1 /* Copyright (C) 2009 Trend Micro Inc.
4 * This program is a free software; you can redistribute it
5 * and/or modify it under the terms of the GNU General Public
6 * License (version 2) as published by the FSF - Free Software
18 #include "os_xml/os_xml.h"
19 #include "rootcheck.h"
22 /* Evaluate a boolean from two arguments
23 * str: input string, "yes"|"no"
24 * default_val: 1(yes)|0(no); the value kept when str is neither "yes" nor "no"
26 short eval_bool2(char *str, short default_val)
28 short ret = default_val;
32 } else if (strcmp(str, "yes") == 0) {
34 } else if (strcmp(str, "no") == 0) {
42 /* Read the rootcheck configuration from cfgfile */
43 int Read_Rootcheck_Config(const char *cfgfile)
51 const char *(xml_base_dir[]) = {xml_rootcheck, "base_directory", NULL};
52 const char *(xml_workdir[]) = {xml_rootcheck, "work_directory", NULL};
53 const char *(xml_rootkit_files[]) = {xml_rootcheck, "rootkit_files", NULL};
54 const char *(xml_rootkit_trojans[]) = {xml_rootcheck, "rootkit_trojans", NULL};
55 const char *(xml_rootkit_unixaudit[]) = {xml_rootcheck, "system_audit", NULL};
56 const char *(xml_rootkit_winaudit[]) = {xml_rootcheck, "windows_audit", NULL};
57 const char *(xml_rootkit_winapps[]) = {xml_rootcheck, "windows_apps", NULL};
58 const char *(xml_rootkit_winmalware[]) = {xml_rootcheck, "windows_malware", NULL};
59 const char *(xml_scanall[]) = {xml_rootcheck, "scanall", NULL};
60 const char *(xml_readall[]) = {xml_rootcheck, "readall", NULL};
62 const char *(xml_time[]) = {xml_rootcheck, "frequency", NULL};
64 const char *(xml_check_dev[]) = {xml_rootcheck, "check_dev", NULL};
65 const char *(xml_check_files[]) = {xml_rootcheck, "check_files", NULL};
66 const char *(xml_check_if[]) = {xml_rootcheck, "check_if", NULL};
67 const char *(xml_check_pids[]) = {xml_rootcheck, "check_pids", NULL};
68 const char *(xml_check_ports[]) = {xml_rootcheck, "check_ports", NULL};
69 const char *(xml_check_sys[]) = {xml_rootcheck, "check_sys", NULL};
70 const char *(xml_check_trojans[]) = {xml_rootcheck, "check_trojans", NULL};
72 const char *(xml_check_winapps[]) = {xml_rootcheck, "check_winapps", NULL};
73 const char *(xml_check_winaudit[]) = {xml_rootcheck, "check_winaudit", NULL};
74 const char *(xml_check_winmalware[]) = {xml_rootcheck, "check_winmalware", NULL};
76 const char *(xml_check_unixaudit[]) = {xml_rootcheck, "check_unixaudit", NULL};
84 if (OS_ReadXML(cfgfile, &xml) < 0) {
85 merror("config_op: XML error: %s", xml.err);
89 if (!OS_RootElementExist(&xml, xml_rootcheck)) {
91 merror("%s: Rootcheck configuration not found. ", ARGV0);
98 str = OS_GetOneContentforElement(&xml, xml_time);
100 if (!OS_StrIsNum(str)) {
101 merror("Invalid frequency time '%s' for the rootkit "
102 "detection (must be int).", str);
106 rootcheck.time = atoi(str);
110 #endif /* OSSECHIDS */
113 if (!rootcheck.scanall) {
114 rootcheck.scanall = eval_bool2(OS_GetOneContentforElement(&xml, xml_scanall), 0);
118 if (!rootcheck.readall) {
119 rootcheck.readall = eval_bool2(OS_GetOneContentforElement(&xml, xml_readall), 0);
122 /* Get work directory */
123 if (!rootcheck.workdir) {
124 rootcheck.workdir = OS_GetOneContentforElement(&xml, xml_workdir);
127 rootcheck.rootkit_files = OS_GetOneContentforElement
128 (&xml, xml_rootkit_files);
129 rootcheck.rootkit_trojans = OS_GetOneContentforElement
130 (&xml, xml_rootkit_trojans);
131 rootcheck.unixaudit = OS_GetContents
132 (&xml, xml_rootkit_unixaudit);
133 rootcheck.winaudit = OS_GetOneContentforElement
134 (&xml, xml_rootkit_winaudit);
135 rootcheck.winapps = OS_GetOneContentforElement
136 (&xml, xml_rootkit_winapps);
137 rootcheck.winmalware = OS_GetOneContentforElement
138 (&xml, xml_rootkit_winmalware);
139 rootcheck.basedir = OS_GetOneContentforElement(&xml, xml_base_dir);
140 rootcheck.checks.rc_dev = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_dev), 1);
141 rootcheck.checks.rc_files = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_files), 1);
142 rootcheck.checks.rc_if = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_if), 1);
143 rootcheck.checks.rc_pids = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_pids), 1);
144 rootcheck.checks.rc_ports = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_ports), 1);
145 rootcheck.checks.rc_sys = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_sys), 1);
146 rootcheck.checks.rc_trojans = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_trojans), 1);
148 rootcheck.checks.rc_winapps = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_winapps), 1);
149 rootcheck.checks.rc_winaudit = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_winaudit), 1);
150 rootcheck.checks.rc_winmalware = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_winmalware), 1);
152 rootcheck.checks.rc_unixaudit = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_unixaudit), 1);