X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;f=src%2Frootcheck%2Frun_rk_check.c;h=5aefb91637f9fd0c47e2d86f23e04052dee7aff2;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=8ce7b7a0bc273ba29a3d1e894c0e1eb7809e1d13;hpb=914feba5d54f979cd5d7e69c349c3d01f630042a;p=ossec-hids.git
diff --git a/src/rootcheck/run_rk_check.c b/src/rootcheck/run_rk_check.c
old mode 100755
new mode 100644
index 8ce7b7a..5aefb91
--- a/src/rootcheck/run_rk_check.c
+++ b/src/rootcheck/run_rk_check.c
@@ -1,125 +1,93 @@ -/* @(#) $Id: run_rk_check.c,v 1.41 2009/06/24 18:53:07 dcid Exp $ */ - /* Copyright (C) 2009 Trend Micro Inc. * All right reserved. * * This program is a free software; you can redistribute it * and/or modify it under the terms of the GNU General Public - * License (version 3) as published by the FSF - Free Software + * License (version 2) as published by the FSF - Free Software * Foundation */ - #include "shared.h" #include "rootcheck.h" -/* notify_rk - * Report a problem. - */ -int notify_rk(int rk_type, char *msg) +/* Report a problem */ +int notify_rk(int rk_type, const char *msg) { /* Non-queue notification */ - if(rootcheck.notify != QUEUE) - { - if(rk_type == ALERT_OK) + if (rootcheck.notify != QUEUE) { + if (rk_type == ALERT_OK) { printf("[OK]: %s\n", msg); - else if(rk_type == ALERT_SYSTEM_ERROR) + } else if (rk_type == ALERT_SYSTEM_ERR) { printf("[ERR]: %s\n", msg); - else if(rk_type == ALERT_POLICY_VIOLATION) - printf("[INFO]: %s\n", msg); - else - { + } else if (rk_type == ALERT_POLICY_VIOLATION) { + printf("[INFO]: %s\n", msg); + } else { printf("[FAILED]: %s\n", msg); } printf("\n"); - return(0); + return (0); } - + /* No need to alert on that to the server */ - if(rk_type <= ALERT_SYSTEM_ERROR) - return(0); + if (rk_type <= ALERT_SYSTEM_ERR) { + return (0); + } - #ifdef OSSECHIDS - if(SendMSG(rootcheck.queue, msg, ROOTCHECK, ROOTCHECK_MQ) < 0) - { +#ifdef OSSECHIDS + /* When running in context of OSSEC-HIDS, send problem to the rootcheck queue */ + if (SendMSG(rootcheck.queue, msg, ROOTCHECK, ROOTCHECK_MQ) < 0) { merror(QUEUE_SEND, ARGV0); - if((rootcheck.queue = StartMQ(DEFAULTQPATH,WRITE)) < 0) - { + if ((rootcheck.queue = StartMQ(DEFAULTQPATH, WRITE)) < 0) { ErrorExit(QUEUE_FATAL, ARGV0, DEFAULTQPATH); } - if(SendMSG(rootcheck.queue,msg,ROOTCHECK,ROOTCHECK_MQ) < 0) - { + if (SendMSG(rootcheck.queue, msg, ROOTCHECK, ROOTCHECK_MQ) < 0) { ErrorExit(QUEUE_FATAL, ARGV0, DEFAULTQPATH); } } - #endif +#endif - return(0); -} - - -/* 
start_rk_daemon - * Start the rootkit daemon variables - */ -void start_rk_daemon() -{ - return; - - if(rootcheck.notify == QUEUE) - { - } + return (0); } - -/* run_rk_check: v0.1 - * Execute the rootkit checks - */ +/* Execute the rootkit checks */ void run_rk_check() { time_t time1; time_t time2; - FILE *fp; OSList *plist; - - #ifndef WIN32 - /* Hard coding basedir */ - int i; + +#ifndef WIN32 + /* On non-Windows, always start at / */ + size_t i; char basedir[] = "/"; /* Removing the last / from basedir */ i = strlen(basedir); - if(i > 0) - { - if(basedir[i-1] == '/') - { - basedir[i-1] = '\0'; + if (i > 0) { + if (basedir[i - 1] == '/') { + basedir[i - 1] = '\0'; } } - #else - - /* Basedir for Windows */ +#else + /* On Windows, always start at C:\ */ char basedir[] = "C:\\"; - - #endif - - - /* Setting basedir */ - if(rootcheck.basedir == NULL) - { + +#endif + + /* Set basedir */ + if (rootcheck.basedir == NULL) { rootcheck.basedir = basedir; } - time1 = time(0); - - /*** Initial message ***/ - if(rootcheck.notify != QUEUE) - { + + /* Initial message */ + if (rootcheck.notify != QUEUE) { printf("\n"); printf("** Starting Rootcheck v0.9 by Daniel B. Cid **\n"); printf("** http://www.ossec.net/en/about.html#dev-team **\n"); 
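Review bot: `rootcheck.basedir = basedir;` stores the address of an automatic array (`char basedir[] = "/";` on the non-Windows side, `char basedir[] = "C:\\";` on Windows) in a global that outlives run_rk_check, and on any later invocation the `rootcheck.basedir == NULL` guard keeps that stale stack pointer instead of re-pointing it; I cannot see the caller here, but if the scan runs more than once per process this is a dangling pointer. Declaring both arrays with static storage, `static char basedir[] = "/";` and `static char basedir[] = "C:\\";`, gives them program lifetime at no cost (the trailing-slash trim then runs once and is a no-op afterwards). Separately, the hunk reads as removing `FILE *fp;` from the local declarations while `fp = fopen(...)` is still used in the next hunk; if that is not an artifact of the collapsed rendering, the new file will not compile unless `fp` is declared elsewhere. run_rk_check's body continues past the end of this hunk.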
@@ -127,261 +95,219 @@ void run_rk_check() printf("Be patient, it may take a few minutes to complete...\n"); printf("\n"); } - - - /* Cleaning the global variables */ + + /* Clean the global variables */ rk_sys_count = 0; rk_sys_file[rk_sys_count] = NULL; rk_sys_name[rk_sys_count] = NULL; - - - /* Sending scan start message */ + /* Send scan start message */ notify_rk(ALERT_POLICY_VIOLATION, "Starting rootcheck scan."); - if(rootcheck.notify == QUEUE) - { + if (rootcheck.notify == QUEUE) { merror("%s: INFO: Starting rootcheck scan.", ARGV0); } - - - /*** First check, look for rootkits ***/ + /* Check for Rootkits */ /* Open rootkit_files and pass the pointer to check_rc_files */ - if(!rootcheck.rootkit_files) - { - #ifndef WIN32 - merror("%s: No rootcheck_files file configured.", ARGV0); - #endif - } - - else - { - fp = fopen(rootcheck.rootkit_files, "r"); - if(!fp) - { - merror("%s: No rootcheck_files file: '%s'",ARGV0, - rootcheck.rootkit_files); - } + if (rootcheck.checks.rc_files) { + if (!rootcheck.rootkit_files) { +#ifndef WIN32 + merror("%s: No rootcheck_files file configured.", ARGV0); +#endif + } else { + fp = fopen(rootcheck.rootkit_files, "r"); + if (!fp) { + merror("%s: No rootcheck_files file: '%s'", ARGV0, + rootcheck.rootkit_files); + } - else - { - check_rc_files(rootcheck.basedir, fp); + else { + check_rc_files(rootcheck.basedir, fp); - fclose(fp); + fclose(fp); + } } } - - - /*** Second check. 
look for trojan entries in common binaries ***/ - if(!rootcheck.rootkit_trojans) - { - #ifndef WIN32 - merror("%s: No rootcheck_trojans file configured.", ARGV0); - #endif - } - - else - { - fp = fopen(rootcheck.rootkit_trojans, "r"); - if(!fp) - { - merror("%s: No rootcheck_trojans file: '%s'",ARGV0, - rootcheck.rootkit_trojans); - } - - else - { - #ifndef HPUX - check_rc_trojans(rootcheck.basedir, fp); - #endif - - fclose(fp); + /* Check for trojan entries in common binaries */ + if (rootcheck.checks.rc_trojans) { + if (!rootcheck.rootkit_trojans) { +#ifndef WIN32 + merror("%s: No rootcheck_trojans file configured.", ARGV0); +#endif + } else { + fp = fopen(rootcheck.rootkit_trojans, "r"); + if (!fp) { + merror("%s: No rootcheck_trojans file: '%s'", ARGV0, + rootcheck.rootkit_trojans); + } else { +#ifndef HPUX + check_rc_trojans(rootcheck.basedir, fp); +#endif + fclose(fp); + } } } - - - #ifdef WIN32 - - /*** Getting process list ***/ +#ifdef WIN32 + /* Get process list */ plist = os_get_process_list(); - - /*** Windows audit check ***/ - if(!rootcheck.winaudit) - { - merror("%s: No winaudit file configured.", ARGV0); - } - else - { - fp = fopen(rootcheck.winaudit, "r"); - if(!fp) - { - merror("%s: No winaudit file: '%s'",ARGV0, - rootcheck.winaudit); - } - else - { - check_rc_winaudit(fp, plist); - fclose(fp); + /* Windows audit check */ + if (rootcheck.checks.rc_winaudit) { + if (!rootcheck.winaudit) { + merror("%s: No winaudit file configured.", ARGV0); + } else { + fp = fopen(rootcheck.winaudit, "r"); + if (!fp) { + merror("%s: No winaudit file: '%s'", ARGV0, + rootcheck.winaudit); + } else { + check_rc_winaudit(fp, plist); + fclose(fp); + } } } /* Windows malware */ - if(!rootcheck.winmalware) - { - merror("%s: No winmalware file configured.", ARGV0); - } - else - { - fp = fopen(rootcheck.winmalware, "r"); - if(!fp) - { - merror("%s: No winmalware file: '%s'",ARGV0, - rootcheck.winmalware); - } - else - { - check_rc_winmalware(fp, plist); - fclose(fp); + if 
(rootcheck.checks.rc_winmalware) { + if (!rootcheck.winmalware) { + merror("%s: No winmalware file configured.", ARGV0); + } else { + fp = fopen(rootcheck.winmalware, "r"); + if (!fp) { + merror("%s: No winmalware file: '%s'", ARGV0, + rootcheck.winmalware); + } else { + check_rc_winmalware(fp, plist); + fclose(fp); + } } } - + /* Windows Apps */ - if(!rootcheck.winapps) - { - merror("%s: No winapps file configured.", ARGV0); - } - else - { - fp = fopen(rootcheck.winapps, "r"); - if(!fp) - { - merror("%s: No winapps file: '%s'",ARGV0, - rootcheck.winapps); - } - else - { - check_rc_winapps(fp, plist); - fclose(fp); + if (rootcheck.checks.rc_winapps) { + if (!rootcheck.winapps) { + merror("%s: No winapps file configured.", ARGV0); + } else { + fp = fopen(rootcheck.winapps, "r"); + if (!fp) { + merror("%s: No winapps file: '%s'", ARGV0, + rootcheck.winapps); + } else { + check_rc_winapps(fp, plist); + fclose(fp); + } } } - - /* Freeing process list */ + /* Free the process list */ del_plist((void *)plist); +#else + /* Checks for other non-Windows */ + + /* Unix audit check ***/ + if (rootcheck.checks.rc_unixaudit) { + if (rootcheck.unixaudit) { + /* Get process list */ + plist = os_get_process_list(); + + i = 0; + while (rootcheck.unixaudit[i]) { + fp = fopen(rootcheck.unixaudit[i], "r"); + if (!fp) { + merror("%s: No unixaudit file: '%s'", ARGV0, + rootcheck.unixaudit[i]); + } else { + /* Run unix audit */ + check_rc_unixaudit(fp, plist); + fclose(fp); + } + + i++; + } + /* Free list */ + del_plist(plist); + } + } - /** Checks for other non Windows. **/ - #else - +#endif /* !WIN32 */ + /* Check for files in the /dev filesystem */ + if (rootcheck.checks.rc_dev) { + debug1("%s: DEBUG: Going into check_rc_dev", ARGV0); + check_rc_dev(rootcheck.basedir); + debug1("%s: DEBUG: Exiting check_rc_dev", ARGV0); + } - /*** Unix audit check ***/ - if(rootcheck.unixaudit) - { - /* Getting process list. 
*/ - plist = os_get_process_list(); - - - i = 0; - while(rootcheck.unixaudit[i]) - { - fp = fopen(rootcheck.unixaudit[i], "r"); - if(!fp) - { - merror("%s: No unixaudit file: '%s'",ARGV0, - rootcheck.unixaudit[i]); - } - else - { - /* Running unix audit. */ - check_rc_unixaudit(fp, plist); + /* Scan the whole system for additional issues */ + if (rootcheck.checks.rc_sys) { + debug1("%s: DEBUG: Going into check_rc_sys", ARGV0); + check_rc_sys(rootcheck.basedir); + debug1("%s: DEBUG: Exiting check_rc_sys", ARGV0); + } - fclose(fp); - } + /* Check processes */ + if (rootcheck.checks.rc_pids) { + debug1("%s: DEBUG: Going into check_rc_pids", ARGV0); + check_rc_pids(); + debug1("%s: DEBUG: Exiting check_rc_pids", ARGV0); + } - i++; - } + /* Check all ports */ + if (rootcheck.checks.rc_ports) { + debug1("%s: DEBUG: Going into check_rc_ports", ARGV0); + check_rc_ports(); + debug1("%s: DEBUG: Exiting check_rc_ports", ARGV0); + /* Check open ports */ + debug1("%s: DEBUG: Going into check_open_ports", ARGV0); + check_open_ports(); + debug1("%s: DEBUG: Exiting check_open_ports", ARGV0); + } - /* Freeing list */ - del_plist((void *)plist); + /* Check interfaces */ + if (rootcheck.checks.rc_if) { + debug1("%s: DEBUG: Going into check_rc_if", ARGV0); + check_rc_if(); + debug1("%s: DEBUG: Exiting check_rc_if", ARGV0); } - - #endif - - - /*** Third check, looking for files on the /dev ***/ - debug1("%s: DEBUG: Going into check_rc_dev", ARGV0); - check_rc_dev(rootcheck.basedir); - - /*** Fourth check, scan the whole system looking for additional issues */ - debug1("%s: DEBUG: Going into check_rc_sys", ARGV0); - check_rc_sys(rootcheck.basedir); - - /*** Process checking ***/ - debug1("%s: DEBUG: Going into check_rc_pids", ARGV0); - check_rc_pids(); - - /*** Check all the ports ***/ - debug1("%s: DEBUG: Going into check_rc_ports", ARGV0); - check_rc_ports(); - - /*** Check open ports ***/ - debug1("%s: DEBUG: Going into check_open_ports", ARGV0); - check_open_ports(); - - /*** Check 
interfaces ***/ - debug1("%s: DEBUG: Going into check_rc_if", ARGV0); - check_rc_if(); - - - debug1("%s: DEBUG: Completed with all checks.", ARGV0); - - - /* Cleaning the global memory */ + debug1("%s: DEBUG: Completed with all checks.", ARGV0); + + /* Clean the global memory */ { int li; - for(li = 0;li <= rk_sys_count; li++) - { - if(!rk_sys_file[li] || - !rk_sys_name[li]) - break; + for (li = 0; li <= rk_sys_count; li++) { + if (!rk_sys_file[li] || + !rk_sys_name[li]) { + break; + } free(rk_sys_file[li]); free(rk_sys_name[li]); } } - /*** Final message ***/ + /* Final message */ time2 = time(0); - - if(rootcheck.notify != QUEUE) - { + + if (rootcheck.notify != QUEUE) { printf("\n"); printf("- Scan completed in %d seconds.\n\n", (int)(time2 - time1)); - } - else - { + } else { sleep(5); } - - /* Sending scan ending message */ + /* Send scan ending message */ notify_rk(ALERT_POLICY_VIOLATION, "Ending rootcheck scan."); - if(rootcheck.notify == QUEUE) - { + if (rootcheck.notify == QUEUE) { merror("%s: INFO: Ending rootcheck scan.", ARGV0); } - - - debug1("%s: DEBUG: Leaving run_rk_check",ARGV0); + + debug1("%s: DEBUG: Leaving run_rk_check", ARGV0); return; } - -/* EOF */
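Review bot: The cleanup loop near the end (`free(rk_sys_file[li]); free(rk_sys_name[li]);`) leaves both arrays holding freed pointers, and the reset at the top of the next scan only clears index 0 (`rk_sys_file[rk_sys_count] = NULL` with `rk_sys_count = 0`), so any slot above 0 still points at freed memory until check_rc_sys overwrites it, which I cannot confirm from here. Nulling each slot as it is freed, `rk_sys_file[li] = NULL; rk_sys_name[li] = NULL;`, makes the sentinel-terminated loop safe regardless of how the arrays are refilled. The two `del_plist` calls are also written differently, `del_plist((void *)plist)` on the Windows side and `del_plist(plist)` in the unixaudit branch; the cast is unnecessary in C and should be dropped from the first so both match. The `sleep(5)` in the QUEUE branch carries no comment explaining the delay before the end-of-scan message; a one-line note on its purpose (marked as an assumption if it is not known) would help the next reader. run_rk_check begins before this hunk.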