A simple intrusion detection script Post: 302294996

Sponsored Content

Top Forums Shell Programming and Scripting A simple intrusion detection script Post 302294996 by otheus on Friday 6th of March 2009 09:45:05 AM

03-06-2009

Registered User

A simple intrusion detection script

If you have a very static Linux server and you want to make sure it's not messed with, here's a simple script that will tell you if any files have been tampered with. It's not as fancy or as secure as tripwire or those others, but it is very simple. It can be easily adapted to any *NIX OS.

Code:

#!/bin/sh
## How often to run (in seconds)
PERIOD=3600

## Any files or directories that always change, add here:
EXCLUDE="/proc/ /sys/ /dev/ /var/log /var/run/ /var/lock/ /var/cache/ /var/tmp/ /tmp/ /var/lib/ldap/"
EXCLUDE="$EXCLUDE /var/spool/ /etc/prelink.cache /etc/ld.so.cache /var/lib/logrotate.status /var/lib/slocate/"
EXCLUDE="$EXCLUDE /.*\.viminfo /var/lib/md5sigs"

SIGS=/var/lib/md5sigs
TEMP=/tmp/sigs-$$

umask 077
#
while true; do 

# calculate md5sum of all files not in EXCLUDE
exclude_re=`echo "^("$EXCLUDE")" | sed 's/  */|/g'`
find / -type f -print 2>/dev/null |
        grep -Ev "$exclude_re" |
        LC_ALL=C sort |
        xargs md5sum 2>/dev/null  >$TEMP

# Compare against existing database (or use this one for new database)
if test -f /root/.md5sigs ;then
        diff -w -h $SIGS $TEMP  >$TEMP.diff
        if [ -s $TEMP.diff ]; then
           mail -s "File scan Report" root <$TEMP.diff
           exit 1
        fi
        rm -f $TEMP $TEMP.diff
else
        mv $TEMP $SIGS
        echo "No prior existing report."
fi

sleep $PERIOD
done

# Copyright 2009 by Otheus, licensed under GNU v2 Public License

Last edited by otheus; 04-15-2009 at 06:11 AM.. Reason: added umask setting per follow-up posts

otheus

View Public Profile for otheus

Find all posts by otheus

6 More Discussions You Might Find Interesting

1. Cybersecurity

Intrusion Detection - System Call Introspection

can u give me a code for host based intrusion detection using system call introspection...

2. Shell Programming and Scripting

key detection in a script

Heloo every one I want to write a script that detects a key press and mouse click and movement,but I dont know how. The second one is I want to run myscript without writing the shell ie not "sh script.sh" but "script.sh" Can you help me out of here? Thanks in advance.

3. Shell Programming and Scripting

File detection then run script

I am currently running 4 scripts to complete a job for me. Each script requires the finished file of the one before it. For example the first script gets the finished file called model.x, then i would like script2 to start in and use model.x as the input and get model_min.x as the finished...

4. Shell Programming and Scripting

need bash script Intrusion Detection on Linux

Hello all I have a script but I failed on the creation of Script is any is carried out in the shell sends the owner of the server, the message is has been implemented For example, functioned as a detection system intruders but in smaller Is it possible to help if you allow I want the...

5. Programming

Parallel Processing Detection and Program Return Value Detection

Hey, for the purpose of a research project I need to know if a specific type of parallel processing is being utilized by any user-run programs. Is there a way to detect whether a program either returns a value to another program at the end of execution, or just utilizes any form of parallel...

6. Shell Programming and Scripting

Help making simple perl or bash script to create a simple matrix

Hello all! This is my first post and I'm very new to programming. I would like help creating a simple perl or bash script that I will be using in my work as a junior bioinformatician. Essentially, I would like to take a tab-delimted or .csv text with 3 columns and write them to a "3D" matrix: ...

LEARN ABOUT HPUX

secure_sid_scripts

secure_sid_scripts(5)						File Formats Manual					     secure_sid_scripts(5)

NAME

       secure_sid_scripts - controls whether setuid and setgid bits on scripts are honored

VALUES

   Failsafe
   Default
   Allowed values
   Recommended values
DESCRIPTION

       This  tunable  controls	whether and bits on executable scripts have any effect.  Honoring on scripts make a system vulnerable to attack by
       malicious users.

       The default value for this variable is 1, indicating that bits are to be ignored by the execve(2) system call  for  higher  security.   The
       tunable	can  be set to 0 for a compatibility with older releases at the expense of security.  Hewlett-Packard strongly recommends that you
       not change the value of this tunable unless there is an urgent need to do so.

       When a script with bits is executed, the kernel generates the following error message to both the terminal controlling and the system  log.
       (To view the error message, use dmesg(1M) or inspect

   Who is Expected to Change This Tunable?
       Administrator.

   Restrictions on Changing
       Changes to this tunable take effect for new scripts started after the change.

   When Should the Value of This Tunable Be Changed?
       This  tunable  controls	operational  modes  rather  than data structure sizes and limits.  The appropriate setting for a system depends on
       whether you consider security or compatibility to be most important.

       A value of is compatible with previous releases of HP-UX, but it is also less secure.

       A value of provides security against race condition attacks exploiting scripts.

   What Are the Side Effects of Changing the Value
       This tunable controls only executable scripts (not programs) with bit set.  HP-UX does not ship with any such  scripts.	 If  the  customer
       wishes  to use scripts, third party applications such as or can be used.  Alternatively, the shell script can be wrapped in a simple C pro-
       gram that runs the shell script with appropriate permissions:

   What Other Tunable Values Should Be Changed at the Same Time?
       None.

WARNINGS

       None.  All HP-UX kernel tunable parameters are release specific.  This parameter may be removed or  have  its  meaning  changed	in  future
       releases of HP-UX.

       Installation  of  optional  kernel  software, from HP or other vendors, may cause changes to tunable parameter values.  After installation,
       some tunable parameters may no longer be at the default or recommended values.  For information about the effects of installation  on  tun-
       able  values,  consult  the documentation for the kernel software being installed.  For information about optional kernel software that was
       factory installed on your system, see at

FILES

AUTHOR

       was developed by HP.

SEE ALSO

       chmod(1), execve(2), kctune(1M).

							     Tunable Kernel Parameters					     secure_sid_scripts(5)