Checksum Differences
In this example, we report checksum differences for certain critical system files.
The ChecksumDifference script might send an alert message like the following:
PIKT ALERT
Sat Oct 6 14:31:05 2002
cologne
CRITICAL:
ChecksumDifference
Report checksum differences for certain critical system files.
/usr/sbin/login checksums differ!
     auth:  63605c254a6a9928b8075963c951dbbf 29144 /usr/sbin/login
   actual:  938a4ca4a6dd7b8665faa4cde6a83f73 29356 /usr/sbin/login
ChecksumDifference makes reference to the =checksums_obj macro, which resolves to the name of the Checksums.obj file. The script follows.
ChecksumDifference
        init
                status =piktstatus
                level =piktlevel
                task "Report checksum differences for critical system files."
                input file "=checksums_obj"
                // dat $csauth 1  // not used
                // dat $szauth 2  // not used
                dat $name 3
        rule
                if ! -e $name
                        output mail "$name not found!"
                else
                        set $actual = $checksum(5, $name)  // MD5 checksum
                        // $inlin is the whole current input line (checksum, size, name)
                        if $inlin ne $actual
                                output mail "$name checksums differ!"
                                output mail "     auth:  $inlin"
                                output mail "   actual:  $actual"
                        fi
                endif
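The same check, written out in Python as an added illustration (this is not PIKT code and not part of the PIKT distribution). It assumes, from the alert shown above, that each line of the authoritative list has the form "md5 size path"; the list text, the file names and the "trojaned" modification in demo() are all constructed here so the block runs offline.

```python
import hashlib
import os
import tempfile


def md5_and_size(path):
    """Return (hex MD5, byte size) of a file, reading it in chunks."""
    h = hashlib.md5()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size


def parse_checksums(text):
    """Parse 'md5 size path' lines (assumed Checksums.obj layout).

    The path is the third field and may itself contain spaces, so the
    line is split at most twice.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        csauth, szauth, name = line.split(None, 2)
        entries.append((csauth, int(szauth), name))
    return entries


def checksum_difference(text):
    """Mirror the ChecksumDifference rule: missing file -> one alert line,
    changed checksum or size -> three alert lines, unchanged -> nothing."""
    alerts = []
    for csauth, szauth, name in parse_checksums(text):
        if not os.path.exists(name):
            alerts.append(f"{name} not found!")
            continue
        actual, size = md5_and_size(name)
        # Compare the whole record, as the script compares $inlin to $actual.
        if (actual, size) != (csauth, szauth):
            alerts.append(f"{name} checksums differ!")
            alerts.append(f"     auth:  {csauth} {szauth} {name}")
            alerts.append(f"   actual:  {actual} {size} {name}")
    return alerts


def demo():
    """Constructed scenario: one unchanged file, one modified after the
    authoritative list was made, and one that no longer exists."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "login")
    changed = os.path.join(d, "su")
    missing = os.path.join(d, "passwd")
    with open(good, "wb") as f:
        f.write(b"original login binary\n")
    with open(changed, "wb") as f:
        f.write(b"original su binary\n")
    # Build the authoritative list while both files are still pristine.
    good_md5, good_size = md5_and_size(good)
    changed_md5, changed_size = md5_and_size(changed)
    text = "\n".join([
        f"{good_md5} {good_size} {good}",
        f"{changed_md5} {changed_size} {changed}",
        f"{'0' * 32} 1 {missing}",  # placeholder checksum for a file that is gone
    ])
    # Simulate a modification of the second file after the list was made.
    with open(changed, "ab") as f:
        f.write(b"appended bytes\n")
    return checksum_difference(text)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The authoritative list must live somewhere the monitored host cannot silently rewrite (PIKT distributes it from the master as Checksums.obj); a list stored beside the files it vouches for can be updated along with them and the check then reports nothing.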
This is just one program example. You could add rules, or write new scripts, for example to: review log files, report attempted break-ins, report and auto-fix improperly set file and directory ownerships and permissions, report suspicious user activity, monitor the timely application of security patches, find and report rootkits, report unexpected changes in the system configuration--the list goes on and on.
For more examples, see Samples.