Root Crontab Changes
Last summer, we had a couple of security incidents involving root crontab changes (among other things). Since then, we have been watching the crontabs rather closely. For a time, whenever a root crontab appeared to have changed, because PIKT reported a change in its timestamp or size, the PIKT alert would show the latest crontab in its entirety.
Good, except that on some systems, the timestamp was being updated daily, evidently because some automated process was rewriting the crontab regularly. And on those systems, every day we would have to inspect the crontab. In almost every case, there was no change, else the change was small and hard to discern.
If the timestamp changes, what if instead of dumping the entire crontab we diff it against the previous day's version? A revised CrontabChkWarning was the result:
CrontabChkWarning init status active level warning task "Check for crontab anomalies" input proc "=ll =crontabs | =behead" =lldata keys $name rule // initialize for current crontab set #changed = #false() rule // changed size? if #defined(%size) && #size != %size set #changed = #true() output mail "$name has changed size to $text(#size), was $text(%size)" endif rule // changed timestamp? if #defined(%time) && $time ne %time set #changed = #true() output mail "$name has changed timestamp to $mon $date $time, was %mon %date %time" endif rule // if changed, and we have a backup of the previous // crontab, diff the current against the previous, // else dump the current crontab if #changed if -e "=hstdir/crontabs/$name" do #popen(DIFF, "=diff =hstdir/crontabs/$name =crontabs/$name", "r") while #read(DIFF) > 0 output mail $rdlin endwhile do #pclose(DIFF) output mail =newline else do #fopen(CRONTAB, "=crontabs/$name", "r") while #read(CRONTAB) > 0 output mail $rdlin endwhile do #fclose(CRONTAB) output mail =newline endif endif rule // save current crontab in the histories/crontabs directory if ! -d "=hstdir/crontabs" exec wait "=mkdir =hstdir/crontabs; =chmod 750 =hstdir/crontabs" endif exec wait "cp -p =crontabs/$name =hstdir/crontabs" rule // report if oddly-named if $command("=egrep " . $squote() . "^?$name:" . $squote() . " /etc/passwd") eq "" && $command("=ypmatch $name passwd 2>/dev/null") eq "" output mail "no such acct: $inlin=newline" endif rule // report if non-root owner if $owner ne "root" #ifndef generic # if db && $owner ne "ingres" # endif #endifdef output mail "suspicious ownership: $inlin=newline" do #fopen(CRONTAB, "=crontabs/$name", "r") while #read(CRONTAB) > 0 output mail " $rdlin" endwhile do #fclose(CRONTAB) output mail =newline endif
We added three new rules: the first, where we initialize a new variable, #changed; the fourth, where we diff the current and previous crontab; and the fifth, where we save the current crontab in the histories/crontab directory. Note also the modifications to the second and third rules, where we set #changed to #true() if we detect crontab changes.
So, on a typical system, here are the contents of our /pikt/var/histories:
warsaw 508) find /pikt/var/histories -print /pikt/var/histories /pikt/var/histories/EMERGENCY.hst /pikt/var/histories/Debug.hst /pikt/var/histories/Urgent.hst /pikt/var/histories/Critical.hst /pikt/var/histories/Warning.hst /pikt/var/histories/Info.hst /pikt/var/histories/Notice.hst /pikt/var/histories/crontabs /pikt/var/histories/crontabs/adm /pikt/var/histories/crontabs/lp /pikt/var/histories/crontabs/root /pikt/var/histories/crontabs/sys /pikt/var/histories/crontabs/uucp
So, you see that your var/histories directory is a natural place to store earlier versions of files, not just .hst files, that you want to compare with their current versions.
Now we still get alerts when crontabs change their timestamp or size, but we
just see their diffs, if any.
For more examples, see Developer's Notes.