
List:       firewalls-gc
Subject:    Re: WWW Gaffiti Immunity (Off Topic)
From:       The Unseen <ian () south-border ! com>
Date:       1997-01-01 17:28:52


Corrected an obvious error... 8-)  here's the latest one.
please let me know if you find other errors....

Ian

--------------

#!/usr/local/bin/perl
#
# The purpose of this script is to help secure our WWW files
# from graffiti.  We are going to use tripwire to help us keep
# track of file signatures and alert us when there are major
# inconsistencies that may result from someone trying to hack
# our site.
#
# Ideal config consists of a WWW server mounting via NFS the
# document tree.  This script is intended to be run on the
# NFS server.
# 
# Feel free to distribute and/or alter this script as needed.
# But be kind and email me the changes...  ian@south-border.com

package WWWcheck;

# Run state.  @SendData collects the tripwire report lines for the mail;
# $DoBoth, $DoNFS and $DoRmHttp are the response flags that AlertAdmin
# sets and PerformKill reads.  $Alert is initialised here but is not
# referenced anywhere else in this listing.
@SendData = ();
($Alert, $DoBoth, $DoNFS, $DoRmHttp) = (0, 0, 0, 0);

# Site settings.  Every value below is pasted as-is into a shell command
# line or a mail header further down, so keep them free of shell
# metacharacters you do not intend.

# Address the report is mailed to (goes into the To: header).
$AdminUser = 'securityuser';

# Mailer command the report is piped into.
$SendmailCMD = '/usr/lib/sendmail -t';

# Where tripwire lives, plus the database and config file passed to it
# with -d and -c.  Tripwire is run with -q (quiet mode) to cut down on
# per-pass chatter.
# NOTE(review): the comparison is only as trustworthy as the database;
# keep it somewhere the WWW host cannot write to.
$TripCMD        = '/place/to/bin/tripwire';
$TripDatabase   = '/place/to/tripwire/www.database';
$TripConfigFile = '/place/to/tripwire/WWW.conf';

# Set DoNFSshare to 1 when the WWW server mounts its document tree over
# NFS from a hardened server and this script and tripwire run on that
# NFS server.  The directory is then unshared once the grace period
# defined below has passed.
$DoNFSshare    = 1;
$NFSunsharecmd = '/usr/sbin/unshare';
$NFSwwwdir     = '/place/to/real/NFS/server/WWW';

# Set to 1 to stop the httpd server remotely when tripwire reports
# changes.  Review RemoteCMD, RemoteHost and RemoteHttpKill first.  The
# author prefers ssh because of the key exchange.
$DoRemoteKill = 0;

# Only used when DoRemoteKill is 1.
$RemoteCMD      = '/opt/PUBsshd/bin/ssh';
$RemoteHost     = 'WWW';
$RemoteHttpKill = '/etc/init.d/httpd stop';

# Grace period, written as the shell command that is run before the
# unshare and/or the remote httpd stop.
# NOTE(review): with this default the changed tree keeps being served
# for an hour after detection, and the script blocks for that long.
$SleepTime = 'sleep 3600';

#<----you do not need to change anything below here--->

# Issue tripwire command with options.  Compile a list of 
# changes that have occurred since the last update of the
# tripwire database.  Save these modifications to be sent
# as a notification to the admin.
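sub BuildTripDatabase
{
	# Runs "$TripCMD -d $TripDatabase -c $TripConfigFile -q" and appends
	# every line it prints, without the trailing newline, to @SendData.
	#
	# Dies when the pipe to tripwire cannot be opened: a check that never
	# ran must not look the same as "no changes found", because an empty
	# @SendData makes AlertAdmin stay silent.
	open(Tripdata,"$TripCMD -d $TripDatabase -c $TripConfigFile -q|")
		|| die "WWWcheck: cannot run $TripCMD: $!\n";

	my $Lines = 0;
	while(<Tripdata>) {
		# chomp removes only a line ending; chop would also eat the last
		# character of a final line that has no newline.
		chomp;
		push(@SendData,$_);
		$Lines++;
	}

	# close() on a pipe waits for the child and leaves its status in $?.
	# A non-zero status alone is not treated as an error here (tripwire
	# presumably exits non-zero when it reports differences - confirm for
	# your version), but no output together with a non-zero status
	# suggests the scan itself did not run, so say so on STDERR.
	close(Tripdata);
	if ($Lines == 0 && $? != 0) {
		warn "WWWcheck: $TripCMD printed nothing and ended with wait status $?;"
			. " the integrity check may not have run\n";
	}
}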


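# Mail the collected tripwire output to $AdminUser and record which
# response PerformKill should carry out.
#
# Does nothing when @SendData is empty.  Otherwise sets $DoBoth, or
# $DoNFS and/or $DoRmHttp, according to $DoNFSshare and $DoRemoteKill.
# The flags are set whether or not the mail could be handed to
# $SendmailCMD; a delivery failure is reported on STDERR and the message
# is printed there instead, so the notice is not lost.
sub AlertAdmin
{
	# No report lines: send no mail and schedule no response.
	return unless @SendData;

	# The timestamp is the moment this notice is built, i.e. right after
	# the scan and before any grace-period sleep.
	my @Message = (
		"To:$AdminUser\n",
		"cc:\n",
		"subject: WWW server Document tree\n",
		"-------\n",
		"Has changed since the last tripwire database update.  Here\n",
		"is a summery of the output from tripwire run at "
			. scalar(localtime) . "\n\n\n",
	);
	for (@SendData) {
		push(@Message, "$_\n");
	}
	push(@Message, "\nThe following actions will be taken...\n\n");

	# The command lines quoted to the admin name the same commands, in
	# the same order, that PerformKill runs for each flag.
	if ($DoNFSshare == 1 && $DoRemoteKill == 1) {
		push(@Message,
			"Your WWW server mounts it's document tree via NFS from\n",
			"this server and you have elected to kill the remote httpd\n",
			"daemon running on the WWW server.  The following command will\n",
			"issued:\n\n",
			"$SleepTime ; $NFSunsharecmd $NFSwwwdir ; $RemoteCMD $RemoteHost '($RemoteHttpKill)'\n\n");
		$DoBoth=1;
	}
	else {
		if ($DoNFSshare == 1) {
			push(@Message,
				"Your WWW server is mounting it's document tree via an NFS\n",
				"server which is this host according to variables set.  The\n",
				"following command will be issued:\n\n",
				"$SleepTime ; $NFSunsharecmd $NFSwwwdir\n\n");
			$DoNFS=1;
		}
		if ($DoRemoteKill == 1) {
			# The sleep runs on this host, before ssh is started.
			push(@Message,
				"According to our options you have elected to disable httpd\n",
				"service on the WWW server.  the following command will be\n",
				"issued:\n\n",
				"$SleepTime ; $RemoteCMD $RemoteHost '($RemoteHttpKill)'\n\n");
			$DoRmHttp=1;
		}
		if ($DoNFSshare == 0 && $DoRemoteKill == 0) {
			push(@Message,
				"Although we have detected differences that may indicate an\n",
				"attack, options set tell us that we are to take no action\n",
				"in response.  YOU MUST CHECK to see if this is really the\n",
				"intended reaction to the tripwire output!\n\n");
		}
	}

	# A mailer that exits early would otherwise kill this script with
	# SIGPIPE before PerformKill gets to run.
	local($SIG{'PIPE'}) = 'IGNORE';

	my $Sent = 0;
	if (open(ALERT,"|$SendmailCMD")) {
		print ALERT @Message;
		# close() waits for the mailer; this is where a bad or failing
		# $SendmailCMD becomes visible.
		if (close(ALERT)) {
			$Sent = 1;
		}
		else {
			warn "WWWcheck: '$SendmailCMD' did not accept the alert (wait status $?)\n";
		}
	}
	else {
		warn "WWWcheck: cannot start '$SendmailCMD': $!\n";
	}
	print STDERR @Message unless $Sent;
}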

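# Carry out the response selected by AlertAdmin through $DoBoth, $DoNFS
# and $DoRmHttp: wait out the grace period ($SleepTime), then unshare
# the NFS directory and/or stop httpd on $RemoteHost.
#
# Each command line goes through the shell; whatever it prints on stdout
# is copied to STDERR, and a non-zero status is reported there too, so a
# containment step that did not take effect does not pass unnoticed.
sub PerformKill
{
	if($DoBoth) {
		# Run as two command lines rather than one "a ; b ; c" string so
		# that the status of the unshare is not hidden behind the status
		# of the ssh call.  The order of the commands is unchanged.
		_RunResponse("$SleepTime ; $NFSunsharecmd $NFSwwwdir");
		_RunResponse("$RemoteCMD $RemoteHost '($RemoteHttpKill)'");
		return;
	}

	if($DoNFS) {
		_RunResponse("($SleepTime ; $NFSunsharecmd $NFSwwwdir)");
	}

	if($DoRmHttp) {
		# The sleep happens on this host; only the stop command is sent
		# to the remote side.
		_RunResponse("$SleepTime ; $RemoteCMD $RemoteHost '($RemoteHttpKill)'");
	}
}

# Run one response command line with backticks, copy its stdout to
# STDERR and warn when the wait status in $? is not zero.
sub _RunResponse
{
	my($Command) = @_;
	my @Output = `$Command`;
	my $Status = $?;
	print STDERR @Output;
	if ($Status != 0) {
		warn "WWWcheck: response command did not succeed (wait status $Status): $Command\n";
	}
}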
	

# Entry point for package WWWcheck: collect the tripwire report, notify
# the admin, then carry out whichever response was selected.
sub main
{
	BuildTripDatabase();
	AlertAdmin();
	PerformKill();
}

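package main;

# Start the check.  Written with "::" because the old "'" package
# separator used here before is deprecated in current perl releases.
WWWcheck::main();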
