New Startup Scripts

In this example, we report newly appeared system startup scripts--a possible sign of hacker activity, since adding a startup script is a common way for an intruder to have a backdoor restarted at every boot.

The NewSystemStartupScript script might send an alert message like the following:

                                PIKT ALERT
                         Thu Feb 19 06:35:45 2004
                                  naples

URGENT:
    NewSystemStartupScript
        Report new system startup scripts

        /etc/init.d/rsysd
        /etc/init.d/rc1.d/S18rsysd
        /etc/init.d/rc2.d/S18rsysd
        /etc/init.d/rc3.d/S18rsysd
        /etc/init.d/rc4.d/S18rsysd
        /etc/init.d/rc5.d/S18rsysd

The script follows.

NewSystemStartupScript

        init
                status =piktstatus
                level =piktlevel
                task "Report new system startup scripts"
                # feed the script one input line per entry under /etc/init.d
                input proc "=find /etc/init.d -print"
                # field 1 of each input line is the path name
                dat $name 1
                # save history keyed on the path name
                keys $name

        rule
                set $state = "+"
                # %state is the $state saved under this key by the previous run;
                # a path seen for the first time has no saved value, so the
                # comparison succeeds and the whole input line is mailed
                if $state ne %state
                        output mail $inlin
                endif

        end
                set $state = "-"

This is just one program example.  You could add rules, or write new scripts, to report, for example, startup scripts that disappear, or changes in startup script size, ownership, or permissions.  For modified startup scripts, it would also be entirely possible to include a diff between the old and the new version directly in the alert message.
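The following is an added example, not PIKT code and not the script above: a plain POSIX shell implementation of the same baseline-and-compare idea, extended in the directions just listed.  It records path, mode, owner, size and checksum for every file and symlink under a watched tree, reports entries that are new ("+"), gone ("-") or changed ("!"), and appends a unified diff for any changed script whose previous copy it kept.  The interface `check WATCH_DIR STATE_DIR` and the state layout are assumptions of this example; WATCH_DIR would be /etc/init.d on the page, and STATE_DIR should be a root-owned directory an intruder cannot rewrite.  Like the PIKT script, the first run reports every entry as new.

```sh
#!/bin/sh
# startup_watch.sh: added example, not PIKT code and not the page's script.
# Keeps a baseline of a startup-script tree and reports entries that are new,
# gone, or changed in mode, owner, size or content, plus a unified diff for
# changed scripts. Assumed interface: check WATCH_DIR STATE_DIR, where
# WATCH_DIR is the tree to watch (/etc/init.d on the page) and STATE_DIR is a
# root-owned directory holding the baseline listing and copies of the files.
# Paths are assumed to contain no whitespace, as startup script names do not.

# One line per file or symlink: path mode owner size checksum.
# ls -ld fields 1/3/5 are mode/owner/size on both GNU and BSD; cksum is POSIX.
snapshot() {
    find "$1" \( -type f -o -type l \) -print | LC_ALL=C sort |
    while IFS= read -r f; do
        meta=$(ls -ld "$f" | awk '{print $1, $3, $5}')
        if [ -r "$f" ]; then
            sum=$(cksum < "$f" | awk '{print $1}')
        else
            sum=unreadable          # e.g. a dangling rcN.d symlink
        fi
        printf '%s %s %s\n' "$f" "$meta" "$sum"
    done
}

# Compare two snapshots and print, sorted: "+ path" for new entries,
# "- path" for removed ones, "! path (old -> new)" for changed ones.
compare() {
    awk -v base="$1" '
        FILENAME == base { old[$1] = $2 " " $3 " " $4 " " $5; next }
        {
            seen[$1] = 1
            if (!($1 in old)) { print "+ " $1; next }
            cur = $2 " " $3 " " $4 " " $5
            if (cur != old[$1]) print "! " $1 " (" old[$1] " -> " cur ")"
        }
        END { for (p in old) if (!(p in seen)) print "- " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# One monitoring cycle: report differences against the baseline, append a
# diff for each changed script whose old copy was kept, then rotate state.
# Like the PIKT script, the first run reports every entry as new.
check() {
    dir=$1; state=$2
    mkdir -p "$state/copies"
    [ -f "$state/baseline" ] || : > "$state/baseline"
    snapshot "$dir" > "$state/current"
    compare "$state/baseline" "$state/current" > "$state/report"
    for f in $(awk '/^! /{print $2}' "$state/report"); do
        if [ -f "$state/copies$f" ] && [ -f "$f" ]; then
            diff -u "$state/copies$f" "$f" >> "$state/report" || true
        fi
    done
    # Current listing becomes the baseline; refresh the kept copies.
    mv "$state/current" "$state/baseline"
    rm -rf "$state/copies"
    for f in $(awk '{print $1}' "$state/baseline"); do
        [ -f "$f" ] || continue
        mkdir -p "$state/copies$(dirname "$f")"
        cp "$f" "$state/copies$f"
    done
    cat "$state/report"
}
```

Run it from cron as root, for example `check /etc/init.d /var/lib/startup_watch | mail -s "startup script changes" root`, and an empty report produces no mail.  A dangling rcN.d symlink shows up as a content change to "unreadable" next to the "-" line for the script it pointed at, which is the usual trace of a removed service.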

For more examples, see Samples.

Page last updated 2019-01-12.
Copyright © 1998-2019 Robert Osterlund. All rights reserved.