In this example, we report new system startup scripts, a possible sign of hacker activity.
The NewSystemStartupScriptUrgent script might send an alert message like the following:
-------------------------------------------------------------------------------
PIKT ALERT
Thu Feb 19 06:35:45 2004
naples
URGENT:
NewSystemStartupScriptUrgent
Report new system startup scripts
new system startup script: /etc/init.d/rsysd
new system startup script: /etc/init.d/rc1.d/S18rsysd
new system startup script: /etc/init.d/rc2.d/S18rsysd
new system startup script: /etc/init.d/rc3.d/S18rsysd
new system startup script: /etc/init.d/rc4.d/S18rsysd
new system startup script: /etc/init.d/rc5.d/S18rsysd
-------------------------------------------------------------------------------
The script follows.
///////////////////////////////////////////////////////////////////////////////
//
// security_alarms.cfg
//
///////////////////////////////////////////////////////////////////////////////

[other alarms omitted...]

///////////////////////////////////////////////////////////////////////////////

NewSystemStartupScriptUrgent
        init
                status active
                level urgent
                task "Report new system startup scripts"
                input proc "=find /etc/init.d -print"
                dat $name 1
                keys $name
        rule
                set $state = "+"
                if $state ne %state
                        output mail "new system startup script: $inlin"
                endif
        end
                set $state = "-"

///////////////////////////////////////////////////////////////////////////////

[other alarms omitted...]

///////////////////////////////////////////////////////////////////////////////
This is just one program example. You could add rules, or write new scripts, to report disappearing system startup files, or changes in startup script size, ownership, and permissions. For modified startup scripts, it would also be entirely possible to include a diff between the old and the new version directly in the alert message.
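The same check in Python, as an added example that is not part of PIKT or of this page's script: it snapshots /etc/init.d the way the alarm's find command does, and extends the idea as suggested above to also report disappearing and modified startup scripts by keeping a content hash per path. The JSON state file location is an assumption.

```python
import hashlib
import json
import os
from pathlib import Path

def scan_startup_scripts(root="/etc/init.d"):
    """Snapshot every path under root, like the alarm's `find /etc/init.d -print`.

    Returns {path: sha256 of contents}; directories and unreadable entries
    get "" so that they are still tracked by name.
    """
    state = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        state[dirpath] = ""
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    state[path] = hashlib.sha256(fh.read()).hexdigest()
            except OSError:  # dangling symlink or permission problem
                state[path] = ""
    return state

def compare_states(previous, current):
    """Return alert lines; the "new" wording matches the PIKT alarm's output.

    The PIKT alarm only remembers a "+"/"-" flag per key between runs; the
    per-path digest is the extension that makes "modified" reportable.
    """
    alerts = []
    for path in sorted(set(current) - set(previous)):
        alerts.append(f"new system startup script: {path}")
    for path in sorted(set(previous) - set(current)):
        alerts.append(f"missing system startup script: {path}")
    for path in sorted(set(previous) & set(current)):
        if previous[path] != current[path]:
            alerts.append(f"modified system startup script: {path}")
    return alerts

if __name__ == "__main__":
    # Assumed location of the stored snapshot (PIKT keeps its own history).
    state_file = Path("/var/lib/startup-script-state.json")
    previous = json.loads(state_file.read_text()) if state_file.exists() else {}
    current = scan_startup_scripts()
    for line in compare_states(previous, current):
        print(line)
    state_file.write_text(json.dumps(current, indent=1))
```

Run it from cron at the same interval as the PIKT alarm; the first run reports every existing script as new, exactly as the PIKT version does when its history is empty.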
[For more examples, see Samples.]
Page last updated 2005-06-22.
PIKT® is a registered trademark of the University of Chicago.
Copyright © 1998-2005 Robert Osterlund. All rights reserved.