Feature request: Increase Rootcheck capability by adding more default paths and make it configurable

[MiguelCasaresRobles]

Wazuh version	Component	Install type	Install method	Platform
Latest	Rootcheck	Manager/Agent	Packages/Sources	Linux/Windows

Hello team,

I'm opening this issue to consider increasing Rootcheck malware detection capabilities. At this moment, those are the directories monitored by default: https://github.com/wazuh/wazuh/blob/master/src/rootcheck/check_rc_trojans.c#L26

It is not possible to configure Windows directories or more paths in Linux. Although it is possible to scan the whole system: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/rootcheck.html#scanall it is not giving enough flexibility to the user to configure its system.

It happens for the rootkits too: https://github.com/wazuh/wazuh/blob/master/src/rootcheck/check_rc_sys.c#L154

Reported by Johannes Segitz of SUSE

Regards,

Miguel Casares

[TomasTurina]

This issue applies for rootkit and malware detections.

Impact:

• Rootkit detections: Low, using scanall option user can scan the entire system to avoid missing alerts.
• Malware detections: Medium, scanall option doesn't apply for this scan.

Probability:

• Rootkit detections: Medium, if user wants to configure this it won't be possible.
• Malware detections: Medium, if user wants to configure this it won't be possible.

Cost to fix it:

• Rootkit detections: Medium, a new configuration option for rootkit detections should be added to read the paths that the user wants to monitor. By default, the configuration should have the paths that now are hardcoded.
• Malware detections: Medium, a new configuration option for malware detections should be added to read the paths that the user wants to monitor. By default, the configuration should have the paths that now are hardcoded.

Estimated time:

• 1-2 weeks / 1 person.