diff --git a/src/modules/rootcheck/include/rootcheck.h b/src/modules/rootcheck/include/rootcheck.h
index bff9d284bc..01e5cefcfa 100644
--- a/src/modules/rootcheck/include/rootcheck.h
+++ b/src/modules/rootcheck/include/rootcheck.h
@@ -126,7 +126,6 @@ void check_rc_pids(void);
 int check_rc_readproc(int pid);
 void check_rc_ports(void);
-void check_open_ports(void);
 void check_rc_if(void);
 /*Checks if the path or file is user-ignored */
diff --git a/src/modules/rootcheck/src/check_open_ports.c b/src/modules/rootcheck/src/check_open_ports.c
deleted file mode 100644
index eb891034dd..0000000000
--- a/src/modules/rootcheck/src/check_open_ports.c
+++ /dev/null
@@ -1,122 +0,0 @@
-/* Copyright (C) 2015, Wazuh Inc.
- * Copyright (C) 2009 Trend Micro Inc.
- * All right reserved.
- *
- * This program is free software; you can redistribute it
- * and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
- * Foundation
-*/
-
-#include "shared.h"
-#include "headers/debug_op.h"
-#include "headers/defs.h"
-#include "rootcheck.h"
-
-#ifndef OSSECHIDS
-
-/* Prototypes */
-static int connect_to_port(int proto, int port);
-static void try_to_access_ports(void);
-
-/* Global variables */
-static int _ports_open;
-static int open_ports_size;
-static char open_ports_str[OS_SIZE_1024 + 1];
-
-
-static int connect_to_port(int proto, int port)
-{
- int rc = 0;
- int ossock;
- struct sockaddr_in server;
-
- if (proto == IPPROTO_UDP) {
- if ((ossock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) {
- return (0);
- }
- } else if (proto == IPPROTO_TCP) {
- if ((ossock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
- return (0);
- }
- } else {
- return (0);
- }
-
- memset(&server, 0, sizeof(server));
- server.sin_family = AF_INET;
- server.sin_port = htons(port);
- server.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
-
- if (connect(ossock, (struct sockaddr *)&server, sizeof(server)) == 0) {
- rc = 1;
- }
-
- close(ossock);
-
- return (rc);
-}
-
-static void try_to_access_ports()
-{
- int i;
-
- for (i = 0; i <= 65535; i++) {
- if (total_ports_tcp[i] && connect_to_port(IPPROTO_TCP, i)) {
- char port_proto[64];
-
- if (_ports_open == 0) {
- snprintf(port_proto, 64, "\n %d (tcp),", i);
- } else {
- snprintf(port_proto, 64, "%d (tcp),", i);
- }
- strncat(open_ports_str, port_proto, open_ports_size);
- open_ports_size -= strlen(port_proto) + 1;
-
- _ports_open++;
- }
-
- if (total_ports_udp[i] && connect_to_port(IPPROTO_UDP, i)) {
- char port_proto[64];
-
- if (_ports_open == 0) {
- snprintf(port_proto, 64, "\n %d (udp),", i);
- } else {
- snprintf(port_proto, 64, "%d (udp),", i);
- }
-
- strncat(open_ports_str, port_proto, open_ports_size);
- open_ports_size -= strlen(port_proto) + 1;
-
- _ports_open++;
- }
-
- if (_ports_open >= 4) {
- _ports_open = 0;
- }
- }
-
-}
-#endif
-
-void check_open_ports()
-{
-#ifndef OSSECHIDS
- memset(open_ports_str, '\0', OS_SIZE_1024 + 1);
- open_ports_size = OS_SIZE_1024 - 1;
- _ports_open = 0;
-
- snprintf(open_ports_str, OS_SIZE_1024, "The following ports are open:");
- open_ports_size -= strlen(open_ports_str) + 1;
-
- /* Testing All ports */
- try_to_access_ports();
-
- open_ports_str[strlen(open_ports_str) - 1] = '\0';
-
- notify_rk(ALERT_OK, open_ports_str);
-
-#endif
- return;
-}
-
diff --git a/src/modules/rootcheck/src/check_rc_pids.c b/src/modules/rootcheck/src/check_rc_pids.c
index 019790523a..33f3e8a656 100644
--- a/src/modules/rootcheck/src/check_rc_pids.c
+++ b/src/modules/rootcheck/src/check_rc_pids.c
@@ -168,14 +168,11 @@ static void loop_all_pids(const char *ps, pid_t max_pid, int *_errors, int *_tot
 }
 }
- /* If we are run in the context of OSSEC-HIDS, sleep here (no rush) */
-#ifdef OSSECHIDS
 #ifdef WIN32
 Sleep(rootcheck.tsleep);
 #else
 struct timeval timeout = {0, rootcheck.tsleep * 1000};
 select(0, NULL, NULL, NULL, &timeout);
-#endif
 #endif
 /* Everything fine, move on */
diff --git a/src/modules/rootcheck/src/check_rc_ports.c b/src/modules/rootcheck/src/check_rc_ports.c
index 068d81fa60..75d94a6f9c 100644
--- a/src/modules/rootcheck/src/check_rc_ports.c
+++ b/src/modules/rootcheck/src/check_rc_ports.c
@@ -105,14 +105,11 @@ static void test_ports(int proto, int *_errors, int *_total)
 continue;
 }
-#ifdef OSSECHIDS
- /* If we are in the context of OSSEC-HIDS, sleep here (no rush) */
 #ifdef WIN32
 Sleep(rootcheck.tsleep);
 #else
 struct timeval timeout = {0, rootcheck.tsleep * 1000};
 select(0, NULL, NULL, NULL, &timeout);
-#endif
 #endif
 if (!run_netstat(proto, i) && conn_port(proto, i)) {
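Review bot: The `select()` throttle that is now unconditional in `loop_all_pids` ignores its return value and lost its only explanatory comment; on Linux a `tv_usec` of 1,000,000 or more makes `select()` fail with EINVAL, so if `rootcheck.tsleep` (apparently milliseconds, given the `Sleep(rootcheck.tsleep)` Win32 branch) can reach 1000 the delay silently becomes zero. Consider normalising the timeout, `struct timeval timeout = {rootcheck.tsleep / 1000, (rootcheck.tsleep % 1000) * 1000};`, and keeping a one-line comment such as `/* Throttle the scan between PIDs; tsleep is in milliseconds */`. The same applies to the matching hunk in check_rc_ports.c (`test_ports`). Both enclosing functions start and end outside their hunks.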
diff --git a/src/modules/rootcheck/src/check_rc_sys.c b/src/modules/rootcheck/src/check_rc_sys.c
index 14f210a793..6009732626 100644
--- a/src/modules/rootcheck/src/check_rc_sys.c
+++ b/src/modules/rootcheck/src/check_rc_sys.c
@@ -142,7 +142,6 @@ static int read_sys_file(const char *file_name, int do_read)
 if (statbuf.st_uid == 0) {
 char op_msg[OS_SIZE_1024 + 1];
-#ifdef OSSECHIDS
 const char op_msg_fmt[] = "File '%*s' is owned by root and has written permissions to anyone.";
 const int size = snprintf(NULL, 0, op_msg_fmt, (int)strlen(file_name), file_name);
@@ -161,27 +160,6 @@ static int read_sys_file(const char *file_name, int do_read)
 }
 _sys_errors++;
-
-#else
- const char op_msg_fmt[] = "File '%*s' is: \n - owned by root,\n - has write permissions to anyone.";
-
- const int size = snprintf(NULL, 0, op_msg_fmt, (int)strlen(file_name), file_name);
-
- if (size >= 0) {
- if ((size_t)size < sizeof(op_msg)) {
- snprintf(op_msg, sizeof(op_msg), op_msg_fmt, (int)strlen(file_name), file_name);
- } else {
- const unsigned int surplus = size - sizeof(op_msg) + 1;
- snprintf(op_msg, sizeof(op_msg), op_msg_fmt, (int)(strlen(file_name) - surplus), file_name);
- }
-
- notify_rk(ALERT_SYSTEM_CRIT, op_msg);
- } else {
- mtdebug2(ARGV0, "Error %d (%s) with snprintf with file %s", errno, strerror(errno), file_name);
- }
-
- _sys_errors++;
-#endif
 }
 } else if ((statbuf.st_mode & S_ISUID) == S_ISUID) {
 if (_suid) {
diff --git a/src/modules/rootcheck/src/config.c b/src/modules/rootcheck/src/config.c
index 63ed93c651..6733f92c06 100644
--- a/src/modules/rootcheck/src/config.c
+++ b/src/modules/rootcheck/src/config.c
@@ -8,7 +8,6 @@
 * Foundation
 */
-#ifdef OSSECHIDS
 #include "shared.h"
 #include "rootcheck.h"
 #include "config/config.h"
@@ -102,5 +101,3 @@ cJSON *getRootcheckConfig(void) {
 return root;
 }
-
-#endif /* OSSECHIDS */
diff --git a/src/modules/rootcheck/src/rootcheck.c b/src/modules/rootcheck/src/rootcheck.c
index aed44184b5..fd0db1c8bf 100644
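Review bot: The retained `op_msg_fmt` in `read_sys_file` uses `%*s`, which is a minimum field width rather than a precision, so a truncation step that shrinks the width argument by a `surplus` (as the deleted `#else` branch did) cannot shorten `file_name`; `snprintf` then cuts the message at the end of `op_msg` instead of at the path. If the surviving branch, whose middle lies between the two hunks and outside this view, does the same, change the format to `"File '%.*s' is owned by root and has written permissions to anyone."` so the precision bounds the name. The surviving text also reads "has written permissions" where the deleted alternative read "has write permissions"; correcting the wording is reasonable but may affect anything downstream that matches this alert text, so coordinate it. `read_sys_file` starts and ends outside these hunks.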
--- a/src/modules/rootcheck/src/rootcheck.c
+++ b/src/modules/rootcheck/src/rootcheck.c
@@ -28,50 +28,12 @@ char total_ports_tcp[65535 + 1];
 #define ARGV0 "rootcheck"
 #endif
-#ifndef OSSECHIDS
-
-/* Print help statement */
-void help_rootcheck(char * home_path)
-{
- print_header();
- print_out(" %s: -[Vhdtsr] [-c config] [-D dir]", ARGV0);
- print_out(" -V Version and license message");
- print_out(" -h Print this help message");
- print_out(" -d Execute in debug mode. This parameter");
- print_out(" can be specified multiple times");
- print_out(" to increase the debug level.");
- print_out(" -t Test configuration");
- print_out(" -s Scan the whole system");
- print_out(" -r Read all the files for kernel-based detection");
- print_out(" -c Configuration file to use");
- print_out(" -D Directory to chroot into (default: %s)", home_path);
- print_out(" ");
- os_free(home_path);
- exit(1);
-}
-
-int main(int argc, char **argv)
-{
- int test_config = 0;
- const char *cfg = "./rootcheck.conf";
- char * home_path = w_homedir(argv[0]);
-
-#else
-
 int rootcheck_init(int test_config) {
 const char *cfg = OSSECCONF;
-#endif /* OSSECHIDS */
-
 int c;
-#ifndef OSSECHIDS
- if (chdir(home_path) == -1) {
- merror_exit(CHDIR_ERROR, home_path, errno, strerror(errno));
- }
-#endif /* OSSECHIDS */
-
 /* Zero the structure, initialize default values */
 rootcheck.workdir = NULL;
 rootcheck.basedir = NULL;
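Review bot: `rootcheck_init` is now the module's only entry path but carries no header comment describing its contract, and the `#ifndef OSSECHIDS` alternative that used to document the standalone `main()` is gone. Add a comment above the signature stating what it initialises and what it returns, e.g. `/* Initialise the rootcheck module from the agent configuration (OSSECCONF); returns 0 on success. */`, and say how `test_config` changes the behaviour, which is not visible in this hunk. `rootcheck_init` ends outside the hunk.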
@@ -115,58 +77,6 @@ int rootcheck_init(int test_config)
 c++;
 }
-#ifndef OSSECHIDS
- rootcheck.notify = SYSLOG_RK;
- rootcheck.daemon = 0;
- while ((c = getopt(argc, argv, "VstrdhD:c:")) != -1) {
- switch (c) {
- case 'V':
- print_version();
- break;
- case 'h':
- help_rootcheck(home_path);
- break;
- case 'd':
- nowDebug();
- break;
- case 'D':
- if (!optarg) {
- mterror_exit(ARGV0, "-D needs an argument");
- }
- rootcheck.workdir = optarg;
- break;
- case 'c':
- if (!optarg) {
- mterror_exit(ARGV0, "-c needs an argument");
- }
- cfg = optarg;
- break;
- case 's':
- rootcheck.scanall = 1;
- break;
- case 't':
- test_config = 1;
- break;
- case 'r':
- rootcheck.readall = 1;
- break;
- default:
- help_rootcheck(home_path);
- break;
- }
- }
-#ifdef WIN32
- /* Start Winsock */
- {
- WSADATA wsaData;
- if (WSAStartup(MAKEWORD(2, 0), &wsaData) != 0) {
- mterror_exit(ARGV0, "WSAStartup() failed");
- }
- }
-#endif /* WIN32 */
-
-#endif /* OSSECHIDS */
-
 /* Check if the configuration is present */
 if (File_DateofChange(cfg) < 0) {
 mterror(ARGV0, "Configuration file '%s' not found", cfg);
@@ -211,22 +121,11 @@ int rootcheck_init(int test_config)
 }
 #endif
- /* Set default values */
-#ifndef OSSECHIDS
- mdebug1(WAZUH_HOMEDIR, home_path);
- if (rootcheck.workdir == NULL) {
- rootcheck.workdir = home_path;
- }
-#endif
-
-#ifdef OSSECHIDS
 /* Start up message */
 #ifdef WIN32
 mtinfo(ARGV0, STARTUP_MSG, getpid());
 #endif /* WIN32 */
-#endif /* OSSECHIDS */
-
 /* Initialize rk list */
 rk_sys_name = (char **) calloc(MAX_RK_SYS + 2, sizeof(char *));
 rk_sys_file = (char **) calloc(MAX_RK_SYS + 2, sizeof(char *));
@@ -236,18 +135,6 @@ int rootcheck_init(int test_config)
 rk_sys_name[0] = NULL;
 rk_sys_file[0] = NULL;
-#ifndef OSSECHIDS
-#ifndef WIN32
- /* Start signal handling */
- StartSIG(ARGV0);
- rootcheck_connect();
-#endif
- mtdebug1(ARGV0, "Running run_rk_check");
- run_rk_check();
-
- mtdebug1(ARGV0, "Leaving...");
- os_free(home_path);
-#endif /* OSSECHIDS */
 return (0);
 }
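Review bot: Dropping the `WSAStartup()` block together with the standalone option parsing leaves no Winsock initialisation anywhere in `rootcheck_init`, while `check_rc_ports.c` in this same diff still opens sockets through `conn_port`. If the agent process does not initialise Winsock before calling `rootcheck_init`, those socket calls fail on Win32 with WSANOTINITIALISED; either confirm where the agent does this or keep the `#ifdef WIN32` Winsock block without its `OSSECHIDS` guard. `rootcheck_init` starts before this hunk.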
diff --git a/src/modules/rootcheck/src/rootcheck_config.c b/src/modules/rootcheck/src/rootcheck_config.c
deleted file mode 100644
index 202b4967d4..0000000000
--- a/src/modules/rootcheck/src/rootcheck_config.c
+++ /dev/null
@@ -1,157 +0,0 @@
-/* Copyright (C) 2015, Wazuh Inc.
- * Copyright (C) 2009 Trend Micro Inc.
- * All right reserved.
- *
- * This program is free software; you can redistribute it
- * and/or modify it under the terms of the GNU General Public
- * License (version 2) as published by the FSF - Free Software
- * Foundation
- */
-
-#ifndef OSSECHIDS
-
-#include
-#include
-#include
-#include
-
-#include "shared.h"
-#include "os_xml/os_xml.h"
-#include "rootcheck.h"
-
-
-/* Evaluate boolean with two arguments
- * str: input string, "yes"|"no"
- * default_val: 1(yes)|0(no)
- */
-short eval_bool2(char *str, short default_val)
-{
- short ret = default_val;
-
- if (str == NULL) {
- return (ret);
- } else if (strcmp(str, "yes") == 0) {
- ret = 1;
- } else if (strcmp(str, "no") == 0) {
- ret = 0;
- }
-
- free(str);
- return (ret);
-}
-
-/* Read the rootcheck config */
-int Read_Rootcheck_Config(const char *cfgfile)
-{
- OS_XML xml;
-
- /* XML Definitions */
- const char *(xml_base_dir[]) = {xml_rootcheck, "base_directory", NULL};
- const char *(xml_workdir[]) = {xml_rootcheck, "work_directory", NULL};
- const char *(xml_rootkit_files[]) = {xml_rootcheck, "rootkit_files", NULL};
- const char *(xml_rootkit_trojans[]) = {xml_rootcheck, "rootkit_trojans", NULL};
- const char *(xml_rootkit_unixaudit[]) = {xml_rootcheck, "system_audit", NULL};
- const char *(xml_rootkit_winaudit[]) = {xml_rootcheck, "windows_audit", NULL};
- const char *(xml_rootkit_winapps[]) = {xml_rootcheck, "windows_apps", NULL};
- const char *(xml_rootkit_winmalware[]) = {xml_rootcheck, "windows_malware", NULL};
- const char *(xml_scanall[]) = {xml_rootcheck, "scanall", NULL};
- const char *(xml_readall[]) = {xml_rootcheck, "readall", NULL};
-#ifdef OSSECHIDS
- const char *(xml_time[]) = {xml_rootcheck, "frequency", NULL};
- char *str = NULL;
-#endif
- const char *(xml_check_dev[]) = {xml_rootcheck, "check_dev", NULL};
- const char *(xml_check_files[]) = {xml_rootcheck, "check_files", NULL};
- const char *(xml_check_if[]) = {xml_rootcheck, "check_if", NULL};
- const char *(xml_check_pids[]) = {xml_rootcheck, "check_pids", NULL};
- const char *(xml_check_ports[]) = {xml_rootcheck, "check_ports", NULL};
- const char *(xml_check_sys[]) = {xml_rootcheck, "check_sys", NULL};
- const char *(xml_check_trojans[]) = {xml_rootcheck, "check_trojans", NULL};
-#ifdef WIN32
- const char *(xml_check_winapps[]) = {xml_rootcheck, "check_winapps", NULL};
- const char *(xml_check_winaudit[]) = {xml_rootcheck, "check_winaudit", NULL};
- const char *(xml_check_winmalware[]) = {xml_rootcheck, "check_winmalware", NULL};
-#else
- const char *(xml_check_unixaudit[]) = {xml_rootcheck, "check_unixaudit", NULL};
-#endif
-
-#ifdef OSSECHIDS
- /* :) */
- xml_time[2] = NULL;
-#endif
-
- if (OS_ReadXML(cfgfile, &xml) < 0) {
- mterror(ARGV0, "config_op: XML error: %s", xml.err);
- return (OS_INVALID);
- }
-
- if (!OS_RootElementExist(&xml, xml_rootcheck)) {
- OS_ClearXML(&xml);
- mterror(ARGV0, "Rootcheck configuration not found.");
- return (-1);
- }
-
-
-#ifdef OSSECHIDS
- /* time */
- str = OS_GetOneContentforElement(&xml, xml_time);
- if (str) {
- if (!OS_StrIsNum(str)) {
- mterror(ARGV0, "Invalid frequency time '%s' for the rootkit detection (must be int).", str);
- return (OS_INVALID);
- }
-
- rootcheck.time = atoi(str);
- free(str);
- str = NULL;
- }
-#endif /* OSSECHIDS */
-
- /* Scan all flags */
- if (!rootcheck.scanall) {
- rootcheck.scanall = eval_bool2(OS_GetOneContentforElement(&xml, xml_scanall), 0);
- }
-
- /* Read all flags */
- if (!rootcheck.readall) {
- rootcheck.readall = eval_bool2(OS_GetOneContentforElement(&xml, xml_readall), 0);
- }
-
- /* Get work directory */
- if (!rootcheck.workdir) {
- rootcheck.workdir = OS_GetOneContentforElement(&xml, xml_workdir);
- }
-
- rootcheck.rootkit_files = OS_GetOneContentforElement
- (&xml, xml_rootkit_files);
- rootcheck.rootkit_trojans = OS_GetOneContentforElement
- (&xml, xml_rootkit_trojans);
- rootcheck.unixaudit = OS_GetContents
- (&xml, xml_rootkit_unixaudit);
- rootcheck.winaudit = OS_GetOneContentforElement
- (&xml, xml_rootkit_winaudit);
- rootcheck.winapps = OS_GetOneContentforElement
- (&xml, xml_rootkit_winapps);
- rootcheck.winmalware = OS_GetOneContentforElement
- (&xml, xml_rootkit_winmalware);
- rootcheck.basedir = OS_GetOneContentforElement(&xml, xml_base_dir);
- rootcheck.checks.rc_dev = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_dev), 1);
- rootcheck.checks.rc_files = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_files), 1);
- rootcheck.checks.rc_if = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_if), 1);
- rootcheck.checks.rc_pids = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_pids), 1);
- rootcheck.checks.rc_ports = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_ports), 1);
- rootcheck.checks.rc_sys = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_sys), 1);
- rootcheck.checks.rc_trojans = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_trojans), 1);
-#ifdef WIN32
- rootcheck.checks.rc_winapps = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_winapps), 1);
- rootcheck.checks.rc_winaudit = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_winaudit), 1);
- rootcheck.checks.rc_winmalware = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_winmalware), 1);
-#else
- rootcheck.checks.rc_unixaudit = eval_bool2(OS_GetOneContentforElement(&xml, xml_check_unixaudit), 1);
-#endif /* WIN32 */
- OS_ClearXML(&xml);
-
-
- return (0);
-}
-#endif
diff --git a/src/modules/rootcheck/src/run_rk_check.c b/src/modules/rootcheck/src/run_rk_check.c
index 7ecad012e9..b93b5a9f2e 100644
--- a/src/modules/rootcheck/src/run_rk_check.c
+++ b/src/modules/rootcheck/src/run_rk_check.c
@@ -38,8 +38,6 @@ int notify_rk(int rk_type, const char *msg)
 return (0);
 }
-#ifdef OSSECHIDS
-
 /* When running in context of OSSEC-HIDS, send problem to the rootcheck queue */
 if (SendMSG(rootcheck.queue, msg, ROOTCHECK, ROOTCHECK_MQ) < 0) {
 mterror(ARGV0, QUEUE_SEND);
@@ -51,7 +49,6 @@ int notify_rk(int rk_type, const char *msg)
 mterror_exit(ARGV0, QUEUE_FATAL, DEFAULTQUEUE);
 }
 }
-#endif
 return (0);
 }
@@ -249,10 +246,6 @@ void run_rk_check()
 if (rootcheck.checks.rc_ports) {
 mtdebug1(ARGV0, "Going into check_rc_ports");
 check_rc_ports();
-
- /* Check open ports */
- mtdebug1(ARGV0, "Going into check_open_ports");
- check_open_ports();
 }
 /* Check interfaces */
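Review bot: The comment kept in the first hunk, `/* When running in context of OSSEC-HIDS, send problem to the rootcheck queue */`, now describes a condition that no longer exists, since the `#ifdef OSSECHIDS` guard around the `SendMSG` call is removed and the send is unconditional. Reword it to state the current behaviour, e.g. `/* Forward the finding to the rootcheck queue */`. `notify_rk` starts before the hunk and its reconnect handling lies between the first two hunks.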