Sulog Scan

In this example, we scan the sulog, the log of su attempts, for signs of suspicious activity: successful su to root by anyone other than a systems administrator or an authorized system owner.

The SuLogScan script might send an alert message like the following:

                                PIKT ALERT
                         Fri Nov  9 02:41:50 2002
                                  kiev

EMERGENCY:
    SuLogScan
        Scan the sulog for su-to-root by users other than sysadmins,
          or authorized system owners

        SU-TO-ROOT SUCCESS: SU 11/28 18:06 + pts/2 arthing-root

The script follows.

SuLogScan

        init
                status =piktstatus
                level =piktlevel
                task "Scan the sulog for su-to-root by users other than
                      sysadmins, or authorized system owners"
                input logfile "=sulog"
                dat $date   2
                dat $time   3
                dat $result 4
                dat $port   5
                dat $users  6

        begin
                // assume no crisis (yet)
                set #crisis = #false()

        rule    // find $user and $newuser
                set #i = #index($users, "-")
                set $user = $substr($users,1,#i-1)
                set $newuser = $substr($users,#i+1)

        rule    // su-to-root success
                if    $newuser eq "root"
#  ifndef paranoid
                   && $user !~ "^(root|=sysadmins|mahler)$"
#    if db
                   && $user !~ "^(=dbadmins)$"
#    endif
                   && $user !~ "^(=sysowner)$"
#  endifdef
                   && $result eq "+"
                        set $msg = "SU-TO-ROOT SUCCESS: $inlin"
                        output mail $msg
                        =output_alarm_log($msg)
                        set #crisis = #true()
                endif

        end
                if #crisis
                        =page($msg, =pagesysadmins, ! =offhours(#now()))
                endif

This is just one program example.  You could add rules, or write new scripts, to report other events, for example su-to-root failures or su-to-other failures.  You could also add rules to page the systems administrators under other conditions, and so on.
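The following is an added example, not code from the PIKT distribution, that carries out the same scan in Python over a handful of constructed sulog lines.  It reproduces the script's field layout (date, time, result, port, from-to users), its authorized-user check (the sets SYSADMINS and SYSOWNERS below are hypothetical stand-ins for the =sysadmins and =sysowner macros), and adds the su-to-root failure rule suggested above.  One caveat it also shows: the script's #index($users, "-") splits the from-to field at the first dash, so a login name that itself contains a dash is mis-parsed and an su to root by such a user would be missed; splitting at the last dash instead handles that case.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical stand-ins for the PIKT macros =sysadmins and =sysowner.
SYSADMINS = {"root", "mahler"}
SYSOWNERS = {"haydn"}

# Constructed sample sulog lines (not from a real system), in the
# "SU mm/dd hh:mm +/- tty from-to" layout the PIKT script parses.
SAMPLE_SULOG = """\
SU 11/28 18:06 + pts/2 arthing-root
SU 11/28 18:07 + pts/3 mahler-root
SU 11/28 18:09 - pts/4 arthing-root
SU 11/28 18:10 + pts/5 root-postgres
SU 11/28 18:12 - pts/6 arthing-postgres
SU 11/28 18:15 + pts/7 jo-bloggs-root
"""

# Fields 2..6 of the script: $date $time $result $port $users
SULOG_RE = re.compile(r"^SU\s+(\S+)\s+(\S+)\s+([+-])\s+(\S+)\s+(\S+)\s*$")


@dataclass
class SuEvent:
    date: str
    time: str
    success: bool      # "+" in the result field
    port: str
    user: str          # who ran su
    newuser: str       # who they became (or tried to become)
    raw: str           # the original line, for the alert text


def parse_sulog_line(line: str) -> Optional[SuEvent]:
    """Return an SuEvent for a well-formed sulog line, else None."""
    m = SULOG_RE.match(line)
    if not m:
        return None
    date, time, result, port, users = m.groups()
    # The PIKT script splits $users at the FIRST dash, so "jo-bloggs-root"
    # becomes user "jo", newuser "bloggs-root" and is never matched against
    # "root".  Splitting at the LAST dash keeps the target user intact,
    # which is what a su-to-root scan needs.
    user, _, newuser = users.rpartition("-")
    if not user or not newuser:
        return None
    return SuEvent(date, time, result == "+", port, user, newuser, line.rstrip("\n"))


def scan_sulog(text: str, sysadmins=SYSADMINS, sysowners=SYSOWNERS) -> List[str]:
    """Apply the script's su-to-root rule plus a failure rule; return alert lines."""
    authorized = set(sysadmins) | set(sysowners)
    alerts = []
    for line in text.splitlines():
        ev = parse_sulog_line(line)
        if ev is None or ev.newuser != "root":
            continue                      # malformed, or not an su to root
        if ev.success and ev.user not in authorized:
            alerts.append(f"SU-TO-ROOT SUCCESS: {ev.raw}")
        elif not ev.success:
            # Failed attempts are worth reporting from anyone: a cluster of
            # them is the usual sign of password guessing.
            alerts.append(f"SU-TO-ROOT FAILURE: {ev.raw}")
    return alerts


if __name__ == "__main__":
    for alert in scan_sulog(SAMPLE_SULOG):
        print(alert)
```

Run against the constructed lines, the scan reports the two successful su-to-root events by non-administrators (arthing, and the dashed login jo-bloggs) and the one failure, while ignoring mahler's authorized su and the su-to-postgres entries.  The equivalent of the script's #crisis flag is simply a non-empty alert list, which is where a paging call would hang.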

For more examples, see Samples.

Page last updated 2019-01-12.
Copyright © 1998-2019 Robert Osterlund. All rights reserved.