In this example, we report suspicious wtmp changes.
The WtmpChangeCritical script might send an alert message like the following:
-------------------------------------------------------------------------------
PIKT ALERT
Fri Aug 22 08:56:31 2003
athens2
CRITICAL:
WtmpChangeCritical
Report suspicious wtmp changes
wtmp changed access, was -rw-rw-r--, is now -rw-rw-rw-!
wtmp has shrunk in size, was 238464 bytes, is now 1169 bytes!
-------------------------------------------------------------------------------
The script follows.
///////////////////////////////////////////////////////////////////////////////
//
// security_alarms.cfg
//
///////////////////////////////////////////////////////////////////////////////

[other alarms omitted...]

///////////////////////////////////////////////////////////////////////////////

WtmpChangeCritical

        init
                status          active
                level           critical
                task            "Report suspicious wtmp changes"
                input proc      "=ll =wtmp"
                                =lldata
                keys            $name

        rule    // file not found
                if ! -e $name
                        output mail "=wtmp not found!"
                        quit
                fi

        rule    // changed access
                if #defined(%access)
                && $access ne %access
                        output mail "=wtmp changed access, was %access,
                                     is now $access!"
                fi

        rule    // changed owner
                if #defined(%owner)
                && $owner ne %owner
                        output mail "=wtmp changed owner, was %owner,
                                     is now $owner!"
                fi

        rule    // changed group
                if #defined(%group)
                && $group ne %group
                        output mail "=wtmp changed group, was %group,
                                     is now $group!"
                fi

        rule    // shrunk
                if #defined(%size)
                && #size < %size
                        output mail "=wtmp has shrunk in size,
                                     was $text(%size) bytes,
                                     is now $text(#size) bytes!"
                fi

///////////////////////////////////////////////////////////////////////////////

[other alarms omitted...]

///////////////////////////////////////////////////////////////////////////////
This is just one program example. You could add rules, or write new scripts, to report unexpected changes to other critical system files, for example the wtmpx file.
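The alarm above works by comparing the current `ls -l` fields of wtmp against the values PIKT saved on the previous run (the `%var` form is the previous value, `$var` the current one), and firing a rule when access bits, owner or group differ or the file has shrunk. The following stand-alone Python script is an added example, not PIKT code or code from the original page; it re-implements the same four rules over two snapshot dictionaries, takes the current snapshot from os.stat() instead of `ls -l`, and persists the previous snapshot in a JSON state file (the state-file path, the `run_check` and `wtmp_alerts` names, and the sample owner/group values are assumptions for illustration).

```python
"""Added example (not part of PIKT or the original page): a stand-alone
Python equivalent of the WtmpChangeCritical alarm's four rules.

PIKT's %var / $var convention (previous-run value vs. current value) is
modelled as two snapshot dicts. The alarm reads "ls -l wtmp"; this script
reads os.stat() and keeps last run's snapshot in a small JSON state file.
"""
import json
import os
import stat
from typing import Optional


def snapshot(path: str) -> Optional[dict]:
    """Current access/owner/group/size of *path*, or None if it is missing."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return {
        "access": stat.filemode(st.st_mode),  # e.g. "-rw-rw-r--", like ls -l
        "owner": str(st.st_uid),              # numeric ids keep this portable
        "group": str(st.st_gid),
        "size": st.st_size,
    }


def wtmp_alerts(current: Optional[dict], previous: Optional[dict],
                name: str = "wtmp") -> list:
    """Apply the alarm's rules in order and return the alert lines."""
    if current is None:                 # rule: file not found
        return [f"{name} not found!"]
    if previous is None:                # first run: #defined(%...) is false
        return []
    alerts = []
    for field in ("access", "owner", "group"):   # rules: changed access/owner/group
        if current[field] != previous[field]:
            alerts.append(f"{name} changed {field}, was {previous[field]}, "
                          f"is now {current[field]}!")
    if current["size"] < previous["size"]:       # rule: shrunk
        alerts.append(f"{name} has shrunk in size, was {previous['size']} bytes, "
                      f"is now {current['size']} bytes!")
    return alerts


def run_check(path: str, state_file: str) -> list:
    """Load last run's snapshot, compare with now, save the new one, return alerts."""
    previous = None
    if os.path.exists(state_file):
        with open(state_file) as fh:
            previous = json.load(fh)
    current = snapshot(path)
    alerts = wtmp_alerts(current, previous)
    if current is not None:
        with open(state_file, "w") as fh:
            json.dump(current, fh)
    return alerts


# Constructed sample mirroring the alert on the page; owner/group values
# are made up, the page shows only the access and size changes.
SAMPLE_PREVIOUS = {"access": "-rw-rw-r--", "owner": "root", "group": "utmp",
                   "size": 238464}
SAMPLE_CURRENT = {"access": "-rw-rw-rw-", "owner": "root", "group": "utmp",
                  "size": 1169}

if __name__ == "__main__":
    for line in wtmp_alerts(SAMPLE_CURRENT, SAMPLE_PREVIOUS):
        print(line)
    # Real use (paths assumed): run_check("/var/log/wtmp", "/var/lib/wtmpcheck.json")
```

Run from cron at the same interval the PIKT alarm would run. Like the original alarm, the shrink rule also fires on legitimate log rotation, so schedule the check with that in mind or whitelist the rotation window; a shrink outside it, or any permission change that makes wtmp world-writable, is the signal worth paging on.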
[For more examples, see Samples.]
Page last updated 2005-06-22.
Copyright © 1998-2005 Robert Osterlund. All rights reserved.