New Startup Scripts
In this example, we report new system startup scripts, a possible sign of intruder activity (startup scripts are a common place to plant something that runs on every boot).
The NewSystemStartupScript script might send an alert message like the following:
    PIKT ALERT Thu Feb 19 06:35:45 2004
    naples URGENT:
    NewSystemStartupScript
    Report new system startup scripts
    /etc/init.d/rsysd
    /etc/init.d/rc1.d/S18rsysd
    /etc/init.d/rc2.d/S18rsysd
    /etc/init.d/rc3.d/S18rsysd
    /etc/init.d/rc4.d/S18rsysd
    /etc/init.d/rc5.d/S18rsysd
The script follows.
    NewSystemStartupScript
            init
                    status =piktstatus
                    level =piktlevel
                    task "Report new system startup scripts"
                    input proc "=find /etc/init.d -print"
                    dat $name 1
                    keys $name
            rule
                    set $state = "+"
                    if $state ne %state
                            output mail $inlin
                    endif
            end
                    set $state = "-"
This is just one program example. You could add rules, or write new scripts, to report for example: disappearing system startup files; changes in startup script file size, ownership, or permissions; and so on. In the case of modified startup scripts, it would be entirely possible also to report a diff between the old and the new version directly in the alert message.
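The following is an added example, not part of the PIKT distribution or this page's script: it implements the same baseline-and-compare idea as the NewSystemStartupScript rule above, extended as the previous paragraph suggests to also report disappeared scripts, size/ownership/permission changes, and a unified diff of edited scripts. The demo() function builds a constructed stand-in for /etc/init.d in a temporary directory (file names like rsysd and S18rsysd are taken from the sample alert; their contents are made up).

```python
import os, stat, hashlib, difflib, tempfile

def snapshot(root):
    """Record size, owner, group, mode and content of every file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            st = os.lstat(p)
            entry = {"size": st.st_size, "uid": st.st_uid, "gid": st.st_gid,
                     "mode": stat.S_IMODE(st.st_mode), "sha256": None, "text": ""}
            if stat.S_ISREG(st.st_mode):  # hash and keep text for regular files only
                with open(p, "rb") as f:
                    data = f.read()
                entry["sha256"] = hashlib.sha256(data).hexdigest()
                entry["text"] = data.decode("utf-8", "replace")
            snap[os.path.relpath(p, root)] = entry
    return snap

def compare(old, new):
    """Flag paths whose state changed between runs, with a unified diff for edits."""
    report = {"new": sorted(set(new) - set(old)),
              "disappeared": sorted(set(old) - set(new)), "changed": {}}
    for path in sorted(set(old) & set(new)):
        a, b = old[path], new[path]
        changes = {k: (a[k], b[k]) for k in ("size", "uid", "gid", "mode") if a[k] != b[k]}
        if a["sha256"] != b["sha256"]:
            changes["diff"] = "".join(difflib.unified_diff(
                a["text"].splitlines(True), b["text"].splitlines(True), "old/" + path, "new/" + path))
        if changes:
            report["changed"][path] = changes
    return report

def demo():
    """Constructed stand-in for /etc/init.d: baseline, then a changed tree, then compare."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "rc3.d"))
    def write(rel, text, mode=0o700):
        p = os.path.join(root, rel)
        with open(p, "w") as f:
            f.write(text)
        os.chmod(p, mode)
    write("sshd", "#!/bin/sh\nexec /usr/sbin/sshd\n")
    write("oldsvc", "#!/bin/sh\nexit 0\n")
    baseline = snapshot(root)
    # second run: a script appears, one disappears, one is edited and made world-writable
    write("rc3.d/S18rsysd", "#!/bin/sh\n/usr/local/sbin/rsysd\n")
    os.remove(os.path.join(root, "oldsvc"))
    write("sshd", "#!/bin/sh\nexec /usr/sbin/sshd\necho started\n", 0o777)
    return compare(baseline, snapshot(root))
```

In a real deployment the baseline snapshot would be persisted between runs (as PIKT does through its keyed state) rather than kept in memory as demo() does.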
For more examples, see Samples.