1 /* Copyright (C) 2009 Trend Micro Inc.
4 * This program is a free software; you can redistribute it
5 * and/or modify it under the terms of the GNU General Public
6 * License (version 2) as published by the FSF - Free Software
14 #include "config/rootcheck-config.h"
15 extern rkconfig rootcheck;
/* Maximum files to search on the whole system.
 * Presumably the capacity of the rk_sys_file / rk_sys_name tables
 * declared further down in this header — verify against their definition. */
#define MAX_RK_SYS 512

/* Alert levels. These look like the rk_type values handed to notify_rk()
 * (declared below); confirm against notify_rk's implementation. */
#define ALERT_SYSTEM_ERR 1
#define ALERT_SYSTEM_CRIT 2
#define ALERT_ROOTKIT_FOUND 3
#define ALERT_POLICY_VIOLATION 4

/* Module name string */
#define ROOTCHECK "rootcheck"

/* Default wait value for rootcheck.
 * NOTE(review): the original comment said "Default to 10 hours", but if the
 * unit is seconds then 72000 is 20 hours, not 10 — confirm the unit and the
 * intended default before relying on either figure. */
#define ROOTCHECK_WAIT 72000
38 /* Check if file is present in dir */
39 int isfile_ondir(const char *file, const char *dir);
41 int rk_check_file(char *file, char *pattern);
43 int rk_check_dir(const char *dir, const char *file, char *pattern);
45 /* Check if pattern is present in string */
46 int pt_matches(const char *str, char *pattern);
48 /* Check if the pattern is made up entirely of negate matches */
49 int pt_check_negate(const char *pattern);
51 /* Check if a file exists (using stat, fopen and opendir) */
52 int is_file(char *file_name);
54 /* Check if an entry is in the registry */
55 int is_registry(char *entry_name, char *reg_option, char *reg_value);
57 /* Read cl configuration file */
58 int rkcl_get_entry(FILE *fp, const char *msg, OSList *p_list);
60 /* Normalize a string, removing white spaces and tabs
61 * from the beginning and the end of it.
63 char *normalize_string(char *str);
65 /* Check if regex is present in the file.
66 * Similar to `strings file | grep -r regex`
68 int os_string(char *file, char *regex);
70 /* Check for NTFS ADS (Windows only) */
71 int os_check_ads(const char *full_path);
73 /* Get list of processes */
74 OSList *os_get_process_list(void);
76 /* Check if a process is running */
77 int is_process(char *value, OSList *p_list);
79 /* Delete the process list */
80 int del_plist(OSList *p_list);
82 /* Used to report messages */
83 int notify_rk(int rk_type, const char *msg);
85 /* Start the rootcheck externally */
86 int rootcheck_init(int test_config);
88 /* run_rk_check: checks the integrity of the files against the
91 void run_rk_check(void);
93 /*** Plugins prototypes ***/
94 void check_rc_files(const char *basedir, FILE *fp);
95 void check_rc_trojans(const char *basedir, FILE *fp);
96 void check_rc_unixaudit(FILE *fp, OSList *p_list);
97 void check_rc_winaudit(FILE *fp, OSList *p_list);
98 void check_rc_winmalware(FILE *fp, OSList *p_list);
99 void check_rc_winapps(FILE *fp, OSList *p_list);
100 void check_rc_dev(const char *basedir);
101 void check_rc_sys(const char *basedir);
102 void check_rc_pids(void);
104 /* Verify if "pid" is in the proc directory */
105 int check_rc_readproc(int pid);
107 void check_rc_ports(void);
108 void check_open_ports(void);
109 void check_rc_if(void);
111 int Read_Rootcheck_Config(const char *cfgfile);
/* Global variables */

/* Tables used by the system-wide file search. rk_sys_count appears to be
 * the number of entries in use and MAX_RK_SYS (above) their capacity —
 * verify against the defining translation unit. */
extern char **rk_sys_file;
extern char **rk_sys_name;
extern int rk_sys_count;

/* Sized 65536 entries each, so a 16-bit port number can index them
 * directly; what each entry records is defined where they are filled in. */
extern char total_ports_udp[65535 + 1];
extern char total_ports_tcp[65535 + 1];
123 typedef struct _Proc_Info {
128 #endif /* __ROOTCHECK_H */