Name
    
    panic_button: an automated file integrity management system
    built around free veracity

    Author
    
    Steve McNabb steve@justsomeguy.com

    Synopsis
    
    panic_button was designed to give a machine in production an
    automated means of self-defense. The basic idea is that certain
    areas of your unix file tree should never change. Things like
    /sbin or /bin should be exactly the same as they were when the
    OS was installed. It is logical to assume, therefore, that if
    anything in any of these directories changes, someone has likely
    rooted your box. If a "panicworthy" change is detected,
    panic_button goes into panic mode. During the panic phase,
    panic_button will log the cause of the panic, perform some
    reconnaissance, email a report to the administrator(s) and kill
    off all of its network interfaces.

    "Hey - doesn't that leave your machine dead in the water?"

    Yes, it does. But if someone managed to root your box on a
    Friday evening, would you rather have your server be unavailable
    for (potentially) the whole weekend, or would you rather let
    your cracker have unfettered access to your goodies all weekend?

    Personally, I'd rather field a few grumpy support calls than
    spend a week reconstructing a cracked server.

    Requirements
    
    Free Veracity is used to handle the actual integrity checking.
    It's a very impressive tool for integrity management. It's
    available at http://www.freeveracity.com

    Mail::Mailer for sending the mail, through an external SMTP
    server rather than ourselves: if this host is the SMTP server,
    the report may not actually get sent before the network
    interfaces get killed! (thanks to rhizomatic #perl folks for
    pointing this out to me - and for all their other ideas)

    Installation
    
    Once you have freeveracity set up, you'll need to take some
    snapshots of the directories you plan to monitor. See the
    freeveracity docs for details. You want to put all of your snaps
    in one directory.

    Set the variables in the configuration section to reflect your
    environment. These variables are:

    $these_should_never_change : a ref to a hash of 'critical'
    paths => snapfile prefixes

    $keep_an_eye_on_these : a ref to a hash of paths => snapfile
    prefixes to monitor, but not panic over

    @panic_report_recipients : who gets sent emails when we hit
    panic mode?

    @general_report_recipients : who gets sent emails about
    non-critical differences?

    $snapfiles_dir : where are your snap files?

    $reportfile : where should I write the log file?

    $killswitch : command(s) to run when we hit panic mode - after
    recon

    $smtp_server : where is your smtp server? DO NOT USE
    LOCALHOST! You want an external server

    $packetgrab : command(s) to run in order to capture packets for
    forensics during panic

    @other_recon_commands : other commands to run for whatever
    purpose during panic phase

    $nomail : set this to 1 if you want mail notification turned off
    - for debugging

    $nokill : set this to 1 if you don't want the killswitch to be run
    - for debugging

    Once you're configured and you've done a few test modifications,
    just add panic_button to your crontab and bob's yer uncle.
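    The following is an added example, not panic_button's own source:
    it fills in the configuration variables listed above with assumed
    values and then walks the panic sequence from the Synopsis (check
    critical paths, log, recon, mail, killswitch) in the order the
    page describes. Every path, hostname, address and interface name
    below is an assumption, and the exact Free Veracity compare
    command is not on this page, so check_path() wraps a placeholder
    that you replace with the invocation from the Free Veracity docs.

```perl
#!/usr/bin/perl
# Added example (not the panic_button source). All values are assumed.
use strict;
use warnings;
use Mail::Mailer;
use Sys::Hostname;

# --- configuration section (assumed values) ---
my $these_should_never_change = {   # critical: any difference => panic mode
    '/bin'  => 'bin',
    '/sbin' => 'sbin',
};
my $keep_an_eye_on_these = {        # monitored: difference => report only
    '/etc'  => 'etc',
};
my @panic_report_recipients   = ('oncall@ops.example.com');
my @general_report_recipients = ('sysadmin@ops.example.com');
my $snapfiles_dir = '/var/lib/panic_button/snaps';
my $reportfile    = '/var/log/panic_button.log';
my $killswitch    = '/sbin/ifconfig eth0 down';       # assumed interface name
my $smtp_server   = 'smtp.example.com';               # external host, never localhost
my $packetgrab    = 'tcpdump -i eth0 -c 500 -w /var/log/panic_button.pcap';
my @other_recon_commands = ('netstat -an', 'ps auxww', 'last -20');
my $nomail = 0;
my $nokill = 0;

# ASSUMPTION: the Free Veracity compare command is taken from its own
# docs. Replace the placeholder below; the sub must return the compare
# output, where an empty string means "no differences".
my $veracity_compare = 'echo veracity-compare-placeholder >/dev/null; echo -n';

sub check_path {
    my ($path, $snapfile) = @_;
    my $out = `$veracity_compare "$snapfile" "$path" 2>&1`;
    return defined $out ? $out : '';
}

sub log_line {
    my ($msg) = @_;
    open my $fh, '>>', $reportfile or die "cannot open $reportfile: $!";
    print $fh scalar(localtime), " $msg\n";
    close $fh;
}

sub send_report {
    my ($subject, $body, @to) = @_;
    return if $nomail;                  # $nomail: debugging switch from the config
    my $mailer = Mail::Mailer->new('smtp', Server => $smtp_server);
    $mailer->open({
        From    => 'panic_button@' . hostname(),
        To      => \@to,
        Subject => $subject,
    });
    print $mailer $body;
    $mailer->close;                     # hands the message to the external server
}

# Compare every configured path against its snapshot and sort the
# differences into the two tiers the config distinguishes.
my (@panic, @notice);
for my $path (sort keys %$these_should_never_change) {
    my $diff = check_path($path, "$snapfiles_dir/$these_should_never_change->{$path}");
    push @panic, "$path:\n$diff" if length $diff;
}
for my $path (sort keys %$keep_an_eye_on_these) {
    my $diff = check_path($path, "$snapfiles_dir/$keep_an_eye_on_these->{$path}");
    push @notice, "$path:\n$diff" if length $diff;
}

if (@notice) {
    log_line("non-critical differences detected");
    send_report('[panic_button] monitored paths changed',
                join("\n", @notice), @general_report_recipients);
}

if (@panic) {
    # 1. log the cause of the panic
    log_line("PANIC: critical path changed\n" . join("\n", @panic));
    # 2. recon while the interfaces are still up
    my $recon = "\$ $packetgrab\n" . `$packetgrab 2>&1`;
    $recon .= "\n\$ $_\n" . `$_ 2>&1` for @other_recon_commands;
    # 3. mail the report through the external SMTP server
    send_report('[panic_button] PANIC on ' . hostname(),
                join("\n", @panic) . "\n--- recon ---\n$recon",
                @panic_report_recipients);
    # 4. killswitch last, unless $nokill is set for debugging
    system($killswitch) unless $nokill;
}
```

    Run it from cron as root; set $nomail and $nokill to 1 while
    testing so a deliberate change to a monitored path exercises the
    logging and recon without taking the box off the network.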