System File Permissions & Owners Changes

In this example, we report and undo unauthorized and/or unexpected system file permissions and owners changes.  Such changes might be due to innocent sysadmin activity, malicious hacker actions, or some automated process or other glitch changing ownerships and permissions in unexpected ways.

The FilesSystemPermissionsOwnersChanges script might send an alert message like the following:

                                PIKT ALERT
                         Wed Sep 20 19:02:29 2006
                                  rouen

CRITICAL:
    FilesSystemPermissionsOwnersChanges
        Report unauthorized and/or unexpected permissions & ownerships changes
        of system files

        /etc/passwd mode 100666 is wrong, changed to 644
        /etc/group mode 100666 is wrong, changed to 644
        ...
        /etc/shadow uid 500 is wrong, changed to 0
        /etc/shadow gid 500 is wrong, changed to 0
        ...

The script follows.

FilesSystemPermissionsOwnersChanges

        init
                status =piktstatus
                level =piktlevel
                task "Report unauthorized and/or unexpected permissions & ownerships
                      changes of system files"
                input file "=files_system_obj"
                dat $fil 1
// not needed   dat $prm 2
                dat $mod 3
                dat #uid 4
                dat #gid 5
// not needed   dat $own 6
// not needed   dat $grp 7
#ifdef verbose
                keys $fil
#endifdef

        rule    // report nonexistence elsewhere
                if ! -e $fil
                        next
                endif

        rule    // stat the file
                set $filmode = $filemode($fil)
                set #filuid = #fileuid($fil)
                set #filgid = #filegid($fil)

        rule    // compare modes
                if $filmode !~ $mod
                        =execwait "=chmod $mod $fil"
#ifdef quiet
                        output syslog "$fil mode $filmode is wrong,
                                       changed to $mod"
#elsifdef verbose
                        output mail "$fil mode $filmode is wrong" .
                                    $if(#defined(%filmode), " (was %filmode),", ",") .
                                    " changed to $mod"
#elsedef
                        output mail "$fil mode $filmode is wrong,
                                     changed to $mod"
#endifdef
                endif

        rule    // compare uids
                if #filuid != #uid
                        =execwait "=chown $text(#uid) $fil"
#ifdef quiet
                        output syslog "$fil uid $text(#filuid) is wrong,
                                       changed to $text(#uid)"
#elsifdef verbose
                        output mail "$fil uid $text(#filuid) is wrong" .
                                    $if(#defined(%filuid), " (was $text(%filuid)),", ",") .
                                    " changed to $text(#uid)"
#elsedef
                        output mail "$fil uid $text(#filuid) is wrong,
                                     changed to $text(#uid)"
#endifdef
                endif

        rule    // compare gids
                if #filgid != #gid
                        =execwait "=chgrp $text(#gid) $fil"
#ifdef quiet
                        output syslog "$fil gid $text(#filgid) is wrong,
                                       changed to $text(#gid)"
#elsifdef verbose
                        output mail "$fil gid $text(#filgid) is wrong" .
                                    $if(#defined(%filgid), " (was $text(%filgid)),", ",") .
                                    " changed to $text(#gid)"
#elsedef
                        output mail "$fil gid $text(#filgid) is wrong,
                                     changed to $text(#gid)"
#endifdef
                endif

#ifdef debug
        rule
                if #innum() == 20
                        quit
                endif
#endifdef

FilesSystemPermissionsOwnersChanges refers to the =files_system_obj macro, which resolves to the file FilesSystem.obj.  A typical line from that file would be

/etc/passwd -rw-r--r-- 644 0 0 root root

Note how, if we install this script in quiet mode, we silently log the chowns and chmods to syslog.  Otherwise, in verbose (or default) mode, we send alert e-mail.

If we install this script with the define doexec set to FALSE, =execwait (see exec_process_macros.cfg) resolves to 'output mail'.  Otherwise, with doexec set to TRUE, =execwait resolves to 'exec wait'.  By means of this PIKT define, we can control whether the FilesSystemPermissionsOwnersChanges script actually undoes changes or instead just reports PIKT's intent to undo them.  Until you are comfortable with your setup (the script, including any special rules you might add, together with its tweaked objects files), you might prefer to run this in doexec FALSE mode and report only.  (It can be quite maddening for Pikt scripts to persist in undoing legitimate changes, so be careful before having PIKT apply auto-fixes.)
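The same check, written here in Python as an added example (this is not PIKT's code and not part of the sample above): it reads baseline lines in the layout of the FilesSystem.obj line shown above, stats each listed file, reports mode/uid/gid deviations in the wording of the sample alert, and applies chmod/chown only when a doexec flag is set, mirroring the doexec define.  Two assumptions are made explicit in the code: only the permission bits are compared (stat.S_IMODE), whereas the PIKT $filemode() in the alert above carries the full st_mode with file-type bits (100666), and the baseline is whitespace-separated, so paths containing whitespace cannot be expressed, exactly as with the script's column-based dat lines.  The sample baseline and the scratch file used by demo() are constructed for the example.

```python
"""Added example, not PIKT's own code: verify files against a baseline of
expected mode/uid/gid, report deviations, and repair them only on request.

Baseline lines follow the FilesSystem.obj layout quoted on the page:
    <path> <ls-style perms> <octal mode> <uid> <gid> <owner> <group>
Only fields 1, 3, 4 and 5 are used, as in the script's `dat` lines.
"""
import os
import stat
import tempfile

# Constructed sample baseline in the page's layout (values are illustrative).
SAMPLE_BASELINE = """\
/etc/passwd -rw-r--r-- 644 0 0 root root
/etc/group  -rw-r--r-- 644 0 0 root root
/etc/shadow -r-------- 400 0 0 root root
"""


def parse_baseline(text):
    """Return {path: (mode, uid, gid)}. Paths with whitespace are not
    representable in this column layout (same limitation as the PIKT file)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed baseline line: {line!r}")
        path, _perms, mode, uid, gid = fields[:5]
        entries[path] = (int(mode, 8), int(uid), int(gid))
    return entries


def find_deviations(entries):
    """Return [(path, attribute, actual, expected)] for files that exist.
    Missing files are skipped: the PIKT script reports nonexistence elsewhere."""
    deviations = []
    for path, (mode, uid, gid) in entries.items():
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        # Assumption: compare permission bits only; PIKT's $filemode() shows
        # the full st_mode (e.g. 100666), which also encodes the file type.
        actual_mode = stat.S_IMODE(st.st_mode)
        if actual_mode != mode:
            deviations.append((path, "mode", f"{actual_mode:o}", f"{mode:o}"))
        if st.st_uid != uid:
            deviations.append((path, "uid", st.st_uid, uid))
        if st.st_gid != gid:
            deviations.append((path, "gid", st.st_gid, gid))
    return deviations


def repair(deviations, doexec=False):
    """Mirror the doexec define: with doexec=False only build the alert
    lines (report-only mode); with doexec=True also apply the fix."""
    messages = []
    for path, attr, actual, expected in deviations:
        messages.append(f"{path} {attr} {actual} is wrong, changed to {expected}")
        if not doexec:
            continue
        if attr == "mode":
            os.chmod(path, int(expected, 8))
        elif attr == "uid":
            os.chown(path, expected, -1)   # -1 leaves the group untouched
        elif attr == "gid":
            os.chown(path, -1, expected)   # -1 leaves the owner untouched
    return messages


def demo():
    """Constructed walkthrough: a scratch file left world-writable (666) where
    the baseline says 644. Returns (report-only run, doexec run, re-check)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "passwd")
        with open(target, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        os.chmod(target, 0o666)
        # Owner/group are set to the current ids so only the mode deviates.
        baseline = parse_baseline(
            f"{target} -rw-r--r-- 644 {os.getuid()} {os.getgid()} owner group\n"
            f"{tmp}/missing -rw-r--r-- 644 0 0 root root\n")
        report_only = repair(find_deviations(baseline), doexec=False)
        assert stat.S_IMODE(os.stat(target).st_mode) == 0o666  # untouched so far
        fixed = repair(find_deviations(baseline), doexec=True)
        after = repair(find_deviations(baseline), doexec=False)
        return report_only, fixed, after


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Run report-only (doexec=False) until the baseline is trusted, as the page advises; the messages it returns are the same ones a doexec run emits, so the output can be reviewed before any chmod or chown is applied.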

Here is a generalized script macro version of this script, and one written in a more "modern" PIKT style (versions 1.19.0 and later).

This is just one program example.  You might also write scripts to monitor system directory permissions and ownerships (for example, dirs_system_permissions_owners_changes_alarms.cfg) or other file or directory stats.

For more examples, see Samples.

 
Page last updated 2019-01-12.
Copyright © 1998-2019 Robert Osterlund. All rights reserved.