In this example, we report changes in system file and directory mtimes.
The FileMtimeChangeWarning script might send an alert message like the following:
-------------------------------------------------------------------------------
PIKT ALERT
Mon Dec 29 02:09:52 2003
sheffield
WARNING:
FileMtimeChangeWarning
Report mtime-changed files and subdirectories in system directories
-rwxr-xr-x 1 root root 52269 Dec 28 2003 /usr/sbin/iptables
-rwxr-xr-x 1 root root 56277 Dec 28 2003 /usr/sbin/iptables-restore
-rwxr-xr-x 1 root root 55793 Dec 28 2003 /usr/sbin/iptables-save
...
-------------------------------------------------------------------------------
The script follows.
///////////////////////////////////////////////////////////////////////////////
//
// security_alarms.cfg
//
///////////////////////////////////////////////////////////////////////////////
[other alarms omitted...]
///////////////////////////////////////////////////////////////////////////////
FileMtimeChangeWarning
        init
                status active
                level warning
                task "Report mtime-changed files and subdirectories
                      in system directories"
                input file "=objdir/DirsSystem.obj"
        begin   // first check integrity of the find command
                set $findchksum = $checksum(5, "=find")
                if #defined(%findchksum)
                   && $findchksum ne %findchksum
                        output mail "=find has changed checksum to $findchksum,
                                     was %findchksum"
                        // quit
                endif
                if =monday
                        set $mtime = "-3"       // find files modified over
                                                // the weekend (last 3 days)
                else
                        set $mtime = "-2"       // find files modified within
                                                // the last two days
                endif
        rule
                if -d $inlin
#ifndef paranoid
                        =outputproc(mail, "=find $inlin -mtime $mtime
                                           -exec =lld {}
                                           \\\\; | =egrep -iv 'log|\\\\.lock|\\\\.hst|
                                           \\\\.tmp|pipe|fifo|\\\\.pid|/dev/|/var/spool|
                                           /var/adm|/var/log|/var/run|/var/locks|/tmp|
                                           /xfn|mgr/.in/|mgr/.out|mnttab|rmtab|dumpdates|
                                           ntp\\\\.drift|binding|heartbeat|mailman|dfget|
                                           /var/pikt|/proc/|/Cache/|diffing|staging|
                                           .galeon|.gconf|.mozilla|\\\\.bak'")
#elsedef
                        =outputproc(mail, "=find $inlin -mtime $mtime
                                           -exec =lld {} \\\\;")
#endifdef // paranoid
                endif
///////////////////////////////////////////////////////////////////////////////
[other alarms omitted...]
///////////////////////////////////////////////////////////////////////////////
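The same three steps the alarm performs (checksum the find tool before trusting it, pick a 3-day window on Mondays and 2 days otherwise, then sweep the listed directories for recently modified entries with a noise filter) as a stand-alone Python illustration; this is added here and is not code from PIKT or from the sample above. The noise list is a constructed subset of the alarm's egrep pattern, and it is applied to the path relative to the scanned directory rather than to the full `ls -ld` line.

```python
import hashlib
import os
import re
import stat
import time

# Constructed subset of the alarm's egrep noise list. It is matched against the
# path relative to the scanned directory rather than the full `ls -ld` line the
# alarm greps, so a scan root whose own name matches (e.g. under /tmp) stays visible.
NOISE = re.compile(r"log|\.lock|\.hst|\.tmp|pipe|fifo|\.pid|\.bak", re.IGNORECASE)

def mtime_window_days(weekday):
    """Monday (0) looks back 3 days to cover the weekend, else 2 (the =monday rule)."""
    return 3 if weekday == 0 else 2

def md5_of(path):
    """Hex MD5 of a file, the digest PIKT's $checksum(5, ...) returns."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_tool_changed(path, expected_md5):
    """True when the sweep tool no longer matches its recorded digest; the alarm
    reports this before trusting find's output (a tampered find can lie)."""
    return md5_of(path) != expected_md5

def recently_modified(top, days, now=None, paranoid=False):
    """Entries under `top` modified within the last days*24 hours (find -mtime -N
    semantics). paranoid=True skips the noise filter, like the alarm's #elsedef
    branch. Returns sorted (relative path, ls-style report line) pairs."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for root, dirs, files in os.walk(top):
        for name in dirs + files:          # find lists subdirectories too
            full = os.path.join(root, name)
            rel = os.path.relpath(full, top)
            try:
                st = os.lstat(full)
            except OSError:                # vanished mid-walk; find skips it as well
                continue
            if st.st_mtime < cutoff or (not paranoid and NOISE.search(rel)):
                continue
            when = time.strftime("%b %d %Y", time.localtime(st.st_mtime))
            hits.append((rel, f"{stat.filemode(st.st_mode)} {st.st_size} {when} {full}"))
    return sorted(hits)
```

Feed `recently_modified` each directory named in your equivalent of DirsSystem.obj with `mtime_window_days(time.localtime().tm_wday)` to reproduce the alarm's report.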
This is just one program example. You could add rules, or write new scripts, for example to report mtime changes in other critical files and directories, or to page systems administrators when especially critical files are reported as changed.
[For more examples, see Samples.]
Page last updated 2005-06-22.
PIKT® is a registered trademark of the University of Chicago.
Copyright © 1998-2005 Robert Osterlund. All rights reserved.