3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is a free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 2) as published by the FSF - Free Software
14 * Copyright (C) 2003 Daniel B. Cid <daniel@underlinux.com.br>
15 * http://www.ossec.net/rootcheck/
19 /* Included from the Rootcheck project */
22 #include "headers/shared.h"
24 #include "rootcheck.h"
27 #define ARGV0 "rootcheck"
33 /* Read the new XML config */
34 int Read_Rootcheck_Config(char * cfgfile, rkconfig *cfg);
42 printf("Rootcheck v0.8 (Mar/12/2008):\n");
43 printf("http://www.ossec.net/rootcheck/\n");
44 printf("Available options:\n");
45 printf("\t\t-h\t This Help message\n");
46 printf("\t\t-c <file> Configuration file\n");
47 printf("\t\t-d\t Enable debug\n");
48 printf("\t\t-D <dir> Set the working directory\n");
49 printf("\t\t-s\t Scans the whole system\n");
50 printf("\t\t-r\t Read all the files for kernel-based detection\n");
58 int main(int argc, char **argv)
65 int rootcheck_init(int test_config)
72 char *cfg = DEFAULTCPATH;
74 char *cfg = "./rootcheck.conf";
77 /* Zeroing the structure */
78 rootcheck.workdir = NULL;
79 rootcheck.basedir = NULL;
80 rootcheck.unixaudit = NULL;
81 rootcheck.ignore = NULL;
82 rootcheck.rootkit_files = NULL;
83 rootcheck.rootkit_trojans = NULL;
84 rootcheck.winaudit = NULL;
85 rootcheck.winmalware = NULL;
86 rootcheck.winapps = NULL;
88 rootcheck.notify = QUEUE;
89 rootcheck.scanall = 0;
90 rootcheck.readall = 0;
91 rootcheck.disabled = 0;
92 rootcheck.alert_msg = NULL;
93 rootcheck.time = ROOTCHECK_WAIT;
96 /* We store up to 255 alerts in there. */
97 os_calloc(256, sizeof(char *), rootcheck.alert_msg);
101 rootcheck.alert_msg[c] = NULL;
107 rootcheck.notify = SYSLOG;
108 rootcheck.daemon = 0;
109 while((c = getopt(argc, argv, "VstrdhD:c:")) != -1)
124 ErrorExit("%s: -D needs an argument",ARGV0);
125 rootcheck.workdir = optarg;
129 ErrorExit("%s: -c needs an argument",ARGV0);
133 rootcheck.scanall = 1;
139 rootcheck.readall = 1;
150 /* Starting Winsock */
153 if (WSAStartup(MAKEWORD(2, 0), &wsaData) != 0)
155 ErrorExit("%s: WSAStartup() failed", ARGV0);
161 #endif /* OSSECHIDS */
165 /* Starting message */
165 debug1(STARTED_MSG,ARGV0);
168 /* Checking if the configuration is present */
169 if(File_DateofChange(cfg) < 0)
171 merror("%s: Configuration file '%s' not found",ARGV0,cfg);
177 /* Reading configuration -- function specified twice (check makefile) */
177 if(Read_Rootcheck_Config(cfg, &rootcheck) < 0)
179 ErrorExit(CONFIG_ERROR, ARGV0, cfg);
183 /* If testing config, exit here */
189 /* A disabled value of 1 turns rootcheck off */
189 if(rootcheck.disabled == 1)
191 verbose("%s: Rootcheck disabled. Exiting.", ARGV0);
196 /* Checking if Unix audit file is configured. */
197 if(!rootcheck.unixaudit)
200 log2file("%s: System audit file not configured.", ARGV0);
205 /* Setting default values */
206 if(rootcheck.workdir == NULL)
207 rootcheck.workdir = DEFAULTDIR;
213 /* Start up message */
215 verbose(STARTUP_MSG, "ossec-rootcheck", getpid());
219 /* Connect to the queue if configured to do so */
220 if(rootcheck.notify == QUEUE)
222 debug1("%s: Starting queue ...",ARGV0);
224 /* Starting the queue. */
225 if((rootcheck.queue = StartMQ(DEFAULTQPATH,WRITE)) < 0)
227 merror(QUEUE_ERROR,ARGV0,DEFAULTQPATH, strerror(errno));
229 /* 5 seconds to see if the agent starts */
231 if((rootcheck.queue = StartMQ(DEFAULTQPATH,WRITE)) < 0)
234 /* Wait 10 more seconds. */
234 merror(QUEUE_ERROR,ARGV0,DEFAULTQPATH, strerror(errno));
236 if((rootcheck.queue = StartMQ(DEFAULTQPATH,WRITE)) < 0)
237 ErrorExit(QUEUE_FATAL,ARGV0,DEFAULTQPATH);
242 #endif /* Not win32 */
244 #endif /* ossec hids */
247 /* Initializing rk list */
248 rk_sys_name = calloc(MAX_RK_SYS +2, sizeof(char *));
249 rk_sys_file = calloc(MAX_RK_SYS +2, sizeof(char *));
250 if(!rk_sys_name || !rk_sys_file)
252 ErrorExit(MEM_ERROR, ARGV0);
254 rk_sys_name[0] = NULL;
255 rk_sys_file[0] = NULL;
261 /* Start the signal handling */
271 debug1("%s: DEBUG: Running run_rk_check",ARGV0);
275 debug1("%s: DEBUG: Leaving...",ARGV0);