System Directory Owners & Permissions Changes
In this example, we report and fix unauthorized and/or unexpected system directory owners and permissions changes. Such changes might result from innocent sysadmin maintenance, malicious hacker activity, or perhaps some glitch or automated process changing permissions and ownerships in unexpected ways.
The DirsSystemPermissionsOwnersChanges script might send an alert message like the following:
PIKT ALERT Fri Sep 22 20:28:45 2006 calais
CRITICAL: DirsSystemPermissionsOwnersChanges
Report unauthorized and/or unexpected permissions & ownerships changes of system directories
        /usr/sbin mode 040777 is wrong, changed to 755
        ...
        /usr/lib uid 200 is wrong, changed to 0
        /usr/lib gid 200 is wrong, changed to 0
        ...
The script follows.
DirsSystemPermissionsOwnersChanges
        init
                status =piktstatus
                level =piktlevel
                task "Report unauthorized and/or unexpected permissions & ownerships changes of system directories"
                input file "=dirs_system_obj"
                dat $dir 1
                // not needed
                dat $prm 2
                dat $mod 3
                dat #uid 4
                dat #gid 5
                // not needed
                dat $own 6
                // not needed
                dat $grp 7
#ifdef verbose
                keys $dir
#endifdef

        rule    // report nonexistence elsewhere
                if ! -e $dir
                        next
                endif

        rule    // stat the directory
                set $dirmode = $filemode($dir)
                set #diruid = #fileuid($dir)
                set #dirgid = #filegid($dir)

        rule    // compare modes
                if $dirmode !~ $mod
                        =execwait "=chmod $mod $dir"
#ifdef quiet
                        output syslog "$dir mode $dirmode is wrong, changed to $mod"
#elsifdef verbose
                        output mail "$dir mode $dirmode is wrong" . $if(#defined(%dirmode), " (was %dirmode),", ",") . " changed to $mod"
#elsedef
                        output mail "$dir mode $dirmode is wrong, changed to $mod"
#endifdef
                endif

        rule    // compare uids
                if #diruid != #uid
                        =execwait "=chown $text(#uid) $dir"
#ifdef quiet
                        output syslog "$dir uid $text(#diruid) is wrong, changed to $text(#uid)"
#elsifdef verbose
                        output mail "$dir uid $text(#diruid) is wrong" . $if(#defined(%diruid), " (was $text(%diruid)),", ",") . " changed to $text(#uid)"
#elsedef
                        output mail "$dir uid $text(#diruid) is wrong, changed to $text(#uid)"
#endifdef
                endif

        rule    // compare gids
                if #dirgid != #gid
                        =execwait "=chgrp $text(#gid) $dir"
#ifdef quiet
                        output syslog "$dir gid $text(#dirgid) is wrong, changed to $text(#gid)"
#elsifdef verbose
                        output mail "$dir gid $text(#dirgid) is wrong" . $if(#defined(%dirgid), " (was $text(%dirgid)),", ",") . " changed to $text(#gid)"
#elsedef
                        output mail "$dir gid $text(#dirgid) is wrong, changed to $text(#gid)"
#endifdef
                endif

#ifdef debug
        rule
                if #innum() == 20
                        quit
                endif
#endifdef
DirsSystemPermissionsOwnersChanges refers to the =dirs_system_obj macro, which resolves to the file DirsSystem.obj. A line from that file would look like

        /usr/sbin drwxr-xr-x 755 0 0 root root

(the fields are: directory, symbolic permissions, octal mode, uid, gid, owner name, group name; the script uses only fields 1, 3, 4 and 5).
Note how, if we install this script in quiet mode, we silently log the chmods and chowns to syslog. Otherwise, in verbose (or default) mode, we send alert e-mail. You might prefer quiet mode, at least initially (until your setup is fine-tuned), to avoid possibly being deluged with problem messages.
If we install this script with the define doexec set to FALSE, =execwait (see exec_process_macros.cfg) resolves to 'output mail'. Otherwise, with doexec set to TRUE, =execwait resolves to 'exec wait'. By this means, we can control whether the DirsSystemPermissionsOwnersChanges script actually undoes changes or instead just reports PIKT's intent to undo them. Until you are comfortable with your setup (the script, including any special rules you might add, together with its tweaked objects files), you might prefer to run this in doexec FALSE mode and report only. (It can be quite maddening for Pikt scripts to persist in undoing legitimate changes, especially if they break functionality, so be careful before having PIKT apply automatic fixes.)
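As an added example (Python rather than PIKT, and not code from the PIKT project), here is the same check written stand-alone: it parses the DirsSystem.obj line format shown above, compares a directory's mode, uid and gid against that baseline, and either reports only (the doexec FALSE behaviour) or reports and repairs (doexec TRUE). The baseline lines and the temporary directory it checks are constructed sample data; the function names are my own.

```python
import os, stat, tempfile

# Constructed baseline in the DirsSystem.obj layout the page shows:
# dir, symbolic perms, octal mode, uid, gid, owner name, group name.
SAMPLE_OBJ = "/usr/sbin drwxr-xr-x 755 0 0 root root\n/usr/lib drwxr-xr-x 755 0 0 root root\n"

def parse_obj(text):
    """Return (dir, mode, uid, gid) tuples; fields 2, 6 and 7 are unused, like $prm/$own/$grp."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith("#"):
            continue
        d, _prm, mod, uid, gid = parts[:5]
        entries.append((d, int(mod, 8), int(uid), int(gid)))
    return entries

def check_dir(path, want_mode, want_uid, want_gid, fix=False):
    """Compare one directory's permission bits, uid and gid with the baseline and return
    the findings (empty list = clean). fix=True also restores the baseline (doexec TRUE)."""
    if not os.path.lexists(path):
        return [f"{path} does not exist"]       # the PIKT script reports this elsewhere
    st = os.lstat(path)  # lstat: a symlink planted where the directory was is flagged, not followed
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    findings = []
    have = stat.S_IMODE(st.st_mode)
    if have != want_mode:
        findings.append(f"{path} mode {have:04o} is wrong, changed to {want_mode:o}")
    if st.st_uid != want_uid:
        findings.append(f"{path} uid {st.st_uid} is wrong, changed to {want_uid}")
    if st.st_gid != want_gid:
        findings.append(f"{path} gid {st.st_gid} is wrong, changed to {want_gid}")
    if fix and have != want_mode:
        os.chmod(path, want_mode)
    if fix and (st.st_uid, st.st_gid) != (want_uid, want_gid):
        os.chown(path, want_uid, want_gid)
    return findings

def run_demo():
    """Exercise the check on a throwaway directory whose mode is deliberately wrong."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o777)
    st = os.lstat(d)
    want = (0o755, st.st_uid, st.st_gid)       # owner is right, only the mode is off
    report_only = check_dir(d, *want)          # doexec FALSE: report and leave alone
    fixed = check_dir(d, *want, fix=True)      # doexec TRUE: report and repair
    after = check_dir(d, *want)
    os.rmdir(d)
    return report_only, fixed, after
```

Feeding parse_obj() the real DirsSystem.obj and looping check_dir() over its entries gives the report-only run; adding fix=True is the automatic-fix mode, with the same caution about undoing legitimate changes.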
Here is a generalized script macro version of this script, and one written in a more "modern" PIKT style (versions 1.19.0 and later).
This is just one program example. You might also write scripts to report and fix system file ownerships and permissions changes (for example, files_system_permissions_owners_changes_alarms.cfg) or changes to other file or directory stats.
For more examples, see Samples.