1 /* Copyright (C) 2009 Trend Micro Inc.
4 * This program is a free software; you can redistribute it
5 * and/or modify it under the terms of the GNU General Public
6 * License (version 2) as published by the FSF - Free Software
11 #include "rootcheck.h"
14 /* Read the rootkit file list from the given file pointer (rootkit_files)
15 * and check whether each configured file is present
17 void check_rc_files(const char *basedir, FILE *fp)
19 char buf[OS_SIZE_1024 + 1];
20 char file_path[OS_SIZE_1024 + 1];
29 debug1("%s: DEBUG: Starting on check_rc_files", ARGV0);
31 while (fgets(buf, OS_SIZE_1024, fp) != NULL) {
34 /* Remove newline at the end */
35 nbuf = strchr(buf, '\n');
40 /* Assign buf to be used */
43 /* Skip comments and blank lines */
44 while (*nbuf != '\0') {
45 if (*nbuf == ' ' || *nbuf == '\t') {
48 } else if (*nbuf == '#') {
59 /* File now may be valid */
63 /* Get the file and the rootkit name */
64 while (*nbuf != '\0') {
65 if (*nbuf == ' ' || *nbuf == '\t') {
66 /* Set the limit for the file */
79 /* Some ugly code to remove spaces and \t */
80 while (*nbuf != '\0') {
83 if (*nbuf == ' ' || *nbuf == '\t') {
89 } else if (*nbuf == ' ' || *nbuf == '\t') {
97 /* Get the link (if present) */
98 link = strchr(nbuf, ':');
108 /* Clean any space or tab at the end */
109 nbuf = strchr(nbuf, ' ');
113 nbuf = strchr(nbuf, '\t');
121 /* Check if it is a file to search everywhere */
123 /* Maximum number of global files reached */
124 if (rk_sys_count >= MAX_RK_SYS) {
125 merror(MAX_RK_MSG, ARGV0, MAX_RK_SYS);
129 /* Remove all slashes from the file */
135 rk_sys_file[rk_sys_count] = strdup(file);
136 rk_sys_name[rk_sys_count] = strdup(name);
138 if (!rk_sys_name[rk_sys_count] ||
139 !rk_sys_file[rk_sys_count] ) {
140 merror(MEM_ERROR, ARGV0, errno, strerror(errno));
142 if (rk_sys_file[rk_sys_count]) {
143 free(rk_sys_file[rk_sys_count]);
145 if (rk_sys_name[rk_sys_count]) {
146 free(rk_sys_name[rk_sys_count]);
149 rk_sys_file[rk_sys_count] = NULL;
150 rk_sys_name[rk_sys_count] = NULL;
155 /* Always assign the last as NULL */
156 rk_sys_file[rk_sys_count] = NULL;
157 rk_sys_name[rk_sys_count] = NULL;
162 snprintf(file_path, OS_SIZE_1024, "%s/%s", basedir, file);
164 if (is_file(file_path)) {
165 char op_msg[OS_SIZE_1024 + 1];
168 snprintf(op_msg, OS_SIZE_1024, "Rootkit '%s' detected "
169 "by the presence of file '%s'.", name, file_path);
171 notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
179 char op_msg[OS_SIZE_1024 + 1];
180 snprintf(op_msg, OS_SIZE_1024, "No presence of public rootkits detected."
181 " Analyzed %d files.", _total);
182 notify_rk(ALERT_OK, op_msg);