1 /* Copyright (C) 2009 Trend Micro Inc.
4 * This program is a free software; you can redistribute it
5 * and/or modify it under the terms of the GNU General Public
6 * License (version 2) as published by the FSF - Free Software
12 * Copyright (C) 2003 Daniel B. Cid <daniel@underlinux.com.br>
13 * http://www.ossec.net/rootcheck/
16 #include "headers/shared.h"
17 #include "rootcheck.h"
/* One slot per 16-bit port number (indices 0..65535) for UDP and TCP
 * respectively: sized as 65535 + 1 so a port value can be used directly
 * as an index without a bounds adjustment. What each slot records is set
 * elsewhere in the file — presumably a "port seen/in use" marker for the
 * port checks; verify against the code that writes them. Both are
 * file-scope and non-static, so they are visible to other translation
 * units. NOTE(review): confirm external linkage is intended. */
23 char total_ports_udp[65535 + 1];
24 char total_ports_tcp[65535 + 1];
/* Program name used as the "%s:" prefix in the help, debug and error
 * messages emitted throughout this file. */
27 #define ARGV0 "rootcheck"
33 /* Print help statement */
37 print_out(" %s: -[Vhdtsr] [-c config] [-D dir]", ARGV0);
38 print_out(" -V Version and license message");
39 print_out(" -h Print this help message");
40 print_out(" -d Execute in debug mode. This parameter");
41 print_out(" can be specified multiple times");
42 print_out(" to increase the debug level.");
43 print_out(" -t Test configuration");
44 print_out(" -s Scan the whole system");
45 print_out(" -r Read all the files for kernel-based detection");
46 print_out(" -c <config> Configuration file to use");
47 print_out(" -D <dir> Directory to chroot into (default: %s)", DEFAULTDIR);
52 int main(int argc, char **argv)
55 const char *cfg = "./rootcheck.conf";
59 int rootcheck_init(int test_config)
61 const char *cfg = DEFAULTCPATH;
63 #endif /* OSSECHIDS */
67 /* Zero the structure, initialize default values */
68 rootcheck.workdir = NULL;
69 rootcheck.basedir = NULL;
70 rootcheck.unixaudit = NULL;
71 rootcheck.ignore = NULL;
72 rootcheck.rootkit_files = NULL;
73 rootcheck.rootkit_trojans = NULL;
74 rootcheck.winaudit = NULL;
75 rootcheck.winmalware = NULL;
76 rootcheck.winapps = NULL;
78 rootcheck.notify = QUEUE;
79 rootcheck.scanall = 0;
80 rootcheck.readall = 0;
81 rootcheck.disabled = 0;
82 rootcheck.skip_nfs = 0;
83 rootcheck.alert_msg = NULL;
84 rootcheck.time = ROOTCHECK_WAIT;
86 rootcheck.checks.rc_dev = 1;
87 rootcheck.checks.rc_files = 1;
88 rootcheck.checks.rc_if = 1;
89 rootcheck.checks.rc_pids = 1;
90 rootcheck.checks.rc_ports = 1;
91 rootcheck.checks.rc_sys = 1;
92 rootcheck.checks.rc_trojans = 1;
95 rootcheck.tsleep = (unsigned int) getDefine_Int("rootcheck", "sleep", 0, 64);
99 rootcheck.checks.rc_winaudit = 1;
100 rootcheck.checks.rc_winmalware = 1;
101 rootcheck.checks.rc_winapps = 1;
103 rootcheck.checks.rc_unixaudit = 1;
106 /* We store up to 255 alerts in there */
107 os_calloc(256, sizeof(char *), rootcheck.alert_msg);
110 rootcheck.alert_msg[c] = NULL;
115 rootcheck.notify = SYSLOG;
116 rootcheck.daemon = 0;
117 while ((c = getopt(argc, argv, "VstrdhD:c:")) != -1) {
130 ErrorExit("%s: -D needs an argument", ARGV0);
132 rootcheck.workdir = optarg;
136 ErrorExit("%s: -c needs an argument", ARGV0);
141 rootcheck.scanall = 1;
147 rootcheck.readall = 1;
158 if (WSAStartup(MAKEWORD(2, 0), &wsaData) != 0) {
159 ErrorExit("%s: WSAStartup() failed", ARGV0);
164 #endif /* OSSECHIDS */
166 /* Start up message */
167 debug1(STARTED_MSG, ARGV0);
169 /* Check if the configuration is present */
170 if (File_DateofChange(cfg) < 0) {
171 merror("%s: Configuration file '%s' not found", ARGV0, cfg);
175 /* Read configuration --function specified twice (check makefile) */
176 if (Read_Rootcheck_Config(cfg) < 0) {
177 ErrorExit(CONFIG_ERROR, ARGV0, cfg);
180 /* If testing config, exit here */
185 /* Return 1 disables rootcheck */
186 if (rootcheck.disabled == 1) {
187 verbose("%s: Rootcheck disabled. Exiting.", ARGV0);
191 /* Check if Unix audit file is configured */
192 if (!rootcheck.unixaudit) {
194 log2file("%s: System audit file not configured.", ARGV0);
198 /* Set default values */
199 if (rootcheck.workdir == NULL) {
200 rootcheck.workdir = DEFAULTDIR;
204 /* Start up message */
206 verbose(STARTUP_MSG, "ossec-rootcheck", getpid());
209 /* Connect to the queue if configured to do so */
210 if (rootcheck.notify == QUEUE) {
211 debug1("%s: Starting queue ...", ARGV0);
213 /* Start the queue */
214 if ((rootcheck.queue = StartMQ(DEFAULTQPATH, WRITE)) < 0) {
215 merror(QUEUE_ERROR, ARGV0, DEFAULTQPATH, strerror(errno));
217 /* 5 seconds to see if the agent starts */
219 if ((rootcheck.queue = StartMQ(DEFAULTQPATH, WRITE)) < 0) {
220 /* Wait 10 more seconds */
221 merror(QUEUE_ERROR, ARGV0, DEFAULTQPATH, strerror(errno));
223 if ((rootcheck.queue = StartMQ(DEFAULTQPATH, WRITE)) < 0) {
224 ErrorExit(QUEUE_FATAL, ARGV0, DEFAULTQPATH);
232 #endif /* OSSECHIDS */
234 /* Initialize rk list */
235 rk_sys_name = (char **) calloc(MAX_RK_SYS + 2, sizeof(char *));
236 rk_sys_file = (char **) calloc(MAX_RK_SYS + 2, sizeof(char *));
237 if (!rk_sys_name || !rk_sys_file) {
238 ErrorExit(MEM_ERROR, ARGV0, errno, strerror(errno));
240 rk_sys_name[0] = NULL;
241 rk_sys_file[0] = NULL;
245 /* Start signal handling */
248 debug1("%s: DEBUG: Running run_rk_check", ARGV0);
251 debug1("%s: DEBUG: Leaving...", ARGV0);
252 #endif /* OSSECHIDS */