1 /* @(#) $Id: run_rk_check.c,v 1.41 2009/06/24 18:53:07 dcid Exp $ */
3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is a free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 3) as published by the FSF - Free Software
14 #include "rootcheck.h"
/*
 * notify_rk: report one rootcheck result.
 *
 * rk_type  one of the ALERT_* levels (ALERT_OK, ALERT_SYSTEM_ERROR,
 *          ALERT_POLICY_VIOLATION; anything else lands in the
 *          "[FAILED]" branch below).
 * msg      text of the finding. It is only ever passed to printf()
 *          and SendMSG() as the "%s" data argument, never as the
 *          format string, so its content cannot be interpreted as
 *          format directives.
 *
 * NOTE(review): this listing omits lines of the original file
 * (braces, the early return, the "else" before "[FAILED]"); the
 * numbers in the left margin are the original line numbers, not code.
 * The return value is therefore not visible here.
 */
20 int notify_rk(int rk_type, char *msg)
22 /* Non-queue notification */
/* Standalone mode (no agent queue): print the result to stdout with a
 * severity tag. */
23 if(rootcheck.notify != QUEUE)
25 if(rk_type == ALERT_OK)
26 printf("[OK]: %s\n", msg);
27 else if(rk_type == ALERT_SYSTEM_ERROR)
28 printf("[ERR]: %s\n", msg);
29 else if(rk_type == ALERT_POLICY_VIOLATION)
30 printf("[INFO]: %s\n", msg);
/* Presumably the "else" of the chain above (that line is not shown). */
33 printf("[FAILED]: %s\n", msg);
40 /* No need to alert on that to the server */
/* Only policy violations and rootkit findings are forwarded to the
 * manager; ALERT_OK and ALERT_SYSTEM_ERROR stop here (the statement
 * under this if is not shown — presumably a return). */
41 if(rk_type <= ALERT_SYSTEM_ERROR)
/* Queue path: on a failed send, log it, reopen the queue and retry
 * once. A failed reopen or a failed retry is fatal via ErrorExit(). */
45 if(SendMSG(rootcheck.queue, msg, ROOTCHECK, ROOTCHECK_MQ) < 0)
47 merror(QUEUE_SEND, ARGV0);
49 if((rootcheck.queue = StartMQ(DEFAULTQPATH,WRITE)) < 0)
51 ErrorExit(QUEUE_FATAL, ARGV0, DEFAULTQPATH);
54 if(SendMSG(rootcheck.queue,msg,ROOTCHECK,ROOTCHECK_MQ) < 0)
56 ErrorExit(QUEUE_FATAL, ARGV0, DEFAULTQPATH);
66 * Start the rootkit daemon variables
/*
 * start_rk_daemon: set up daemon-mode state when results are sent
 * through the agent queue (rootcheck.notify == QUEUE).
 *
 * NOTE(review): the body under the if is not shown in this listing;
 * the margin numbers are the original file's line numbers.
 */
68 void start_rk_daemon()
72 if(rootcheck.notify == QUEUE)
79 * Execute the rootkit checks
/*
 * run_rk_check (its signature is not shown in this listing): runs the
 * rootcheck scans in sequence, driven by the paths in the global
 * `rootcheck` configuration and the shared rk_sys_file/rk_sys_name
 * tables, and reports start/end through notify_rk().
 *
 * NOTE(review): many lines of the original file are missing from this
 * listing (braces, returns, fclose() calls, the #ifdef that separates
 * the Windows section from the non-Windows one, the time1/time2
 * assignments). The numbers in the left margin are the original line
 * numbers, not code. Comments below only describe what the visible
 * lines establish; anything else is marked as an assumption.
 */
90 /* Hard coding basedir */
/* Non-Windows basedir is a fixed literal (its declaration is not
 * shown). */
94 /* Removing the last / from basedir */
/* i is presumably the length of basedir (not shown). basedir[i-1] is
 * only in bounds because the literal is non-empty — confirm. */
98 if(basedir[i-1] == '/')
105 /* Basedir for Windows */
106 char basedir[] = "C:\\";
111 /* Setting basedir */
/* Only default when the configuration supplied no basedir. Note that
 * rootcheck.basedir then points at a local array of this function, so
 * it is valid only while run_rk_check is executing — confirm nothing
 * keeps the pointer after return. */
112 if(rootcheck.basedir == NULL)
114 rootcheck.basedir = basedir;
120 /*** Initial message ***/
121 if(rootcheck.notify != QUEUE)
124 printf("** Starting Rootcheck v0.9 by Daniel B. Cid **\n");
125 printf("** http://www.ossec.net/en/about.html#dev-team **\n");
126 printf("** http://www.ossec.net/rootcheck/ **\n\n");
127 printf("Be patient, it may take a few minutes to complete...\n");
132 /* Cleaning the global variables */
/* NULL-terminate both shared tables at the current count; the cleanup
 * loop at the end of this function relies on that sentinel. Whether
 * rk_sys_count is reset to 0 first is not visible here. */
134 rk_sys_file[rk_sys_count] = NULL;
135 rk_sys_name[rk_sys_count] = NULL;
139 /* Sending scan start message */
140 notify_rk(ALERT_POLICY_VIOLATION, "Starting rootcheck scan.");
/* In queue mode the same event is also written to the local log. */
141 if(rootcheck.notify == QUEUE)
143 merror("%s: INFO: Starting rootcheck scan.", ARGV0);
148 /*** First check, look for rootkits ***/
149 /* Open rootkit_files and pass the pointer to check_rc_files */
/* An unconfigured or unopenable signature file is logged; what follows
 * each merror() (presumably skipping the check) is not shown. */
150 if(!rootcheck.rootkit_files)
153 merror("%s: No rootcheck_files file configured.", ARGV0);
159 fp = fopen(rootcheck.rootkit_files, "r");
/* The fopen() failure test guarding this merror() is not shown. */
162 merror("%s: No rootcheck_files file: '%s'",ARGV0,
163 rootcheck.rootkit_files);
168 check_rc_files(rootcheck.basedir, fp);
/* The fclose(fp) after each check is among the lines not shown —
 * confirm every opened signature file is closed on all paths. */
176 /*** Second check. look for trojan entries in common binaries ***/
177 if(!rootcheck.rootkit_trojans)
180 merror("%s: No rootcheck_trojans file configured.", ARGV0);
186 fp = fopen(rootcheck.rootkit_trojans, "r");
189 merror("%s: No rootcheck_trojans file: '%s'",ARGV0,
190 rootcheck.rootkit_trojans);
196 check_rc_trojans(rootcheck.basedir, fp);
207 /*** Getting process list ***/
/* Presumably the Windows-only section (the enclosing #ifdef is not
 * shown). One process list is shared by the winaudit, winmalware and
 * winapps checks and released once at the end of the section. */
208 plist = os_get_process_list();
211 /*** Windows audit check ***/
212 if(!rootcheck.winaudit)
214 merror("%s: No winaudit file configured.", ARGV0);
218 fp = fopen(rootcheck.winaudit, "r");
221 merror("%s: No winaudit file: '%s'",ARGV0,
226 check_rc_winaudit(fp, plist);
231 /* Windows malware */
232 if(!rootcheck.winmalware)
234 merror("%s: No winmalware file configured.", ARGV0);
238 fp = fopen(rootcheck.winmalware, "r");
241 merror("%s: No winmalware file: '%s'",ARGV0,
242 rootcheck.winmalware);
246 check_rc_winmalware(fp, plist);
252 if(!rootcheck.winapps)
254 merror("%s: No winapps file configured.", ARGV0);
258 fp = fopen(rootcheck.winapps, "r");
261 merror("%s: No winapps file: '%s'",ARGV0,
266 check_rc_winapps(fp, plist);
272 /* Freeing process list */
273 del_plist((void *)plist);
277 /** Checks for other non Windows. **/
282 /*** Unix audit check ***/
283 if(rootcheck.unixaudit)
285 /* Getting process list. */
286 plist = os_get_process_list();
/* unixaudit is walked until its first NULL entry; each policy file is
 * opened and run in turn (the i++ and the fclose are not shown). */
290 while(rootcheck.unixaudit[i])
292 fp = fopen(rootcheck.unixaudit[i], "r");
295 merror("%s: No unixaudit file: '%s'",ARGV0,
296 rootcheck.unixaudit[i]);
300 /* Running unix audit. */
301 check_rc_unixaudit(fp, plist);
311 del_plist((void *)plist);
318 /*** Third check, looking for files on the /dev ***/
319 debug1("%s: DEBUG: Going into check_rc_dev", ARGV0);
320 check_rc_dev(rootcheck.basedir);
322 /*** Fourth check, scan the whole system looking for additional issues */
323 debug1("%s: DEBUG: Going into check_rc_sys", ARGV0);
324 check_rc_sys(rootcheck.basedir);
326 /*** Process checking ***/
327 debug1("%s: DEBUG: Going into check_rc_pids", ARGV0);
/* The check_rc_pids / check_rc_ports / check_open_ports / check_rc_if
 * calls that follow each debug1() are not shown in this listing. */
330 /*** Check all the ports ***/
331 debug1("%s: DEBUG: Going into check_rc_ports", ARGV0);
334 /*** Check open ports ***/
335 debug1("%s: DEBUG: Going into check_open_ports", ARGV0);
338 /*** Check interfaces ***/
339 debug1("%s: DEBUG: Going into check_rc_if", ARGV0);
343 debug1("%s: DEBUG: Completed with all checks.", ARGV0);
346 /* Cleaning the global memory */
/* Walk up to and including index rk_sys_count (the sentinel slot set
 * at the top of the scan). The NULL test on the next line is presumably
 * followed by a break (not shown), so the pair is freed only when both
 * entries are set. The freed slots are not cleared and rk_sys_count is
 * not reset in the visible lines — confirm a second scan cannot reuse
 * the stale pointers. */
349 for(li = 0;li <= rk_sys_count; li++)
351 if(!rk_sys_file[li] ||
355 free(rk_sys_file[li]);
356 free(rk_sys_name[li]);
360 /*** Final message ***/
363 if(rootcheck.notify != QUEUE)
/* time1/time2 are assigned on lines not shown; presumably the scan
 * start and end times. */
366 printf("- Scan completed in %d seconds.\n\n", (int)(time2 - time1));
374 /* Sending scan ending message */
375 notify_rk(ALERT_POLICY_VIOLATION, "Ending rootcheck scan.");
376 if(rootcheck.notify == QUEUE)
378 merror("%s: INFO: Ending rootcheck scan.", ARGV0);
382 debug1("%s: DEBUG: Leaving run_rk_check",ARGV0);