PIKT

Samples: Wtmp Changes



In this example, we report suspicious changes to the wtmp file, the login accounting record that intruders commonly edit or truncate to erase evidence of their sessions.  The script watches the file's permissions, owner, group, and size between runs.

The WtmpChangeCritical script might send an alert message like the following:

-------------------------------------------------------------------------------

                                PIKT ALERT
                         Fri Aug 22 08:56:31 2003
                                 athens2

CRITICAL:
    WtmpChangeCritical
        Report suspicious wtmp changes

        wtmp changed access, was -rw-rw-r--, is now -rw-rw-rw-!
        wtmp has shrunk in size, was 238464 bytes, is now 1169 bytes!

-------------------------------------------------------------------------------
The script follows.

///////////////////////////////////////////////////////////////////////////////
//
// security_alarms.cfg
//
///////////////////////////////////////////////////////////////////////////////

[other alarms omitted...]

///////////////////////////////////////////////////////////////////////////////

WtmpChangeCritical

        init
                status active
                level critical
                task "Report suspicious wtmp changes"
                input proc "=ll =wtmp"
                =lldata
                keys $name

        rule    // file not found
                if ! -e $name
                        output mail "=wtmp not found!"
                        quit
                fi

        rule    // changed access
                if    #defined(%access)
                   && $access ne %access
                        output mail "=wtmp changed access, was %access,
                                     is now $access!"
                fi

        rule    // changed owner
                if    #defined(%owner)
                   && $owner ne %owner
                        output mail "=wtmp changed owner, was %owner,
                                     is now $owner!"
                fi

        rule    // changed group
                if    #defined(%group)
                   && $group ne %group
                        output mail "=wtmp changed group, was %group,
                                     is now $group!"
                fi

        rule    // shrunk
                if    #defined(%size)
                   && #size < %size
                        output mail "=wtmp has shrunk in size,
                                     was $text(%size) bytes,
                                     is now $text(#size) bytes!"
                fi

///////////////////////////////////////////////////////////////////////////////

[other alarms omitted...]

///////////////////////////////////////////////////////////////////////////////
This is just one program example.  You could add rules, or write new scripts, to report unexpected changes in the wtmpx file (on systems that keep one) or in other critical system files.
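The same detection logic as the PIKT alarm, written as an added, stand-alone Python example (not PIKT code and not part of the original page).  It stats the file, compares the result with a baseline saved at the previous run, and emits one alert per rule that fires.  It goes one step beyond the script by also comparing the inode number, which catches a file that was deleted and recreated at the same size.  The paths WTMP and BASELINE_FILE, and the sample records at the bottom, are assumptions constructed for illustration; the sample records reproduce the two alerts shown above.

```python
"""Report suspicious wtmp changes by comparing current file metadata with a
saved baseline.  Added illustration; not code from PIKT or its authors."""
import grp
import json
import os
import pwd
import stat
from dataclasses import asdict, dataclass
from typing import List, Optional

WTMP = "/var/log/wtmp"                                 # assumed path (Linux default)
BASELINE_FILE = "/var/lib/wtmp-watch/baseline.json"    # hypothetical state file


@dataclass(frozen=True)
class FileRecord:
    name: str
    access: str    # symbolic mode as ls -l prints it, e.g. "-rw-rw-r--"
    owner: str
    group: str
    size: int
    inode: int     # extra attribute the PIKT script does not track


def record_from_path(path: str) -> Optional[FileRecord]:
    """Stat `path`; return None when it does not exist (the script's `! -e` case)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)          # no passwd entry: report the raw uid
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return FileRecord(os.path.basename(path), stat.filemode(st.st_mode),
                      owner, group, st.st_size, st.st_ino)


def load_baseline(path: str = BASELINE_FILE) -> Optional[FileRecord]:
    """Previous run's record, or None on the first run."""
    try:
        with open(path) as fh:
            return FileRecord(**json.load(fh))
    except FileNotFoundError:
        return None


def save_baseline(rec: FileRecord, path: str = BASELINE_FILE) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        json.dump(asdict(rec), fh)


def wtmp_changes(prev: Optional[FileRecord], curr: Optional[FileRecord],
                 name: str = "wtmp") -> List[str]:
    """One alert string per rule that fires.  `prev` plays the role of the
    PIKT %variables (last run), `curr` the $variables (this run)."""
    if curr is None:
        return [f"{name} not found!"]
    if prev is None:                    # first run: nothing to compare against
        return []
    alerts = []
    if curr.access != prev.access:
        alerts.append(f"{name} changed access, was {prev.access}, is now {curr.access}!")
    if curr.owner != prev.owner:
        alerts.append(f"{name} changed owner, was {prev.owner}, is now {curr.owner}!")
    if curr.group != prev.group:
        alerts.append(f"{name} changed group, was {prev.group}, is now {curr.group}!")
    if curr.size < prev.size:
        alerts.append(f"{name} has shrunk in size, was {prev.size} bytes, "
                      f"is now {curr.size} bytes!")
    if curr.inode != prev.inode:        # file deleted and recreated (not in the PIKT rules)
        alerts.append(f"{name} was replaced, inode was {prev.inode}, is now {curr.inode}!")
    return alerts


# Constructed sample records reproducing the alert shown on this page.
BASELINE = FileRecord("wtmp", "-rw-rw-r--", "root", "utmp", 238464, 1001)
TAMPERED = FileRecord("wtmp", "-rw-rw-rw-", "root", "utmp", 1169, 1001)


def main() -> None:
    curr = record_from_path(WTMP)
    for line in wtmp_changes(load_baseline(), curr):
        print("CRITICAL:", line)
    if curr is not None:                # like PIKT's keys: this run becomes next run's baseline
        save_baseline(curr)


if __name__ == "__main__":
    main()
```

Two caveats carry over from the PIKT script.  The baseline is whatever the file looked like at the previous run, so a wtmp that is truncated and then regrows past its old size between two runs never trips the shrink rule; run the check often, or also keep the high-water mark.  And the shrink and mode rules only describe the file as a whole; an attacker who overwrites individual login records in place changes neither size nor mode, so a content-level check (for example a per-record hash of the portion already seen) is needed to catch that.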

[For more examples, see Samples.]


Page last updated 2005-06-22.
This site is PIKT® powered.
PIKT® is a registered trademark of the University of Chicago.
Copyright © 1998-2005 Robert Osterlund.  All rights reserved.
