PIKT

Samples: New Startup Scripts



In this example, we report new system startup scripts--signs of possible hacker activity.

The NewSystemStartupScriptUrgent script might send an alert message like the following:

-------------------------------------------------------------------------------

                                PIKT ALERT
                         Thu Feb 19 06:35:45 2004
                                  naples

URGENT:
    NewSystemStartupScriptUrgent
        Report new system startup scripts

        new system startup script: /etc/init.d/rsysd
        new system startup script: /etc/init.d/rc1.d/S18rsysd
        new system startup script: /etc/init.d/rc2.d/S18rsysd
        new system startup script: /etc/init.d/rc3.d/S18rsysd
        new system startup script: /etc/init.d/rc4.d/S18rsysd
        new system startup script: /etc/init.d/rc5.d/S18rsysd

-------------------------------------------------------------------------------
The script follows.

///////////////////////////////////////////////////////////////////////////////
//
// security_alarms.cfg
//
///////////////////////////////////////////////////////////////////////////////

[other alarms omitted...]

///////////////////////////////////////////////////////////////////////////////

NewSystemStartupScriptUrgent

        init
                status active
                level urgent
                task "Report new system startup scripts"
                input proc "=find /etc/init.d -print"
                dat $name 1
                keys $name

        rule
                set $state = "+"
                if $state ne %state
                        output mail "new system startup script: $inlin"
                endif

        end
                set $state = "-"

///////////////////////////////////////////////////////////////////////////////

[other alarms omitted...]

///////////////////////////////////////////////////////////////////////////////
This is just one program example.  You could add rules, or write new scripts, for example to report disappearing system startup files, or changes to a startup script's file size, ownership, and permissions.  In the case of modified startup scripts, it would also be entirely possible to report diffs between the old and new versions directly in the alert message.
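The same detection idea in Python, as an added example rather than PIKT's own code: keep a snapshot of the startup-script tree from the previous run (PIKT's dat/keys state), diff it against the current listing, and report entries that are new, and, as the extensions suggested above, entries that disappeared or whose size, owner, group or permissions changed. The sample snapshots are constructed to mirror the alert shown earlier; the state file path is an assumption.

```python
import json
import os
import stat

# A snapshot maps path -> [size, uid, gid, permission bits]; carrying the
# metadata lets one diff report new, removed and changed startup scripts.

def take_snapshot(root):
    """Record every entry below root, like `find /etc/init.d -print`."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            snap[path] = [st.st_size, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)]
    return snap

def diff_snapshots(previous, current):
    """Return (kind, path) pairs where kind is 'new', 'removed' or 'changed'."""
    findings = []
    for path in sorted(current):
        if path not in previous:
            findings.append(("new", path))
        elif list(current[path]) != list(previous[path]):
            findings.append(("changed", path))
    findings += [("removed", p) for p in sorted(previous) if p not in current]
    return findings

def alert_lines(findings):
    """Render findings in the style of the PIKT alert message above."""
    return [f"{kind} system startup script: {path}" for kind, path in findings]

def check(root="/etc/init.d", state_file="/var/lib/startup-watch.json"):
    """One scheduled run: load last snapshot, diff against now, save new state."""
    previous = {}
    if os.path.exists(state_file):          # first run: everything is "new"
        with open(state_file) as f:
            previous = json.load(f)
    current = take_snapshot(root)
    with open(state_file, "w") as f:        # state_file path is an assumption
        json.dump(current, f)
    return alert_lines(diff_snapshots(previous, current))

# Constructed sample data mirroring the alert above (not a real filesystem).
SAMPLE_PREVIOUS = {"/etc/init.d/sshd": [1200, 0, 0, 0o755]}
SAMPLE_CURRENT = {
    "/etc/init.d/sshd": [1200, 0, 0, 0o755],
    "/etc/init.d/rsysd": [512, 0, 0, 0o755],
    "/etc/init.d/rc3.d/S18rsysd": [0, 0, 0, 0o777],
}
```

Running `check()` from cron gives the same one-line-per-finding output the PIKT alarm mails, and the JSON state file plays the role of PIKT's saved %state.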

[For more examples, see Samples.]

Page last updated 2005-06-22.
This site is PIKT® powered.
PIKT® is a registered trademark of the University of Chicago.
Copyright © 1998-2005 Robert Osterlund.  All rights reserved.
