1 /* @(#) $Id: ./src/rootcheck/rootcheck.c, 2011/09/08 dcid Exp $
4 /* Copyright (C) 2009 Trend Micro Inc.
7 * This program is a free software; you can redistribute it
8 * and/or modify it under the terms of the GNU General Public
9 * License (version 2) as published by the FSF - Free Software
15 * Copyright (C) 2003 Daniel B. Cid <daniel@underlinux.com.br>
16 * http://www.ossec.net/rootcheck/
20 /* Included from the Rootcheck project */
23 #include "headers/shared.h"
25 #include "rootcheck.h"
28 #define ARGV0 "rootcheck"
/* Program name; used as the "%s" prefix of every log/error message in this file. */
34 /* Read the new XML config */
/* Parses cfgfile into cfg. rootcheck_init treats a negative return as a fatal
 * configuration error. Declared here rather than in a header; the string is
 * not modified through this prototype, so it could be const char *. */
35 int Read_Rootcheck_Config(char * cfgfile, rkconfig *cfg);
43 printf("Rootcheck v0.8 (Mar/12/2008):\n");
44 printf("http://www.ossec.net/rootcheck/\n");
45 printf("Available options:\n");
46 printf("\t\t-h\t This Help message\n");
47 printf("\t\t-c <file> Configuration file\n");
48 printf("\t\t-d\t Enable debug\n");
49 printf("\t\t-D <dir> Set the working directory\n");
50 printf("\t\t-s\t Scans the whole system\n");
51 printf("\t\t-r\t Read all the files for kernel-based detection\n");
59 int main(int argc, char **argv)
/* Initialise the global `rootcheck` configuration, parse the command line,
 * load the configuration file, connect to the message queue and allocate
 * the rk_sys tables before the checks run.
 *
 * test_config: when set, the intent (per the comment below) is to stop after
 *              the configuration has been read; the early exit itself is not
 *              visible in this excerpt.
 * Return value: not determinable from this excerpt; every fatal condition
 *              below goes through ErrorExit() rather than a return code.
 * NOTE(review): this listing omits lines (the #ifdef/#else structure, the
 * getopt switch, the sleep calls) - comments describe only what is shown. */
66 int rootcheck_init(int test_config)
/* Two alternative defaults for the config path; the preprocessor conditional
 * selecting between them is not shown (the `#endif OSSECHIDS` further down
 * suggests DEFAULTCPATH is the HIDS build, "./rootcheck.conf" standalone). */
73 char *cfg = DEFAULTCPATH;
75 char *cfg = "./rootcheck.conf";
78 /* Zeroing the structure, initializing default values */
79 rootcheck.workdir = NULL;
80 rootcheck.basedir = NULL;
81 rootcheck.unixaudit = NULL;
82 rootcheck.ignore = NULL;
83 rootcheck.rootkit_files = NULL;
84 rootcheck.rootkit_trojans = NULL;
85 rootcheck.winaudit = NULL;
86 rootcheck.winmalware = NULL;
87 rootcheck.winapps = NULL;
/* Alerts go to the OSSEC queue by default; a later branch switches this to SYSLOG. */
89 rootcheck.notify = QUEUE;
90 rootcheck.scanall = 0;
91 rootcheck.readall = 0;
92 rootcheck.disabled = 0;
93 rootcheck.alert_msg = NULL;
94 rootcheck.time = ROOTCHECK_WAIT;
/* Every check class is enabled unless the config file turns it off. */
97 rootcheck.checks.rc_dev = 1;
98 rootcheck.checks.rc_files = 1;
99 rootcheck.checks.rc_if = 1;
100 rootcheck.checks.rc_pids = 1;
101 rootcheck.checks.rc_ports = 1;
102 rootcheck.checks.rc_sys = 1;
103 rootcheck.checks.rc_trojans = 1;
107 rootcheck.checks.rc_winaudit = 1;
108 rootcheck.checks.rc_winmalware = 1;
109 rootcheck.checks.rc_winapps = 1;
113 rootcheck.checks.rc_unixaudit = 1;
117 /* We store up to 255 alerts in there. */
/* 256 slots are allocated so the array can stay NULL-terminated at 255
 * entries. os_calloc zero-fills, so the explicit NULL stores below are
 * redundant but harmless (the loop header is not shown here). */
118 os_calloc(256, sizeof(char *), rootcheck.alert_msg);
122 rootcheck.alert_msg[c] = NULL;
/* Standalone command-line mode: report via syslog and stay in the foreground.
 * The conditional that guards this path is not visible in this excerpt. */
128 rootcheck.notify = SYSLOG;
129 rootcheck.daemon = 0;
/* Options taking an argument: -D <dir>, -c <file>. The switch body is not shown. */
130 while((c = getopt(argc, argv, "VstrdhD:c:")) != -1)
/* getopt already reports a missing argument; this is an extra guard on optarg. */
145 ErrorExit("%s: -D needs an argument",ARGV0);
/* The working directory is taken from argv verbatim (no canonicalisation
 * here). NOTE(review): presumably consumed by a chdir() elsewhere - confirm
 * it is validated before use. */
146 rootcheck.workdir = optarg;
150 ErrorExit("%s: -c needs an argument",ARGV0);
154 rootcheck.scanall = 1;
160 rootcheck.readall = 1;
171 /* Starting Winsock */
/* Windows only: network checks need Winsock 2.0; failure is fatal. */
174 if (WSAStartup(MAKEWORD(2, 0), &wsaData) != 0)
176 ErrorExit("%s: WSAStartup() failed", ARGV0);
182 #endif /* OSSECHIDS */
185 /* Starting message */
186 debug1(STARTED_MSG,ARGV0);
189 /* Checking if the configuration is present */
/* File_DateofChange() < 0 is used as an existence/accessibility test.
 * Only merror() is visible here; what happens next is not in this excerpt. */
190 if(File_DateofChange(cfg) < 0)
192 merror("%s: Configuration file '%s' not found",ARGV0,cfg);
197 /* Reading configuration --function specified twice (check makefile) */
/* A parse error is fatal: refuse to run with a partially-applied policy. */
198 if(Read_Rootcheck_Config(cfg, &rootcheck) < 0)
200 ErrorExit(CONFIG_ERROR, ARGV0, cfg);
204 /* If testing config, exit here */
209 /* Return 1 disables rootcheck */
210 if(rootcheck.disabled == 1)
212 verbose("%s: Rootcheck disabled. Exiting.", ARGV0);
217 /* Checking if Unix audit file is configured. */
/* Not fatal: the remaining checks still run without a system audit policy. */
218 if(!rootcheck.unixaudit)
221 log2file("%s: System audit file not configured.", ARGV0);
226 /* Setting default values */
227 if(rootcheck.workdir == NULL)
228 rootcheck.workdir = DEFAULTDIR;
234 /* Start up message */
236 verbose(STARTUP_MSG, "ossec-rootcheck", getpid());
240 /* Connect to the queue if configured to do so */
241 if(rootcheck.notify == QUEUE)
243 debug1("%s: Starting queue ...",ARGV0);
245 /* Starting the queue. */
/* Three attempts to open the agent queue; the waits mentioned in the comments
 * between attempts are not shown here. Only the third failure is fatal, so a
 * slow-starting agent does not prevent rootcheck from running. */
246 if((rootcheck.queue = StartMQ(DEFAULTQPATH,WRITE)) < 0)
248 merror(QUEUE_ERROR,ARGV0,DEFAULTQPATH, strerror(errno));
250 /* 5 seconds to see if the agent starts */
252 if((rootcheck.queue = StartMQ(DEFAULTQPATH,WRITE)) < 0)
254 /* another 10-second wait */
255 merror(QUEUE_ERROR,ARGV0,DEFAULTQPATH, strerror(errno));
257 if((rootcheck.queue = StartMQ(DEFAULTQPATH,WRITE)) < 0)
258 ErrorExit(QUEUE_FATAL,ARGV0,DEFAULTQPATH);
263 #endif /* Not win32 */
265 #endif /* ossec hids */
268 /* Initializing rk list */
/* Both tables are checked together; on failure ErrorExit() presumably does
 * not return, so the first allocation is not leaked on the second's failure. */
269 rk_sys_name = calloc(MAX_RK_SYS +2, sizeof(char *));
270 rk_sys_file = calloc(MAX_RK_SYS +2, sizeof(char *));
271 if(!rk_sys_name || !rk_sys_file)
273 ErrorExit(MEM_ERROR, ARGV0);
/* calloc already zero-fills; these stores make the NULL terminator explicit. */
275 rk_sys_name[0] = NULL;
276 rk_sys_file[0] = NULL;
282 /* Start the signal handling */
/* The signal-handler installation and the run_rk_check() call are not shown. */
292 debug1("%s: DEBUG: Running run_rk_check",ARGV0);
296 debug1("%s: DEBUG: Leaving...",ARGV0);