Permissions & Owners Changes Macro
In this script macro example, we report and fix unauthorized and/or unexpected permissions and owners changes. Such changes might result from innocent sysadmin maintenance, malicious hacker activity, or perhaps some glitch or automated process changing permissions and ownerships in unexpected ways.
The =permissions_owners_changes() macro might send an alert message like the following:
PIKT ALERT
Fri Sep 28 17:06:32 2007
barcelona
CRITICAL:
DirectoryPermissionsOwnersChanges
Report unauthorized and/or unexpected permissions & ownerships changes
/usr/sbin mode 040777 is wrong, was 040755, changed to 755
...
/usr/lib uid 200 is wrong, was 0, changed to 0
/usr/lib gid 200 is wrong, was 0, changed to 0
...
The script macro follows.
permissions_owners_changes(OBJECTS)

    init
        status =piktstatus
        level =piktlevel
        task "Report unauthorized and/or unexpected permissions & ownerships changes"
        input file "(OBJECTS)"
        dat $obj 1
        // not needed dat $prm 2
        dat $mod 3
        dat #uid 4
        dat #gid 5
        // not needed dat $own 6
        // not needed dat $grp 7

    rule    // report nonexistence elsewhere
        if ! -e $obj
            next
        endif

    rule    // stat the object
        set $objmode = $filemode($obj)
        set #objuid = #fileuid($obj)
        set #objgid = #filegid($obj)

    rule    // compare modes
        if $objmode !~ $mod
            =execwait "=chmod $mod $obj"
            output mail "$obj mode $objmode is wrong" .
                $if(#defined(%objmode), " (was %objmode),", ",") .
                " changed to $mod"
        endif

    rule    // compare uids
        if #objuid != #uid
            =execwait "=chown $text(#uid) $obj"
            output mail "$obj uid $text(#objuid) is wrong" .
                $if(#defined(%objuid), " (was $text(%objuid)),", ",") .
                " changed to $text(#uid)"
        endif

    rule    // compare gids
        if #objgid != #gid
            =execwait "=chgrp $text(#gid) $obj"
            output mail "$obj gid $text(#objgid) is wrong" .
                $if(#defined(%objgid), " (was $text(%objgid)),", ",") .
                " changed to $text(#gid)"
        endif

end
quit
=permissions_owners_changes() refers to the (OBJECTS) argument, which resolves to a PIKT object file with lines like the following:
/usr/sbin drwxr-xr-x 755 0 0 root root
You would invoke the =permissions_owners_changes() script macro in your alarms.cfg (or one of its #include files) like so:
DirectoryPermissionsOwnersChanges
    =permissions_owners_changes(=dirs_system_obj)

FilePermissionsOwnersChanges
    =permissions_owners_changes(=files_system_obj)
If we install these scripts with the define doexec set to FALSE, =execwait (see exec_process_macros.cfg) resolves to 'output mail'. Otherwise, with doexec set to TRUE, =execwait resolves to 'exec wait'. By this means, we can control whether these scripts actually undo changes or instead just report PIKT's intent to undo them. Until you are comfortable with your setup (the script, including any special rules you might add, together with its tweaked objects files), you might prefer to run this in doexec FALSE mode and report only. (It can be quite maddening for Pikt scripts to persist in undoing legitimate changes, especially if they break functionality, so be careful before having PIKT apply automatic fixes.)
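As an added illustration (Python written for this page, not PIKT code and not part of the PIKT distribution), the same check outside PIKT: it parses object-file lines in the format shown above, compares mode, uid and gid numerically rather than by pattern match, and applies chmod/chown only when doexec is True, so the default is the report-only behaviour of a doexec FALSE install. The demo() scenario, its temporary file and baseline line are constructed for the example.

```python
import os
import stat
import tempfile

def parse_object_line(line):
    """Split a PIKT object-file line: path perms mode uid gid owner group.
    As in the macro's dat declarations, only fields 1, 3, 4 and 5 are used."""
    fields = line.split()
    if len(fields) < 5:
        raise ValueError(f"malformed object line: {line!r}")
    return fields[0], int(fields[2], 8), int(fields[3]), int(fields[4])

def check_objects(lines, doexec=False):
    """Compare each object's on-disk mode, uid and gid with the baseline and
    return (path, attr, actual, expected) tuples; fix only when doexec is True."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        path, mode, uid, gid = parse_object_line(line)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue                        # nonexistence is reported elsewhere
        if stat.S_ISLNK(st.st_mode):
            continue                        # chmod/chown would act on the target
        actual = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
        wanted = {"mode": mode, "uid": uid, "gid": gid}
        for attr in ("mode", "uid", "gid"):
            if actual[attr] == wanted[attr]:
                continue
            findings.append((path, attr, actual[attr], wanted[attr]))
            if doexec and attr == "mode":
                os.chmod(path, mode)
            elif doexec:                    # -1 leaves the other id untouched
                os.chown(path, uid if attr == "uid" else -1, gid if attr == "gid" else -1)
    return findings

def demo():
    """Constructed scenario: a temp file made world-writable while its baseline
    line says 644. Returns (report-only run, fixing run, re-check, final mode)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "conf")
        open(path, "w").close()
        os.chmod(path, 0o666)
        st = os.stat(path)
        baseline = [f"{path} -rw-r--r-- 644 {st.st_uid} {st.st_gid} owner group"]
        first = check_objects(baseline)                  # report only
        fixed = check_objects(baseline, doexec=True)     # report and chmod
        return first, fixed, check_objects(baseline), stat.S_IMODE(os.stat(path).st_mode)
```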
For more examples, see Samples.