User Activity Example
Case Study 5: UserActivity
You can use PIKT's define feature to achieve precision control over your security setup. The idea is to name a handful of security levels, derive them from per-host macros (here misscritsys and cssys), and let the preprocessor compile more or less aggressive monitoring into the same alarm script depending on which levels a host has defined. The listings below treat the levels as nested: a worried host is also cautious, a paranoid host is also worried. Consider these security settings in defines.cfg:
attentive       TRUE            // lowest level
                                // of security
cautious
#if misscritsys | cssys
                TRUE
#else
                FALSE
#endif
worried
#if misscritsys
                TRUE
#else
                FALSE
#endif
paranoid        FALSE           // highest level
                                // of security
Listing 10 shows how you might use them in an alarm to monitor suspicious, after-hours user activity (some per-OS customizations were omitted for brevity):
Listing 10: UserActivity
UserActivity
        init
                status active
                level critical
                task "Report and/or log suspicious after-hours activity."
                input proc "=w -hs" =wdata
        begin
                exec wait "=touch =useractivity_log"   // forced update
#ifdef worried          // or paranoid
                if #false()     // never quit this alarm if we're
                                // worried (or paranoid); monitor
                                // activity at all hours
#elsedef
                if #hour() >= 8 // quit from 8 AM to midnight; monitor
                                // only between midnight and 8 AM
#endifdef
                        quit    // don't monitor, move on to next alarm
                endif
        rule
#ifdef worried          // or paranoid
                if #true()      // all users
#elsedef
# if nonusersys
                if #true()      // all users, on admin systems
# else
                if $user eq "root"      // root only, on user systems
# endif
#endifdef
                   && ( #length($idle) == 0
                        || $idle =~ "^[0-9]+$"  // idle time in minutes,
                                                // not hours or days
                      )
                        // escalate notification at higher levels of security
                        output log "=useractivity_log" $inline
#ifdef cautious         // or worried or paranoid
                        output syslog $inline
                        output mail $inline
#endifdef
#ifdef worried          // or paranoid
                        output print $inline
#endifdef
#ifdef paranoid
                        exec wait "echo '=pikthostname: $inline' | =mailx -s \
                                '=pikthostname: $inline' =pagesysadmins"
#endifdef
                endif
We can also apply these defines to the UserActivity.log file produced by the UserActivity alarm. Here is a sample log entry:
Aug 3 01:36:01 CRIT: root p0 1 -csh
Listing 11 shows the log monitoring script.
Listing 11: UserActivityLogChk
UserActivityLogChk
        init
                status active
                level critical
                task "Report all new security incidents in UserActivity log."
                input logfile "=useractivity_log"
#ifndef cautious        // or worried or paranoid
        begin
                quit
#endifdef
#ifdef cautious         // or worried or paranoid
        rule
                output syslog $inline
#endifdef
#ifdef worried          // or paranoid
        rule
                output mail $inline
#elsedef                // only cautious
        rule
                if $inline =~ "root"
                        output mail $inline
                endif
#endifdef
#ifdef paranoid
        rule
                output print $inline    // page also?
#endifdef
As security conditions change, we can generate more or fewer log entries by changing our security defines (from TRUE to FALSE, or vice-versa) for different systems, then using piktc to reinstall the modified scripts on those systems. This gives us pinpoint control over our security setup.
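As an added example (not code from the PIKT article or the PIKT distribution), the following Python script re-implements the filtering and escalation logic of both listings so it can be run offline over constructed `w -hs` lines and UserActivity.log entries. It assumes the `w -hs` columns are user, tty, idle and what, as in the sample log entry above (the real field layout is per-OS, which is what the =wdata macro hides), and that the security levels nest as the listings' `// or worried or paranoid` comments assume. The sample lines are constructed, not real captures.

```python
# Added example, not part of the PIKT article or the PIKT distribution:
# the filtering and escalation logic of the UserActivity and
# UserActivityLogChk alarms re-implemented in Python.  Assumptions: `w -hs`
# yields the columns user, tty, idle, what (real output varies per OS),
# and the four security levels nest (paranoid implies worried, etc.).
import re

LEVELS = ("attentive", "cautious", "worried", "paranoid")


def security_level(misscritsys, cssys):
    """Mirror defines.cfg: worried needs misscritsys, cautious needs
    misscritsys or cssys, attentive is always TRUE, and paranoid is
    hard-wired FALSE, so it must be switched on by hand."""
    if misscritsys:
        return "worried"
    if cssys:
        return "cautious"
    return "attentive"


def at_least(level, wanted):
    """True if `level` is `wanted` or a higher security level."""
    return LEVELS.index(level) >= LEVELS.index(wanted)


# user tty [idle] what; the idle column is blank for a session active now
W_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(?:(\d+|\d+:\d+|\d+days?)\s+)?(.*)$")


def parse_w_line(line):
    """Split one `w -hs` line into its fields (None if it does not parse)."""
    m = W_LINE.match(line.strip())
    if m is None:
        return None
    user, tty, idle, what = m.groups()
    return {"user": user, "tty": tty, "idle": idle or "", "what": what}


def idle_is_recent(idle):
    """PIKT: #length($idle) == 0 || $idle =~ "^[0-9]+$" (minutes only)."""
    return idle == "" or re.fullmatch(r"[0-9]+", idle) is not None


def should_monitor(level, hour):
    """The begin block: worried/paranoid hosts never quit; the others
    monitor only between midnight and 8 AM."""
    return at_least(level, "worried") or hour < 8


def user_selected(level, user, nonusersys):
    """The rule's user test: every user when worried/paranoid or on an
    admin (nonusersys) host, root only on user systems."""
    return at_least(level, "worried") or nonusersys or user == "root"


def escalation(level):
    """Outputs the UserActivity rule produces at a given level."""
    outputs = ["log"]
    if at_least(level, "cautious"):
        outputs += ["syslog", "mail"]
    if at_least(level, "worried"):
        outputs.append("print")
    if at_least(level, "paranoid"):
        outputs.append("page")
    return outputs


def user_activity(w_lines, level, nonusersys, hour):
    """Return {line: outputs} for every `w` line the alarm would report."""
    if not should_monitor(level, hour):
        return {}
    fired = {}
    for line in w_lines:
        rec = parse_w_line(line)
        if rec and user_selected(level, rec["user"], nonusersys) \
                and idle_is_recent(rec["idle"]):
            fired[line] = escalation(level)
    return fired


def log_check(log_line, level):
    """Outputs of UserActivityLogChk for one UserActivity.log line."""
    if not at_least(level, "cautious"):
        return []                       # #ifndef cautious: begin ... quit
    outputs = ["syslog"]
    if at_least(level, "worried") or "root" in log_line:
        outputs.append("mail")          # cautious-only: $inline =~ "root"
    if at_least(level, "paranoid"):
        outputs.append("print")
    return outputs


# Constructed sample input (not real captures).
SAMPLE_W = [
    "root     p0        1  -csh",
    "root     p1           -csh",
    "jdoe     p2     2:15  bash",
    "ops      p3    3days  vi",
    "jdoe     p4        0  tail -f /var/log/messages",
]
SAMPLE_LOG = [
    "Aug  3 01:36:01 CRIT: root p0 1 -csh",
    "Aug  3 02:10:01 CRIT: jdoe p4 0 tail -f /var/log/messages",
    "Aug  3 02:15:01 CRIT: groot p5 2 -csh",
]

if __name__ == "__main__":
    level = security_level(misscritsys=True, cssys=False)
    for line, outs in user_activity(SAMPLE_W, level, False, hour=13).items():
        print(f"{level}: {line!r} -> {outs}")
    for line in SAMPLE_LOG:
        print(f"cautious: {line!r} -> {log_check(line, 'cautious')}")
```

Running it with misscritsys set shows the worried behaviour: the alarm fires at 1 PM for every user with a minute-granularity idle time, and the 2:15 and 3days sessions are skipped. The constructed log line for the user `groot` also gets mailed at the cautious level, because the cautious-only test `$inline =~ "root"` is a substring match on the whole log line, not a check of the user field; anchoring the pattern to the user column is the obvious tightening if that matters on your systems.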