System File Permissions & Owners Changes
In this example, we report and undo unauthorized and/or unexpected changes to system file permissions and owners. Such changes might be due to innocent sysadmin activity, malicious hacker actions, or perhaps some automated process or other glitch changing ownerships and permissions in unexpected ways.
The FilesSystemPermissionsOwnersChanges script might send an alert message like the following:
PIKT ALERT
Wed Sep 20 19:02:29 2006
rouen
CRITICAL:
FilesSystemPermissionsOwnersChanges
Report unauthorized and/or unexpected permissions & ownerships changes
of system files
        /etc/passwd mode 100666 is wrong, changed to 644
        /etc/group mode 100666 is wrong, changed to 644
        ...
        /etc/shadow uid 500 is wrong, changed to 0
        /etc/shadow gid 500 is wrong, changed to 0
        ...
The script follows.
FilesSystemPermissionsOwnersChanges
    init
        status =piktstatus
        level =piktlevel
        task "Report unauthorized and/or unexpected permissions & ownerships
              changes of system files"
        input file "=files_system_obj"
        dat $fil 1
        // not needed dat $prm 2
        dat $mod 3
        dat #uid 4
        dat #gid 5
        // not needed dat $own 6
        // not needed dat $grp 7
        #ifdef verbose
        keys $fil
        #endifdef
    rule    // report nonexistence elsewhere
        if ! -e $fil
            next
        endif
    rule    // stat the file
        set $filmode = $filemode($fil)
        set #filuid = #fileuid($fil)
        set #filgid = #filegid($fil)
    rule    // compare modes
        if $filmode !~ $mod
            =execwait "=chmod $mod $fil"
            #ifdef quiet
            output syslog "$fil mode $filmode is wrong,
                           changed to $mod"
            #elsifdef verbose
            output mail "$fil mode $filmode is wrong" .
                        $if(#defined(%filmode), " (was %filmode),", ",") .
                        " changed to $mod"
            #elsedef
            output mail "$fil mode $filmode is wrong,
                         changed to $mod"
            #endifdef
        endif
    rule    // compare uids
        if #filuid != #uid
            =execwait "=chown $text(#uid) $fil"
            #ifdef quiet
            output syslog "$fil uid $text(#filuid) is wrong,
                           changed to $text(#uid)"
            #elsifdef verbose
            output mail "$fil uid $text(#filuid) is wrong" .
                        $if(#defined(%filuid), " (was $text(%filuid)),", ",") .
                        " changed to $text(#uid)"
            #elsedef
            output mail "$fil uid $text(#filuid) is wrong,
                         changed to $text(#uid)"
            #endifdef
        endif
    rule    // compare gids
        if #filgid != #gid
            =execwait "=chgrp $text(#gid) $fil"
            #ifdef quiet
            output syslog "$fil gid $text(#filgid) is wrong,
                           changed to $text(#gid)"
            #elsifdef verbose
            output mail "$fil gid $text(#filgid) is wrong" .
                        $if(#defined(%filgid), " (was $text(%filgid)),", ",") .
                        " changed to $text(#gid)"
            #elsedef
            output mail "$fil gid $text(#filgid) is wrong,
                         changed to $text(#gid)"
            #endifdef
        endif
    #ifdef debug
    rule
        if #innum() == 20
            quit
        endif
    #endifdef
FilesSystemPermissionsOwnersChanges refers to the =files_system_obj macro, which resolves to the file FilesSystem.obj. A typical line from that file would be
/etc/passwd -rw-r--r-- 644 0 0 root root
Note how, if we install this script in quiet mode, we silently log the chowns and chmods to syslog. Otherwise, in verbose (or default) mode, we send an alert e-mail.
If we install this script with the define doexec set to FALSE, =execwait (see exec_process_macros.cfg) resolves to 'output mail'. Otherwise, with doexec set to TRUE, =execwait resolves to 'exec wait'. By means of this PIKT define, we can control whether the FilesSystemPermissionsOwnersChanges script actually undoes changes or instead just reports PIKT's intent to undo them. Until you are comfortable with your setup (the script, including any special rules you might add, together with its tweaked objects files), you might prefer to run this in doexec FALSE mode and report only. (It can be quite maddening for PIKT scripts to persist in undoing legitimate changes, so be careful before having PIKT apply auto-fixes.)
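The same check in plain Python, as an added example that is not part of PIKT or this page: it parses lines in the FilesSystem.obj layout shown below, compares each file's permission bits, uid and gid against that baseline, and either reports only or also repairs, mirroring the doexec FALSE/TRUE switch. The baseline line, the throwaway test file and the function names are constructed for this example; it compares only the permission bits (S_IMODE), whereas the PIKT $filemode() value in the alert above carries the file-type bits (100666).

```python
import os
import stat
import tempfile

# Constructed sample line in the FilesSystem.obj layout shown on the page:
# path  symbolic-mode  octal-mode  uid  gid  owner  group
SAMPLE_OBJ = "/etc/passwd -rw-r--r-- 644 0 0 root root\n"

def parse_obj(text):
    """Return (path, expected mode, expected uid, expected gid) per data line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith("#"):
            continue
        path, _symbolic, mode, uid, gid = fields[:5]
        entries.append((path, int(mode, 8), int(uid), int(gid)))
    return entries

def check_entry(path, mode, uid, gid, doexec=False):
    """Report mode/uid/gid drift; also repair it when doexec is True."""
    findings = []
    if not os.path.lexists(path):  # nonexistence is reported by another script
        return findings
    st = os.stat(path)
    # S_IMODE drops the file-type bits: a regular file compares as 666, not 100666
    actual = stat.S_IMODE(st.st_mode)
    if actual != mode:
        findings.append(f"{path} mode {actual:o} is wrong, changed to {mode:o}")
        if doexec:
            os.chmod(path, mode)
    if st.st_uid != uid:
        findings.append(f"{path} uid {st.st_uid} is wrong, changed to {uid}")
        if doexec:
            os.chown(path, uid, -1)
    if st.st_gid != gid:
        findings.append(f"{path} gid {st.st_gid} is wrong, changed to {gid}")
        if doexec:
            os.chown(path, -1, gid)
    return findings

def demo(doexec):
    """Audit a throwaway world-writable file against a constructed 644 baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "passwd")
        open(path, "w").close()  # empty constructed file, owned by the current user
        os.chmod(path, 0o666)
        st = os.stat(path)  # baseline owner is whoever runs this, so only mode drifts
        findings = check_entry(path, 0o644, st.st_uid, st.st_gid, doexec)
        return findings, stat.S_IMODE(os.stat(path).st_mode)
```

Run demo(False) to see the report-only behaviour leave the file at 666, and demo(True) to see the same finding followed by the repair to 644.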
Here is a generalized script macro version of this script, and one written in a more "modern" PIKT style (PIKT versions 1.19.0 and later).
This is just one program example. You might also write scripts to monitor system directory permissions and ownerships (for example, dirs_system_permissions_owners_changes_alarms.cfg) or other file or directory stats.
For more examples, see Samples.