1 /* @(#) $Id: rootcheck.h,v 1.34 2009/06/24 18:53:07 dcid Exp $ */
3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 3) as published by the FSF - Free Software
16 #include "config/rootcheck-config.h"
25 /* Maximum files to search on the whole system */
26 #define MAX_RK_SYS 512
31 #define ALERT_SYSTEM_ERROR 1
32 #define ALERT_SYSTEM_CRIT 2
33 #define ALERT_ROOTKIT_FOUND 3
34 #define ALERT_POLICY_VIOLATION 4
36 #define ROOTCHECK "rootcheck"
38 /* Default interval between checks, in seconds (72000 s = 20 hours) */
39 #define ROOTCHECK_WAIT 72000
46 /* common isfile_ondir: Check if file is present in dir */
47 int isfile_ondir(char *file, char *dir);
49 /* int rk_check_file(char *file, char *pattern) */
50 int rk_check_file(char *file, char *pattern);
52 /* int rk_check_dir(char *dir, char *file, char *pattern) */
53 int rk_check_dir(char *dir, char *file, char *pattern);
55 /* pt_matches: Checks if pattern is present in string */
56 int pt_matches(char *str, char *pattern);
59 /* common is_file: Check if a file exists (using stat, fopen and opendir) */
60 int is_file(char *file_name);
62 /* win_common is_registry: Check if an entry is in the registry */
63 int is_registry(char *entry_name, char *reg_option, char *reg_value);
65 /* int rkcl_get_entry: Reads cl configuration file. */
66 int rkcl_get_entry(FILE *fp, char *msg, void *p_list);
69 /** char *normalize_string
70 * Normalizes a string, removing white spaces and tabs
71 * from the beginning and the end of it.
73 char *normalize_string(char *str);
76 /* Check if regex is present on the file.
77 * Similar to `strings file | grep -r regex`
79 int os_string(char *file, char *regex);
81 /* check for NTFS ADS (Windows only)
83 int os_check_ads(char *full_path);
85 /* os_get_process_list: Get list of processes
87 void *os_get_process_list();
89 /* is_process: Check if a process is running.
91 int is_process(char *value, void *p_list);
94 /* del_plist: Deletes the process list
96 int del_plist(void *p_list);
99 /* Used to report messages */
100 int notify_rk(int rk_type, char *msg);
104 /* rootcheck_init: Starts the rootcheck externally
106 int rootcheck_init(int test_config);
108 /* run_rk_check: checks the integrity of the files against the
113 /* start_rk_daemon: Runs run_rk_check periodically.
115 void start_rk_daemon();
118 /*** Plugins prototypes ***/
119 void check_rc_files(char *basedir, FILE *fp);
121 void check_rc_trojans(char *basedir, FILE *fp);
123 void check_rc_unixaudit(FILE *fp, void *p_list);
125 void check_rc_winaudit(FILE *fp, void *p_list);
127 void check_rc_winmalware(FILE *fp, void *p_list);
129 void check_rc_winapps(FILE *fp, void *p_list);
131 void check_rc_dev(char *basedir);
133 void check_rc_sys(char *basedir);
135 void check_rc_pids();
137 /* Verifies if "pid" is in the proc directory */
138 int check_rc_readproc(int pid);
140 void check_rc_ports();
142 void check_open_ports();
/* Per-port tables, one slot per port number 0..65535 (hence 65535 + 1).
 * NOTE(review): these are definitions, not `extern` declarations, so every
 * translation unit that includes this header gets its own copy; this relies
 * on the linker merging tentative definitions (common symbols), which newer
 * toolchains no longer do by default. Consider `extern` here plus a single
 * definition in one .c file — confirm against the rest of the tree.
 * Presumably used as flags/counters by check_rc_ports()/check_open_ports();
 * verify how the plugins index them before relying on that. */
154 char total_ports_udp[65535 +1];
155 char total_ports_tcp[65535 +1];
159 typedef struct _Proc_Info