3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is a free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 2) as published by the FSF - Free Software
16 #include "config/rootcheck-config.h"
/* Maximum number of files to search on the whole system.
 * Bounds the per-run work of the system-wide file scan (presumably enforced
 * by check_rc_sys — confirm in its implementation). */
#define MAX_RK_SYS 512

/* Alert classes. These look like the rk_type values accepted by notify_rk()
 * (declared below); the numeric values are part of the interface with the
 * alerting side, so keep them stable. */
#define ALERT_SYSTEM_ERROR 1
#define ALERT_SYSTEM_CRIT 2
#define ALERT_ROOTKIT_FOUND 3
#define ALERT_POLICY_VIOLATION 4

/* Name used to identify this module (presumably in log/alert output — confirm). */
#define ROOTCHECK "rootcheck"

/* Default interval between rootcheck runs.
 * NOTE(review): 72000 is 20 hours if the unit is seconds, not the 10 hours the
 * original comment claimed; confirm the unit against start_rk_daemon() and the
 * documentation for the configured frequency. */
#define ROOTCHECK_WAIT 72000
/* common isfile_ondir: Check if file is present on dir.
 * Returns non-zero when an entry named `file` exists under `dir`
 * (exact return convention not visible here — confirm in the .c). */
int isfile_ondir(char *file, char *dir);

/* rk_check_file: Checks `file` against `pattern`.
 * Presumably `pattern` is a rootcheck rule pattern (see pt_matches) and
 * `file` a path taken from the rule database — confirm whether the match is
 * applied to the path or to the file contents. */
int rk_check_file(char *file, char *pattern);

/* rk_check_dir: Same check as rk_check_file, for `file` located inside `dir`. */
int rk_check_dir(char *dir, char *file, char *pattern);

/* pt_matches: Checks if pattern is present on string.
 * NOTE(review): `pattern` presumably comes from the rule files, i.e. it is
 * controlled by whoever authors the rules, not by end-user data — confirm
 * before reusing this on any other input. */
int pt_matches(char *str, char *pattern);

/* pt_check_negate: checks if the pattern is made up
 * completely of negate matches. */
int pt_check_negate(char *pattern);
/* common is_file: Check if a file exists (using stat, fopen and opendir).
 * Using three different calls presumably helps expose files that a rootkit
 * hides from one syscall but not another — confirm against the implementation. */
int is_file(char *file_name);

/* win_common is_registry: Check if an entry is in the registry (Windows only).
 * reg_option / reg_value presumably narrow the match to a value name and its
 * content — confirm; behaviour when they are NULL is not visible here. */
int is_registry(char *entry_name, char *reg_option, char *reg_value);

/* rkcl_get_entry: Reads one entry from a cl configuration file.
 * fp:     open configuration file
 * msg:    presumably a caller-provided output buffer; its size is not passed
 *         in, so NOTE(review): confirm the bound the implementation writes to
 *         before supplying a buffer of any other size
 * p_list: opaque process list from os_get_process_list()
 * Return convention not visible here — confirm in the .c. */
int rkcl_get_entry(FILE *fp, char *msg, void *p_list);
/** char *normalize_string
 * Normalizes a string, removing white spaces and tabs
 * from the beginning and the end of it.
 * The return value is presumably a pointer into `str` itself (in-place trim)
 * rather than a fresh allocation — confirm before freeing it separately. */
char *normalize_string(char *str);

/* os_string: Check if regex is present on the file.
 * Similar to `strings file | grep -r regex`.
 * NOTE(review): this scans the contents of `file`; callers should only point
 * it at paths from the rule database, and the implementation should bound how
 * much of the file it reads — confirm in the .c. */
int os_string(char *file, char *regex);

/* os_check_ads: check for NTFS ADS (alternate data streams) on full_path
 * (Windows only). */
int os_check_ads(char *full_path);
/* os_get_process_list: Get list of processes.
 * Returns an opaque handle that the caller owns and must release with
 * del_plist() (NULL on failure — presumably; confirm in the .c).
 * Note: `()` is an old-style unprototyped declarator; `(void)` would let the
 * compiler reject stray arguments. */
void *os_get_process_list();

/* is_process: Check if a process is running.
 * value:  process identifier or name to look for (exact matching rules are
 *         not visible here — confirm in the .c)
 * p_list: handle from os_get_process_list() */
int is_process(char *value, void *p_list);

/* del_plist: Deletes the process list returned by os_get_process_list().
 * The handle must not be used afterwards. */
int del_plist(void *p_list);
/* notify_rk: Used to report messages (alerts) from the checks.
 * rk_type: presumably one of the ALERT_* classes defined above — confirm
 * msg:     the message text. NOTE(review): msg can carry file names and other
 *          data read from the system under inspection, so callers must pass
 *          it as an argument, never as a printf-family format string; confirm
 *          the implementation does the same internally. */
int notify_rk(int rk_type, char *msg);

/* rootcheck_init: Starts the rootcheck externally.
 * test_config: when non-zero, presumably only validates the configuration
 *              without running the checks — confirm in the .c. */
int rootcheck_init(int test_config);

/* run_rk_check: checks the integrity of the files against the
 * ... (the rest of this comment and the run_rk_check prototype are not
 * present in this excerpt of the header). */

/* start_rk_daemon: Runs run_rk_check periodically
 * (the interval presumably defaults to ROOTCHECK_WAIT — confirm). */
void start_rk_daemon();
/*** Plugins prototypes ***
 * Each check_rc_* function runs one family of checks and presumably reports
 * findings through notify_rk(). The exact checks performed are only visible in
 * the respective .c files; the one-line descriptions below are derived from
 * the names and parameter lists and should be confirmed there.
 ***/

/* Files listed in the rootkit database (fp), checked relative to basedir. */
void check_rc_files(char *basedir, FILE *fp);

/* Trojaned system binaries listed in fp, checked relative to basedir. */
void check_rc_trojans(char *basedir, FILE *fp);

/* Unix system-audit checks read from fp; p_list is the process list from
 * os_get_process_list(). */
void check_rc_unixaudit(FILE *fp, void *p_list);

/* Windows counterpart of check_rc_unixaudit. */
void check_rc_winaudit(FILE *fp, void *p_list);

/* Windows malware checks read from fp. */
void check_rc_winmalware(FILE *fp, void *p_list);

/* Windows application checks read from fp. */
void check_rc_winapps(FILE *fp, void *p_list);

/* Device-directory checks under basedir. */
void check_rc_dev(char *basedir);

/* System-wide file scan under basedir (presumably bounded by MAX_RK_SYS). */
void check_rc_sys(char *basedir);

/* Hidden-process checks. */
void check_rc_pids();

/* Verifies if "pid" is in the proc directory */
int check_rc_readproc(int pid);

/* Hidden-port checks. */
void check_rc_ports();

/* Reports open ports. */
void check_open_ports();
/* One entry per UDP/TCP port number (0..65535), hence 65535 + 1 slots, so the
 * arrays can be indexed directly by port. The meaning of each byte is set by
 * the port checks (check_rc_ports / check_open_ports, presumably — confirm).
 *
 * NOTE(review): these are *definitions*, not declarations. If more than one
 * translation unit includes this header, each of them defines both arrays,
 * which only links when the toolchain merges them as common symbols; GCC 10+
 * defaults to -fno-common and rejects the duplicate definitions. The proper
 * fix is `extern` here plus a single definition in one .c file — not applied
 * in this edit because that .c file is outside this excerpt. */
char total_ports_udp[65535 +1];
char total_ports_tcp[65535 +1];
162 typedef struct _Proc_Info