PIKT

Samples: Mtime Changes


In this example, we report changes in system file and directory mtimes.

The FileMtimeChangeWarning script might send an alert message like the following:

-------------------------------------------------------------------------------

                                PIKT ALERT
                         Mon Dec 29 02:09:52 2003
                                sheffield

WARNING:
    FileMtimeChangeWarning
        Report mtime-changed files and subdirectories in system directories

        -rwxr-xr-x  1 root   root    52269 Dec 28  2003 /usr/sbin/iptables
        -rwxr-xr-x  1 root   root    56277 Dec 28  2003 /usr/sbin/iptables-restore
        -rwxr-xr-x  1 root   root    55793 Dec 28  2003 /usr/sbin/iptables-save 
        ...

-------------------------------------------------------------------------------
The script follows.

///////////////////////////////////////////////////////////////////////////////
//
// security_alarms.cfg
//
///////////////////////////////////////////////////////////////////////////////

[other alarms omitted...]

///////////////////////////////////////////////////////////////////////////////

FileMtimeChangeWarning

        init
                status active
                level warning
                task "Report mtime-changed files and subdirectories
                      in system directories"
                input file "=objdir/DirsSystem.obj"

        begin   // first check integrity of the find command
                set $findchksum = $checksum(5, "=find")
                if    #defined(%findchksum)
                   && $findchksum ne %findchksum
                        output mail "=find has changed checksum to $findchksum,
                                     was %findchksum"
                        // quit
                endif
                if =monday
                        set $mtime = "-3"       // find files modified over
                                                // the weekend (last 3 days)
                else
                        set $mtime = "-2"       // find files modified within
                                                // the last two days
                endif

        rule
                if -d $inlin
#ifndef paranoid
                        =outputproc(mail, "=find $inlin -mtime $mtime
                                                        -exec =lld {}
                                    \\\\; | =egrep -iv 'log|\\\\.lock|\\\\.hst|
                                    \\\\.tmp|pipe|fifo|\\\\.pid|/dev/|/var/spool|
                                    /var/adm|/var/log|/var/run|/var/locks|/tmp|
                                    /xfn|mgr/.in/|mgr/.out|mnttab|rmtab|dumpdates|
                                    ntp\\\\.drift|binding|heartbeat|mailman|dfget|
                                    /var/pikt|/proc/|/Cache/|diffing|staging|
                                    .galeon|.gconf|.mozilla|\\\\.bak'")
#elsedef
                        =outputproc(mail, "=find $inlin -mtime $mtime
                                                 -exec =lld {} \\\\;")
#endifdef  // paranoid
                endif

///////////////////////////////////////////////////////////////////////////////

[other alarms omitted...]

///////////////////////////////////////////////////////////////////////////////
This is just one program example. You could add rules, or write new scripts, for example to report mtime changes in other critical files and directories, or to page systems administrators if especially critical files are reported changed.
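The same check written as a stand-alone Python script, added here as an illustration and not part of PIKT or this sample: it hashes the find binary for comparison against a stored baseline (the alarm's $checksum/%findchksum step), picks a 3-day window on Mondays and 2 days otherwise, walks the given system directories, drops paths matching the alarm's exclusion pattern, and prints ls -ld style lines. The /usr/bin/find path, the SHA-256 digest and the abridged exclusion regex are assumptions.

```python
import hashlib
import os
import re
import stat
import time
from datetime import datetime

# Exclusion list taken from the egrep -iv pattern in the alarm above (abridged);
# it is a substring match, so "log" also skips paths such as /usr/bin/login.
EXCLUDE = re.compile(r"log|\.lock|\.hst|\.tmp|pipe|fifo|\.pid|/dev/|/var/spool|"
                     r"/var/adm|/var/log|/var/run|/tmp|/proc/|\.bak", re.IGNORECASE)

def find_checksum(path="/usr/bin/find"):
    """Digest of the find binary (path is an assumption). Compare it with a stored
    baseline before trusting find's output, as the alarm's 'begin' block does."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def mtime_window(now):
    """Days to look back: 3 on a Monday (covers the weekend), otherwise 2."""
    return 3 if now.weekday() == 0 else 2

def recent_changes(root, now, exclude=EXCLUDE):
    """Files and subdirectories under root with mtime inside the window, minus
    excluded paths: the equivalent of 'find -mtime $mtime ... | egrep -iv ...'."""
    cutoff = now.timestamp() - mtime_window(now) * 86400
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if exclude.search(path):
                continue
            st = os.lstat(path)          # lstat: report the symlink, not its target
            if st.st_mtime >= cutoff:
                hits.append((path, st))
    return sorted(hits, key=lambda h: h[0])

def format_entry(path, st):
    """One ls -ld style report line, like those =lld produces in the alert."""
    when = time.strftime("%b %d  %Y", time.localtime(st.st_mtime))
    return "%s %8d %s %s" % (stat.filemode(st.st_mode), st.st_size, when, path)

def report(roots, now=None, exclude=EXCLUDE):
    """Report lines for every system directory in roots (the DirsSystem.obj list)."""
    now = now or datetime.now()
    return [format_entry(p, st)
            for root in roots for p, st in recent_changes(root, now, exclude)]
```

Store the output of find_checksum() once on a known-good system and alert when it differs, before acting on anything the scan reports.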

[For more examples, see Samples.]

Page last updated 2005-06-22.
This site is PIKT® powered.
PIKT® is a registered trademark of the University of Chicago.
Copyright © 1998-2005 Robert Osterlund.  All rights reserved.
