1 /* @(#) $Id: ./src/rootcheck/check_rc_files.c, 2011/09/08 dcid Exp $
4 /* Copyright (C) 2009 Trend Micro Inc.
7 * This program is a free software; you can redistribute it
8 * and/or modify it under the terms of the GNU General Public
9 * License (version 2) as published by the FSF - Free Software
15 #include "rootcheck.h"
20 * Read the rootkit_files list from the given file pointer
21 * and check whether each configured file is present
23 void check_rc_files(char *basedir, FILE *fp)
25 char buf[OS_SIZE_1024 +1];
26 char file_path[OS_SIZE_1024 +1];
36 debug1("%s: DEBUG: Starting on check_rc_files", ARGV0);
38 while(fgets(buf, OS_SIZE_1024, fp) != NULL)
42 /* Removing end of line */
43 nbuf = strchr(buf, '\n');
49 /* Assigning buf to be used */
52 /* Excluding commented lines or blanked ones */
55 if(*nbuf == ' ' || *nbuf == '\t')
69 /* File now may be valid */
74 /* Getting the file and the rootkit name */
77 if(*nbuf == ' ' || *nbuf == '\t')
79 /* Setting the limit for the file */
94 /* Some ugly code to remove spaces and \t */
100 if(*nbuf == ' ' || *nbuf == '\t')
108 else if(*nbuf == ' ' || *nbuf == '\t')
120 /* Getting the link (if present) */
121 link = strchr(nbuf, ':');
134 /* Cleaning any space of \t at the end */
135 nbuf = strchr(nbuf, ' ');
141 nbuf = strchr(nbuf, '\t');
150 /* Checking if it is a file to search everywhere */
153 if(rk_sys_count >= MAX_RK_SYS)
155 merror(MAX_RK_MSG, ARGV0, MAX_RK_SYS);
160 /* Removing * / from the file */
165 /* Memory assignment */
166 rk_sys_file[rk_sys_count] = strdup(file);
167 rk_sys_name[rk_sys_count] = strdup(name);
169 if(!rk_sys_name[rk_sys_count] ||
170 !rk_sys_file[rk_sys_count] )
172 merror(MEM_ERROR, ARGV0);
174 if(rk_sys_file[rk_sys_count])
175 free(rk_sys_file[rk_sys_count]);
176 if(rk_sys_name[rk_sys_count])
177 free(rk_sys_name[rk_sys_count]);
179 rk_sys_file[rk_sys_count] = NULL;
180 rk_sys_name[rk_sys_count] = NULL;
185 /* Always assigning the last as NULL */
186 rk_sys_file[rk_sys_count] = NULL;
187 rk_sys_name[rk_sys_count] = NULL;
192 snprintf(file_path, OS_SIZE_1024, "%s/%s",basedir, file);
194 /* Checking if file exists */
195 if(is_file(file_path))
197 char op_msg[OS_SIZE_1024 +1];
200 snprintf(op_msg, OS_SIZE_1024, "Rootkit '%s' detected "
201 "by the presence of file '%s'.",name, file_path);
203 notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
212 char op_msg[OS_SIZE_1024 +1];
213 snprintf(op_msg,OS_SIZE_1024,"No presence of public rootkits detected."
214 " Analyzed %d files.", _total);
215 notify_rk(ALERT_OK, op_msg);