Rootcheck

OSSEC HIDS will perform rootkit detection on every system where the agent is installed. The rootcheck (rootkit detection engine) will be executed every X minutes (user specified - by default every 2 hours) to detect any possible rootkit installed. Used with the log analysis and the integrity checking engine, it will become a very powerful monitoring solution.

Checks that rootcheck performs

  1. Read the rootkit_files.txt which contains a database of rootkits and files commonly used by them. It will try to stats, fopen and opendir each specified file. We use all these system calls because some kernel-level rootkits hide files from some system calls. The more system calls we try, the better the detection. This method is more like an anti-virus rule that needs to be updated constantly. The chances of false-positives are small, but false negatives can be produced by modifying the rootkits.

  2. Read the rootkit_trojans.txt which contains a database of signatures of files trojaned by rootkits. This technique of modifying binaries with trojaned versions was commonly used by most of the popular rootkits available. This detection method will not find any kernel level rootkit or any unknown rootkit.

  3. Scan the /dev directory looking for anomalies. The /dev should only have device files and the Makedev script. A lot of rootkits use the /dev to hide files. This technique can detect even non-public rootkits.

  4. Scan the whole filesystem looking for unusual files and permission problems. Files owned by root, with write permission to others are very dangerous, and the rootkit detection will look for them. Suid files, hidden directories and files will also be inspected.

  5. Look for the presence of hidden processes. We use getsid() and kill() to check if any pid is being used or not. If the pid is being used, but “ps” can’t see it, it is the indication of kernel-level rootkit or a trojaned version of “ps”. We also verify that the output of kill and getsid are the same.

  6. Look for the presence of hidden ports. We use bind() to check every tcp and udp port on the system. If we can’t bind to the port (it’s being used), but netstat does not show it, we probably have a rootkit installed

  7. Scan all interfaces on the system and look for the ones with “promisc” mode enabled. If the interface is in promiscuous mode, the output of “ifconfig” should show that. If not, we probably have a rootkit installed.

Configuration options

These configuration options can be specified in each agent’s ossec.conf, except auto_ignore and alert_new_file which are manager side options. If the ignore option is specified on the manager the setting becomes global for all agents.

  • base_directory

    The base directory that will be appended to the following options:

    • rootkit_files

    • rootkit_trojans

    • windows_malware

    • windows_audit

    • windows_apps

    • systems_audit

    Allowed: Path to a directory Default: /var/ossec

  • rootkit_files

    This option can be used to change the location of the rootkit files database.

    Allowed: A file with the rootkit files signatures

    Default: /etc/shared/rootkit_files.txt

  • rootkit_trojans

    This option can be used to change the location of the rootkit trojans database.

    Default: /etc/shared/rootkit_trojans.txt

    Allowed: A file with the trojans signatures

  • windows_audit

  • system_audit

  • windows_apps

  • windows_malware

  • scanall

    Tells rootcheck to scan the whole system (may lead to some false positives).

    Default: no

    Allowed: yes/no

  • frequency

    Frequency that the rootcheck is going to be executed (in seconds).

    Defaults: 36000 (10 hours)

    Allowed: Time (in seconds)

  • disabled

    Disables the execution of rootcheck.

    Default: no

    Allowed: yes/no

  • check_dev

    Enable or disable the checking for files in the `/dev` filesystem

    Default: yes

    Allowed: yes or no

  • check_files

    Enable or disable the checking based on the rootkit files

    Default: yes

    Allowed: yes or no

  • check_if

    Enable or disable the checking the network interfaces

    Default: yes

    Allowed: yes or no

  • check_pids

    Enable or disable the checking of process IDs

    Default: yes

    Allowed: yes or no

  • check_ports

    Enable or disable the checking of network ports.

    Default: yes

    Allowed: yes or no

  • check_sys

    Enable or disable the checking the filesystem looking for possible issues

    Default: yes

    Allowed: yes or no

  • check_trojans

    Enable or disable the checking of trojans.

    Default: yes

    Allowed: yes or no

  • check_unixaudit

    Enable or disable the checking of unix issues

    Default: yes

    Allowed: yes or no

  • check_winapps

    Enable or disable the checking of Windows apps

    Default: yes

    Allowed: yes or no

  • check_winaudit

    Enable or disable the checking of Windows issues

    Default: 1

    Allowed: 1 or 0

  • check_winmalware

    Enable or disable the checking of Windows malware.

    Default: yes

    Allowed: yes or no

  • skip_nfs

    Added in version 2.9.0.

    Specifies if rootcheck should scan network mounted filesystems. Works on Linux and FreeBSD. Currently skip_nfs will abort checks running against CIFS or NFS mounts.

    Default: no

    Allowed: yes/no

    Note

    This option was added in OSSEC 2.9.0.