This morning after waking up, I decided to take a little stroll through the system logs at a webserver I am responsible for. I receive little pay for this, but I get free use of a fast server for personal and development purposes. So what did I find in the logs? Somebody tarballing and transfering my home dir! and some other things they shouldn't be fondling. So, I needed a quick way to alert me to further violations. I really didn't feel I had time to look for a utility for this, I needed something yesterday. So, I fired up emacs...
This script watches a file to see if it is accessed or modified. If it is either accessed or modified, it first sends an email to me, including the name of the file changed, and the output from who(1). Next, it uses wall(1) to notify the person that their accesses are not going unnoticed.
#!/usr/bin/perl -w
use strict;
use warnings;
use Mail::Sendmail;
@ARGV == 1 or die "usage: $0 watchfile";
my $watchfile = $ARGV[0];
print "watching $watchfile.\n";
my $pid = fork();
unless ( $pid ) {
my $access_time = (stat($watchfile))[8];
my $modify_time = (stat($watchfile))[9];
while( sleep 5 ) {
unless( $access_time == (stat($watchfile))[8] ) {
print "ACCESS CHANGED!!\n";
tripwire( $watchfile, "accessed" );
$access_time = (stat($watchfile))[8];
}
unless( $modify_time == (stat($watchfile))[9] ) {
print "MODIFY CHANGED!!\n";
tripwire( $watchfile, "modified" );
$modify_time = (stat($watchfile))[9];
}
}
}
sub tripwire {
my $file = shift || "unknown";
my $what = shift || "unknown";
my %mail = ( To => 'pariss@efn.org',
From => 'Aighearach@makeyourbanner.com',
Subject => 'SECURITY VIOLATION!!!',
Message => "SECURITY VIOLATION!!! $file $what\n".`who`
);
sendmail(%mail);
`wall 'what the hell are you doing\? --AUTOMATED (report generated
+)'`;
}
Paris Sinclair | 4a75737420416e6f74686572
pariss@efn.org | 205065726c204861636b6572
http://sinclairinternetwork.com