Poor Man's intrusion detection/notification

smithware · 08-02-2013, 09:27 PM

Looking for any suggestions, comments, etc...

model: Every two hours I collect some system statistics and they get compared, along with program and file system info, versus the previous collection of information, emailing me with any discrepancies....

cron:
0 3 * * * /usr/bin/rkhunter --update
0 */2 * * * /usr/local/sbin/collector.pl
20 * * * * /usr/local/sbin/ids.sh
30 3 * * * /usr/local/sbin/backup.sh

-----------------------------------------------
[collector.pl]

#!/usr/bin/perl -w

use strict;

my %Cmds;
my $host = qw(XXXXX);
my $user = "root";
my $externalip = "X.X.X.X";

chdir "/data";

my @md5files = qw(/bin/login
/usr/bin/passwd
/bin/ps);

my ($Second, $Minute, $Hour, $Day, $Month, $Year, $WeekDay, $DayOfYear, $IsDST) = localtime(time);

if ($Hour == 8) {
$Cmds{'disk.usage'} = "df -lk";
$Cmds{'packages'} = "yum check-update"; }

$Cmds{'md5sigs'} = "md5sum @md5files";
$Cmds{'suidfiles'} = "find / ! -wholename '/proc*' -type f -perm +6000 |xargs ls -l";
$Cmds{'cron.root'} = "crontab -l -u root";
$Cmds{'nmap'} = "nmap -sS $externalip | egrep -v '^(Nmap|Starting)'";
#$Cmds{'chkroot'} = "/usr/bin/chkrootkit";
$Cmds{'/dev/null'} = "updatedb";
#$Cmds{'/dev/null'} = "/usr/bin/rkhunter --update";
$Cmds{'rootkithunt'} = "/usr/bin/rkhunter -c --no-mail-on-warning --rwo --noappend-log --sk --nocolors";
#$Cmds{'iptables'} = "/sbin/iptables --list";
$Cmds{'listening'} = "netstat -utan | grep -i listen";
#$Cmds{'rootkithunt'} = "cat /var/log/rkhunter/rkhunter.log";

### main loop ###
for my $file (keys %Cmds) {
my $cmd = $Cmds{$file};

### run each command on $host and print the
### output to $file
&run_command($cmd, $file, $host);
}
exit 0;

sub run_command() {
my ($cmd, $file, $host) = @_;

my ($stdout, $stderr, $exit) = system($cmd." > $file");
return;
}

-----------------------------------------------
[ids.sh]

#!/bin/bash

## look for discrepanices

/usr/bin/perl /usr/local/sbin/mail-output.pl --subject "XXXXX.domain.net ETC Change" --recip admin@domain.net "diff -b -B -p -r -I \"Updated\" -X /home/backup/backup-excludes -u /home/backup/etc /etc"

/usr/bin/perl /usr/local/sbin/mail-output.pl --subject "XXXXX.domain.net Config Change" --recip admin@domain.net "diff -a -b -B -p -r -u -I \"The system checks took\" -I \"Host is up\" /home/backup/files /data/"

## copy files

echo "Starting IDS data sync at `date`." > /home/backup/backup-ids.log

echo "" >> /home/backup/backup-ids.log

echo "Backing up /etc/..." >> /home/backup/backup-ids.log rsync -a --delete /etc/ /home/backup/etc/ >> /home/backup/backup-ids.log 2>> /home/backup/backup-ids.err

echo "" >> /home/backup/backup-ids.log

echo "Backing up config files..." >> /home/backup/backup-ids.log rsync -a --delete /data/* /home/backup/files >> /home/backup/backup-ids.log 2>> /home/backup/backup-ids.err echo "" >> /home/backup/backup-ids.log

echo "Backing up system files..." >> /home/backup/backup-ids.log rsync -a --delete /usr/local/sbin/* /home/backup/usr/local/sbin/ >> /home/backup/backup-ids.log 2>> /home/backup/backup-ids.err echo "" >> /home/backup/backup-ids.log

echo "Backup finished at `date`." >> /home/backup/backup-ids.log

-----------------------------------------------
[backup.sh]

#!/bin/bash

## zip & send

tar -czvf /home/XXXXX.tar.gz /home/backup/*

ls -alR /home/backup > /home/dirlist.txt

mail -s "XXXXX Backup Configs" -r backups@domain.net -a /home/XXXXX.tar.gz admin@domain.net < /home/dirlist.txt

unSpawn · 08-03-2013, 04:01 AM