1 /* @(#) $Id: ./src/rootcheck/run_rk_check.c, 2011/09/08 dcid Exp $
4 /* Copyright (C) 2009 Trend Micro Inc.
7 * This program is a free software; you can redistribute it
8 * and/or modify it under the terms of the GNU General Public
9 * License (version 2) as published by the FSF - Free Software
15 #include "rootcheck.h"
21 int notify_rk(int rk_type, char *msg)
23 /* Non-queue notification */
24 if(rootcheck.notify != QUEUE)
26 if(rk_type == ALERT_OK)
27 printf("[OK]: %s\n", msg);
28 else if(rk_type == ALERT_SYSTEM_ERROR)
29 printf("[ERR]: %s\n", msg);
30 else if(rk_type == ALERT_POLICY_VIOLATION)
31 printf("[INFO]: %s\n", msg);
34 printf("[FAILED]: %s\n", msg);
41 /* No need to alert on that to the server */
42 if(rk_type <= ALERT_SYSTEM_ERROR)
46 if(SendMSG(rootcheck.queue, msg, ROOTCHECK, ROOTCHECK_MQ) < 0)
48 merror(QUEUE_SEND, ARGV0);
50 if((rootcheck.queue = StartMQ(DEFAULTQPATH,WRITE)) < 0)
52 ErrorExit(QUEUE_FATAL, ARGV0, DEFAULTQPATH);
55 if(SendMSG(rootcheck.queue,msg,ROOTCHECK,ROOTCHECK_MQ) < 0)
57 ErrorExit(QUEUE_FATAL, ARGV0, DEFAULTQPATH);
67 * Start the rootkit daemon variables
69 void start_rk_daemon()
73 if(rootcheck.notify == QUEUE)
80 * Execute the rootkit checks
91 /* Hard coding basedir */
95 /* Removing the last / from basedir */
99 if(basedir[i-1] == '/')
106 /* Basedir for Windows */
107 char basedir[] = "C:\\";
112 /* Setting basedir */
113 if(rootcheck.basedir == NULL)
115 rootcheck.basedir = basedir;
121 /*** Initial message ***/
122 if(rootcheck.notify != QUEUE)
125 printf("** Starting Rootcheck v0.9 by Daniel B. Cid **\n");
126 printf("** http://www.ossec.net/en/about.html#dev-team **\n");
127 printf("** http://www.ossec.net/rootcheck/ **\n\n");
128 printf("Be patient, it may take a few minutes to complete...\n");
133 /* Cleaning the global variables */
135 rk_sys_file[rk_sys_count] = NULL;
136 rk_sys_name[rk_sys_count] = NULL;
140 /* Sending scan start message */
141 notify_rk(ALERT_POLICY_VIOLATION, "Starting rootcheck scan.");
142 if(rootcheck.notify == QUEUE)
144 merror("%s: INFO: Starting rootcheck scan.", ARGV0);
149 /*** First check, look for rootkits ***/
150 /* Open rootkit_files and pass the pointer to check_rc_files */
151 if (rootcheck.checks.rc_files)
153 if(!rootcheck.rootkit_files)
156 merror("%s: No rootcheck_files file configured.", ARGV0);
162 fp = fopen(rootcheck.rootkit_files, "r");
165 merror("%s: No rootcheck_files file: '%s'",ARGV0,
166 rootcheck.rootkit_files);
171 check_rc_files(rootcheck.basedir, fp);
180 /*** Second check. look for trojan entries in common binaries ***/
181 if (rootcheck.checks.rc_trojans)
183 if(!rootcheck.rootkit_trojans)
186 merror("%s: No rootcheck_trojans file configured.", ARGV0);
192 fp = fopen(rootcheck.rootkit_trojans, "r");
195 merror("%s: No rootcheck_trojans file: '%s'",ARGV0,
196 rootcheck.rootkit_trojans);
202 check_rc_trojans(rootcheck.basedir, fp);
214 /*** Getting process list ***/
215 plist = os_get_process_list();
218 /*** Windows audit check ***/
219 if (rootcheck.checks.rc_winaudit)
221 if(!rootcheck.winaudit)
223 merror("%s: No winaudit file configured.", ARGV0);
227 fp = fopen(rootcheck.winaudit, "r");
230 merror("%s: No winaudit file: '%s'",ARGV0,
235 check_rc_winaudit(fp, plist);
241 /* Windows malware */
242 if (rootcheck.checks.rc_winmalware)
244 if(!rootcheck.winmalware)
246 merror("%s: No winmalware file configured.", ARGV0);
250 fp = fopen(rootcheck.winmalware, "r");
253 merror("%s: No winmalware file: '%s'",ARGV0,
254 rootcheck.winmalware);
258 check_rc_winmalware(fp, plist);
265 if (rootcheck.checks.rc_winapps)
267 if(!rootcheck.winapps)
269 merror("%s: No winapps file configured.", ARGV0);
273 fp = fopen(rootcheck.winapps, "r");
276 merror("%s: No winapps file: '%s'",ARGV0,
281 check_rc_winapps(fp, plist);
288 /* Freeing process list */
289 del_plist((void *)plist);
293 /** Checks for other non Windows. **/
298 /*** Unix audit check ***/
299 if (rootcheck.checks.rc_unixaudit)
301 if(rootcheck.unixaudit)
303 /* Getting process list. */
304 plist = os_get_process_list();
308 while(rootcheck.unixaudit[i])
310 fp = fopen(rootcheck.unixaudit[i], "r");
313 merror("%s: No unixaudit file: '%s'",ARGV0,
314 rootcheck.unixaudit[i]);
318 /* Running unix audit. */
319 check_rc_unixaudit(fp, plist);
329 del_plist((void *)plist);
337 /*** Third check, looking for files on the /dev ***/
338 if (rootcheck.checks.rc_dev)
340 debug1("%s: DEBUG: Going into check_rc_dev", ARGV0);
341 check_rc_dev(rootcheck.basedir);
344 /*** Fourth check, scan the whole system looking for additional issues */
345 if (rootcheck.checks.rc_sys)
347 debug1("%s: DEBUG: Going into check_rc_sys", ARGV0);
348 check_rc_sys(rootcheck.basedir);
351 /*** Process checking ***/
352 if (rootcheck.checks.rc_pids)
354 debug1("%s: DEBUG: Going into check_rc_pids", ARGV0);
358 /*** Check all the ports ***/
359 if (rootcheck.checks.rc_ports)
361 debug1("%s: DEBUG: Going into check_rc_ports", ARGV0);
364 /*** Check open ports ***/
365 debug1("%s: DEBUG: Going into check_open_ports", ARGV0);
369 /*** Check interfaces ***/
370 if (rootcheck.checks.rc_if)
372 debug1("%s: DEBUG: Going into check_rc_if", ARGV0);
377 debug1("%s: DEBUG: Completed with all checks.", ARGV0);
380 /* Cleaning the global memory */
383 for(li = 0;li <= rk_sys_count; li++)
385 if(!rk_sys_file[li] ||
389 free(rk_sys_file[li]);
390 free(rk_sys_name[li]);
394 /*** Final message ***/
397 if(rootcheck.notify != QUEUE)
400 printf("- Scan completed in %d seconds.\n\n", (int)(time2 - time1));
408 /* Sending scan ending message */
409 notify_rk(ALERT_POLICY_VIOLATION, "Ending rootcheck scan.");
410 if(rootcheck.notify == QUEUE)
412 merror("%s: INFO: Ending rootcheck scan.", ARGV0);
416 debug1("%s: DEBUG: Leaving run_rk_check",ARGV0);