Sulog Scan
In this example, we do a sulog scan for signs of suspicious activity.
The SuLogScan script might send an alert message like the following:
PIKT ALERT
Fri Nov 9 02:41:50 2002
kiev
EMERGENCY:
SuLogScan
Scan the sulog for su-to-root by users other than sysadmins,
or authorized system owners
SU-TO-ROOT SUCCESS: SU 11/28 18:06 + pts/2 arthing-root
The script follows.
SuLogScan
        init
                status =piktstatus
                level =piktlevel
                task "Scan the sulog for su-to-root by users other than
                        sysadmins, or authorized system owners"
                input logfile "=sulog"
                dat $date 2
                dat $time 3
                dat $result 4
                dat $port 5
                dat $users 6

        begin
                // assume no crisis (yet)
                set #crisis = #false()

        rule    // find $user and $newuser
                set #i = #index($users, "-")
                set $user = $substr($users,1,#i-1)
                set $newuser = $substr($users,#i+1)

        rule    // su-to-root success
                if $newuser eq "root"
#ifndef paranoid
                && $user !~ "^(root|=sysadmins|mahler)$"
#if db
                && $user !~ "^(=dbadmins)$"
#endif
                && $user !~ "^(=sysowner)$"
#endifdef
                && $result eq "+"
                        set $msg = "SU-TO-ROOT SUCCESS: $inlin"
                        output mail $msg
                        =output_alarm_log($msg)
                        set #crisis = #true()
                endif

        end
                if #crisis
                        =page($msg, =pagesysadmins, ! =offhours(#now()))
                endif
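The same detection logic, written out in Python as an added example (this is not part of the PIKT script above, nor PIKT's own code). It parses sulog lines of the form "SU date time result port user-newuser" exactly as the script's dat statements and #index/$substr do, and applies the same rule: a successful su to root by anyone outside the exempt sets is an alert. The SYSADMINS, DBADMINS and SYSOWNER sets stand in for the =sysadmins, =dbadmins and =sysowner macros and are constructed, as are all the sample log lines except the one quoted in the alert above; the paranoid and db flags stand in for the #ifndef paranoid / #if db preprocessor conditions.

```python
from dataclasses import dataclass

# Constructed sample sulog (only the first line appears on the page).
# Format: "SU <date> <time> <+|-> <port> <user>-<newuser>"
SAMPLE_SULOG = """\
SU 11/28 18:06 + pts/2 arthing-root
SU 11/28 18:10 + pts/3 mahler-root
SU 11/28 18:12 - pts/4 arthing-root
SU 11/28 18:15 + pts/5 dba1-root
SU 11/28 18:20 + pts/6 arthing-oracle
SU 11/28 18:25 + pts/7 ownerx-root
"""

# Constructed stand-ins for the =sysadmins, =dbadmins and =sysowner macros.
SYSADMINS = {"mahler", "alice"}
DBADMINS = {"dba1"}
SYSOWNER = {"ownerx"}


@dataclass
class SuRecord:
    date: str
    time: str
    result: str      # "+" = su succeeded, "-" = su failed
    port: str
    user: str        # who ran su
    newuser: str     # target account
    raw: str         # the whole line, like $inlin in the script


def parse_sulog_line(line):
    """Split one sulog line into fields 2..6, then split the users field
    at its first '-' the way '#index($users, "-")' does. Returns None for
    lines that do not look like sulog records."""
    fields = line.split()
    if len(fields) != 6 or fields[0] != "SU":
        return None
    users = fields[5]
    i = users.find("-")          # first '-' only, as in the script
    if i < 1 or i == len(users) - 1:
        return None
    return SuRecord(fields[1], fields[2], fields[3], fields[4],
                    users[:i], users[i + 1:], line)


def is_exempt(user, paranoid=False, db=False):
    """Mirror of the conditional exemption block: under 'paranoid' nobody is
    exempt; otherwise root, the sysadmins and the system owner are, plus
    the db admins when the 'db' build flag is on."""
    if paranoid:
        return False
    exempt = {"root"} | SYSADMINS | SYSOWNER
    if db:
        exempt |= DBADMINS
    return user in exempt


def scan_sulog(text, paranoid=False, db=False):
    """Return the alert messages the script would mail and log, one per
    successful su-to-root by a non-exempt user."""
    alerts = []
    for line in text.splitlines():
        rec = parse_sulog_line(line)
        if rec is None:
            continue
        if (rec.newuser == "root" and rec.result == "+"
                and not is_exempt(rec.user, paranoid, db)):
            alerts.append(f"SU-TO-ROOT SUCCESS: {rec.raw}")
    return alerts


if __name__ == "__main__":
    alerts = scan_sulog(SAMPLE_SULOG, db=False)
    for a in alerts:
        print(a)
    # #crisis is simply "any alert was raised"
    print("crisis:", bool(alerts))
```

Running it on the constructed sample flags arthing-root and dba1-root; with db=True the dba1 entry is exempt, and with paranoid=True every successful su to root is reported. Note that, like the script, the parser splits the users field at the first hyphen, so an account name that itself contains a hyphen will be split in the wrong place; if your site allows such names, split on a field separator the sulog format guarantees instead.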
This is just one program example. You could add rules, or write new scripts, to report su-to-root failures, su-to-other failures, and so on. You could also add rules to page the system administrators.
For more examples, see Samples.