Wtmp Changes
In this example, we report suspicious wtmp changes.
The WtmpChange script might send an alert message like the following:
PIKT ALERT Fri Aug 22 08:56:31 2003 athens2
CRITICAL: WtmpChange
Report suspicious wtmp changes
wtmp changed access, was -rw-rw-r--, is now -rw-rw-rw-!
wtmp has shrunk in size, was 238464 bytes, is now 1169 bytes!
The script follows.
WtmpChange
    init
        status =piktstatus
        level =piktlevel
        task "Report suspicious wtmp changes"
        input proc "=ll =wtmp"
        =lldata
        keys $name
    rule    // file not found
        if ! -e $name
            output mail "=wtmp not found!"
            quit
        fi
    rule    // changed access
        if #defined(%access) && $access ne %access
            output mail "=wtmp changed access, was %access, is now $access!"
        fi
    rule    // changed owner
        if #defined(%owner) && $owner ne %owner
            output mail "=wtmp changed owner, was %owner, is now $owner!"
        fi
    rule    // changed group
        if #defined(%group) && $group ne %group
            output mail "=wtmp changed group, was %group, is now $group!"
        fi
    rule    // shrunk
        if #defined(%size) && #size < %size
            output mail "=wtmp has shrunk in size, was $text(%size) bytes, is now $text(#size) bytes!"
        fi
This is just one program example. You could add rules, or write new scripts, to report unexpected changes in the wtmpx file, for example, or in other critical system files.
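The same checks written out in Python, as an added illustration that is not part of PIKT or of the page's script: it parses the kind of ls -l line the "=ll =wtmp" input feeds the script, compares the current fields against those recorded on the previous run (what the %access, %owner, %group and %size history values hold), and returns the alert lines. The two ls -l lines are constructed sample input chosen to reproduce the alert shown above.

```python
import re
from typing import Optional

# Constructed sample input standing in for two successive runs of "ls -l wtmp"
# (the PIKT script obtains the same fields via its "=ll =wtmp" input proc).
PREV_LL = "-rw-rw-r-- 1 root utmp 238464 Aug 21 23:59 /var/log/wtmp"
CUR_LL = "-rw-rw-rw- 1 root utmp 1169 Aug 22 08:56 /var/log/wtmp"

# perms, link count, owner, group, size, month, day, time-or-year, name
LL_RE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)\s+\S+\s+\S+\s+\S+\s+(.+)$")


def parse_ll(line: str) -> Optional[dict]:
    """Split one ls -l line into the fields the =lldata macro exposes:
    $access, $owner, $group, #size and $name. Returns None when the line
    is not ls -l output (for instance when the file is missing)."""
    m = LL_RE.match(line)
    if not m:
        return None
    return {"access": m.group(1), "owner": m.group(2), "group": m.group(3),
            "size": int(m.group(4)), "name": m.group(5)}


def wtmp_changes(prev: Optional[dict], cur: Optional[dict], wtmp: str = "wtmp") -> list:
    """Apply the WtmpChange rules: prev holds the attributes recorded on the
    previous run (the % history values), cur the ones just observed.
    Returns the alert lines; an empty list means nothing suspicious."""
    if cur is None:
        return [f"{wtmp} not found!"]
    alerts = []
    if prev is None:  # first run: no history, like #defined(%x) being false
        return alerts
    for field in ("access", "owner", "group"):
        if prev[field] != cur[field]:
            alerts.append(f"{wtmp} changed {field}, was {prev[field]}, is now {cur[field]}!")
    # A shrinking wtmp means login records were removed, not merely rotated away.
    if cur["size"] < prev["size"]:
        alerts.append(f"{wtmp} has shrunk in size, was {prev['size']} bytes, "
                      f"is now {cur['size']} bytes!")
    return alerts


if __name__ == "__main__":
    for line in wtmp_changes(parse_ll(PREV_LL), parse_ll(CUR_LL)):
        print("CRITICAL:", line)
```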
For more examples, see Samples.