Poor man’s IDS… part 3 – collector.pl

This is the data collector. You can extend it with many different commands and types of data collection. All of the output files are created in the /data directory.

#!/usr/bin/perl -w
use strict;

# Program: collector.pl, v2.2 2020-03-08
#
# Michael Smith (mike@smithware.net)
#

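## setup variables
## %Cmds maps an output filename (relative to /data) to the shell
## command whose stdout is saved in that file.
my %Cmds;
my $host       = 'hostname.com';     # plain string; qw() in scalar context only ever yielded one word
my $externalip = 'www.xxx.yyy.zzz';  # placeholder: the address the nmap entry scans

## Every report is written by name into this directory, so refuse to run
## if it cannot be entered; otherwise the reports land in whatever the
## current directory of the caller happens to be.
## NOTE(review): most commands below need root (crontab -l -u root,
## find /, rkhunter); /data should then be owned by root and not
## writable by other users, since files are created there by name.
chdir '/data' or die "chdir /data: $!";

## files to be hashed
my @md5files = qw(/bin/login
/usr/bin/passwd
/bin/ps);

## only the hour-of-day is used, to pick the once-a-day jobs below
## (localtime fields: sec, min, hour, ...)
my $Hour = (localtime)[2];

## run these commands and put the results into the files
## $Cmds{'filename'} = "command";
$Cmds{'md5sigs'}   = "md5sum @md5files";
$Cmds{'suidfiles'} = "find / ! -wholename '/proc*' -type f -perm /6000 |xargs ls -l";
$Cmds{'cron.root'} = "crontab -l -u root";
$Cmds{'nmap'}      = "nmap -sS $externalip | egrep -v '^(Nmap|Starting)'";
$Cmds{'listening'} = "netstat -utan | grep -i listen";
## moved from rc.firewall to apf
#$Cmds{'iptables'} = "/sbin/iptables --list";

## security audits
## full report
$Cmds{'rootkithunt'} = "/usr/bin/rkhunter -c --no-mail-on-warning --noappend-log --sk --nocolors";
$Cmds{'lynis'}       = "lynis audit system --no-colors";
#$Cmds{'chkroot'} = "/usr/bin/chkrootkit";
## warnings only
#$Cmds{'rootkithunt'} = "/usr/bin/rkhunter -c --no-mail-on-warning --rwo --noappend-log --sk --nocolors";
#$Cmds{'lynis'} = "lynis audit system --warnings-only --no-colors";

## https://www.rfxn.com/
$Cmds{'apf_status'} = "apf -t";
$Cmds{'lsm'}        = "/usr/local/sbin/lsm -c";
$Cmds{'sim'}        = "/usr/local/sbin/sim -s";

## updated as part of cron.daily
#$Cmds{'/dev/null'} = "/usr/bin/rkhunter --update";
#$Cmds{'/dev/null'} = "updatedb";

## once a day, at 2am, run this command - Malware Detection
## uses LMD, a great package from https://www.rfxn.com/
if ($Hour == 2) {
    $Cmds{'brutforce'} = "/usr/local/sbin/bfd -a; bfd -s";
    ## the space in "2 > maldet" matters: "2" is a separate argument to
    ## maldet (presumably a day count -- confirm against the maldet
    ## manual), not a "2>" stderr redirect; the trailing "> maldet" is
    ## a stdout redirect that run_command repeats, so it is redundant
    $Cmds{'maldet'}    = "/usr/local/sbin/maldet -r / 2 > maldet";
    $Cmds{'apf'}       = "/usr/local/sbin/apf -l";
}

## once a day, at 8am, run these commands - disk size and updated packages
if ($Hour == 8) {
    $Cmds{'disk.usage'} = "df -lk";
    $Cmds{'packages'}   = "dnf check-update";
}

## main loop ###
## sorted so the commands run in a predictable order from one run to
## the next (hash order is randomised per process)
for my $file (sort keys %Cmds) {
    my $cmd = $Cmds{$file};

    ## run each command and save its stdout in $file under /data
    run_command($cmd, $file, $host);
}
exit 0;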

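## run_command($cmd, $file, $host)
##
## Runs $cmd through the shell (the command strings in %Cmds rely on
## pipes and ';') and writes its stdout to $file in the current
## directory.  stderr is left alone, as it was with the original
## "> $file" redirect.  $host is accepted for call-site compatibility
## but the command always runs on the local machine.
##
## Returns nothing.  Failures to create $file or to start the command
## are reported with warn rather than die, so one broken collector does
## not stop the remaining reports.
##
## The empty "()" prototype the sub used to carry is gone: it declared
## "no arguments" while every caller passes three.
sub run_command {
    my ($cmd, $file, $host) = @_;

    ## open the output in Perl rather than via an unquoted shell
    ## redirect, so the filename is never re-parsed by the shell
    open my $out, '>', $file
        or do { warn "run_command: cannot open $file: $!\n"; return; };

    my @output = qx{$cmd};
    my $status = $?;   # copy immediately; $? is clobbered by later calls

    print {$out} @output;
    close $out or warn "run_command: close $file: $!\n";

    if ($status == -1) {
        warn "run_command: failed to run '$cmd': $!\n";
    }
    elsif ($status >> 8 != 0) {
        ## some auditors (rkhunter, dnf check-update) use a non-zero
        ## exit to signal findings, so this is a heads-up, not an error
        warn "run_command: '$cmd' exited with status ", $status >> 8, "\n";
    }
    return;
}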
