Wtmp Changes
In this example, we report suspicious wtmp changes.
The WtmpChange script might send an alert message like the following:
PIKT ALERT
Fri Aug 22 08:56:31 2003
athens2
CRITICAL:
WtmpChange
Report suspicious wtmp changes
wtmp changed access, was -rw-rw-r--, is now -rw-rw-rw-!
wtmp has shrunk in size, was 238464 bytes, is now 1169 bytes!
The script follows.
WtmpChange
    init
        status =piktstatus
        level =piktlevel
        task "Report suspicious wtmp changes"
        input proc "=ll =wtmp"
            =lldata
        keys $name
    rule    // file not found
        if ! -e $name
            output mail "=wtmp not found!"
            quit
        fi
    rule    // changed access
        if #defined(%access)
        && $access ne %access
            output mail "=wtmp changed access, was %access,
                is now $access!"
        fi
    rule    // changed owner
        if #defined(%owner)
        && $owner ne %owner
            output mail "=wtmp changed owner, was %owner,
                is now $owner!"
        fi
    rule    // changed group
        if #defined(%group)
        && $group ne %group
            output mail "=wtmp changed group, was %group,
                is now $group!"
        fi
    rule    // shrunk
        if #defined(%size)
        && #size < %size
            output mail "=wtmp has shrunk in size,
                was $text(%size) bytes,
                is now $text(#size) bytes!"
        fi
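The same checks outside PIKT, as an added example that is not part of this page or of the PIKT distribution: a Python script that records the mode, owner, group and size of wtmp in a state file and, on the next run, raises the four alerts the WtmpChange script raises (the %access, %owner, %group and %size values in the PIKT script are the ones saved from the previous run, which the state file stands in for here). The state-file path, the extra inode comparison, and the constructed demo file are assumptions for illustration, not anything the page describes.

```python
import json
import os
import stat
import tempfile

# Path monitored in the text; the state file location is an assumption for
# this example (PIKT stores the previous-run %values itself).
WTMP = "/var/log/wtmp"
STATE_FILE = "/var/lib/wtmpcheck/wtmp.state"


def snapshot(path):
    """Watched attributes of path, or None if it does not exist."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return {
        "access": stat.filemode(st.st_mode),  # e.g. '-rw-rw-r--'
        "owner": st.st_uid,
        "group": st.st_gid,
        "size": st.st_size,
        # Added beyond the PIKT rules: a log rotation that recreates the file
        # yields a new inode; an in-place truncation ('> wtmp', truncate,
        # log wipers) keeps the old one.
        "inode": st.st_ino,
    }


def check(path, previous):
    """Compare path's current state with the previous snapshot (None on the
    first run) and return the alert lines, empty when nothing changed."""
    current = snapshot(path)
    if current is None:
        return [f"{path} not found!"]
    if previous is None:
        return []  # first run: nothing to compare against yet
    alerts = []
    for field in ("access", "owner", "group"):
        if current[field] != previous[field]:
            alerts.append(f"{path} changed {field}, was {previous[field]}, "
                          f"is now {current[field]}!")
    if current["size"] < previous["size"]:
        if current["inode"] == previous["inode"]:
            alerts.append(f"{path} has shrunk in size, was {previous['size']} "
                          f"bytes, is now {current['size']} bytes!")
        else:
            alerts.append(f"{path} was replaced (inode {previous['inode']} -> "
                          f"{current['inode']}) and is smaller, was "
                          f"{previous['size']} bytes, is now {current['size']} "
                          f"bytes; confirm a rotation was scheduled!")
    return alerts


def load_state(state_file):
    """Previous snapshot from the state file, or None if there is none yet."""
    try:
        with open(state_file) as f:
            return json.load(f)
    except FileNotFoundError:
        return None


def save_state(state_file, snap):
    with open(state_file, "w") as f:
        json.dump(snap, f)


def run_once(path=WTMP, state_file=STATE_FILE):
    """One monitoring pass: compare, then record the state for the next run."""
    alerts = check(path, load_state(state_file))
    save_state(state_file, snapshot(path))
    return alerts


def demo():
    """Constructed scenario reproducing the alert on the page: a fake wtmp of
    238464 bytes is made world-writable and truncated to 1169 bytes."""
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "wtmp")
        state = os.path.join(d, "wtmp.state")
        with open(fake, "wb") as f:
            f.write(b"\0" * 238464)
        os.chmod(fake, 0o664)
        baseline = run_once(fake, state)  # establishes the previous values
        os.chmod(fake, 0o666)
        os.truncate(fake, 1169)
        return baseline, run_once(fake, state)


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Run it from cron at the same interval as the PIKT script and mail whatever `run_once` returns. Two caveats apply to both versions: wtmp legitimately shrinks when logrotate rotates it (the inode comparison above is how this example tells a recreated file from an in-place truncation, which a log wiper produces), and neither check notices an attacker who edits individual records without changing the file's size or mode, so treat these rules as a cheap early warning, not as proof of integrity.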
This is just one program example. You could add rules, or write new scripts, for example to report unexpected changes in the wtmpx file or in other critical system files.
For more examples, see Samples.