Permissions & Owners Changes Macro
In this script macro example, we report and fix unauthorized and/or unexpected permissions and owners changes. Such changes might result from innocent sysadmin maintenance, malicious hacker activity, or perhaps some glitch or automated process changing permissions and ownerships in unexpected ways.
The =permissions_owners_changes() macro might send an alert message like the following:
PIKT ALERT Fri Sep 28 17:06:32 2007
barcelona
CRITICAL: DirectoryPermissionsOwnersChanges
Report unauthorized and/or unexpected permissions & ownerships changes
        /usr/sbin mode 040777 is wrong, was 040755, changed to 755
        ...
        /usr/lib uid 200 is wrong, was 0, changed to 0
        /usr/lib gid 200 is wrong, was 0, changed to 0
        ...
The script macro follows.
permissions_owners_changes(OBJECTS)

        init
                status =piktstatus
                level =piktlevel
                task "Report unauthorized and/or unexpected permissions & ownerships changes"
                input file "(OBJECTS)"
                dat $obj 1
                // not needed
                dat $prm 2
                dat $mod 3
                dat #uid 4
                dat #gid 5
                // not needed
                dat $own 6
                // not needed
                dat $grp 7

        rule    // report nonexistence elsewhere
                if ! -e $obj
                        next
                endif

        rule    // stat the object
                set $objmode = $filemode($obj)
                set #objuid = #fileuid($obj)
                set #objgid = #filegid($obj)

        rule    // compare modes
                if $objmode !~ $mod
                        =execwait "=chmod $mod $obj"
                        output mail "$obj mode $objmode is wrong"
                                . $if(#defined(%objmode), " (was %objmode),", ",")
                                . " changed to $mod"
                endif

        rule    // compare uids
                if #objuid != #uid
                        =execwait "=chown $text(#uid) $obj"
                        output mail "$obj uid $text(#objuid) is wrong"
                                . $if(#defined(%objuid), " (was $text(%objuid)),", ",")
                                . " changed to $text(#uid)"
                endif

        rule    // compare gids
                if #objgid != #gid
                        =execwait "=chgrp $text(#gid) $obj"
                        output mail "$obj gid $text(#objgid) is wrong"
                                . $if(#defined(%objgid), " (was $text(%objgid)),", ",")
                                . " changed to $text(#gid)"
                endif

        end

quit
=permissions_owners_changes() refers to the (OBJECTS) argument, which resolves to a PIKT object file with lines like the following:
/usr/sbin drwxr-xr-x 755 0 0 root root
You would invoke the =permissions_owners_changes() script macro in your alarms.cfg (or one of its #include files) like so:
DirectoryPermissionsOwnersChanges
        =permissions_owners_changes(=dirs_system_obj)

FilePermissionsOwnersChanges
        =permissions_owners_changes(=files_system_obj)
If we install these scripts with the define doexec set to FALSE, =execwait (see exec_process_macros.cfg) resolves to 'output mail'. Otherwise, with doexec set to TRUE, =execwait resolves to 'exec wait'. By this means, we can control whether these scripts actually undo changes or instead just report PIKT's intent to undo them. Until you are comfortable with your setup (the script, including any special rules you might add, together with its tweaked objects files), you might prefer to run this in doexec FALSE mode and report only. (It can be quite maddening for PIKT scripts to persist in undoing legitimate changes, especially if they break functionality, so be careful before having PIKT apply automatic fixes.)
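The same check, written as an added Python example (not PIKT's code) to show the macro's logic outside PIKT: it reads the object-file line format shown above, compares each object's mode, uid and gid against the baseline, and, like the doexec define, either only reports the drift or also reverts it. The SAMPLE_OBJECTS line and the function names are constructed for this example.

```python
import os
import stat
from collections import namedtuple

# Constructed baseline in the column layout of a PIKT object file:
#   path perms mode uid gid owner group
# As in the macro, only path, mode, uid and gid (columns 1, 3, 4, 5) are used.
SAMPLE_OBJECTS = "/usr/sbin drwxr-xr-x 755 0 0 root root\n"

Expected = namedtuple("Expected", "path mode uid gid")  # mode: permission bits

def parse_objects(text):
    """Parse object-file lines, skipping blank lines and // comments."""
    result = []
    for line in text.splitlines():
        f = line.split()
        if f and not f[0].startswith("//"):
            result.append(Expected(f[0], int(f[2], 8), int(f[3]), int(f[4])))
    return result

def check_object(exp, doexec=False):
    """Compare one object with its baseline and return report strings.

    doexec=False only reports (the page's 'output mail' setting); doexec=True
    also reverts the change ('exec wait'). Missing objects are skipped, since
    the macro leaves nonexistence reports to another script.
    """
    if not os.path.exists(exp.path):
        return []
    st = os.stat(exp.path)
    mode = stat.S_IMODE(st.st_mode)
    reports = []
    if mode != exp.mode:
        reports.append(f"{exp.path} mode {mode:04o} is wrong, changed to {exp.mode:04o}")
        if doexec:
            os.chmod(exp.path, exp.mode)
    if st.st_uid != exp.uid:
        reports.append(f"{exp.path} uid {st.st_uid} is wrong, changed to {exp.uid}")
        if doexec:
            os.chown(exp.path, exp.uid, -1)
    if st.st_gid != exp.gid:
        reports.append(f"{exp.path} gid {st.st_gid} is wrong, changed to {exp.gid}")
        if doexec:
            os.chown(exp.path, -1, exp.gid)
    return reports

def run_checks(objects_text, doexec=False):
    """Check every object in objects_text (object-file format); return reports."""
    return [r for e in parse_objects(objects_text) for r in check_object(e, doexec)]
```

Reverting ownership needs root, so a report-only run (doexec=False) is the safe first pass, exactly as the text above recommends.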
For more examples, see Samples.