PIKT

Samples: Sulog Scan

In this example, we scan the sulog (the log that su writes on Solaris, AIX and similar systems, typically /var/adm/sulog) for signs of suspicious activity: in particular, successful su-to-root by users who are not authorized to become root.

The SuLogScanEmergency script might send an alert message like the following:

-------------------------------------------------------------------------------

                                PIKT ALERT
                         Fri Nov  9 02:41:50 2002
                                  kiev

EMERGENCY:
    SuLogScanEmergency
        Scan the sulog for su-to-root by users other than sysadmins,
          or authorized system owners

        SU-TO-ROOT SUCCESS: SU 11/28 18:06 + pts/2 arthing-root

-------------------------------------------------------------------------------
The script follows.

///////////////////////////////////////////////////////////////////////////////
//
// security_alarms.cfg
//
///////////////////////////////////////////////////////////////////////////////

[other alarms omitted...]

///////////////////////////////////////////////////////////////////////////////

SuLogScanEmergency

        init
                status active
                level emergency
                task "Scan the sulog for su-to-root by users other than
                      sysadmins, or authorized system owners"
                input logfile "=sulog"
                dat $date   2
                dat $time   3
                dat $result 4
                dat $port   5
                dat $users  6

        begin
                // assume no crisis (yet)
                set #crisis = #false()

        rule    // find $user and $newuser
                set #i = #index($users, "-")
                set $user = $substr($users,1,#i-1)
                set $newuser = $substr($users,#i+1)

        rule    // su-to-root success
                if    $newuser eq "root"
#  ifndef paranoid
                   && $user !~ "^(root|=sysadmins|mahler)$"
#    if db
                   && $user !~ "^(=dbadmins)$"
#    endif
                   && $user !~ "^(=sysowner)$"
#  endifdef
                   && $result eq "+"
                        set $msg = "SU-TO-ROOT SUCCESS: $inlin"
                        output mail $msg
                        output log "=sulogscan_log" $msg
                        set #crisis = #true()
                endif

        end
                if #crisis
                        // =page()
                endif

///////////////////////////////////////////////////////////////////////////////

[other alarms omitted...]

///////////////////////////////////////////////////////////////////////////////
This is just one program example.  You could add rules, or write new scripts, to report su-to-root failures, su-to-other failures, and so on.  You could also add rules to page the systems administrators; the commented-out =page() call in the end section, guarded by the #crisis flag, is the hook for that.  Two details worth noting: if paranoid is defined, all three exclusion tests are dropped and every successful su to root is reported, whoever did it; and the first rule splits $users at the first "-" it finds, so a source user name that itself contains a hyphen would be parsed incorrectly.
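The same detection logic, rewritten as a stand-alone Python script so it can be run over sample lines (this is an added example, not PIKT code and not from the original page).  It mirrors the script's six whitespace-separated fields, the first-hyphen split of $users, and the paranoid and db preprocessor switches, and it adds the su-to-root-failure and su-to-other-failure rules suggested above.  The membership sets standing in for =sysadmins, =dbadmins and =sysowner, and the sulog lines it scans, are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Added example (not PIKT code): a Python re-implementation of the
SuLogScanEmergency logic, extended with su-to-root-failure and
su-to-other-failure rules.

sulog line layout, matching the page's dat fields:
    SU  MM/DD  HH:MM  +|-  tty  user-newuser
    1   2      3      4    5    6
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed stand-ins for the =sysadmins, =dbadmins and =sysowner macros (and the
# literal "mahler") in the script; real values come from your site config.
SYSADMINS = {"root", "mahler", "jsmith"}
DBADMINS = {"oracle"}
SYSOWNER = {"owner1"}

# Constructed sample sulog lines for the demonstration; not real log data.
SAMPLE_SULOG = [
    "SU 11/28 18:06 + pts/2 arthing-root",    # non-admin became root: report
    "SU 11/28 18:10 + pts/3 mahler-root",     # sysadmin became root: allowed
    "SU 11/28 18:12 - pts/4 arthing-root",    # failed su to root
    "SU 11/28 18:15 - pts/5 arthing-oracle",  # failed su to another account
    "SU 11/28 18:20 + pts/6 oracle-root",     # DBA became root: allowed only if db
    "some unrelated line that is not a SU record",
]


@dataclass
class SuEntry:
    date: str
    time: str
    success: bool
    port: str
    user: str
    newuser: str
    raw: str


def parse_sulog_line(line: str) -> Optional[SuEntry]:
    """Split a sulog line into the same fields the PIKT script uses.

    Returns None for lines that do not look like SU records. Like the script's
    first rule, the user-newuser field is split at the FIRST "-", so a source
    user name containing a hyphen would be mis-parsed.
    """
    raw = line.rstrip("\n")
    fields = raw.split()
    if len(fields) != 6 or fields[0] != "SU" or fields[3] not in ("+", "-"):
        return None
    _, date, time, result, port, users = fields
    i = users.find("-")
    if i < 0:
        return None
    return SuEntry(date, time, result == "+", port, users[:i], users[i + 1:], raw)


def scan_sulog(lines, paranoid: bool = False, db: bool = False) -> List[Tuple[str, str]]:
    """Return (category, message) findings for the given sulog lines.

    paranoid mirrors the script's #ifndef paranoid: when set, every successful
    su to root is reported regardless of who did it. db mirrors #if db: when
    set, database admins are also allowed to su to root.
    """
    allowed = set() if paranoid else SYSADMINS | SYSOWNER | (DBADMINS if db else set())
    findings = []
    for line in lines:
        e = parse_sulog_line(line)
        if e is None:
            continue
        if e.newuser == "root":
            if e.success and e.user not in allowed:
                findings.append(("SU-TO-ROOT SUCCESS", e.raw))
            elif not e.success:
                findings.append(("SU-TO-ROOT FAILURE", e.raw))
        elif not e.success:
            findings.append(("SU-TO-OTHER FAILURE", e.raw))
    return findings


def crisis(findings) -> bool:
    """Equivalent of the script's #crisis flag: true only for a successful su to
    root by an unauthorized user, the condition that would trigger =page()."""
    return any(cat == "SU-TO-ROOT SUCCESS" for cat, _ in findings)


if __name__ == "__main__":
    results = scan_sulog(SAMPLE_SULOG)
    for category, message in results:
        print(f"{category}: {message}")
    if crisis(results):
        print("crisis: would page the sysadmins here")
```

Run it as-is to see the four findings from the sample lines; pass paranoid=True to scan_sulog to see the sysadmin's own su reported as well, or db=True to see the DBA's su to root suppressed, matching the effect of the corresponding #define in the PIKT script.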

[For more examples, see Samples.]

Page last updated 2005-06-22.
This site is PIKT® powered.
PIKT® is a registered trademark of the University of Chicago.
Copyright © 1998-2005 Robert Osterlund.  All rights reserved.