X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;f=src%2Frootcheck%2Frootcheck.c;h=c4a17d8532a007274bbf0dbcea4900fdcafedcd0;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=38b52f2e724286613340659f7086b431dea3ee0e;hpb=914feba5d54f979cd5d7e69c349c3d01f630042a;p=ossec-hids.git
diff --git a/src/rootcheck/rootcheck.c b/src/rootcheck/rootcheck.c
old mode 100755
new mode 100644
index 38b52f2..c4a17d8
--- a/src/rootcheck/rootcheck.c
+++ b/src/rootcheck/rootcheck.c
@@ -1,80 +1,70 @@ -/* @(#) $Id: rootcheck.c,v 1.33 2009/07/23 19:31:35 dcid Exp $ */ - /* Copyright (C) 2009 Trend Micro Inc. * All right reserved. * * This program is a free software; you can redistribute it * and/or modify it under the terms of the GNU General Public - * License (version 3) as published by the FSF - Free Software + * License (version 2) as published by the FSF - Free Software * Foundation */ - + /* - * Rootcheck v 0.3 + * Rootcheck * Copyright (C) 2003 Daniel B. Cid * http://www.ossec.net/rootcheck/ - * */ -/* Included from the Rootcheck project */ - - #include "headers/shared.h" - #include "rootcheck.h" +rkconfig rootcheck; +char **rk_sys_file; +char **rk_sys_name; +int rk_sys_count; +char total_ports_udp[65535 + 1]; +char total_ports_tcp[65535 + 1]; + #ifndef ARGV0 #define ARGV0 "rootcheck" #endif - - -/** Prototypes **/ -/* Read the new XML config */ -int Read_Rootcheck_Config(char * cfgfile, rkconfig *cfg); - - #ifndef OSSECHIDS -void rootcheck_help() + +/* Print help statement */ +void help_rootcheck() { - printf("\n"); - printf("Rootcheck v0.8 (Mar/12/2008):\n"); - printf("http://www.ossec.net/rootcheck/\n"); - printf("Available options:\n"); - printf("\t\t-h\t This Help message\n"); - printf("\t\t-c Configuration file\n"); - printf("\t\t-d\t Enable debug\n"); - printf("\t\t-D Set the working directory\n"); - printf("\t\t-s\t Scans the whole system\n"); - printf("\t\t-r\t Read all the files for kernel-based detection\n"); - printf("\n"); - exit(0); + print_header(); + print_out(" %s: -[Vhdtsr] [-c config] [-D dir]", ARGV0); + print_out(" -V Version and license message"); + print_out(" -h Print this help message"); + print_out(" -d Execute in debug mode. 
This parameter"); + print_out(" can be specified multiple times"); + print_out(" to increase the debug level."); + print_out(" -t Test configuration"); + print_out(" -s Scan the whole system"); + print_out(" -r Read all the files for kernel-based detection"); + print_out(" -c Configuration file to use"); + print_out(" -D Directory to chroot into (default: %s)", DEFAULTDIR); + print_out(" "); + exit(1); } -/* main v0.1 - * - */ int main(int argc, char **argv) { - int c; int test_config = 0; + const char *cfg = "./rootcheck.conf"; #else int rootcheck_init(int test_config) { + const char *cfg = DEFAULTCPATH; + +#endif /* OSSECHIDS */ + int c; - -#endif - - #ifdef OSSECHIDS - char *cfg = DEFAULTCPATH; - #else - char *cfg = "./rootcheck.conf"; - #endif - - /* Zeroing the structure */ + + /* Zero the structure, initialize default values */ rootcheck.workdir = NULL; rootcheck.basedir = NULL; rootcheck.unixaudit = NULL; 
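Review bot: `void help_rootcheck()` is declared with an empty parameter list, which in C is not a prototype, so the calls in the getopt loop of the next hunk are not type-checked; write it as `void help_rootcheck(void)`. The new `-D` help text says "Directory to chroot into", but the only use of the option visible in this diff is `rootcheck.workdir = optarg;` followed later by `rootcheck.workdir = DEFAULTDIR;` as the fallback, and no chroot call appears in the file, so confirm the wording matches what `workdir` actually controls or change it to `-D Working directory (default: %s)`. Note also that `-h` now ends with `exit(1)` where the old code used `exit(0)`: an explicitly requested help screen reporting failure is surprising to scripts, so if that is deliberate it deserves a one-line comment.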
@@ -89,44 +79,62 @@ int rootcheck_init(int test_config) rootcheck.scanall = 0; rootcheck.readall = 0; rootcheck.disabled = 0; + rootcheck.skip_nfs = 0; rootcheck.alert_msg = NULL; rootcheck.time = ROOTCHECK_WAIT; + rootcheck.checks.rc_dev = 1; + rootcheck.checks.rc_files = 1; + rootcheck.checks.rc_if = 1; + rootcheck.checks.rc_pids = 1; + rootcheck.checks.rc_ports = 1; + rootcheck.checks.rc_sys = 1; + rootcheck.checks.rc_trojans = 1; + +#ifdef OSSECHIDS + rootcheck.tsleep = (unsigned int) getDefine_Int("rootcheck", "sleep", 0, 64); +#endif + +#ifdef WIN32 + rootcheck.checks.rc_winaudit = 1; + rootcheck.checks.rc_winmalware = 1; + rootcheck.checks.rc_winapps = 1; +#else + rootcheck.checks.rc_unixaudit = 1; +#endif - /* We store up to 255 alerts in there. */ + /* We store up to 255 alerts in there */ os_calloc(256, sizeof(char *), rootcheck.alert_msg); c = 0; - while(c <= 255) - { + while (c <= 255) { rootcheck.alert_msg[c] = NULL; c++; } - - #ifndef OSSECHIDS +#ifndef OSSECHIDS rootcheck.notify = SYSLOG; rootcheck.daemon = 0; - while((c = getopt(argc, argv, "VstrdhD:c:")) != -1) - { - switch(c) - { + while ((c = getopt(argc, argv, "VstrdhD:c:")) != -1) { + switch (c) { case 'V': print_version(); break; case 'h': - rootcheck_help(); + help_rootcheck(); break; case 'd': nowDebug(); break; case 'D': - if(!optarg) - ErrorExit("%s: -D needs an argument",ARGV0); + if (!optarg) { + ErrorExit("%s: -D needs an argument", ARGV0); + } rootcheck.workdir = optarg; break; case 'c': - if(!optarg) - ErrorExit("%s: -c needs an argument",ARGV0); + if (!optarg) { + ErrorExit("%s: -c needs an argument", ARGV0); + } cfg = optarg; break; case 's': 
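Review bot: The alert-message table is sized by three separate literals that must agree: `os_calloc(256, ...)`, the comment "up to 255 alerts" and the loop bound `while (c <= 255)`; a named constant, e.g. `enum { RK_ALERT_MSG_MAX = 256 };` used in both the allocation and the loop, removes the chance of them drifting apart in a later edit. If `os_calloc` wraps `calloc` (not visible here, please confirm), the NULL-filling loop is also redundant on every platform this project targets, and a short comment should say why it is kept if it stays for strict-C portability. The `if (!optarg)` guards in the `-D`/`-c` cases are dead with `"VstrdhD:c:"` as the optstring, since getopt returns '?' rather than a bare option when the argument is missing; harmless, but a reader will wonder which condition they cover.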
@@ -134,147 +142,114 @@ int rootcheck_init(int test_config) break; case 't': test_config = 1; - break; + break; case 'r': rootcheck.readall = 1; - break; + break; default: - rootcheck_help(); - break; + help_rootcheck(); + break; } - } - - - #ifdef WIN32 - /* Starting Winsock */ +#ifdef WIN32 + /* Start Winsock */ { WSADATA wsaData; - if (WSAStartup(MAKEWORD(2, 0), &wsaData) != 0) - { + if (WSAStartup(MAKEWORD(2, 0), &wsaData) != 0) { ErrorExit("%s: WSAStartup() failed", ARGV0); } } - #endif - - - #endif /* OSSECHIDS */ - +#endif /* WIN32 */ - /* Staring message */ - debug1(STARTED_MSG,ARGV0); +#endif /* OSSECHIDS */ + /* Start up message */ + debug1(STARTED_MSG, ARGV0); - /* Checking if the configuration is present */ - if(File_DateofChange(cfg) < 0) - { - merror("%s: Configuration file '%s' not found",ARGV0,cfg); - return(-1); + /* Check if the configuration is present */ + if (File_DateofChange(cfg) < 0) { + merror("%s: Configuration file '%s' not found", ARGV0, cfg); + return (-1); } - - /* Reading configuration --function specified twice (check makefile) */ - if(Read_Rootcheck_Config(cfg, &rootcheck) < 0) - { + /* Read configuration --function specified twice (check makefile) */ + if (Read_Rootcheck_Config(cfg) < 0) { ErrorExit(CONFIG_ERROR, ARGV0, cfg); } - /* If testing config, exit here */ - if(test_config) - return(0); - + if (test_config) { + return (0); + } /* Return 1 disables rootcheck */ - if(rootcheck.disabled == 1) - { + if (rootcheck.disabled == 1) { verbose("%s: Rootcheck disabled. Exiting.", ARGV0); - return(1); + return (1); } - - - /* Checking if Unix audit file is configured. 
*/ - if(!rootcheck.unixaudit) - { - #ifndef WIN32 + + /* Check if Unix audit file is configured */ + if (!rootcheck.unixaudit) { +#ifndef WIN32 log2file("%s: System audit file not configured.", ARGV0); - #endif +#endif } - - - /* Setting default values */ - if(rootcheck.workdir == NULL) - rootcheck.workdir = DEFAULTDIR; + /* Set default values */ + if (rootcheck.workdir == NULL) { + rootcheck.workdir = DEFAULTDIR; + } - #ifdef OSSECHIDS - - +#ifdef OSSECHIDS /* Start up message */ - #ifdef WIN32 +#ifdef WIN32 verbose(STARTUP_MSG, "ossec-rootcheck", getpid()); - #else +#else - /* Connect to the queue if configured to do so */ - if(rootcheck.notify == QUEUE) - { - debug1("%s: Starting queue ...",ARGV0); - - /* Starting the queue. */ - if((rootcheck.queue = StartMQ(DEFAULTQPATH,WRITE)) < 0) - { - merror(QUEUE_ERROR,ARGV0,DEFAULTQPATH, strerror(errno)); - + if (rootcheck.notify == QUEUE) { + debug1("%s: Starting queue ...", ARGV0); + + /* Start the queue */ + if ((rootcheck.queue = StartMQ(DEFAULTQPATH, WRITE)) < 0) { + merror(QUEUE_ERROR, ARGV0, DEFAULTQPATH, strerror(errno)); + /* 5 seconds to see if the agent starts */ sleep(5); - if((rootcheck.queue = StartMQ(DEFAULTQPATH,WRITE)) < 0) - { - /* more 10 seconds wait.. 
*/ - merror(QUEUE_ERROR,ARGV0,DEFAULTQPATH, strerror(errno)); + if ((rootcheck.queue = StartMQ(DEFAULTQPATH, WRITE)) < 0) { + /* Wait 10 more seconds */ + merror(QUEUE_ERROR, ARGV0, DEFAULTQPATH, strerror(errno)); sleep(10); - if((rootcheck.queue = StartMQ(DEFAULTQPATH,WRITE)) < 0) - ErrorExit(QUEUE_FATAL,ARGV0,DEFAULTQPATH); + if ((rootcheck.queue = StartMQ(DEFAULTQPATH, WRITE)) < 0) { + ErrorExit(QUEUE_FATAL, ARGV0, DEFAULTQPATH); + } } } } - #endif /* Not win32 */ - - #endif /* ossec hids */ +#endif /* WIN32 */ +#endif /* OSSECHIDS */ - /* Initializing rk list */ - rk_sys_name = calloc(MAX_RK_SYS +2, sizeof(char *)); - rk_sys_file = calloc(MAX_RK_SYS +2, sizeof(char *)); - if(!rk_sys_name || !rk_sys_file) - { - ErrorExit(MEM_ERROR, ARGV0); + /* Initialize rk list */ + rk_sys_name = (char **) calloc(MAX_RK_SYS + 2, sizeof(char *)); + rk_sys_file = (char **) calloc(MAX_RK_SYS + 2, sizeof(char *)); + if (!rk_sys_name || !rk_sys_file) { + ErrorExit(MEM_ERROR, ARGV0, errno, strerror(errno)); } rk_sys_name[0] = NULL; rk_sys_file[0] = NULL; - - #ifndef OSSECHIDS - - #ifndef WIN32 - /* Start the signal handling */ +#ifndef OSSECHIDS +#ifndef WIN32 + /* Start signal handling */ StartSIG(ARGV0); - #endif - - #else - return(0); - - #endif - - - debug1("%s: DEBUG: Running run_rk_check",ARGV0); - run_rk_check(); - - - debug1("%s: DEBUG: Leaving...",ARGV0); +#endif + debug1("%s: DEBUG: Running run_rk_check", ARGV0); + run_rk_check(); - return(0); + debug1("%s: DEBUG: Leaving...", ARGV0); +#endif /* OSSECHIDS */ + return (0); } -/* EOF */
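Review bot: The new `(char **)` casts on the two `calloc` calls are unnecessary in C and can hide a missing `<stdlib.h>` prototype; prefer `rk_sys_name = calloc(MAX_RK_SYS + 2, sizeof *rk_sys_name);` and `rk_sys_file = calloc(MAX_RK_SYS + 2, sizeof *rk_sys_file);`, which also ties the element size to the variable rather than to a repeated type name. The error call changed from `ErrorExit(MEM_ERROR, ARGV0)` to `ErrorExit(MEM_ERROR, ARGV0, errno, strerror(errno))`, so `MEM_ERROR`'s format string (defined outside this file) must now carry the matching `%d`/`%s` conversions; please confirm, because a mismatched format in a variadic call is undefined behavior. Similarly `Read_Rootcheck_Config(cfg)` now takes one argument while this hunk removes the old two-argument prototype, so the declaration in `rootcheck.h` must have been updated alongside this change.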