
Poor man's intrusion notification system - Request for Comments

cron: -----------------------------

# 03:00 daily: refresh rkhunter's data files (the collector's own
# "/usr/bin/rkhunter --update" entry is commented out in favour of this one)
0 3 * * * /usr/bin/rkhunter --update

# every 2 h on the hour: snapshot host state into /data; the 08:00 run also
# adds the df / yum checks (see the $Hour == 8 branch in collector.pl)
0 */2 * * * /usr/local/sbin/collector.pl

# hourly at :20: diff /etc and /data against the previous copies under
# /home/backup, mail any change, then refresh those copies
20 * * * * /usr/local/sbin/ids.sh

# 03:30 daily: tar /home/backup and mail the archive off-box
30 3 * * * /usr/local/sbin/backup.sh

[collector.pl] -----------------------------

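#!/usr/bin/perl -w
# collector.pl -- snapshot a set of host-state checks into files under /data.
#
# Each entry of %Cmds maps an output file name (relative to /data) to a shell
# command; the command's standard output replaces that file.  ids.sh later
# diffs /data against its previous copy under /home/backup/files, so every
# output line that differs between runs is reported as a "Config Change".

use strict;
use warnings;

my %Cmds;    # output file => shell command producing it

my $host       = 'XXXXX';      # handed to run_command; informational only, checks run locally
my $user       = "root";       # not referenced below; commands run as the cron user
my $externalip = "X.X.X.X";    # address the nmap self-scan is aimed at

# Every output file is a relative path.  If the chdir failed silently the
# snapshots would land in cron's working directory and ids.sh would diff
# against stale files, so refuse to continue instead.
chdir "/data" or die "collector: chdir /data: $!";

# Binaries whose checksums are tracked from run to run.
my @md5files = qw(/bin/login
                  /usr/bin/passwd
                  /bin/ps);

my ($Second, $Minute, $Hour, $Day, $Month, $Year, $WeekDay, $DayOfYear, $IsDST) = localtime(time);

# Noisier checks only on the 08:00 pass of the every-two-hours schedule.
if ($Hour == 8) {
    $Cmds{'disk.usage'} = "df -lk";
    $Cmds{'packages'}   = "yum check-update";
}

$Cmds{'md5sigs'}   = "md5sum @md5files";
# '-perm +6000' (setuid or setgid) is the older GNU find spelling; newer
# findutils releases prefer '-perm /6000' -- verify on this host before
# changing, since the output file is what ids.sh compares against.
$Cmds{'suidfiles'} = "find / ! -wholename '/proc*' -type f -perm +6000 |xargs ls -l";
$Cmds{'cron.root'} = "crontab -l -u root";
# Self-scan; the 'Starting'/'Nmap done' lines presumably carry timestamps
# and would otherwise differ on every run.
$Cmds{'nmap'}      = "nmap -sS $externalip | egrep -v '^(Nmap|Starting)'";
#$Cmds{'chkroot'}   = "/usr/bin/chkrootkit";
#$Cmds{'/dev/null'} = "updatedb";
#$Cmds{'/dev/null'} = "/usr/bin/rkhunter --update";    # run from cron instead
$Cmds{'rootkithunt'} = "/usr/bin/rkhunter -c --no-mail-on-warning --rwo --noappend-log --sk --nocolors";
#$Cmds{'iptables'}  = "/sbin/iptables --list";
$Cmds{'listening'} = "netstat -utan | grep -i listen";
#$Cmds{'rootkithunt'} = "cat /var/log/rkhunter/rkhunter.log";

### main loop ###
for my $file (keys %Cmds) {
    my $cmd = $Cmds{$file};
    # Run the command on this machine (whatever $host says) and write its
    # output to $file.  run_command reports a non-zero exit on STDERR so a
    # check that stopped working does not just vanish from the comparison.
    run_command($cmd, $file, $host);
}

exit 0;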

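# run_command($cmd, $file, $host)
#
# Run $cmd through the shell and replace $file with its standard output.
# $host is accepted for call compatibility but not used: every check runs
# on the local machine.  A shell string is used deliberately because the
# %Cmds entries contain pipes; both $cmd and $file come from that table in
# this script, so nothing externally supplied should ever reach this sub.
#
# Returns the command's exit status (0 on success, -1 if the shell could not
# be started).  The original version discarded it, which meant a check that
# could not run left an empty $file and silently dropped out of the diff;
# a failure is now reported on STDERR, which cron normally mails out.
# Note that some tools use non-zero for "findings" rather than errors
# (rkhunter warnings, 'yum check-update' when updates are pending), so
# those messages are expected on some runs.
sub run_command {
    my ($cmd, $file, $host) = @_;

    my $rc = system("$cmd > $file");
    if ($rc == -1) {
        warn "collector: could not run '$cmd': $!\n";
        return -1;
    }

    my $status = $? >> 8;
    if ($status != 0) {
        warn "collector: '$cmd' exited with status $status (output in $file)\n";
    }
    return $status;
}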

[ids.sh] -----------------------------

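#!/bin/bash
# ids.sh -- hourly change report followed by a baseline refresh.
#
# 1. Mail a diff of the live /etc against the copy taken on the previous run,
#    and of the collector.pl output in /data against its previous copy.
# 2. Refresh those copies with rsync so the next run reports only new changes.
#
# Step 2 runs regardless of how step 1 went: neither mail-output.pl's exit
# status nor rsync's is checked, so a change whose report failed to go out
# is folded into the baseline and never reported again.  rsync's stderr is
# kept in backup-ids.err for inspection after the fact.

LOG=/home/backup/backup-ids.log
ERR=/home/backup/backup-ids.err

## look for discrepancies
# -I "Updated" ignores hunks whose lines contain that word; -X reads a list
# of paths to leave out of the comparison entirely.
/usr/bin/perl /usr/local/sbin/mail-output.pl --subject "XXXXX.domain.net ETC Change" --recip admin@domain.net \
    "diff -b -B -p -r -I \"Updated\" -X /home/backup/backup-excludes -u /home/backup/etc /etc"

# "The system checks took" (rkhunter) and "Host is up" (nmap) are timing
# lines that differ on every run.
/usr/bin/perl /usr/local/sbin/mail-output.pl --subject "XXXXX.domain.net Config Change" --recip admin@domain.net \
    "diff -a -b -B -p -r -u -I \"The system checks took\" -I \"Host is up\" /home/backup/files /data/"

## copy files
# The original paste had the echo and rsync of each step joined on one line,
# which turned the rsync into extra arguments of echo; they are separate
# commands here.
echo "Starting IDS data sync at $(date)." > "$LOG"
echo "" >> "$LOG"

echo "Backing up /etc/..." >> "$LOG"
rsync -a --delete /etc/ /home/backup/etc/ >> "$LOG" 2>> "$ERR"
echo "" >> "$LOG"

echo "Backing up config files..." >> "$LOG"
rsync -a --delete /data/* /home/backup/files >> "$LOG" 2>> "$ERR"
echo "" >> "$LOG"

echo "Backing up system files..." >> "$LOG"
rsync -a --delete /usr/local/sbin/* /home/backup/usr/local/sbin/ >> "$LOG" 2>> "$ERR"
echo "" >> "$LOG"

echo "Backup finished at $(date)." >> "$LOG"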

[backup.sh] -----------------------------

#!/bin/bash

## zip & send
# Archive everything under /home/backup (the /etc mirror, the /data copies
# and the sbin copies that ids.sh refreshes) and mail it off-box, with a
# recursive directory listing as the message body.
archive=/home/XXXXX.tar.gz
listing=/home/dirlist.txt

tar -czvf "$archive" /home/backup/*

ls -alR /home/backup > "$listing"

# NOTE(review): the archive travels as a plain e-mail attachment and includes
# the /etc mirror, i.e. whatever credential files /etc holds on this host;
# neither tar's nor mail's exit status is checked before/after sending.
mail -s "XXXXX Backup Configs" -r backups@domain.net -a "$archive" admin@domain.net < "$listing"
