1 /* Copyright (C) 2009 Trend Micro Inc.
4 * This program is a free software; you can redistribute it
5 * and/or modify it under the terms of the GNU General Public
6 * License (version 2) as published by the FSF - Free Software
11 #include "rootcheck.h"
14 /*
 * notify_rk - Report a rootcheck finding, either locally or to the server.
 *
 * @rk_type: one of the ALERT_* codes (ALERT_OK, ALERT_SYSTEM_ERR,
 *           ALERT_POLICY_VIOLATION, ...). Selects the stdout tag and
 *           decides whether the message is forwarded to the queue.
 * @msg:     NUL-terminated text of the finding. It is only ever passed
 *           as a "%s" argument, never as the format string itself.
 *
 * Non-queue mode (rootcheck.notify != QUEUE): the message is printed to
 * stdout under an [OK]/[ERR]/[INFO]/[FAILED] tag and nothing is sent.
 * Queue mode: results with rk_type <= ALERT_SYSTEM_ERR are not sent to
 * the server; anything else goes to rootcheck.queue through SendMSG().
 * If that send fails, QUEUE_SEND is logged, the queue is reopened once
 * with StartMQ(DEFAULTQPATH, WRITE) and the send retried; failure to
 * reopen, or a second failed send, terminates the process (ErrorExit).
 *
 * Returns int. NOTE(review): this listing is an excerpt (see the gaps in
 * the gutter numbers) -- the final else branch, the return statements
 * and the closing brace of this function are not shown here.
 */
15 int notify_rk(int rk_type, const char *msg)
17 /* Non-queue notification: print locally instead of alerting the server */
18 if (rootcheck.notify != QUEUE) {
19 if (rk_type == ALERT_OK) {
20 printf("[OK]: %s\n", msg);
21 } else if (rk_type == ALERT_SYSTEM_ERR) {
22 printf("[ERR]: %s\n", msg);
23 } else if (rk_type == ALERT_POLICY_VIOLATION) {
24 printf("[INFO]: %s\n", msg);
26 printf("[FAILED]: %s\n", msg);
33 /* OK and system-error results are informational only and are not
 * forwarded to the server. NOTE(review): this relies on the ALERT_*
 * values being ordered so that ALERT_OK and ALERT_SYSTEM_ERR are the
 * lowest -- confirm against their definitions in rootcheck.h. */
34 if (rk_type <= ALERT_SYSTEM_ERR) {
39 /* When running in context of OSSEC-HIDS, send problem to the rootcheck queue */
40 if (SendMSG(rootcheck.queue, msg, ROOTCHECK, ROOTCHECK_MQ) < 0) {
41 merror(QUEUE_SEND, ARGV0);
/* Send failed: reopen the queue and retry exactly once. Both of the
 * failures below are fatal (ErrorExit does not return). */
43 if ((rootcheck.queue = StartMQ(DEFAULTQPATH, WRITE)) < 0) {
44 ErrorExit(QUEUE_FATAL, ARGV0, DEFAULTQPATH);
47 if (SendMSG(rootcheck.queue, msg, ROOTCHECK, ROOTCHECK_MQ) < 0) {
48 ErrorExit(QUEUE_FATAL, ARGV0, DEFAULTQPATH);
56 /*
 * run_rk_check - Execute the configured rootkit and policy checks in order.
 *
 * NOTE(review): this listing is an excerpt with gaps (see the gutter
 * numbers). The function signature, the local declarations (fp, plist,
 * i, li, time1/time2), the #ifdef WIN32 boundaries, most closing
 * braces, the NULL test after each fopen() and the matching fclose()
 * calls are not shown. In the full source every fopen() below must be
 * paired with a NULL check and an fclose() -- verify there.
 *
 * Runs, each gated by a rootcheck.checks.* flag: rootkit files, trojans,
 * Windows audit/malware/apps (against a process list), Unix audit,
 * /dev, the whole filesystem, pids, ports, open ports and interfaces.
 * Start and end of the scan are announced through notify_rk() and, in
 * queue mode, also logged with merror(). Reads and writes the globals
 * rootcheck, rk_sys_file, rk_sys_name and rk_sys_count.
 */
65 /* On non-Windows, always start at / */
69 /* Removing the last / from basedir (i = strlen(basedir) is set outside this excerpt) */
72 if (basedir[i - 1] == '/') {
73 basedir[i - 1] = '\0';
77 /* On Windows, always start at C:\ */
78 char basedir[] = "C:\\";
/* Only fall back to the built-in basedir when the config gave none.
 * NOTE(review): basedir is a function-local array (see line 78 above),
 * so the global keeps pointing into this call's stack frame after the
 * function returns, and the NULL test below will not reassign it on a
 * later call. Confirm whether run_rk_check is invoked more than once
 * per process; a static array or a heap copy would avoid the dangling
 * pointer. */
83 if (rootcheck.basedir == NULL) {
84 rootcheck.basedir = basedir;
/* Banner is only printed for interactive (non-queue) runs */
90 if (rootcheck.notify != QUEUE) {
92 printf("** Starting Rootcheck v0.9 by Daniel B. Cid **\n");
93 printf("** http://www.ossec.net/en/about.html#dev-team **\n");
94 printf("** http://www.ossec.net/rootcheck/ **\n\n");
95 printf("Be patient, it may take a few minutes to complete...\n");
99 /* Clean the global variables: NULL-terminate the rk_sys_* tables at
 * index rk_sys_count (where rk_sys_count is reset is not shown here) */
101 rk_sys_file[rk_sys_count] = NULL;
102 rk_sys_name[rk_sys_count] = NULL;
104 /* Send scan start message; in queue mode also record it in the local log */
105 notify_rk(ALERT_POLICY_VIOLATION, "Starting rootcheck scan.");
106 if (rootcheck.notify == QUEUE) {
107 merror("%s: INFO: Starting rootcheck scan.", ARGV0);
110 /* Check for Rootkits */
111 /* Open rootkit_files and pass the pointer to check_rc_files.
 * A missing path is reported at 115; an fopen() failure at 120 (the
 * NULL test and the fclose() that follow are outside this excerpt). */
112 if (rootcheck.checks.rc_files) {
113 if (!rootcheck.rootkit_files) {
115 merror("%s: No rootcheck_files file configured.", ARGV0);
118 fp = fopen(rootcheck.rootkit_files, "r");
120 merror("%s: No rootcheck_files file: '%s'", ARGV0,
121 rootcheck.rootkit_files);
125 check_rc_files(rootcheck.basedir, fp);
132 /* Check for trojan entries in common binaries (same open/check
 * pattern as the rootkit_files block above) */
133 if (rootcheck.checks.rc_trojans) {
134 if (!rootcheck.rootkit_trojans) {
136 merror("%s: No rootcheck_trojans file configured.", ARGV0);
139 fp = fopen(rootcheck.rootkit_trojans, "r");
141 merror("%s: No rootcheck_trojans file: '%s'", ARGV0,
142 rootcheck.rootkit_trojans);
145 check_rc_trojans(rootcheck.basedir, fp);
153 /* Get process list (Windows branch; shared by the three checks below
 * and released at 205) */
154 plist = os_get_process_list();
156 /* Windows audit check */
157 if (rootcheck.checks.rc_winaudit) {
158 if (!rootcheck.winaudit) {
159 merror("%s: No winaudit file configured.", ARGV0);
161 fp = fopen(rootcheck.winaudit, "r");
163 merror("%s: No winaudit file: '%s'", ARGV0,
166 check_rc_winaudit(fp, plist);
172 /* Windows malware */
173 if (rootcheck.checks.rc_winmalware) {
174 if (!rootcheck.winmalware) {
175 merror("%s: No winmalware file configured.", ARGV0);
177 fp = fopen(rootcheck.winmalware, "r");
179 merror("%s: No winmalware file: '%s'", ARGV0,
180 rootcheck.winmalware);
182 check_rc_winmalware(fp, plist);
/* Windows application checks */
189 if (rootcheck.checks.rc_winapps) {
190 if (!rootcheck.winapps) {
191 merror("%s: No winapps file configured.", ARGV0);
193 fp = fopen(rootcheck.winapps, "r");
195 merror("%s: No winapps file: '%s'", ARGV0,
198 check_rc_winapps(fp, plist);
204 /* Free the process list obtained at 154 */
205 del_plist((void *)plist);
208 /* Checks for other non-Windows */
210 /* Unix audit check: rootcheck.unixaudit is a NULL-terminated list of
 * policy files, each opened and checked in turn. NOTE(review): the
 * release of the process list obtained at 214 is not in this excerpt;
 * verify it is passed to del_plist() in the full source. */
211 if (rootcheck.checks.rc_unixaudit) {
212 if (rootcheck.unixaudit) {
213 /* Get process list */
214 plist = os_get_process_list();
217 while (rootcheck.unixaudit[i]) {
218 fp = fopen(rootcheck.unixaudit[i], "r");
220 merror("%s: No unixaudit file: '%s'", ARGV0,
221 rootcheck.unixaudit[i]);
224 check_rc_unixaudit(fp, plist);
238 /* Check for files in the /dev filesystem */
239 if (rootcheck.checks.rc_dev) {
240 debug1("%s: DEBUG: Going into check_rc_dev", ARGV0);
241 check_rc_dev(rootcheck.basedir);
242 debug1("%s: DEBUG: Exiting check_rc_dev", ARGV0);
245 /* Scan the whole system for additional issues */
246 if (rootcheck.checks.rc_sys) {
247 debug1("%s: DEBUG: Going into check_rc_sys", ARGV0);
248 check_rc_sys(rootcheck.basedir);
249 debug1("%s: DEBUG: Exiting check_rc_sys", ARGV0);
252 /* Check processes. For this and the three checks below only the
 * Going into/Exiting debug pair is shown; the actual check call sits
 * between them, outside this excerpt. */
253 if (rootcheck.checks.rc_pids) {
254 debug1("%s: DEBUG: Going into check_rc_pids", ARGV0);
256 debug1("%s: DEBUG: Exiting check_rc_pids", ARGV0);
259 /* Check all ports */
260 if (rootcheck.checks.rc_ports) {
261 debug1("%s: DEBUG: Going into check_rc_ports", ARGV0);
263 debug1("%s: DEBUG: Exiting check_rc_ports", ARGV0);
265 /* Check open ports */
266 debug1("%s: DEBUG: Going into check_open_ports", ARGV0);
268 debug1("%s: DEBUG: Exiting check_open_ports", ARGV0);
271 /* Check interfaces */
272 if (rootcheck.checks.rc_if) {
273 debug1("%s: DEBUG: Going into check_rc_if", ARGV0);
275 debug1("%s: DEBUG: Exiting check_rc_if", ARGV0);
278 debug1("%s: DEBUG: Completed with all checks.", ARGV0);
280 /* Clean the global memory: release every rk_sys_file/rk_sys_name
 * entry. The loop is inclusive (li <= rk_sys_count), so it also visits
 * the sentinel slot NULL-ed at 101/102; the condition at 284 continues
 * on a line that is not shown here. */
283 for (li = 0; li <= rk_sys_count; li++) {
284 if (!rk_sys_file[li] ||
289 free(rk_sys_file[li]);
290 free(rk_sys_name[li]);
/* Elapsed-time summary for interactive runs (time1/time2 are set
 * outside this excerpt) */
297 if (rootcheck.notify != QUEUE) {
299 printf("- Scan completed in %d seconds.\n\n", (int)(time2 - time1));
304 /* Send scan ending message; in queue mode also record it in the local log */
305 notify_rk(ALERT_POLICY_VIOLATION, "Ending rootcheck scan.");
306 if (rootcheck.notify == QUEUE) {
307 merror("%s: INFO: Ending rootcheck scan.", ARGV0);
310 debug1("%s: DEBUG: Leaving run_rk_check", ARGV0);