Ctime Changes
In this example, we report changes in system file and directory ctimes.
The FileCtimeChange script might send an alert message like the following:
PIKT ALERT
Sat Mar 13 03:17:24 2004
cadiz
WARNING:
FileCtimeChange
Report ctime-changed files and subdirectories in system
directories that should be unchanging
/lib/security/pam_lastlog.so: ELF 32-bit LSB shared object, Intel 80386,
version 1 (SYSV), not stripped
-rwxr-xr-x 1 root root 11757 Mar 13 01:19 /lib/security/pam_lastlog.so
The script follows.
FileCtimeChange // this alarm does not consider /dev and other
// special directories; deal with those cans of worms
// in a separate alarm
init
status =piktstatus
level =piktlevel
task "Report ctime-changed files and subdirectories in system
directories that should be unchanging"
input proc "=find /bin /boot /etc /lib /opt /sbin /usr -ctime -1"
rule // skip, don't bother to report/log
if ( $inlin =~ "/tmp$"
|| $inlin =~ "/tmp/"
)
// && -d $inlin
next
endif
#ifndef paranoid
rule // skip, don't bother to report/log
if // $inlin =~ "log$" &&
$command("=file $inlin") =~~ "fifo|text|data|empty file|
directory"
next
endif
#endifdef
rule
set $filetype = $command("=file $inlin")
set $listing = $command("=lld -c $inlin")
output mail $filetype
output mail $listing
output mail =newline
#ifdef worried
=output_alarm_log($filetype)
=output_alarm_log($listing)
#endifdef
This is just one program example. You could add rules, or write new scripts, for example to report: ctime changes in system device files, and other critical files and directories.
For more examples, see Samples.
