1 /* @(#) $Id: ./src/rootcheck/rootcheck.h, 2011/09/08 dcid Exp $
4 /* Copyright (C) 2009 Trend Micro Inc.
7 * This program is a free software; you can redistribute it
8 * and/or modify it under the terms of the GNU General Public
9 * License (version 2) as published by the FSF - Free Software
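#include "config/rootcheck-config.h"

/* Maximum files to search on the whole system */
#define MAX_RK_SYS 512

/* Alert types. Presumably the values passed as rk_type to notify_rk()
 * below -- confirm against the notify_rk() definition. */
#define ALERT_SYSTEM_ERR       1
#define ALERT_SYSTEM_CRIT      2
#define ALERT_ROOTKIT_FOUND    3
#define ALERT_POLICY_VIOLATION 4

/* Module name */
#define ROOTCHECK "rootcheck"

/* Default wait between rootcheck runs.
 * NOTE(review): the original comment said "10 hours", but 72000 read as
 * seconds is 20 hours -- confirm which is intended before relying on it. */
#define ROOTCHECK_WAIT 72000

/* common isfile_ondir: Check if file is present on dir */
int isfile_ondir(char *file, char *dir);

/* rk_check_file: checks file against pattern (presumably via pt_matches) */
int rk_check_file(char *file, char *pattern);

/* rk_check_dir: checks file inside dir against pattern */
int rk_check_dir(char *dir, char *file, char *pattern);

/* pt_matches: Checks if pattern is present on string */
int pt_matches(char *str, char *pattern);

/* pt_check_negate: checks if the pattern is made up
 * completely of negate matches */
int pt_check_negate(char *pattern);

/* common is_file: Check if a file exists (using stat, fopen and opendir) */
int is_file(char *file_name);

/* win_common is_registry: Check if an entry is in the registry */
int is_registry(char *entry_name, char *reg_option, char *reg_value);

/* rkcl_get_entry: Reads cl configuration file. */
int rkcl_get_entry(FILE *fp, char *msg, void *p_list);

/* normalize_string: Normalizes a string, removing white spaces and tabs
 * from the beginning and the end of it.
 * NOTE(review): whether the returned pointer aliases str or is a fresh
 * allocation is not visible from this header -- check the definition
 * before freeing the result. */
char *normalize_string(char *str);

/* os_string: Check if regex is present on the file.
 * Similar to `strings file | grep -r regex` */
int os_string(char *file, char *regex);

/* os_check_ads: check for NTFS ADS (Windows only) */
int os_check_ads(char *full_path);

/* os_get_process_list: Get list of processes. The list is opaque and is
 * presumably released with del_plist() below. */
void *os_get_process_list(void);

/* is_process: Check if a process is running. */
int is_process(char *value, void *p_list);

/* del_plist: Deletes the process list */
int del_plist(void *p_list);

/* notify_rk: Used to report messages (rk_type presumably one of ALERT_*) */
int notify_rk(int rk_type, char *msg);

/* rootcheck_init: Starts the rootcheck externally */
int rootcheck_init(int test_config);

/* run_rk_check: checks the integrity of the files against the ...
 * (the rest of this comment and the prototype are not visible in this
 * excerpt) */

/* start_rk_daemon: Runs run_rk_check periodically. */
void start_rk_daemon(void);

/*** Plugins prototypes ***/
void check_rc_files(char *basedir, FILE *fp);
void check_rc_trojans(char *basedir, FILE *fp);
void check_rc_unixaudit(FILE *fp, void *p_list);
void check_rc_winaudit(FILE *fp, void *p_list);
void check_rc_winmalware(FILE *fp, void *p_list);
void check_rc_winapps(FILE *fp, void *p_list);
void check_rc_dev(char *basedir);
void check_rc_sys(char *basedir);
void check_rc_pids(void);

/* check_rc_readproc: Verifies if "pid" is in the proc directory */
int check_rc_readproc(int pid);

void check_rc_ports(void);
void check_open_ports(void);

/* One entry per port number 0..65535 (what the value means is not
 * visible from this header).
 * NOTE(review): these are definitions, not extern declarations, so every
 * translation unit that includes this header carries its own 64 KiB
 * copy; toolchains that do not merge common symbols (GCC 10+ defaults to
 * -fno-common) reject this as a duplicate definition at link time. The
 * fix is `extern` here plus a single definition in one .c file, which is
 * outside this excerpt. */
char total_ports_udp[65535 +1];
char total_ports_tcp[65535 +1];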
163 typedef struct _Proc_Info