X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=src%2Frootcheck%2Frun_rk_check.c;h=0e2c805c1549dbecdcc1424e473ded14614ece5e;hp=b209b958381c846dfc9d982b451730f7e05ad924;hb=6ef2f786c6c8ead94841b5f93baf9f43421f08c8;hpb=301048b51990573e58a30dc4a5bb4ec285cad554 diff --git a/src/rootcheck/run_rk_check.c b/src/rootcheck/run_rk_check.c index b209b95..0e2c805 100755 --- a/src/rootcheck/run_rk_check.c +++ b/src/rootcheck/run_rk_check.c @@ -1,4 +1,5 @@ -/* @(#) $Id$ */ +/* @(#) $Id: ./src/rootcheck/run_rk_check.c, 2011/09/08 dcid Exp $ + */ /* Copyright (C) 2009 Trend Micro Inc. * All right reserved. @@ -9,7 +10,7 @@ * Foundation */ - + #include "shared.h" #include "rootcheck.h" @@ -27,7 +28,7 @@ int notify_rk(int rk_type, char *msg) else if(rk_type == ALERT_SYSTEM_ERROR) printf("[ERR]: %s\n", msg); else if(rk_type == ALERT_POLICY_VIOLATION) - printf("[INFO]: %s\n", msg); + printf("[INFO]: %s\n", msg); else { printf("[FAILED]: %s\n", msg); @@ -36,12 +37,12 @@ int notify_rk(int rk_type, char *msg) printf("\n"); return(0); } - + /* No need to alert on that to the server */ if(rk_type <= ALERT_SYSTEM_ERROR) return(0); - #ifdef OSSECHIDS + #ifdef OSSECHIDS if(SendMSG(rootcheck.queue, msg, ROOTCHECK, ROOTCHECK_MQ) < 0) { merror(QUEUE_SEND, ARGV0); @@ -58,17 +59,17 @@ int notify_rk(int rk_type, char *msg) } #endif - return(0); + return(0); } - + /* start_rk_daemon * Start the rootkit daemon variables */ void start_rk_daemon() { return; - + if(rootcheck.notify == QUEUE) { } @@ -85,9 +86,9 @@ void run_rk_check() FILE *fp; OSList *plist; - + #ifndef WIN32 - /* Hard coding basedir */ + /* Hard coding basedir */ int i; char basedir[] = "/"; @@ -101,22 +102,22 @@ void run_rk_check() } } #else - + /* Basedir for Windows */ char basedir[] = "C:\\"; - + #endif - - + + /* Setting basedir */ if(rootcheck.basedir == NULL) { rootcheck.basedir = basedir; } - + time1 = time(0); - + /*** Initial message ***/ if(rootcheck.notify != QUEUE) { 
@@ -127,15 +128,15 @@ void run_rk_check() printf("Be patient, it may take a few minutes to complete...\n"); printf("\n"); } - - + + /* Cleaning the global variables */ rk_sys_count = 0; rk_sys_file[rk_sys_count] = NULL; rk_sys_name[rk_sys_count] = NULL; - - + + /* Sending scan start message */ notify_rk(ALERT_POLICY_VIOLATION, "Starting rootcheck scan."); if(rootcheck.notify == QUEUE) 
@@ -147,127 +148,142 @@ void run_rk_check() /*** First check, look for rootkits ***/ /* Open rootkit_files and pass the pointer to check_rc_files */ - if(!rootcheck.rootkit_files) + if (rootcheck.checks.rc_files) { - #ifndef WIN32 - merror("%s: No rootcheck_files file configured.", ARGV0); - #endif - } - - else - { - fp = fopen(rootcheck.rootkit_files, "r"); - if(!fp) + if(!rootcheck.rootkit_files) { - merror("%s: No rootcheck_files file: '%s'",ARGV0, - rootcheck.rootkit_files); + #ifndef WIN32 + merror("%s: No rootcheck_files file configured.", ARGV0); + #endif } else { - check_rc_files(rootcheck.basedir, fp); + fp = fopen(rootcheck.rootkit_files, "r"); + if(!fp) + { + merror("%s: No rootcheck_files file: '%s'",ARGV0, + rootcheck.rootkit_files); + } - fclose(fp); + else + { + check_rc_files(rootcheck.basedir, fp); + + fclose(fp); + } } } - - + + /*** Second check. look for trojan entries in common binaries ***/ - if(!rootcheck.rootkit_trojans) + if (rootcheck.checks.rc_trojans) { - #ifndef WIN32 - merror("%s: No rootcheck_trojans file configured.", ARGV0); - #endif - } - - else - { - fp = fopen(rootcheck.rootkit_trojans, "r"); - if(!fp) + if(!rootcheck.rootkit_trojans) { - merror("%s: No rootcheck_trojans file: '%s'",ARGV0, - rootcheck.rootkit_trojans); + #ifndef WIN32 + merror("%s: No rootcheck_trojans file configured.", ARGV0); + #endif } else { - #ifndef HPUX - check_rc_trojans(rootcheck.basedir, fp); - #endif + fp = fopen(rootcheck.rootkit_trojans, "r"); + if(!fp) + { + merror("%s: No rootcheck_trojans file: '%s'",ARGV0, + rootcheck.rootkit_trojans); + } + + else + { + #ifndef HPUX + check_rc_trojans(rootcheck.basedir, fp); + #endif - fclose(fp); + fclose(fp); + } } } #ifdef WIN32 - + /*** Getting process list ***/ plist = os_get_process_list(); /*** Windows audit check ***/ - if(!rootcheck.winaudit) + if (rootcheck.checks.rc_winaudit) { - merror("%s: No winaudit file configured.", ARGV0); - } - else - { - fp = fopen(rootcheck.winaudit, "r"); - if(!fp) + 
if(!rootcheck.winaudit) { - merror("%s: No winaudit file: '%s'",ARGV0, - rootcheck.winaudit); + merror("%s: No winaudit file configured.", ARGV0); } else { - check_rc_winaudit(fp, plist); - fclose(fp); + fp = fopen(rootcheck.winaudit, "r"); + if(!fp) + { + merror("%s: No winaudit file: '%s'",ARGV0, + rootcheck.winaudit); + } + else + { + check_rc_winaudit(fp, plist); + fclose(fp); + } } } /* Windows malware */ - if(!rootcheck.winmalware) + if (rootcheck.checks.rc_winmalware) { - merror("%s: No winmalware file configured.", ARGV0); - } - else - { - fp = fopen(rootcheck.winmalware, "r"); - if(!fp) + if(!rootcheck.winmalware) { - merror("%s: No winmalware file: '%s'",ARGV0, - rootcheck.winmalware); + merror("%s: No winmalware file configured.", ARGV0); } else { - check_rc_winmalware(fp, plist); - fclose(fp); + fp = fopen(rootcheck.winmalware, "r"); + if(!fp) + { + merror("%s: No winmalware file: '%s'",ARGV0, + rootcheck.winmalware); + } + else + { + check_rc_winmalware(fp, plist); + fclose(fp); + } } } - + /* Windows Apps */ - if(!rootcheck.winapps) - { - merror("%s: No winapps file configured.", ARGV0); - } - else + if (rootcheck.checks.rc_winapps) { - fp = fopen(rootcheck.winapps, "r"); - if(!fp) + if(!rootcheck.winapps) { - merror("%s: No winapps file: '%s'",ARGV0, - rootcheck.winapps); + merror("%s: No winapps file configured.", ARGV0); } else { - check_rc_winapps(fp, plist); - fclose(fp); + fp = fopen(rootcheck.winapps, "r"); + if(!fp) + { + merror("%s: No winapps file: '%s'",ARGV0, + rootcheck.winapps); + } + else + { + check_rc_winapps(fp, plist); + fclose(fp); + } } } - + /* Freeing process list */ del_plist((void *)plist); 
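Review bot: A check that is switched off through `rootcheck.checks.rc_files` (and likewise rc_trojans, rc_winaudit, rc_winmalware and rc_winapps) now leaves no trace in the log, so an operator reading the output cannot tell whether the scan skipped that check or ran it and found nothing; the merror() for a missing data file is only reached once the flag is set. Each new outer `if (rootcheck.checks.rc_xxx)` should carry an `else` with a line such as `debug1("%s: DEBUG: rootcheck_files check disabled, skipping.", ARGV0);` so reduced scan coverage is visible in debug output. The same skip-without-log pattern appears in the next hunk for rc_unixaudit, rc_dev, rc_sys, rc_pids, rc_ports and rc_if. Minor style point: the new outer conditions are written `if (` while the re-indented inner ones keep the file's `if(` spacing; one form should be used throughout. run_rk_check begins before this hunk and continues after it.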
@@ -276,73 +292,91 @@ void run_rk_check() /** Checks for other non Windows. **/ #else - + /*** Unix audit check ***/ - if(rootcheck.unixaudit) + if (rootcheck.checks.rc_unixaudit) { - /* Getting process list. */ - plist = os_get_process_list(); + if(rootcheck.unixaudit) + { + /* Getting process list. */ + plist = os_get_process_list(); - i = 0; - while(rootcheck.unixaudit[i]) - { - fp = fopen(rootcheck.unixaudit[i], "r"); - if(!fp) + i = 0; + while(rootcheck.unixaudit[i]) { - merror("%s: No unixaudit file: '%s'",ARGV0, - rootcheck.unixaudit[i]); + fp = fopen(rootcheck.unixaudit[i], "r"); + if(!fp) + { + merror("%s: No unixaudit file: '%s'",ARGV0, + rootcheck.unixaudit[i]); + } + else + { + /* Running unix audit. */ + check_rc_unixaudit(fp, plist); + + fclose(fp); + } + + i++; } - else - { - /* Running unix audit. */ - check_rc_unixaudit(fp, plist); - fclose(fp); - } - i++; + /* Freeing list */ + del_plist((void *)plist); } - - - /* Freeing list */ - del_plist((void *)plist); } - + #endif - - + + /*** Third check, looking for files on the /dev ***/ - debug1("%s: DEBUG: Going into check_rc_dev", ARGV0); - check_rc_dev(rootcheck.basedir); - + if (rootcheck.checks.rc_dev) + { + debug1("%s: DEBUG: Going into check_rc_dev", ARGV0); + check_rc_dev(rootcheck.basedir); + } + /*** Fourth check, scan the whole system looking for additional issues */ - debug1("%s: DEBUG: Going into check_rc_sys", ARGV0); - check_rc_sys(rootcheck.basedir); - + if (rootcheck.checks.rc_sys) + { + debug1("%s: DEBUG: Going into check_rc_sys", ARGV0); + check_rc_sys(rootcheck.basedir); + } + /*** Process checking ***/ - debug1("%s: DEBUG: Going into check_rc_pids", ARGV0); - check_rc_pids(); + if (rootcheck.checks.rc_pids) + { + debug1("%s: DEBUG: Going into check_rc_pids", ARGV0); + check_rc_pids(); + } /*** Check all the ports ***/ - debug1("%s: DEBUG: Going into check_rc_ports", ARGV0); - check_rc_ports(); + if (rootcheck.checks.rc_ports) + { + debug1("%s: DEBUG: Going into check_rc_ports", 
ARGV0); + check_rc_ports(); + + /*** Check open ports ***/ + debug1("%s: DEBUG: Going into check_open_ports", ARGV0); + check_open_ports(); + } - /*** Check open ports ***/ - debug1("%s: DEBUG: Going into check_open_ports", ARGV0); - check_open_ports(); - /*** Check interfaces ***/ - debug1("%s: DEBUG: Going into check_rc_if", ARGV0); - check_rc_if(); - - - debug1("%s: DEBUG: Completed with all checks.", ARGV0); - - + if (rootcheck.checks.rc_if) + { + debug1("%s: DEBUG: Going into check_rc_if", ARGV0); + check_rc_if(); + } + + + debug1("%s: DEBUG: Completed with all checks.", ARGV0); + + /* Cleaning the global memory */ { int li; @@ -350,7 +384,7 @@ void run_rk_check() { if(!rk_sys_file[li] || !rk_sys_name[li]) - break; + break; free(rk_sys_file[li]); free(rk_sys_name[li]); @@ -359,7 +393,7 @@ void run_rk_check() /*** Final message ***/ time2 = time(0); - + if(rootcheck.notify != QUEUE) { printf("\n"); @@ -377,9 +411,9 @@ void run_rk_check() { merror("%s: INFO: Ending rootcheck scan.", ARGV0); } - - - debug1("%s: DEBUG: Leaving run_rk_check",ARGV0); + + + debug1("%s: DEBUG: Leaving run_rk_check",ARGV0); return; }
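Review bot: `check_open_ports()` now runs only when `rootcheck.checks.rc_ports` is set, so the open-ports check, which was an independent step before this change, can no longer be enabled or disabled on its own; if that coupling is intended, a comment on the block such as `/* rc_ports covers both check_rc_ports() and check_open_ports() */` would make it explicit, otherwise the second call needs its own flag. The closing `debug1("%s: DEBUG: Completed with all checks.", ARGV0);` is also emitted unchanged when some checks were disabled, which overstates coverage in the log; `"Completed with all enabled checks."` would be accurate. On the Unix side, an enabled rc_unixaudit with no `rootcheck.unixaudit` list still exits the block silently, unlike the rootkit_files and rootkit_trojans paths in the previous hunk, which report the missing configuration with merror(). run_rk_check starts before this hunk, and the cleanup block opened at its end continues past it.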