In this example, we scan the sulog (the system's su log) for signs of suspicious activity.
The SuLogScanEmergency script might send an alert message like the following:
-------------------------------------------------------------------------------
PIKT ALERT
Fri Nov 9 02:41:50 2002
kiev
EMERGENCY:
SuLogScanEmergency
Scan the sulog for su-to-root by users other than sysadmins,
or authorized system owners
SU-TO-ROOT SUCCESS: SU 11/28 18:06 + pts/2 arthing-root
-------------------------------------------------------------------------------
The script follows.
///////////////////////////////////////////////////////////////////////////////
//
// security_alarms.cfg
//
///////////////////////////////////////////////////////////////////////////////

[other alarms omitted...]

///////////////////////////////////////////////////////////////////////////////

SuLogScanEmergency
        init
                status active
                level emergency
                task "Scan the sulog for su-to-root by users other than
                      sysadmins, or authorized system owners"
                input logfile "=sulog"
                dat $date 2
                dat $time 3
                dat $result 4
                dat $port 5
                dat $users 6
        begin
                // assume no crisis (yet)
                set #crisis = #false()
        rule    // find $user and $newuser
                set #i = #index($users, "-")
                set $user = $substr($users,1,#i-1)
                set $newuser = $substr($users,#i+1)
        rule    // su-to-root success
                if $newuser eq "root"
# ifndef paranoid
                   && $user !~ "^(root|=sysadmins|mahler)$"
# if db
                   && $user !~ "^(=dbadmins)$"
# endif
                   && $user !~ "^(=sysowner)$"
# endifdef
                   && $result eq "+"
                        set $msg = "SU-TO-ROOT SUCCESS: $inlin"
                        output mail $msg
                        output log "=sulogscan_log" $msg
                        set #crisis = #true()
                endif
        end
                if #crisis
                        // =page()
                endif

///////////////////////////////////////////////////////////////////////////////

[other alarms omitted...]

///////////////////////////////////////////////////////////////////////////////
This is just one program example. You could add rules, or write new scripts, to report su-to-root failures, su-to-other failures, and so on. You could also add rules to page the system administrators.
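To show the same detection logic outside PIKT, here is an added example in Python; it is not part of the PIKT distribution or of the script above. It assumes the sulog line layout shown in the alert (SU, date, time, + or -, tty, user-newuser, which is why the PIKT script reads fields 2 through 6), reads a constructed sample log embedded in the file, and stands in for the =sysadmins, =dbadmins and =sysowner macros with hard-coded sets of assumed names. It goes slightly beyond the script by also reporting su-to-root failures, one of the extensions suggested above, and by honouring a paranoid switch equivalent to defining paranoid in the script.

```python
"""Scan a sulog for su-to-root attempts by users who are not authorized.

Added example, not PIKT code. Assumes the SysV-style sulog line format
shown on the page:  SU <mm/dd> <hh:mm> <+|-> <tty> <user>-<newuser>
"""
from typing import Iterator, List, NamedTuple

# Constructed sample log lines for this example (not from a real host).
SAMPLE_SULOG = """\
SU 11/28 17:55 + pts/1 mahler-root
SU 11/28 18:06 + pts/2 arthing-root
SU 11/28 18:10 - pts/3 arthing-root
SU 11/28 18:12 + pts/4 arthing-oracle
SU 11/28 18:20 + console root-daemon
this line is deliberately malformed and must be skipped
"""

# Assumed stand-ins for the PIKT macros =sysadmins, =dbadmins and =sysowner.
SYSADMINS = {"root", "mahler"}
DBADMINS = {"oracle"}
SYSOWNERS = set()


class SuEvent(NamedTuple):
    date: str
    time: str
    success: bool
    port: str
    user: str
    newuser: str
    raw: str          # the whole input line, like PIKT's $inlin


def parse_sulog(text: str) -> Iterator[SuEvent]:
    """Yield one SuEvent per well-formed sulog line; silently skip the rest."""
    for raw in text.splitlines():
        fields = raw.split()
        # Field positions mirror the script's dat declarations:
        # 2=date 3=time 4=result 5=port 6=users (1-based in PIKT).
        if len(fields) != 6 or fields[0] != "SU" or fields[3] not in ("+", "-"):
            continue
        users = fields[5]
        # Like #index($users, "-"): split at the first hyphen. As in the PIKT
        # script, a login name that itself contains a hyphen would be split
        # at the wrong place; such names need a different separator rule.
        i = users.find("-")
        if i <= 0 or i == len(users) - 1:
            continue
        yield SuEvent(fields[1], fields[2], fields[3] == "+",
                      fields[4], users[:i], users[i + 1:], raw)


def authorized_for_root(user: str, db: bool = True, paranoid: bool = False) -> bool:
    """Return True if this user may legitimately su to root.

    paranoid=True corresponds to defining 'paranoid' in the script: nobody
    is exempt.  db=True corresponds to 'db' being defined: DB admins are
    also allowed.
    """
    if paranoid:
        return False
    allowed = SYSADMINS | SYSOWNERS
    if db:
        allowed = allowed | DBADMINS
    return user in allowed


def scan(text: str, db: bool = True, paranoid: bool = False) -> List[str]:
    """Return one alert message per su-to-root event by an unauthorized user.

    Successful and failed attempts are both reported, tagged accordingly;
    the script on the page reports successes only.
    """
    msgs = []
    for ev in parse_sulog(text):
        if ev.newuser != "root" or authorized_for_root(ev.user, db, paranoid):
            continue
        verdict = "SUCCESS" if ev.success else "FAILURE"
        msgs.append(f"SU-TO-ROOT {verdict}: {ev.raw}")
    return msgs


def crisis(text: str, db: bool = True, paranoid: bool = False) -> bool:
    """Equivalent of the script's #crisis flag: True if anything was flagged."""
    return bool(scan(text, db, paranoid))


if __name__ == "__main__":
    for line in scan(SAMPLE_SULOG):
        print(line)
```

Run as a script it prints the two arthing-root lines (one success, one failure) and nothing for mahler-root, arthing-oracle or root-daemon; with paranoid=True the mahler-root success is flagged as well. In a deployment the scan() output would be fed to mail and a log file, and crisis() would decide whether to page, exactly where the script calls output and =page().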
[For more examples, see Samples.]
Page last updated 2005-06-22.
This site is PIKT® powered.
PIKT® is a registered trademark of the University of Chicago.
Copyright © 1998-2005 Robert Osterlund. All rights reserved.