[Open-scap] [PATCH 05/17] Implementation of the process probe for Solaris

Marshall Miller mmiller at tresys.com
Wed Jul 13 20:41:43 UTC 2011 

From: Francisco Slavin <fslavin at tresys.com>

---
 src/OVAL/probes/unix/process.c |  152 +++++++++++++++++++++++++++++++++++++++-
 1 files changed, 149 insertions(+), 3 deletions(-)

diff --git a/src/OVAL/probes/unix/process.c b/src/OVAL/probes/unix/process.c
index f490501..c5567c8 100644
--- a/src/OVAL/probes/unix/process.c
+++ b/src/OVAL/probes/unix/process.c
@@ -66,7 +66,6 @@
 #include "probe/entcmp.h"
 #include "alloc.h"
 
-#if defined(__linux__)
 /* Convenience structure for the results being reported */
 struct result_info {
         const char *command;
@@ -80,8 +79,6 @@ struct result_info {
         unsigned user_id;
 };
 
-unsigned long ticks, boot;
-
 static void report_finding(struct result_info *res, probe_ctx *ctx)
 {
         SEXP_t *item;
@@ -108,6 +105,10 @@ static void report_finding(struct result_info *res, probe_ctx *ctx)
         SEXP_free_r(&se_uid_mem);
 }
 
+#if defined(__linux__)
+
+unsigned long ticks, boot;
+
 static void get_boot_time(void)
 {
 	char buf[100];
@@ -332,6 +333,151 @@ int probe_main(probe_ctx *ctx, void *arg)
 
 	return 0;
 }
+#elif defined (__SVR4) && defined (__sun)
+
+#include <procfs.h>
+#include <unistd.h>
+
+static char *convert_time(time_t t, char *tbuf, int tb_size)
+{
+	unsigned d,h,m,s;
+
+	s = t%60;
+	t /= 60;
+	m = t%60;
+	t /=60;
+	h = t%24;
+	t /= 24;
+	d = t;
+	if (d)
+		snprintf(tbuf, tb_size, "%u-%02u:%02u:%02u", d, h, m, s);
+	else
+		snprintf(tbuf, tb_size,	"%02u:%02u:%02u", h, m, s);
+	return tbuf;
+}
+
+static int read_process(SEXP_t *cmd_ent, probe_ctx *ctx)
+{
+	int err = 1;
+	DIR *d;
+	struct dirent *ent;
+
+	d = opendir("/proc");
+	if (d == NULL)
+		return err;
+
+	psinfo_t *psinfo;
+
+	// Scan the directories
+	while (( ent = readdir(d) )) {
+		int fd, len;
+		char buf[336];
+		int pid;
+		unsigned sched_policy;
+		SEXP_t *cmd_sexp;
+
+
+		// Skip non-process dir entries
+		if(*ent->d_name<'0' || *ent->d_name>'9')
+			continue;
+		errno = 0;
+		pid = strtol(ent->d_name, NULL, 10);
+		if (errno || pid == 2) // skip err & kthreads
+			continue;
+
+		// Parse up the stat file for the proc
+		snprintf(buf, 32, "/proc/%d/psinfo", pid);
+		fd = open(buf, O_RDONLY, 0);
+		if (fd < 0)
+			continue;
+		len = read(fd, buf, sizeof buf);
+		close(fd);
+		if (len < 336)
+			continue;
+
+		// The psinfo file contains a psinfo struct; this typecast gets us the struct directly
+		psinfo = (psinfo_t *) buf;
+
+
+		err = 0; // If we get this far, no permission problems
+		_D("Have command: %s\n", psinfo->pr_fname);
+		cmd_sexp = SEXP_string_newf("%s", psinfo->pr_fname);
+		if (probe_entobj_cmp(cmd_ent, cmd_sexp) == OVAL_RESULT_TRUE) {
+			struct result_info r;
+			char tbuf[32], sbuf[32];
+			int tday,tyear;
+			time_t s_time;
+			struct tm *proc, *now;
+			const char *fmt;
+			int fixfmt_year;
+
+			r.scheduling_class = malloc(PRCLSZ);
+			strncpy(r.scheduling_class, (psinfo->pr_lwp).pr_clname, sizeof(r.scheduling_class));
+
+			// Get the start time
+			s_time = time(NULL);
+			now = localtime(&s_time);
+			tyear = now->tm_year;
+			tday = now->tm_yday;
+
+			// Get current time
+			s_time = psinfo->pr_start.tv_sec;
+			proc = localtime(&s_time);
+
+			// Select format based on how long we've been running
+			fixfmt_year = 0;
+			fmt = "%H:%M";
+			if (tday != proc->tm_yday)
+				fmt = "%b%d";
+			if (tyear != proc->tm_year)
+				fmt = "%Y";
+				fixfmt_year = 1;
+			strftime(sbuf, sizeof(sbuf), fmt, proc);
+
+			/* Fixing format from MMMYY to MMM_YY */
+			if (fixfmt_year == 1) {
+				sbuf[6] = '\0';
+				sbuf[5] = sbuf[4];
+				sbuf[4] = sbuf[3];
+				sbuf[3] = '_';
+			}
+
+			r.command = psinfo->pr_fname;
+			r.exec_time = convert_time(psinfo->pr_time.tv_sec, tbuf, sizeof(tbuf));
+			r.pid = psinfo->pr_pid;
+			r.ppid = psinfo->pr_ppid;
+			r.priority = (psinfo->pr_lwp).pr_pri;
+			r.start_time = sbuf;
+			r.tty = psinfo->pr_ttydev;
+			r.user_id = psinfo->pr_euid;
+			report_finding(&r, ctx);
+		}
+		SEXP_free(cmd_sexp);
+	}
+        closedir(d);
+
+	return err;
+}
+
+int probe_main(probe_ctx *ctx, void *arg)
+{
+	SEXP_t *ent;
+
+	ent = probe_obj_getent(probe_ctx_getobject(ctx), "command", 1);
+	if (ent == NULL) {
+		return PROBE_ENOVAL;
+	}
+
+	if (read_process(ent, ctx)) {
+		SEXP_free(ent);
+		return PROBE_EACCESS;
+	}
+
+	SEXP_free(ent);
+
+	return 0;
+}
+
 #else
 int probe_main(probe_ctx *ctx, void *arg)
 {
-- 
1.6.2.5

More information about the Open-scap-list mailing list