A simple intrusion detection script Post: 302294996

Sponsored Content

Top Forums Shell Programming and Scripting A simple intrusion detection script Post 302294996 by otheus on Friday 6th of March 2009 09:45:05 AM

03-06-2009

Registered User

A simple intrusion detection script

If you have a very static Linux server and you want to make sure it's not messed with, here's a simple script that will tell you if any files have been tampered with. It's not as fancy or as secure as tripwire or those others, but it is very simple. It can be easily adapted to any *NIX OS.

Code:

#!/bin/sh
## How often to run (in seconds)
PERIOD=3600

## Any files or directories that always change, add here:
EXCLUDE="/proc/ /sys/ /dev/ /var/log /var/run/ /var/lock/ /var/cache/ /var/tmp/ /tmp/ /var/lib/ldap/"
EXCLUDE="$EXCLUDE /var/spool/ /etc/prelink.cache /etc/ld.so.cache /var/lib/logrotate.status /var/lib/slocate/"
EXCLUDE="$EXCLUDE /.*\.viminfo /var/lib/md5sigs"

SIGS=/var/lib/md5sigs
TEMP=/tmp/sigs-$$

umask 077
#
while true; do 

# calculate md5sum of all files not in EXCLUDE
exclude_re=`echo "^("$EXCLUDE")" | sed 's/  */|/g'`
find / -type f -print 2>/dev/null |
        grep -Ev "$exclude_re" |
        LC_ALL=C sort |
        xargs md5sum 2>/dev/null  >$TEMP

# Compare against existing database (or use this one for new database)
if test -f /root/.md5sigs ;then
        diff -w -h $SIGS $TEMP  >$TEMP.diff
        if [ -s $TEMP.diff ]; then
           mail -s "File scan Report" root <$TEMP.diff
           exit 1
        fi
        rm -f $TEMP $TEMP.diff
else
        mv $TEMP $SIGS
        echo "No prior existing report."
fi

sleep $PERIOD
done

# Copyright 2009 by Otheus, licensed under GNU v2 Public License

Last edited by otheus; 04-15-2009 at 06:11 AM.. Reason: added umask setting per follow-up posts

otheus

View Public Profile for otheus

Find all posts by otheus

6 More Discussions You Might Find Interesting

1. Cybersecurity

Intrusion Detection - System Call Introspection

can u give me a code for host based intrusion detection using system call introspection...

2. Shell Programming and Scripting

key detection in a script

Heloo every one I want to write a script that detects a key press and mouse click and movement,but I dont know how. The second one is I want to run myscript without writing the shell ie not "sh script.sh" but "script.sh" Can you help me out of here? Thanks in advance.

3. Shell Programming and Scripting

File detection then run script

I am currently running 4 scripts to complete a job for me. Each script requires the finished file of the one before it. For example the first script gets the finished file called model.x, then i would like script2 to start in and use model.x as the input and get model_min.x as the finished...

4. Shell Programming and Scripting

need bash script Intrusion Detection on Linux

Hello all I have a script but I failed on the creation of Script is any is carried out in the shell sends the owner of the server, the message is has been implemented For example, functioned as a detection system intruders but in smaller Is it possible to help if you allow I want the...

5. Programming

Parallel Processing Detection and Program Return Value Detection

Hey, for the purpose of a research project I need to know if a specific type of parallel processing is being utilized by any user-run programs. Is there a way to detect whether a program either returns a value to another program at the end of execution, or just utilizes any form of parallel...

6. Shell Programming and Scripting

Help making simple perl or bash script to create a simple matrix

Hello all! This is my first post and I'm very new to programming. I would like help creating a simple perl or bash script that I will be using in my work as a junior bioinformatician. Essentially, I would like to take a tab-delimted or .csv text with 3 columns and write them to a "3D" matrix: ...

LEARN ABOUT CENTOS

sieveshell

SIEVESHELL(1)						User Contributed Perl Documentation					     SIEVESHELL(1)

NAME

       sieveshell - remotely manipulate sieve scripts

SYNOPSIS

       sieveshell [--user=user] [--authname=authname] [--realm=realm] [--exec=script] server[:port]

       sieveshell --help

DESCRIPTION

       sieveshell allows users to manipulate their scripts on a remote server.	It works via MANAGESIEVE, a work in progress.

       The following commands are recognized:

	   list list scripts on server.

	   put <filename> upload script to server.

	   get <name> [<filename>] get script. if no filename display to stdout

	   delete <name> delete script.

	   activate <name> activate script.

	   deactivate deactivate all scripts.

OPTIONS

       -u user, --user=user
	   The authorization name to request; by default, derived from the authentication credentials.

       -a authname, --authname=authname
	   The user to use for authentication (defaults to current user).

       -r realm, --realm=realm
	   The realm to attempt authentication in.

       -e script, --exec=script
	   Instead of working interactively, run commands from script, and exit when done.

REFERENCES

       [MANAGESIEVE] Martin, T.; "A Protocol for Remotely Managing Sieve Scripts", draft-ietf-managesieve-03.txt, Mirapoint, Inc.; May 2001, work
       in progress.

AUTHOR

       Tim Martin <tmartin@mirapoint.com>, and the rest of the Cyrus team <cyrus-bugs@andrew.cmu.edu>.

perl v5.16.3							    2014-06-10							     SIEVESHELL(1)