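/* @(#) $Id: run_rk_check.c,v 1.32 2007/07/21 02:53:21 dcid Exp $ */

/* Copyright (C) 2005 Daniel B. Cid
 * All right reserved.
 *
 * This program is a free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public
 * License (version 2) as published by the FSF - Free Software
 * Foundation
 */

#include "shared.h"
#include "rootcheck.h"

/* notify_rk
 * Report a problem.
 *
 * rk_type: one of the ALERT_* codes.  msg: the finding text.
 * When rootcheck.notify is not QUEUE the result is printed to stdout.
 * Otherwise findings above ALERT_SYSTEM_ERROR are forwarded to the
 * queue (OSSECHIDS builds only), with one reconnect attempt before
 * ErrorExit.  Always returns 0.
 *
 * msg is always passed as a "%s" argument, never as the format string:
 * the text is built from scanned file names and process data, which is
 * not trusted input.
 */
int notify_rk(int rk_type, char *msg)
{
    /* Non-queue notification: print to stdout */
    if (rootcheck.notify != QUEUE) {
        if (rk_type == ALERT_OK) {
            printf("[OK]: %s\n", msg);
        } else if (rk_type == ALERT_SYSTEM_ERROR) {
            printf("[ERR]: %s\n", msg);
        } else if (rk_type == ALERT_POLICY_VIOLATION) {
            printf("[INFO]: %s\n", msg);
        } else {
            printf("[FAILED]: %s\n", msg);
        }
        printf("\n");
        return (0);
    }

    /* No need to alert the server on OK / system-error results.
     * NOTE(review): this relies on the ALERT_* codes being ordered by
     * severity, with ALERT_SYSTEM_ERROR below every reportable code. */
    if (rk_type <= ALERT_SYSTEM_ERROR) {
        return (0);
    }

#ifdef OSSECHIDS
    if (SendMSG(rootcheck.queue, msg, ROOTCHECK, ROOTCHECK_MQ) < 0) {
        merror(QUEUE_SEND, ARGV0);

        /* One reconnect attempt; a second failure is fatal */
        if ((rootcheck.queue = StartMQ(DEFAULTQPATH, WRITE)) < 0) {
            ErrorExit(QUEUE_FATAL, ARGV0, DEFAULTQPATH);
        }

        if (SendMSG(rootcheck.queue, msg, ROOTCHECK, ROOTCHECK_MQ) < 0) {
            ErrorExit(QUEUE_FATAL, ARGV0, DEFAULTQPATH);
        }
    }
#endif

    return (0);
}

/* start_rk_daemon
 * Start the rootkit daemon variables.
 *
 * Currently a no-op placeholder: nothing is initialised here yet.
 * (The previous body had an empty, unreachable branch after the return.)
 */
void start_rk_daemon(void)
{
    return;
}

/* open_rk_list
 * Open one of the rootcheck signature/list files for reading.
 *
 * path: the configured file name (may be NULL when the option is unset).
 * name: the configuration keyword used in log messages, e.g. "rootcheck_files".
 * warn_unset: when non-zero, log an error if path is NULL.
 *
 * Returns NULL (after logging) when the option is unset or the file cannot
 * be opened; the caller owns a non-NULL result and must fclose() it.
 */
static FILE *open_rk_list(const char *path, const char *name, int warn_unset)
{
    FILE *fp;

    if (!path) {
        if (warn_unset) {
            merror("%s: No %s file configured.", ARGV0, name);
        }
        return NULL;
    }

    fp = fopen(path, "r");
    if (!fp) {
        merror("%s: No %s file: '%s'", ARGV0, name, path);
    }
    return fp;
}

/* run_rk_check: v0.1
 * Execute the rootkit checks.
 *
 * Runs every check in sequence against rootcheck.basedir (defaulting to
 * the platform root when unset), reports start/finish, and frees the
 * rk_sys_* entries collected during the scan.  Timing is printed only
 * when not talking to the queue.
 */
void run_rk_check(void)
{
    time_t time1;
    time_t time2;
    FILE *fp;

#ifndef WIN32
    /* Hard-coded default basedir.  It is static because rootcheck.basedir
     * keeps pointing at it after this function returns; a plain local
     * would leave the global dangling on the next scan. */
    static char basedir[] = "/";
    size_t blen = strlen(basedir);

    /* Removing the trailing '/' from basedir ("/" becomes "") */
    if (blen > 0 && basedir[blen - 1] == '/') {
        basedir[blen - 1] = '\0';
    }

    /* Missing list files are reported on Unix only */
    const int warn_unset = 1;
#else
    /* Basedir for Windows (static for the same reason as above) */
    static char basedir[] = "C:\\";
    OSList *win32_plist;

    /* On Windows the rootkit_files/rootkit_trojans lists are optional */
    const int warn_unset = 0;
#endif

    /* Setting basedir */
    if (rootcheck.basedir == NULL) {
        rootcheck.basedir = basedir;
    }

    time1 = time(NULL);

    /*** Initial message ***/
    if (rootcheck.notify != QUEUE) {
        printf("\n");
        printf("** Starting Rootcheck v0.8 by Daniel B. Cid **\n");
        printf("** http://www.ossec.net/en/about.html#dev-team **\n");
        printf("** http://www.ossec.net/rootcheck/ **\n\n");
        printf("Be patient, it may take a few minutes to complete...\n");
        printf("\n");
    }

    /* Cleaning the global variables */
    rk_sys_count = 0;
    rk_sys_file[rk_sys_count] = NULL;
    rk_sys_name[rk_sys_count] = NULL;

    /* Sending scan start message */
    notify_rk(ALERT_POLICY_VIOLATION, "Starting rootcheck scan.");

    /*** First check, look for rootkits ***/
    fp = open_rk_list(rootcheck.rootkit_files, "rootcheck_files", warn_unset);
    if (fp) {
        check_rc_files(rootcheck.basedir, fp);
        fclose(fp);
    }

    /*** Second check, look for trojan entries in common binaries ***/
    fp = open_rk_list(rootcheck.rootkit_trojans, "rootcheck_trojans", warn_unset);
    if (fp) {
#ifndef HPUX
        check_rc_trojans(rootcheck.basedir, fp);
#endif
        fclose(fp);
    }

#ifdef WIN32
    /*** Getting process list ***/
    win32_plist = os_get_win32_process_list();

    /*** Windows audit check ***/
    fp = open_rk_list(rootcheck.winaudit, "winaudit", 1);
    if (fp) {
        check_rc_winaudit(fp, win32_plist);
        fclose(fp);
    }

    /* Windows malware */
    fp = open_rk_list(rootcheck.winmalware, "winmalware", 1);
    if (fp) {
        check_rc_winmalware(fp, win32_plist);
        fclose(fp);
    }

    /* Windows Apps */
    fp = open_rk_list(rootcheck.winapps, "winapps", 1);
    if (fp) {
        check_rc_winapps(fp, win32_plist);
        fclose(fp);
    }

    /* Freeing process list */
    del_plist((void *)win32_plist);
#endif

    /*** Third check, looking for files on the /dev ***/
    debug1("%s: DEBUG: Going into check_rc_dev", ARGV0);
    check_rc_dev(rootcheck.basedir);

    /*** Fourth check, scan the whole system looking for additional issues */
    debug1("%s: DEBUG: Going into check_rc_sys", ARGV0);
    check_rc_sys(rootcheck.basedir);

    /*** Process checking ***/
    debug1("%s: DEBUG: Going into check_rc_pids", ARGV0);
    check_rc_pids();

    /*** Check all the ports ***/
    debug1("%s: DEBUG: Going into check_rc_ports", ARGV0);
    check_rc_ports();

    /*** Check open ports ***/
    debug1("%s: DEBUG: Going into check_open_ports", ARGV0);
    check_open_ports();

    /*** Check interfaces ***/
    debug1("%s: DEBUG: Going into check_rc_if", ARGV0);
    check_rc_if();

    debug1("%s: DEBUG: Completed with all checks.", ARGV0);

    /* Cleaning the global memory.
     * NOTE(review): rk_sys_file/rk_sys_name are declared elsewhere; the
     * "<= rk_sys_count" bound presumably relies on a NULL sentinel slot
     * after the last entry -- confirm against the arrays' declaration. */
    {
        int li;
        for (li = 0; li <= rk_sys_count; li++) {
            if (!rk_sys_file[li] || !rk_sys_name[li]) {
                break;
            }
            free(rk_sys_file[li]);
            free(rk_sys_name[li]);
            /* Clear the slots so a stale pointer cannot be freed twice */
            rk_sys_file[li] = NULL;
            rk_sys_name[li] = NULL;
        }
    }

    /*** Final message ***/
    time2 = time(NULL);

    if (rootcheck.notify != QUEUE) {
        printf("\n");
        printf("- Scan completed in %d seconds.\n\n", (int)(time2 - time1));
    }

    debug1("%s: DEBUG: Leaving run_rk_check", ARGV0);
    return;
}

/* EOF */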