PIKT

Samples: Ctime Changes

In this example, we report changes in system file and directory ctimes.

The FileCtimeChangeWarning script might send an alert message like the following:

-------------------------------------------------------------------------------

                                PIKT ALERT
                         Sat Mar 13 03:17:24 2004
                                  cadiz

WARNING:
    FileCtimeChangeWarning
        Report ctime-changed files and subdirectories in system
               directories that should be unchanging

        /lib/security/pam_lastlog.so: ELF 32-bit LSB shared object, Intel 80386,
                                      version 1 (SYSV), not stripped
        -rwxr-xr-x  1 root root  11757 Mar 13 01:19 /lib/security/pam_lastlog.so

-------------------------------------------------------------------------------
The script follows.

///////////////////////////////////////////////////////////////////////////////
//
// security_alarms.cfg
//
///////////////////////////////////////////////////////////////////////////////

[other alarms omitted...]

///////////////////////////////////////////////////////////////////////////////

FileCtimeChangeWarning  // this alarm does not consider /dev and other
                        // special directories; deal with those cans of worms
                        // in a separate alarm

        init
                status active
                level warning
                task "Report ctime-changed files and subdirectories in system
                      directories that should be unchanging"
                input proc "=find /bin /boot /etc /lib /opt /sbin /usr -ctime -1"

        rule    // skip, don't bother to report/log
                if    (    $inlin =~ "/tmp$"
                        || $inlin =~ "/tmp/"
                      )
        //         && -d $inlin
                        next
                endif

#ifndef paranoid
        rule    // skip, don't bother to report/log
                if    // $inlin =~ "log$" && 
                      $command("=file $inlin") =~~ "fifo|text|data|empty file|
                                                    directory"
                        next
                endif
#endifdef  // paranoid

        rule
                set $filetype = $command("=file $inlin")
                set $listing = $command("=lld -c $inlin")
                output mail $filetype
                output mail $listing
                output mail =newline
#ifdef worried
                output log "=filectimechange_log" $filetype
                output log "=filectimechange_log" $listing
#endifdef  // worried

///////////////////////////////////////////////////////////////////////////////

[other alarms omitted...]

///////////////////////////////////////////////////////////////////////////////
This is just one program example.  You could add rules, or write new scripts, to report, for example, ctime changes in system device files and in other critical files and directories.
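The same check, as an added example that is not part of PIKT or of this sample: a standalone Python reimplementation of the FileCtimeChangeWarning alarm, so the logic above can be run (and unit-tested) on a machine without PIKT.  It assumes two simplifications that the original does not make: the text-versus-binary decision is a NUL-byte heuristic rather than a call to file(1), and "tmp" is matched as a path component relative to each scan root rather than against the absolute path (so a test tree created under /tmp is still scanned).  The directory list and one-day window are the alarm's own; the function names are this example's.

```python
#!/usr/bin/env python3
"""Added example (not part of PIKT): the FileCtimeChangeWarning alarm as a
standalone script.  It scans a set of system directories for entries whose
ctime (inode change time) is less than a day old, skips tmp paths and the
"noise" types the alarm ignores (FIFOs, directories, empty and text files),
and reports a type line plus an ls -lc style listing for everything else.
Assumptions of this example: text/binary is decided by a NUL-byte heuristic
instead of file(1), and "tmp" is matched relative to each scan root.
"""
import grp
import os
import pwd
import stat
import sys
import time

DEFAULT_DIRS = ("/bin", "/boot", "/etc", "/lib", "/opt", "/sbin", "/usr")
ONE_DAY = 24 * 3600
SKIP_TYPES = {"directory", "fifo", "empty", "text"}   # mirrors the "#ifndef paranoid" rule


def classify(path, st):
    """Rough stand-in for file(1): a coarse type name for one lstat() result."""
    mode = st.st_mode
    if stat.S_ISDIR(mode):
        return "directory"
    if stat.S_ISFIFO(mode):
        return "fifo"
    if stat.S_ISLNK(mode):
        return "symbolic link"
    if not stat.S_ISREG(mode):
        return "special"              # device, socket: always reported
    if st.st_size == 0:
        return "empty"
    with open(path, "rb") as fh:
        head = fh.read(8192)
    return "binary" if b"\0" in head else "text"


def in_tmp(path, top):
    """True if any component of path below the scan root is named 'tmp'."""
    return "tmp" in os.path.relpath(path, top).split(os.sep)


def listing(path, st):
    """One line in the style of `ls -lc` (ctime shown instead of mtime)."""
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    when = time.strftime("%b %d %H:%M", time.localtime(st.st_ctime))
    return (f"{stat.filemode(st.st_mode)} {st.st_nlink} {owner} {group} "
            f"{st.st_size:>8} {when} {path}")


def walk_entries(top):
    """Yield the root and every entry beneath it, like `find TOP` (no symlink following)."""
    yield top
    for root, subdirs, files in os.walk(top):
        for name in subdirs + files:
            yield os.path.join(root, name)


def recently_changed(dirs, max_age=ONE_DAY, now=None):
    """Return [(path, type, listing)] for entries changed within max_age seconds of now."""
    now = time.time() if now is None else now
    hits = []
    for top in dirs:
        for path in walk_entries(top):
            try:
                st = os.lstat(path)
            except FileNotFoundError:
                continue                  # entry vanished mid-scan
            if now - st.st_ctime >= max_age:
                continue                  # equivalent of find -ctime -1
            if in_tmp(path, top):
                continue                  # rule 1: skip tmp paths
            kind = classify(path, st)
            if kind in SKIP_TYPES:
                continue                  # rule 2: skip noise types
            hits.append((path, kind, listing(path, st)))
    return hits


def main(argv):
    hits = recently_changed(argv[1:] or DEFAULT_DIRS)
    for path, kind, line in hits:
        print(f"{path}: {kind}")
        print(line)
        print()
    return 1 if hits else 0               # non-zero exit when there is something to report


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root with no arguments to scan the alarm's seven directories, or pass your own roots; the non-zero exit status lets a cron wrapper mail the output only when something was reported.  Because ctime cannot be set from user space, an attacker who replaces a binary cannot backdate it the way mtime can be backdated, which is why the alarm keys on ctime rather than mtime.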

[For more examples, see Samples.]

Page last updated 2005-06-22.
PIKT® is a registered trademark of the University of Chicago.
Copyright © 1998-2005 Robert Osterlund.  All rights reserved.