Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix for agentd/maild when ipv6 is disabled and/or hostnames are used instead of IPs #1698

Merged
merged 51 commits into from
May 9, 2019
Merged

Fix for agentd/maild when ipv6 is disabled and/or hostnames are used instead of IPs #1698

merged 51 commits into from
May 9, 2019

Conversation

ddpbsd
Copy link
Member

@ddpbsd ddpbsd commented Apr 23, 2019

After a number of networking changes were made to better handle IPv6, some hosts
(linux specifically) seem to have issues with networking. This seems to be more
prevalent on systems where IPv6 has been disabled. The chroot(8) has also added
complications.
One work-around has been to copy the /etc/resolv.conf to ossec/etc which has
helped a number of people, but it doesn't seem to work for everyone.

Proposed solution:
Fork off a second maild/agentd process for DNS lookups. This process would run as
the OSSEC user the original process runs as (ossecm for maild, ossec for agentd
by default). It will not be chrooted.
The 2 processes communicate via a socketpair(2) and the OpenBSD
imsg(3) framework. This is currently being used in
a number of OpenBSD utilities for communicating between processes that require different
privileges.

ossec-agentd:
ossec-agentd will fork off the dns process. When a connection is attempted, it forwards
the information to the dns process. This process will then use OS_ConnectUDP() to attempt
communication with the OSSEC server, just like ossec-agentd did previously. The socket
created for this is then passed back to the original agentd process for use.

ossec-maild:
ossec-maild will fork off the dns process, and periodically fork OS_Sendmail() processes
to send alert emails. This sendmail process would then communicate with the dns process, sending
it the mail->smtpserver. The dns process will perform the getaddrinfo, connect to the server,
and pass the connected socket back to the sendmail process for actually sending the mail.

All of this does add complexity and libevent has been added as a dependency.

Other possible solutions that I did not explore:

  • Remove the chroot(8). This isn't going to happen, it's an important part of the
    privilege separation scheme in use by OSSEC.

  • Static compilation. This doesn't help with the /etc/resolv.conf issue, but
    would help with making sure the processes can perform a getaddrinfo(3) even in the
    chroot (after /etc/resolv.conf is copied to the chroot). Unfortunately, I don't
    think this is possible on Linux due to its support for various things (nss switch
    maybe?). Statically linking against musl might work, but I haven't looked into it.

Tested on:

  • OpenBSD/amd64 (various versions)
  • OpenBSD/arm64 (various versions)
  • CentOS 7.x/amd64
  • OpenSuse 15.0

I'm sure there are bugs, edge cases, and other oddities in the code. It's been running successfully for me,
but I don't have a huge variety of systems in use. I'm also sure there are places that just need to be cleaned
up. Error messages should probably go in src/error_messages/error_messages.h, there's probably some left over
debugging stuff in there, etc.

[ddp@c7-0 ~]$ uname -a
Linux c7-0 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[ddp@c7-0 ~]$ cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)

ddp@suse:~> uname -a
Linux suse 4.12.14-lp150.12.48-default #1 SMP Tue Feb 12 14:01:48 UTC 2019 (268f014) x86_64 x86_64 x86_64 GNU/Linux
ddp@suse:/etc> cat SUSE-brand
openSUSE
VERSION = 15.0

Should fix Issue #1145 and probably others.

ddpbsd and others added 30 commits March 11, 2019 07:10
@ddpbsd
A process to do dns lookups and connects.
d785367 
Be able to fork a process to do dns lookups. This process will not
be chrooted, but will run as the ossec user.
It receives communicates with other daemons via imsg(3) from the
OpenBSD project. A dnslookup is performed, and a connect call is made.
If it succeeds, the fd is sent back to the calling process.
There is probably a lot of debugging stuff in this right now, and
it's very smtp specific. I hope to clean this up later. I also have
not tested this with ipv6 at all.
@ddpbsd
The imsg stuff from OpenBSD via OpenSMTPd
8aaaa25
@ddpbsd
tabs, not spaces
71895d8
@ddpbsd
Initial imsg dns support.
4fd3ba1 
Try using os_dns to do dns lookups for maild.
@ddpbsd
Add os_dns_error struct and change dns_request struct name
38c1576 
dns_request -> os_dns_request to make it less likely to conflict
anywhere.
os_dns_error - Pass more information on dns failures.
@ddpbsd
Add caller to os_dns_request
000c6f4 
Allow the os_dns daemon to know what called it.
@ddpbsd
Fix compilation
e186b8c 
-lutil is necessary on OpenBSD for imsg, and make sure libevent
is linked as well.
@ddpbsd
Fix compilation (on OpenBSD)
2fe50d1 
Untested elsewhere so far.
@ddpbsd
Silence some warnings.
0463961 
lf->mon and lf->hour are strings, if(lf->mon) apparently doesn't work.
Make sure they're present with strnlen.
Also, put some parentheses around some strcmp checks.
@ddpbsd
Clean up some warnings.
023703a
@ddpbsd
Merge branch 'warnings' of github.com:ddpbsd/ossec-hids into os_dns
05b8214
@ddpbsd
Pass the daemon name over to the dns daemon
93179e6
@ddpbsd
Cleanup
e27abf6 
Get rid of some debugging merrors.
Allow the daemon that forks the dns process to set the name of the
process.
@ddpbsd
Cleanup and pass the protocol.
837bd18 
Move some merrors to debugs.
Add the protocol (just "smtp" for now really). Hopefully this will
me use this for something other than maild in the future.
@ddpbsd
More cleanup
2be6412
@ddpbsd
Stick with smtp for now
a159a90 
Not sure why using dnsr.protocol isn't working, but I'll get to that
later.
@ddpbsd
Add an AGENT_REQ imsg type
d7d4533
@ddpbsd
Start to flesh out AGENT_REQ
951ce1e 
I still have to look into how this should be different since it's udp
instead of tcp.
@ddpbsd
Instead of building my own, re-use what we have.
aa2e4bc
@ddpbsd
Start to support os_dns.
c086949 
Much like maild, agentd will fork a process to do dns lookups.
The dns daemon won't fall under the chroot, so there shouldn't be
any issues with shared libraries or resolv.conf not existing in the
chroot.
@ddpbsd
Create a place to store the ibuf.
11693cd
@ddpbsd
Add AGENT_REQ imsg type
5233d38 
An AGENT_REQ message will make os_dns try to connect to the server.
It's using the OS_ConnectUDP stuff that's already done. It should pass
a socket back to agentd for the actual connection.
@ddpbsd
Include imsg.h if compiling for CLIENT.
737a752
@ddpbsd
Add support for os_dns to agentd
342a496
@ddpbsd
ifdef WIN32 -> ifndef WIN32
8496de0 
This is needed everywhere except WIN32. Not my dumbest mistake, but
close. Today at least.
@ddpbsd
Add COMPAT_CFLAGS to a bunch of places.
fba2302 
imsg.h gets included in includes of includes in a lot of places.
@ddpbsd
Need more includes.
6b9fd54
@ddpbsd
Merge branch 'os_dns2' of github.com:ddpbsd/ossec-hids into os_dns2
26bb958
@ddpbsd
Cleanup
23d9ac9 
The return 0 isn't part of the if block, fix indentation and put
braces on the if.
Sprinkle ibufs around, use the right user.
9f19210 
Use the ossec user when CLIENT, ossec when not.
ibufs need to travel.
ddp and others added 21 commits March 21, 2019 12:43
up
75b9ef5
Instead of changing a bunch of things, add a global var.
e45ad49 
This should simplify things a bit, making sure the right bits are used.
Also, make sure the correct fd is attempted to be used in imsg_init.
Don't use a variable when you mean another variable.
12cefc3 
The logic changed a bit at some point, and the code didn't keep up
with the change. I was originally using a_sock for the socket, but
eventually just used agt->sock. Change the code to reflect that logic
change.
This is officially passing messages to the ossec server now.
I think this was another logic error that's been fixed.
0fdf77b 
I need to put an actual error into this though, instead of just
floundering. I'll figure it out eventually.
@ddpbsd
Add a few ifndefs for WIN32
9dd565c
@ddpbsd
COMPAT_CFLAGS => CFLAGS
25288f2
@ddpbsd
Make sure we have EV_READ set
74b9794
@ddpbsd
Add a to do list to the README
db6da4c 
There's still a lot to do before this could be considered passable.
@ddpbsd
Fix some warnings
1d647c8 
Used && instead of &, so fix that.
@ddpbsd
Add a pid file
cfd1619 
I think this will help with killing the process using ossec-control.
@ddpbsd
Adjust the defaults for my testing
a62a770 
Enable PCRE2_SYSTEM, disable JIT, enable DEBUG.
I usually set all of these manually for testing, but got lazy. I'll
try to remember to revert when I submit a PR.
@ddpbsd
oops
4e7d03a
@ddpbsd
Remove the error messages being passed back to daemons from os_dns
a05d48d 
for now. I don't know if they're necessary.
Add a warning to maild to warn on max emails per hour being reached.
@ddpbsd
Merge branch 'master' of github.com:ddpbsd/ossec-hids into os_dns3
5df4e51
@ddpbsd
Copyrights
e6c99a3 
Bump the copyrights on the maild files, add my copyright to os_dns.c
@ddpbsd
I think this should work with multiple servers now.
bb9ca45
@ddpbsd
Remove some debugging
5981b3e
@ddpbsd
More debugging cleanup
754e136
@ddpbsd
This was causing some issues?
a3dbf34
@ddpbsd
Remove my testing customizations.
16b34e0
@ddpbsd
Forgot to install libevent-dev for travis
a92ac68
@atomicturtle atomicturtle merged commit 498a084 into ossec:master May 9, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ddpbsd @atomicturtle