Listing 1
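#!/bin/csh -f
# James W. Meritt
# program to check for changed files
#
# Meant to be run regularly (e.g. from root's crontab) on one monitoring
# host.  For every host that answers rup(1) on the local network it:
#   1. on the first run, builds $HOMEDIR/configuration/<host>.files, the
#      list of paths to watch on that host (defaults + dot/conf/rc/tab/
#      profile/hosts files found over rsh + candidates taken from the
#      LOCAL crontab and inetd.conf);
#   2. on later runs, takes a long listing of those paths over rsh into
#      $HOMEDIR/snapshots/<host>/snapshot.<stamp> and diffs it against
#      the previous snapshot;
#   3. lists recently modified executables in a few system directories;
#   4. dumps the NIS+ passwd and hosts tables and diffs them against the
#      previous dump;
# and mails the accumulated report to $MAILTO.
#
# Everything is fetched over rsh and the report goes out by plain mail, so
# the result is only as trustworthy as the rsh trust between this host and
# the watched hosts, and the report (which includes the NIS passwd diff)
# travels in the clear.  Any host answering rup is included, so the node
# list should be reviewed on the first run.
#
# programs used by this script
setenv AWK /bin/awk
setenv ECHO /usr/ucb/echo
setenv FGREP /bin/fgrep
setenv CAT /bin/cat
setenv SORT /bin/sort
setenv RM /bin/rm
setenv TOUCH /usr/ucb/touch
setenv FIND /bin/find
setenv LS /bin/ls
setenv DIFF /bin/diff
# the source directory of the NIS watch program
setenv HOMEDIR /home/tamper
# location of configuration/control files/tables that contain the information
# NOTE: these are read on the monitoring host itself, not on the watched
# host, so the candidates seeded from them reflect THIS host's setup.
set CRONTAB=/usr/spool/cron/crontabs/root
set INETD=/etc/inetd.conf
# timestamp used in snapshot and nisdata file names.  The newest/previous
# file is picked by plain `ls` order, so the stamp must be fixed width and
# year first (the old %m%d%S form broke at the turn of the year and
# ignored the hour).
set STAMP=`date +%Y%m%d%H%M%S`
# temporary files: kept in a directory under $HOMEDIR rather than in the
# world-writable /tmp, and named by pid rather than by a guessable time
# string, so nobody else can pre-create or symlink them (assuming
# $HOMEDIR itself is not writable by others)
set WORKDIR="$HOMEDIR/tmp"
if ( ! -d $WORKDIR ) mkdir -m 700 $WORKDIR
set TMPFILE1="$WORKDIR/tmp1.$$"
set TMPFILE2="$WORKDIR/tmp2.$$"
set NODEFILE="$WORKDIR/node.$$"
# the nisdata directory holds dumps of the passwd table; keep it root-only
set NISFILE="$HOMEDIR/nisdata/nis.$STAMP"
# setup to mail the results
set MAILFILE="$WORKDIR/mail.$$"
setenv MAILER /usr/ucb/mail
# the report carries the watched-file inventory and the NIS passwd diff;
# it should only go to a mailbox that is trusted along the whole path
setenv MAILTO JWMeritt@aol.com
set SUBJECT="Network tamper check"
# start mail file with the explanation of the diff markers
$ECHO "Comparing the most recent long listing of the vital files with the earliest one." > $MAILFILE
$ECHO "The lines marked by < are in the earliest but not in the most recent." >> $MAILFILE
$ECHO "The lines marked by > are in the most recent but not the earliest. " >> $MAILFILE
# every host that answers rup is watched; the "Sending ..." line rup
# prints is its banner, not a host
rup | $AWK '{ print $1 }' | $SORT -u | $FGREP -v Sending > $NODEFILE
foreach NODE (`$CAT $NODEFILE`)
  $ECHO "............................................................." >> $MAILFILE
  set NODEDIR="$HOMEDIR/snapshots/$NODE"
  set NODECONF="$HOMEDIR/configuration/$NODE.files"
  set NODETMP="$HOMEDIR/configuration/$NODE.files.tmp"
  # the database of files for a particular system
  set SNAPSHOT="$NODEDIR/snapshot.$STAMP"
  $ECHO "performing file watch across network to $NODE" >> $MAILFILE
  if ( -f $NODECONF ) then
    # This takes a snapshot of the files identified in the file system.files
    # and places it into the snapshots directory.  The paths are handed
    # unquoted to the remote shell, so the list must stay root-owned and
    # free of shell metacharacters.
    $TOUCH $SNAPSHOT
    foreach FILE (`$CAT $NODECONF`)
      rsh $NODE $LS -l $FILE >> $SNAPSHOT
    end
    # names sort oldest to newest: LAST is the snapshot just written,
    # PREVIOUS the one from the run before (or the same file if there is
    # only one)
    set LAST = `$LS $NODEDIR/snapshot.* | tail -1`
    set PREVIOUS = `$LS $NODEDIR/snapshot.* | tail -2 | head -1`
    $ECHO "Comparing $LAST to $PREVIOUS" >> $MAILFILE
    $DIFF $PREVIOUS $LAST >> $MAILFILE
    # keep only the newest snapshot; with a single file PREVIOUS equals
    # LAST and nothing is removed
    if ( "$PREVIOUS" != "$LAST" ) then
      $ECHO "removing $PREVIOUS" >> $MAILFILE
      $RM $PREVIOUS
    endif
  else
    $ECHO "$NODE not previously set up" >> $MAILFILE
    # the following is to perform the configuration/setup of a particular system
    # for monitoring
    #get the default list
    cp $HOMEDIR/defaults/default.files $NODETMP
    #look through the system for configuration, dot,... files
    # (the backslashes are meant to reach the remote shell so that it
    # hands the patterns to find unexpanded)
    #find on .???*
    rsh $NODE $FIND / -xdev -name "\.\?\?\?\*" -print >> $NODETMP
    #find on conf
    rsh $NODE $FIND / -xdev -name "\*\.conf" -print >> $NODETMP
    #find on rc
    rsh $NODE $FIND / -xdev -name "\*rc" -print >> $NODETMP
    #find on tab
    rsh $NODE $FIND / -xdev -name "\*tab" -print >> $NODETMP
    #find on profile
    rsh $NODE $FIND / -xdev -name "\*profile\*" -print >> $NODETMP
    #find on cshrc
    rsh $NODE $FIND / -xdev -name "\*cshrc\*" -print >> $NODETMP
    #find on host
    rsh $NODE $FIND / -xdev -name "\*hosts\*" -print >> $NODETMP
    #the rc files
    rsh $NODE $LS /etc/rc2\*/\* >> $NODETMP
    #go through identified setups...
    # get the candidates from the crontab (fields 6 up to the last one of
    # every line, i.e. the command part of each crontab entry)
    $ECHO $CRONTAB > $TMPFILE1
    $AWK '{for (i=6;i<NF;i++) printf("%s \n", $i)}' $CRONTAB >> $TMPFILE1
    # get the candidate from the inetd configuration file
    $ECHO $INETD >> $TMPFILE1
    $AWK '{for (i=6;i<NF;i++) printf("%s \n", $i)}' $INETD >> $TMPFILE1
    # uniquely sort the list and remove the lines with special characters
    $SORT -u $TMPFILE1 > $TMPFILE2
    $RM $TMPFILE1
    $FGREP -v -f $HOMEDIR/defaults/special.characters $TMPFILE2 > $TMPFILE1
    # keep the candidates that exist as plain files (tested on this host,
    # not on $NODE) and add them to the watch list; previously they were
    # only echoed to stdout and never made it into the list
    foreach CANDIDATE (`$CAT $TMPFILE1`)
      if ( -f $CANDIDATE ) then
        $ECHO $CANDIDATE >> $NODETMP
      endif
    end
    $HOMEDIR/used.files >> $NODETMP
    $ECHO "clean up the list..."
    $SORT -u $NODETMP | $FGREP -v -f $HOMEDIR/defaults/notneed.files >> $NODECONF
    $RM $NODETMP
    $ECHO "The files to check are in $NODECONF" >> $MAILFILE
    #Creating directory for snapshot
    mkdir $NODEDIR
    $ECHO "taking first snapshot of system" >> $MAILFILE
    # This takes the first snapshot of the files identified in the file
    # system.files.  It is taken on $NODE, like every later one, so the
    # next run compares like with like (a local listing here would make
    # the first diff report every file as changed).
    foreach FILE (`$CAT $NODECONF`)
      rsh $NODE $LS -l $FILE >> $SNAPSHOT
    end
  endif
end
$ECHO "_____________________________________________" >> $MAILFILE
# find -ls prints in ls -dils format, so the mode string is field 3;
# selecting on that field rather than on the whole line avoids reporting
# every path that merely contains an "x" (e.g. names with X11 or xterm).
# -mtime -2 covers the last two days, so a change is seen on the run right
# after it happens and is not lost when one run is skipped.
foreach HOST (`$CAT $NODEFILE`)
  $ECHO "checking for new executable items selected directories on $HOST " >> $MAILFILE
  foreach DIR (/bin /etc /usr/ucb /usr/local /usr/bin /usr/sbin)
    rsh $HOST $FIND $DIR -mtime -2 -ls | $AWK '$3 ~ /x/' >> $MAILFILE
  end
end
$ECHO "_____________________________________________" >> $MAILFILE
$ECHO "Check the NIS plus database" >> $MAILFILE
# put the nis queries here
niscat passwd.org_dir > $NISFILE
niscat hosts.org_dir >> $NISFILE
# as with the snapshots: the dump just written is newest, the one before
# it is the previous run; with a single dump the file is diffed with itself
set NISPREVIOUS = `$LS $HOMEDIR/nisdata/nis.* | tail -2 | head -1`
$DIFF $NISPREVIOUS $NISFILE >> $MAILFILE
if ( "$NISPREVIOUS" != "$NISFILE" ) then
  $ECHO "removing $NISPREVIOUS" >> $MAILFILE
  $RM $NISPREVIOUS
endif
$ECHO "_____________________________________________" >> $MAILFILE
# -s sets the subject outright; the "~s" line the body used to start with
# is a mail tilde escape that may not be honoured when input is redirected
$MAILER -s "$SUBJECT" $MAILTO < $MAILFILE
# -f: the tmp files only exist if some host needed first-time setup
$RM -f $MAILFILE $TMPFILE1 $TMPFILE2 $NODEFILE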