Checksum Differences

In this example, we report checksum differences for certain critical system files.

The ChecksumDifference script might send an alert message like the following:

                                PIKT ALERT
                         Sat Oct  6 14:31:05 2002
                                 cologne

CRITICAL:
    ChecksumDifference
        Report checksum differences for certain critical system files.

        /usr/sbin/login checksums differ!
            auth:   63605c254a6a9928b8075963c951dbbf 29144 /usr/sbin/login
            actual: 938a4ca4a6dd7b8665faa4cde6a83f73 29356 /usr/sbin/login

ChecksumDifference makes reference to the =checksums_obj macro, which resolves to the name of the Checksums.obj file. The script follows.

ChecksumDifference

        init
                status =piktstatus
                level =piktlevel
                task "Report checksum differences for critical system files."
                input file "=checksums_obj"
                // dat $csauth 1        // not used
                // dat $szauth 2        // not used
                dat $name   3

        rule
                if ! -e $name
                        output mail "$name not found!"
                else
                        set $actual = $checksum(5, $name)      // MD5 checksum
                        if $inlin ne $actual
                                output mail "$name checksums differ!"
                                output mail "    auth:   $inlin"
                                output mail "    actual: $actual"
                        fi
                endif

This is just one program example. You could add rules, or write new scripts, for example to: review log files, report attempted break-ins, report and auto-fix improperly set file and directory ownerships and permissions, report suspicious user activity, monitor the timely application of security patches, find and report rootkits, report unexpected changes in the system configuration--the list goes on and on.

For more examples, see Samples.