In this example, we report checksum differences for certain critical system files.
The ChecksumDifferenceCritical script might send an alert message like the following:
-------------------------------------------------------------------------------
PIKT ALERT
Sat Oct 6 14:31:05 2002
cologne
CRITICAL:
ChecksumDifferenceCritical
Report checksum differences for certain critical system files.
/usr/sbin/login checksums differ!
auth: 63605c254a6a9928b8075963c951dbbf 29144 /usr/sbin/login
actual: 938a4ca4a6dd7b8665faa4cde6a83f73 29356 /usr/sbin/login
-------------------------------------------------------------------------------
ChecksumDifferenceCritical refers to the =checksums_obj macro, which resolves to the name of the Checksums.obj file. The script follows.
///////////////////////////////////////////////////////////////////////////////
//
// security_alarms.cfg
//
///////////////////////////////////////////////////////////////////////////////
[other alarms omitted...]
///////////////////////////////////////////////////////////////////////////////
ChecksumDifferenceCritical
        init
                status  active
                level   critical
                task    "Report checksum differences for critical system files."
                input   file "=checksums_obj"
                // dat  $csauth 1   // not used
                // dat  $szauth 2   // not used
                dat     $name 3
        rule
                if ! -e $name
                        output mail "$name not found!"
                else
                #ifdef setup
                        output "$checksum(5, $name):=pikthostname"   // MD5 checksum
                #elsedef
                        set $actual = $checksum(5, $name)            // MD5 checksum
                        if $inlin ne $actual
                                output mail "$name checksums differ!"
                                output mail "  auth: $inlin"
                                output mail "  actual: $actual"
                        fi
                #endifdef
                endif
///////////////////////////////////////////////////////////////////////////////
[other alarms omitted...]
///////////////////////////////////////////////////////////////////////////////
This is just one program example. You could add rules, or write new scripts, for example to: review log files, report attempted break-ins, report and auto-fix improperly set file and directory ownerships and permissions, report suspicious user activity, monitor the timely application of security patches, find and report rootkits, report unexpected changes in the system configuration; the list goes on and on.
[For more examples, see Samples.]
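As an added illustration (Python, not PIKT, and not code from the PIKT distribution), the following reproduces the rule's logic: each baseline line is assumed to carry the same "md5 size path" triple that the alert's auth:/actual: lines show, field 3 is the file name (as in dat $name 3), a missing file is reported, and any mismatch is reported with both the stored and the live triple. The baseline, the stand-in for /usr/sbin/login and the tampering are all constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

def file_checksum(path):
    # Build the "md5 size path" triple that the alert's auth:/actual: lines show
    # (assumed to match what $checksum(5, $name) yields in the PIKT script).
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
    return f"{md5.hexdigest()} {os.path.getsize(path)} {path}"

def check_baseline(baseline_text):
    # One baseline line per file, "md5 size path"; field 3 is the name,
    # mirroring "dat $name 3". Returns alert lines in the PIKT alert's style.
    alerts = []
    for inlin in baseline_text.splitlines():
        if not inlin.strip() or inlin.startswith("#"):
            continue
        name = inlin.split()[2]
        if not os.path.exists(name):          # if ! -e $name
            alerts.append(f"{name} not found!")
            continue
        actual = file_checksum(name)
        if inlin != actual:                   # if $inlin ne $actual
            alerts.append(f"{name} checksums differ!")
            alerts.append(f"  auth: {inlin}")
            alerts.append(f"  actual: {actual}")
    return alerts

def demo():
    # Constructed scenario in a temp dir: a stand-in for /usr/sbin/login is
    # baselined, then overwritten; a second baseline entry names a missing file.
    workdir = tempfile.mkdtemp()
    login = os.path.join(workdir, "login")
    with open(login, "wb") as fh:
        fh.write(b"original login binary\n")
    missing = os.path.join(workdir, "missing")
    baseline = file_checksum(login) + "\n" + f"{'0' * 32} 0 {missing}\n"
    clean = check_baseline(file_checksum(login))   # unchanged file: no alerts
    with open(login, "wb") as fh:
        fh.write(b"replaced login binary!!\n")     # size and MD5 both change
    return clean, check_baseline(baseline)

if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("\n".join(after))
```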
Page last updated 2005-06-22.
PIKT® is a registered trademark of the University of Chicago.
Copyright © 1998-2005 Robert Osterlund. All rights reserved.