Wtmp Changes

In this example, we report suspicious wtmp changes.  The wtmp file is the system's login history (the record behind the last command), so an intruder covering tracks will typically truncate it or loosen its permissions so that it can be edited later; both are events worth an immediate alert.

The WtmpChange script might send an alert message like the following:

                                PIKT ALERT
                         Fri Aug 22 08:56:31 2003
                                 athens2

CRITICAL:
    WtmpChange
        Report suspicious wtmp changes

        wtmp changed access, was -rw-rw-r--, is now -rw-rw-rw-!
        wtmp has shrunk in size, was 238464 bytes, is now 1169 bytes!

The script follows.  It runs =ll (ls -l) on =wtmp and keys the result on the file name.  Each rule compares a field from the current run ($access, $owner, $group, #size) with the value recorded on the previous run (%access, %owner, %group, %size); the #defined() tests skip the comparison on the very first run, when no history exists yet.  Only a shrinking file is reported, since wtmp legitimately grows with every login and logout.

WtmpChange

        init
                status =piktstatus
                level =piktlevel
                task "Report suspicious wtmp changes"
                input proc "=ll =wtmp"
                =lldata
                keys $name

        rule    // file not found
                if ! -e $name
                        output mail "=wtmp not found!"
                        quit
                fi

        rule    // changed access
                if    #defined(%access)
                   && $access ne %access
                        output mail "=wtmp changed access, was %access,
                                     is now $access!"
                fi

        rule    // changed owner
                if    #defined(%owner)
                   && $owner ne %owner
                        output mail "=wtmp changed owner, was %owner,
                                     is now $owner!"
                fi

        rule    // changed group
                if    #defined(%group)
                   && $group ne %group
                        output mail "=wtmp changed group, was %group,
                                     is now $group!"
                fi

        rule    // shrunk
                if    #defined(%size)
                   && #size < %size
                        output mail "=wtmp has shrunk in size,
                                     was $text(%size) bytes,
                                     is now $text(#size) bytes!"
                fi

This is just one program example.  You could add rules, or write new scripts, to report unexpected changes in, for example, the wtmpx file, or other critical system files such as /etc/passwd.  Note that this script watches only the ls -l fields; a change to the file's contents that leaves mode, owner, group, and size unchanged will not be noticed, so for files that should never change at all, add a rule that compares a checksum as well.
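The same comparison logic, as an added example in Python that is not part of the PIKT distribution or of this sample script.  It parses two runs of ls -l output (constructed here inline to reproduce the alert shown above), keeps the previous run's fields per file name as PIKT's keyed history does, and emits the same messages for a changed mode, owner or group, a shrunken file, and a file that has disappeared.  It also generalizes the script to a list of watched files, as the paragraph above suggests; the file list, the sample ls -l lines and the function names are assumptions of this example.

```python
"""Detect suspicious changes to wtmp (or any watched file) from two ls -l runs.

Added example; not PIKT code.  In a real deployment the "previous" text would
be loaded from a state file written on the last run and the "current" text
would come from `ls -l` via subprocess; both are embedded here so it runs offline.
"""
from typing import Dict, List, Optional

# Constructed sample ls -l output for two successive runs.  The previous run
# saw wtmp at 238464 bytes with mode -rw-rw-r--; the current run sees it
# world-writable and truncated to 1169 bytes, matching the alert on this page.
PREVIOUS_RUN = """\
-rw-rw-r-- 1 root utmp 238464 Aug 21 23:59 /var/log/wtmp
-rw-r--r-- 1 root root   3120 Aug 10 09:12 /etc/passwd
"""
CURRENT_RUN = """\
-rw-rw-rw- 1 root utmp   1169 Aug 22 08:55 /var/log/wtmp
-rw-r--r-- 1 root root   3120 Aug 10 09:12 /etc/passwd
"""

# Assumed list of files to watch; PIKT would get these from =wtmp-style macros.
WATCHED_FILES = ("/var/log/wtmp",)


def parse_ll(text: str) -> Dict[str, Dict[str, str]]:
    """Parse ls -l lines into {name: {access, owner, group, size}}.

    Keying on the file name mirrors `keys $name` in the PIKT script, so the
    previous run's values can be looked up per file.
    """
    files: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        # mode links owner group size month day time name (name may contain spaces)
        parts = line.split(None, 8)
        if len(parts) != 9:
            continue
        access, _links, owner, group, size, _mon, _day, _time, name = parts
        files[name] = {"access": access, "owner": owner, "group": group, "size": size}
    return files


def check_file(name: str,
               prev: Optional[Dict[str, str]],
               cur: Optional[Dict[str, str]]) -> List[str]:
    """Apply the WtmpChange rules to one file and return the alert lines."""
    if cur is None:
        # rule: file not found (the script quits here; we just report it)
        return [f"{name} not found!"]
    if prev is None:
        # First run: no history, like every #defined(%field) test failing.
        return []
    alerts: List[str] = []
    # rules: changed access / owner / group
    for field in ("access", "owner", "group"):
        if cur[field] != prev[field]:
            alerts.append(
                f"{name} changed {field}, was {prev[field]}, is now {cur[field]}!")
    # rule: shrunk.  Growth is normal for wtmp and is deliberately not reported.
    if int(cur["size"]) < int(prev["size"]):
        alerts.append(
            f"{name} has shrunk in size, was {prev['size']} bytes, "
            f"is now {cur['size']} bytes!")
    return alerts


def wtmp_change(prev_text: str, cur_text: str,
                watched=WATCHED_FILES) -> List[str]:
    """Compare two ls -l runs and return all alerts for the watched files."""
    prev = parse_ll(prev_text)
    cur = parse_ll(cur_text)
    alerts: List[str] = []
    for name in watched:
        alerts.extend(check_file(name, prev.get(name), cur.get(name)))
    return alerts


if __name__ == "__main__":
    for line in wtmp_change(PREVIOUS_RUN, CURRENT_RUN):
        print(line)
```

Run as shown, the block prints the two lines of the alert reproduced above.  Because the state is keyed on the name from ls -l, adding /etc/passwd or wtmpx to WATCHED_FILES is enough to extend the check, and a file that vanishes between runs is reported rather than silently dropped.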

For more examples, see Samples.

Page last updated 2019-01-12.
Copyright © 1998-2019 Robert Osterlund. All rights reserved.