int read_sys_file(char *file_name) { struct stat statbuf; /* Getting streams */ os_get_streams(file_name); if(stat(file_name, &statbuf) < 0) { return(0); } /* If directory, read the directory */ else if(S_ISDIR(statbuf.st_mode)) { return(read_sys_dir(file_name)); } return(0); }
/* check_rc_sys: v0.1 * Scan the whole filesystem looking for possible issues */ void check_rc_sys(char *basedir) { char file_path[OS_SIZE_1024 +1]; debug1("%s: DEBUG: Starting on check_rc_sys", ARGV0); _sys_errors = 0; _sys_total = 0; did = 0; /* device id */ snprintf(file_path, OS_SIZE_1024, "%s", basedir); /* Opening output files */ if(rootcheck.notify != QUEUE) { _wx = fopen("rootcheck-rw-rw-rw-.txt", "w"); _ww = fopen("rootcheck-rwxrwxrwx.txt", "w"); _suid=fopen("rootcheck-suid-files.txt", "w"); } else { _wx = NULL; _ww = NULL; _suid = NULL; } /* Scan the whole file system -- may be slow */ if(rootcheck.scanall) { #ifndef WIN32 snprintf(file_path, 3, "%s", "/"); #endif read_sys_dir(file_path, rootcheck.readall); } /* Scan only specific directories */ else { int _i = 0; #ifndef WIN32 char *(dirs_to_scan[]) = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", "/dev", "/lib", "/etc", "/root", "/var/log", "/var/mail", "/var/lib", "/var/www", "/usr/lib", "/usr/include", "/tmp", "/boot", "/usr/local", "/var/tmp", "/sys", NULL}; #else char *(dirs_to_scan[]) = {"C:\\WINDOWS", "C:\\Program Files", NULL}; #endif for(_i = 0; _i <= 24; _i++) { if(dirs_to_scan[_i] == NULL) break; #ifndef WIN32 snprintf(file_path, OS_SIZE_1024, "%s%s", basedir, dirs_to_scan[_i]); read_sys_dir(file_path, rootcheck.readall); #else read_sys_dir(dirs_to_scan[_i], rootcheck.readall); #endif } } if(_sys_errors == 0) { char op_msg[OS_SIZE_1024 +1]; snprintf(op_msg, OS_SIZE_1024, "No problem found on the system." " Analyzed %d files.", _sys_total); notify_rk(ALERT_OK, op_msg); } else if(_wx && _ww && _suid) { char op_msg[OS_SIZE_1024 +1]; snprintf(op_msg, OS_SIZE_1024, "Check the following files for more " "information:\n%s%s%s", (ftell(_wx) == 0)?"": " rootcheck-rw-rw-rw-.txt (list of world writable files)\n", (ftell(_ww) == 0)?"": " rootcheck-rwxrwxrwx.txt (list of world writtable/executable files)\n", (ftell(_suid) == 0)?"": " rootcheck-suid-files.txt (list of suid files)"); notify_rk(ALERT_SYSTEM_ERROR, op_msg); } if(_wx) { if(ftell(_wx) == 0) unlink("rootcheck-rw-rw-rw-.txt"); fclose(_wx); } if(_ww) { if(ftell(_ww) == 0) unlink("rootcheck-rwxrwxrwx.txt"); fclose(_ww); } if(_suid) { if(ftell(_suid) == 0) unlink("rootcheck-suid-files.txt"); fclose(_suid); } return; }
int read_sys_file(char *file_name, int do_read) { struct stat statbuf; _sys_total++; #ifdef WIN32 /* Check for NTFS ADS on Windows */ os_check_ads(file_name); #endif if(lstat(file_name, &statbuf) < 0) { #ifndef WIN32 char op_msg[OS_SIZE_1024 +1]; snprintf(op_msg, OS_SIZE_1024, "Anomaly detected in file '%s'. " "Hidden from stats, but showing up on readdir. " "Possible kernel level rootkit.", file_name); notify_rk(ALERT_ROOTKIT_FOUND, op_msg); _sys_errors++; #endif return(-1); } /* If directory, read the directory */ else if(S_ISDIR(statbuf.st_mode)) { /* Making Darwin happy. for some reason, * when I read /dev/fd, it goes forever on * /dev/fd5, /dev/fd6, etc.. weird */ if(strstr(file_name, "/dev/fd") != NULL) return(0); /* Ignoring /proc directory (it has the size 0). */ if(statbuf.st_size == 0) return(0); return(read_sys_dir(file_name, do_read)); } /* Check if the size from stats is the same as when we * read the file */ if(S_ISREG(statbuf.st_mode) && do_read) { char buf[OS_SIZE_1024]; int fd; int nr; unsigned long int total = 0; fd = open(file_name, O_RDONLY, 0); /* It may not necessarily open */ if(fd >= 0) { while ((nr = read(fd, buf, sizeof(buf))) > 0) { total += nr; } close(fd); if(strcmp(file_name, "/dev/bus/usb/.usbfs/devices") == 0) { /* Ignore .usbfs/devices. */ } else if(total != statbuf.st_size) { struct stat statbuf2; if((lstat(file_name, &statbuf2) == 0) && (total != statbuf2.st_size) && (statbuf.st_size == statbuf2.st_size)) { char op_msg[OS_SIZE_1024 +1]; snprintf(op_msg, OS_SIZE_1024, "Anomaly detected in file " "'%s'. File size doesn't match what we found. " "Possible kernel level rootkit.", file_name); notify_rk(ALERT_ROOTKIT_FOUND, op_msg); _sys_errors++; } } } } /* If has OTHER write and exec permission, alert */ #ifndef WIN32 if(((statbuf.st_mode & S_IWOTH) == S_IWOTH) && (S_ISREG(statbuf.st_mode))) { if((statbuf.st_mode & S_IXUSR) == S_IXUSR) { if(_wx) fprintf(_wx, "%s\n",file_name); _sys_errors++; } else { if(_ww) fprintf(_ww, "%s\n", file_name); } if(statbuf.st_uid == 0) { char op_msg[OS_SIZE_1024 +1]; #ifdef OSSECHIDS snprintf(op_msg, OS_SIZE_1024, "File '%s' is owned by root " "and has written permissions to anyone.", file_name); #else snprintf(op_msg, OS_SIZE_1024, "File '%s' is: \n" " - owned by root,\n" " - has written permissions to anyone.", file_name); #endif notify_rk(ALERT_SYSTEM_CRIT, op_msg); } _sys_errors++; } else if((statbuf.st_mode & S_ISUID) == S_ISUID) { if(_suid) fprintf(_suid,"%s\n", file_name); } #endif return(0); }