User Activity Example
Case Study 5: UserActivity
You can use PIKT's define feature to achieve precision control over your security setup. Consider these security settings in defines.cfg:
attentive  TRUE         // lowest level
                        // of security
cautious
#if misscritsys | cssys
    TRUE
#else
    FALSE
#endif
worried
#if misscritsys
    TRUE
#else
    FALSE
#endif
paranoid   FALSE        // highest level
                        // of security
Listing 10 shows how you might use them in an alarm to monitor suspicious,
after-hours user activity (some per-OS customizations were omitted for
brevity):
Listing 10: UserActivity
UserActivity
    init
        status active
        level critical
        task "Report and/or log suspicious after-hours activity."
        input proc "=w -hs"
            =wdata
    begin
        exec wait "=touch =useractivity_log"   // forced update
#ifdef worried                  // or paranoid
        if #false()             // never quit this alarm if we're
                                // worried (or paranoid); monitor
                                // activity at all hours
#elsedef
        if #hour() >= 8         // 8 AM to midnight only
#endifdef
            quit                // don't monitor, move on to next alarm
        endif
    rule
#ifdef worried                  // or paranoid
        if #true()              // all users
#elsedef
# if nonusersys
        if #true()              // all users, on admin systems
# else
        if $user eq "root"      // root only, on user systems
# endif
#endifdef
           && ( #length($idle) == 0
                || $idle =~ "^[0-9]+$"     // idle time in minutes,
                                           // not hours or days
              )
            // escalate notification at higher levels of security
            output log "=useractivity_log" $inline
#ifdef cautious                 // or worried or paranoid
            output syslog $inline
            output mail $inline
#endifdef
#ifdef worried                  // or paranoid
            output print $inline
#endifdef
#ifdef paranoid
            exec wait "echo '=pikthostname: $inlin' | =mailx -s \
                       '=pikthostname: $inlin' =pagesysadmins"
#endifdef
        endif
We can also apply these defines to the UserActivity.log file produced by the UserActivity alarm. Here is a sample log entry:
Aug 3 01:36:01 CRIT: root p0 1 -csh
Listing 11 shows the log monitoring script.
Listing 11: UserActivityLogChk
UserActivityLogChk
    init
        status active
        level critical
        task "Report all new security incidents in UserActivity log."
        input logfile "=useractivity_log"
#ifndef cautious                // or worried or paranoid
    begin
        quit
#endifdef
#ifdef cautious                 // or worried or paranoid
    rule
        output syslog $inline
#endifdef
#ifdef worried                  // or paranoid
    rule
        output mail $inline
#elsedef                        // only cautious
    rule
        if $inline =~ "root"
            output mail $inline
        fi
#endifdef
#ifdef paranoid
    rule
        output print $inline
        // page also?
#endifdef
As security conditions change, we can generate more or fewer log entries by changing our security defines (from TRUE to FALSE, or vice versa) for different systems, then using piktc to reinstall the modified scripts on those systems. This gives us pinpoint control over our security setup.
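As an added illustration that is not part of the PIKT documentation or distribution, the following Python models the decisions Listings 10 and 11 make, so you can check which notification channels a given security level, system role and "w -hs" line would produce before reinstalling scripts with piktc. The defines dictionary, the nonusersys flag and the sample lines are constructed, and the levels are treated as cumulative, as the comments in the listings indicate.

```python
import re

# Constructed sample of the defines.cfg security levels (True = defined TRUE).
DEFINES = {"attentive": True, "cautious": False, "worried": False, "paranoid": False}

# Idle time in minutes is a bare number; "2:15" (hours) or "3days" is stale.
IDLE_MINUTES = re.compile(r"^[0-9]+$")

def parse_w(line):
    """Split one 'w -hs' line into (user, tty, idle, what).
    Assumes four whitespace-separated fields, as in the page's log sample."""
    user, tty, idle, *rest = line.split(None, 3)
    return user, tty, idle, rest[0] if rest else ""

def useractivity(line, hour, defines=DEFINES, nonusersys=False):
    """Channels the UserActivity alarm (Listing 10) would write to for one
    'w -hs' line at the given hour, or [] if it quits or the rule misses."""
    worried = defines["worried"] or defines["paranoid"]
    cautious = defines["cautious"] or worried
    if not worried and hour >= 8:       # begin: 8 AM to midnight -> quit
        return []
    user, _tty, idle, _what = parse_w(line)
    if not (worried or nonusersys or user == "root"):   # user filter
        return []
    if not (idle == "" or IDLE_MINUTES.match(idle)):    # recent activity only
        return []
    channels = ["log"]                  # always logged to =useractivity_log
    if cautious:
        channels += ["syslog", "mail"]
    if worried:
        channels.append("print")
    if defines["paranoid"]:
        channels.append("page")         # the mailx to =pagesysadmins
    return channels

def useractivity_logchk(logline, defines=DEFINES):
    """Channels UserActivityLogChk (Listing 11) would use for one new line
    of the UserActivity log, e.g. 'Aug 3 01:36:01 CRIT: root p0 1 -csh'."""
    worried = defines["worried"] or defines["paranoid"]
    cautious = defines["cautious"] or worried
    if not cautious:                    # attentive only: quit at begin
        return []
    channels = ["syslog"]
    if worried or "root" in logline:    # cautious mails only root entries
        channels.append("mail")
    if defines["paranoid"]:
        channels.append("print")
    return channels
```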