System File Size Changes
In this example, we report unusual system file size changes.
The SystemFileSizeChange script might send an alert message like the following:
PIKT ALERT
Fri Oct 12 10:26:26 2001
antwerp
URGENT:
SystemFileSizeChange
Report unusual system file size changes
the size of /etc/passwd has changed drastically, was 2321 bytes, is now 1146 bytes
SystemFileSizeChange reads its file list through the =files_system_obj macro, which resolves to the path of the FilesSystem.obj file; the input proc pipeline prints the first field of each line of that file, so each $name is one system file to check. On every run the script records each file's current size (#size) and compares it with the size recorded on the previous run (%size). The script follows.
SystemFileSizeChange

        init
                status =piktstatus
                level =piktlevel
                task "Report unusual system file size changes"
                input proc "=cat =files_system_obj | =awk '{print $1}'"
                dat $name 1
                keys $name

        begin
                set #pctdiff = 10%      // the percentage difference beyond
                                        // which we signal a potential problem

        rule
                if -e $name
                        set #size = #filesize($name)
                else
                        output mail "$name not found!"
                        set #size = 0
                        next
                endif

        rule    // bypass size check for these files
                if $name =~ "/etc/mnttab|=alerts|=piktd_lok|=piktc_svc_lok"
                        next
                endif

        rule
                if =deviated(size, #pctdiff)
                        if %size == 0
                                output mail "$name was non-existent or 0 bytes
                                             (or is a new addition to the files
                                             list), is now $text(#size) bytes"
                        else
                                if #defined(%size)
                                        output mail "the size of $name has changed
                                                     drastically, was $text(%size)
                                                     bytes, is now
                                                     $text(#size) bytes"
                                endif
                        endif
                endif

        end     // %size reference for new file additions next time
                set #size = 0
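The same run-to-run comparison, written in Python as an added illustration (this is not PIKT code and not part of the original page). It assumes the previous run's sizes are kept in a dict keyed by path, that =deviated(size, #pctdiff) means |now - then| / then exceeds the percentage, that an undefined history value behaves like 0, and it approximates the bypass pattern since the =alerts, =piktd_lok and =piktc_svc_lok macro expansions are not shown on the page. The demo runs three passes over constructed files in a temporary directory: a baseline pass, a pass with a drastic shrink, a same-size edit, a removed file, a churning bypassed file and a newly listed file, and a pass where the removed file reappears.

```python
import os
import re
import tempfile

PCT_DIFF = 0.10  # the script's #pctdiff = 10%

# Approximation of the script's bypass pattern (assumed paths for the PIKT
# macros =alerts, =piktd_lok and =piktc_svc_lok).
SKIP = re.compile(r"/etc/mnttab$|/alerts$|piktd_lok|piktc_svc_lok")


def deviated(then, now, pct=PCT_DIFF):
    """True when |now - then| exceeds pct of the previous size.

    A previous size of 0 (file was missing, or first sighting) counts as a
    deviation as soon as the file has any content, mirroring the script's
    '%size == 0' branch.
    """
    if then == 0:
        return now != 0
    return abs(now - then) / then > pct


def check_sizes(paths, previous, pct=PCT_DIFF):
    """One run of the check.

    `previous` maps path -> size recorded on the last run (the script's %size).
    Returns (alert lines, state to hand to the next run).
    """
    alerts, state = [], {}
    for path in paths:
        if not os.path.exists(path):
            alerts.append(f"{path} not found!")
            state[path] = 0          # next run treats it as "was non-existent"
            continue
        size = os.path.getsize(path)
        state[path] = size           # recorded even for bypassed files
        if SKIP.search(path):
            continue                 # files whose size legitimately churns
        was = previous.get(path, 0)  # undefined history behaves like 0
        if not deviated(was, size, pct):
            continue
        if was == 0:
            alerts.append(f"{path} was non-existent or 0 bytes (or is a new "
                          f"addition to the files list), is now {size} bytes")
        else:
            alerts.append(f"the size of {path} has changed drastically, "
                          f"was {was} bytes, is now {size} bytes")
    return alerts, state


def demo():
    """Three simulated runs over constructed files (hypothetical data)."""
    with tempfile.TemporaryDirectory() as d:
        def p(name):
            return os.path.join(d, name)

        def write(name, content):
            with open(p(name), "wb") as f:
                f.write(content)

        write("passwd", b"x" * 2321)
        write("hosts", b"127.0.0.1 localhost\n")
        write("shadow", b"y" * 400)
        write("alerts", b"z" * 50)
        files = [p("passwd"), p("hosts"), p("shadow"), p("alerts")]

        run1, state = check_sizes(files, {})        # baseline: all are "new"

        write("passwd", b"x" * 1146)                # drastic shrink: alert
        write("hosts", b"10.0.0.66 localhost\n")    # same length: no alert
        os.remove(p("shadow"))                      # missing: "not found!"
        write("alerts", b"z" * 5000)                # bypassed: no alert
        write("motd", b"m" * 10)                    # newly listed: "new addition"
        files.append(p("motd"))
        run2, state = check_sizes(files, state)

        write("shadow", b"y" * 400)                 # reappears: "was non-existent"
        run3, _ = check_sizes(files, state)
    return run1, run2, run3


if __name__ == "__main__":
    for i, run in enumerate(demo(), 1):
        print(f"run {i}:")
        for line in run:
            print("  " + line)
```

The second run shows the limit of a size-only check: the hosts file was rewritten to point localhost at a different address, but because the new line has the same byte count, no alert is raised; only the truncated passwd, the removed shadow and the newly listed motd are reported.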
This is just one program example. Size is a coarse signal: an edit that preserves the byte count (one 9-character address swapped for another in /etc/hosts, one password hash replaced by another of the same length in /etc/passwd) passes this check unnoticed, so it should be paired with other checks. You could add rules, or write new scripts, for example to: report system files that you don't want (such as startup files), report changes in modification times or link counts, report outdated files that should be updating regularly, report and possibly also rm core files, etc.
For more examples, see Samples.