PIKT

Samples: Checksum Differences



In this example, we report checksum differences for certain critical system files.

The ChecksumDifferenceCritical script might send an alert message like the following:

-------------------------------------------------------------------------------

                                PIKT ALERT
                         Sat Oct  6 14:31:05 2002
                                 cologne

CRITICAL:
    ChecksumDifferenceCritical
        Report checksum differences for certain critical system files.

        /usr/sbin/login checksums differ!
            auth:   63605c254a6a9928b8075963c951dbbf 29144 /usr/sbin/login
            actual: 938a4ca4a6dd7b8665faa4cde6a83f73 29356 /usr/sbin/login

-------------------------------------------------------------------------------
ChecksumDifferenceCritical makes reference to the =checksums_obj macro, which resolves to the name of the Checksums.obj file.  The script follows.

///////////////////////////////////////////////////////////////////////////////
//
// security_alarms.cfg
//
///////////////////////////////////////////////////////////////////////////////

[other alarms omitted...]

///////////////////////////////////////////////////////////////////////////////

ChecksumDifferenceCritical

        init
                status active
                level critical
                task "Report checksum differences for critical system files."
                input file "=checksums_obj"
                // dat $csauth 1        // not used
                // dat $szauth 2        // not used
                dat $name   3

        rule
                if ! -e $name
                        output mail "$name not found!"
                else
#ifdef setup
                        output "$checksum(5, $name):=pikthostname" // MD5 checksum
#elsedef
                        set $actual = $checksum(5, $name)          // MD5 checksum
                        if $inlin ne $actual
                                output mail "$name checksums differ!"
                                output mail "    auth:   $inlin"
                                output mail "    actual: $actual"
                        fi
#endifdef
                endif

///////////////////////////////////////////////////////////////////////////////

[other alarms omitted...]

///////////////////////////////////////////////////////////////////////////////
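The script above runs in two modes: under `#ifdef setup` it emits the authoritative line for each file, and otherwise it recomputes the checksum and compares it with the stored line. As an added example (not PIKT's own code), the following Python does the same job against a baseline in the "checksum size path" line format that the alert and the `dat $name 3` field layout imply, and it also reports a file that has disappeared, as the `! -e $name` branch does. MD5 is used to match the page; the `algo` parameter lets a deployment switch to SHA-256, which is what a current integrity check would use. The file names and contents in `demo()` are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def checksum(path, algo="md5"):
    """Hex digest of a file, read in chunks so large binaries are not slurped into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_baseline(paths, algo="md5"):
    """Setup mode: one '<digest> <size> <path>' line per file (assumed Checksums.obj layout)."""
    return [f"{checksum(p, algo)} {os.path.getsize(p)} {p}" for p in paths]


def parse_baseline(lines):
    """Split baseline lines into (digest, size, path); blank and '#' lines are skipped."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, size, path = line.split(None, 2)  # path may contain spaces
        records.append((digest, int(size), path))
    return records


def check_baseline(lines, algo="md5"):
    """Check mode: return alert lines in the page's format; empty list means everything matches."""
    alerts = []
    for digest, size, path in parse_baseline(lines):
        if not os.path.exists(path):
            alerts.append(f"{path} not found!")
            continue
        actual = checksum(path, algo)
        actual_size = os.path.getsize(path)
        if actual != digest or actual_size != size:
            alerts.append(f"{path} checksums differ!")
            alerts.append(f"    auth:   {digest} {size} {path}")
            alerts.append(f"    actual: {actual} {actual_size} {path}")
    return alerts


def demo():
    """Constructed scenario: record two files, then modify one and delete the other."""
    with tempfile.TemporaryDirectory() as d:
        login = Path(d, "login")
        passwd = Path(d, "passwd")
        login.write_bytes(b"original binary\n")
        passwd.write_bytes(b"another binary\n")
        baseline = make_baseline([str(login), str(passwd)])
        clean = check_baseline(baseline)          # expected: no alerts
        login.write_bytes(b"modified binary\n")   # tamper with one file
        passwd.unlink()                           # remove the other
        return clean, check_baseline(baseline)


if __name__ == "__main__":
    clean, alerts = demo()
    print("clean run:", clean)
    print("\n".join(alerts))
```

Keep the baseline file somewhere the monitored host cannot rewrite (read-only media or a central server), since a baseline that an intruder can regenerate with the `setup` pass alongside the modified binary hides the change.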
This is just one program example.  You could add rules, or write new scripts, for example to: review log files, report attempted break-ins, report and auto-fix improperly set file and directory ownerships and permissions, report suspicious user activity, monitor the timely application of security patches, find and report rootkits, or report unexpected changes in the system configuration; the list goes on and on.

[For more examples, see Samples.]


Page last updated 2005-06-22.
This site is PIKT® powered.
PIKT® is a registered trademark of the University of Chicago.
Copyright © 1998-2005 Robert Osterlund.  All rights reserved.