  • smithware
    Poor man's intrusion notification system - Request for Comments
    Link to this post 02 Aug 13

    cron: -----------------------------
    0 3 * * * /usr/bin/rkhunter --update
    0 */2 * * * /usr/local/sbin/collector.pl
    20 * * * * /usr/local/sbin/ids.sh
    30 3 * * * /usr/local/sbin/backup.sh


    [collector.pl] -----------------------------

    #!/usr/bin/perl -w

    use strict;

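    # Table of audit commands, keyed by the file (relative to /data) that
    # each command's stdout is written to.
    my %Cmds;

    # Host tag handed to run_command(); the original spelled this as
    # qw(), which happens to yield the same single word in scalar context.
    my $host       = 'XXXXX';
    my $externalip = 'X.X.X.X';   # address the nmap check probes from the outside view

    # Every report path below is relative to /data. If the directory is
    # missing, the reports would silently be written into cron's working
    # directory instead, so stop here rather than guess.
    chdir '/data' or die "chdir /data: $!";

    # Binaries whose checksums are recorded on every run. md5 is enough to
    # notice that a file changed, but it is collision-prone; rkhunter
    # below does the stronger file-property check.
    my @md5files = qw(
        /bin/login
        /usr/bin/passwd
        /bin/ps
    );

    my $hour = (localtime)[2];

    # Slow or noisy reports only once a day: cron fires this every two
    # hours, so 08:00 is the only run that enters this branch.
    if ($hour == 8) {
        $Cmds{'disk.usage'} = 'df -lk';
        $Cmds{'packages'}   = 'yum check-update';
    }

    $Cmds{'md5sigs'} = "md5sum @md5files";
    # -perm /6000: either setuid or setgid set (the "+6000" spelling is
    # deprecated and rejected by newer findutils). NUL-separated names so a
    # setuid file whose name contains whitespace or a newline cannot be
    # split or dropped from the listing; -r keeps xargs from running a
    # bare "ls -l" when nothing matched.
    $Cmds{'suidfiles'} =
        "find / ! -wholename '/proc*' -type f -perm /6000 -print0 | xargs -0 -r ls -l";
    $Cmds{'cron.root'} = 'crontab -l -u root';
    $Cmds{'nmap'} = "nmap -sS $externalip | egrep -v '^(Nmap|Starting)'";
    #$Cmds{'chkroot'} = "/usr/bin/chkrootkit";
    # updatedb produces no report; the key doubles as the redirect target.
    # (This assignment had been fused onto the commented chkrootkit line
    # above; it is treated as live here.)
    $Cmds{'/dev/null'} = 'updatedb';
    #$Cmds{'/dev/null'} = "/usr/bin/rkhunter --update";
    $Cmds{'rootkithunt'} = '/usr/bin/rkhunter -c --no-mail-on-warning --rwo --noappend-log --sk --nocolors';
    #$Cmds{'iptables'} = "/sbin/iptables --list";
    $Cmds{'listening'} = 'netstat -utan | grep -i listen';
    #$Cmds{'rootkithunt'} = "cat /var/log/rkhunter/rkhunter.log";

    ### main loop ###
    # Sorted so the run order (and any failure messages) is stable
    # between runs; hash order is not.
    for my $file (sort keys %Cmds) {
        my $cmd = $Cmds{$file};

        ### run each command on $host and print the
        ### output to $file
        run_command($cmd, $file, $host);
    }
    exit 0;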

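    # Run one audit command through the shell and redirect its stdout to
    # $file (relative to the cwd the caller has set).
    #
    # $cmd  shell pipeline to run; built from constants in this script,
    #       not from external input
    # $file output file name, a fixed hash key
    # $host accepted for symmetry with the call site; not used here
    #
    # Returns the command's exit code (0 on success, -1 when the shell
    # could not be started) so a caller can notice a check that quietly
    # stopped producing output. The former "()" prototype only worked
    # because calls used "&", which bypasses prototype checking; a plain
    # run_command(...) call now compiles as well.
    sub run_command {
        my ($cmd, $file, $host) = @_;

        # system() returns a single value; the wait status lives in $?.
        my $status = system("$cmd > $file");
        if ($status == -1) {
            warn "$file: could not run '$cmd': $!\n";
            return -1;
        }

        my $signal    = $? & 127;
        my $exit_code = $? >> 8;
        if ($signal) {
            warn "$file: '$cmd' killed by signal $signal\n";
        }
        elsif ($exit_code != 0) {
            # Non-zero is normal for some checks (rkhunter reports
            # warnings this way, "yum check-update" returns 100 when
            # updates exist), so log it and carry on with the rest.
            warn "$file: '$cmd' exited with status $exit_code\n";
        }
        return $exit_code;
    }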


    [ids.sh] -----------------------------
    #!/bin/bash

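    ## look for discrepancies
    # Mail a diff of the live tree against the copy taken on the previous
    # run. The baseline sits on the same host as the files it guards, so
    # this catches drift between two runs, not tampering by someone who
    # already has root and can refresh the baseline as well.

    BACKUP=/home/backup
    LOG=$BACKUP/backup-ids.log
    ERR=$BACKUP/backup-ids.err

    /usr/bin/perl /usr/local/sbin/mail-output.pl --subject "XXXXX.domain.net ETC Change" --recip admin@domain.net \
        "diff -b -B -p -r -I \"Updated\" -X $BACKUP/backup-excludes -u $BACKUP/etc /etc"

    # The -I patterns drop the per-run timing lines that rkhunter and nmap
    # print, which would otherwise be reported as a change on every run.
    /usr/bin/perl /usr/local/sbin/mail-output.pl --subject "XXXXX.domain.net Config Change" --recip admin@domain.net \
        "diff -a -b -B -p -r -u -I \"The system checks took\" -I \"Host is up\" $BACKUP/files /data/"

    ## copy files
    # Refresh the baseline only after the diffs above have gone out. Each
    # step's echo and rsync are separate commands: on one line, echo would
    # swallow rsync's arguments and the copy would never run. A trailing
    # slash on the source (rather than "/dir/*") makes rsync copy the
    # directory contents including dot-files, which the glob skips.
    echo "Starting IDS data sync at $(date)." > "$LOG"
    echo "" >> "$LOG"

    echo "Backing up /etc/..." >> "$LOG"
    rsync -a --delete /etc/ "$BACKUP/etc/" >> "$LOG" 2>> "$ERR"
    echo "" >> "$LOG"

    echo "Backing up config files..." >> "$LOG"
    rsync -a --delete /data/ "$BACKUP/files" >> "$LOG" 2>> "$ERR"
    echo "" >> "$LOG"

    echo "Backing up system files..." >> "$LOG"
    rsync -a --delete /usr/local/sbin/ "$BACKUP/usr/local/sbin/" >> "$LOG" 2>> "$ERR"
    echo "" >> "$LOG"

    echo "Backup finished at $(date)." >> "$LOG"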


    [backup.sh] -----------------------------
    #!/bin/bash

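    ## zip & send
    # The archive contains the /etc copy taken by ids.sh (shadow, ssh host
    # keys, ...). With the default umask it would be created world-readable
    # under /home, so restrict the mode first; and since it leaves the box
    # as a plain mail attachment, consider encrypting it for the recipient
    # before attaching.
    umask 077

    ARCHIVE=/home/XXXXX.tar.gz
    DIRLIST=/home/dirlist.txt

    tar -czvf "$ARCHIVE" /home/backup/*
    # tar exits 1 for "file changed as we read it" (harmless here) and 2
    # for a fatal error; do not mail a partial archive as if it were good.
    if [ $? -gt 1 ]; then
        echo "backup.sh: tar failed, not mailing $ARCHIVE" >&2
        exit 1
    fi

    ls -alR /home/backup > "$DIRLIST"

    mail -s "XXXXX Backup Configs" -r backups@domain.net -a "$ARCHIVE" admin@domain.net < "$DIRLIST"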
