Mtime Changes
In this example, we report changes in system file and directory mtimes.
The FileMtimeChange script might send an alert message like the following:
PIKT ALERT
Mon Dec 29 02:09:52 2003
sheffield
WARNING:
FileMtimeChange
Report mtime-changed files and subdirectories in system directories
-rwxr-xr-x 1 root root 52269 Dec 28 2003 /usr/sbin/iptables
-rwxr-xr-x 1 root root 56277 Dec 28 2003 /usr/sbin/iptables-restore
-rwxr-xr-x 1 root root 55793 Dec 28 2003 /usr/sbin/iptables-save
...
The script follows.
FileMtimeChange
init
status =piktstatus
level =piktlevel
task "Report mtime-changed files and subdirectories
in system directories"
input file "=objdir/DirsSystem.obj"
begin // first check integrity of the find command
set $findchksum = $checksum(5, "=find")
if #defined(%findchksum)
&& $findchksum ne %findchksum
output mail "=find has changed checksum to $findchksum,
was %findchksum"
// quit
endif
if =monday
set $mtime = "-3" // find files modified over
// the weekend (last 3 days)
else
set $mtime = "-2" // find files modified within
// the last two days
endif
rule
if -d $inlin
#ifndef paranoid
=outputproc(mail, "=find $inlin -mtime $mtime
-exec =lld {}
\\\\; | =egrep -iv 'log|\\\\.lock|\\\\.hst|
\\\\.tmp|pipe|fifo|\\\\.pid|/dev/|/var/spool|
/var/adm|/var/log|/var/run|/var/locks|/tmp|
/xfn|mgr/.in/|mgr/.out|mnttab|rmtab|dumpdates|
ntp\\\\.drift|binding|heartbeat|mailman|dfget|
/var/pikt|/proc/|/Cache/|diffing|staging|
.galeon|.gconf|.mozilla|\\\\.bak'")
#elsedef
=outputproc(mail, "=find $inlin -mtime $mtime
-exec =lld {} \\\\;")
#endifdef // paranoid
endif
This is just one program example. You could add rules, or write new scripts, for example to: report mtime changes in other critical files and directories, page systems administrators if especially critical files are reported to be changed, etc.
For more examples, see Samples.
