if (*reason == NULL) {os_malloc(snprintf(NULL, 0, "Failed to run command '%s'. Returned code %d", command, result_code) + 1, *reason);sprintf(*reason, "Failed to run command '%s'. Returned code %d", command, result_code);}}return RETURN_INVALID;}if(!cmd_output) {mdebug2("Command yielded no output. Returning.");return RETURN_NOT_FOUND;}char **output_line;output_line = OS_StrBreak('\n', cmd_output, 256);if(!output_line) {mdebug1("Command output could not be processed. Output dump:\n%s", cmd_output);os_free(cmd_output);return RETURN_NOT_FOUND;}os_free(cmd_output);int i;int result = RETURN_NOT_FOUND;for (i=0; output_line[i] != NULL; i++) {char *buf = output_line[i];os_trimcrlf(buf);result = wm_sca_pattern_matches(buf, pattern, reason, regex_engine);if (result == RETURN_FOUND){break;}}free_strarray(output_line);mdebug2("Result for (%s)(%s) -> %d", pattern, command, result);return result;
}10. wm_sca_send_policies_scanned(data);发送管理端数据库中被清理的policy