https://community.hpe.com/t5/operating-system-hp-ux/security-script/m-p/2458697#M13331 Thanks Paula Tue, 31 Oct 2000 18:07:38 GMT Paulo Afonso Bruno 2000-10-31T18:07:38Z https://community.hpe.com/t5/operating-system-hp-ux/security-script/m-p/2458687#M13321 Hi to all.<BR /><BR />I am looking at writing a script that will on being run FTP copies of system log files to another server. So that in the event of a security problem I can concentrate on fixing and bring the attacked sever back on line and then later do an offline investigation.<BR /><BR />Well guys/gals what are your thoughts on this? <BR /><BR />Is it feasible to set up a list of all the files that may show an intruders footsteps? <BR /><BR />And if so which file do you include - some are very obvious (wtmp,btmp,syslog etc)but what are the less obvious?<BR /><BR />Awaiting your ideas- <BR />Paula<BR /> Fri, 27 Oct 2000 10:26:45 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-script/m-p/2458687#M13321 Paula J Frazer-Campbell 2000-10-27T10:26:45Z https://community.hpe.com/t5/operating-system-hp-ux/security-script/m-p/2458688#M13322 You can use /var/adm.inetd.sec to restrict access to your system. It provides additional security.<BR />Also check /var/adm/sulog. Fri, 27 Oct 2000 11:06:22 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-script/m-p/2458688#M13322 CHRIS_ANORUO 2000-10-27T11:06:22Z https://community.hpe.com/t5/operating-system-hp-ux/security-script/m-p/2458689#M13323 Hi Paula,<BR />Your problem will be as follows:<BR />If someone gets into the system, he/she will always try to wipe their prints. So depending on what level of access they get to you system will basically determine how well they can wipe their prints. Most damaging obviously being root.<BR /><BR />Besides they few obvious ones like wtmp,btmp,etc you should consider copieng some of these files as well:<BR />passwd<BR />shell history commands<BR />acct files<BR />crontab - yes nice way to reinstate access<BR />syslog<BR />maillog<BR />nettlogs<BR /><BR />This list might vary a lot depending on the setup of your system<BR />Like: is accounting enabled?<BR />are you running a secure system ?<BR />etc<BR /><BR />Hope you find some info to be usefull.<BR /> Fri, 27 Oct 2000 11:40:31 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-script/m-p/2458689#M13323 Ossie de Jongh 2000-10-27T11:40:31Z https://community.hpe.com/t5/operating-system-hp-ux/security-script/m-p/2458690#M13324 Hi and thanks to Chris and Ossie so far.<BR />- points will be awarded.<BR /><BR />The list so far is:-<BR /><BR />1. wtmp<BR />2. btmp<BR />3. utmp<BR />4. utmpx<BR />5. syslog.log<BR />6. passwd<BR />7. groups<BR />8. shell history<BR />9. mail.log<BR />10. netlogs<BR />11. sulog<BR />12. inetd.sec<BR />13. crontab<BR /><BR />Now the list is mainly log files, how about.<BR /><BR />ll ?R |grep ?ATTACK_DATE? &gt;attacked <BR /><BR />and this file included in the routine?<BR /><BR /> Fri, 27 Oct 2000 14:01:05 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-script/m-p/2458690#M13324 Paula J Frazer-Campbell 2000-10-27T14:01:05Z https://community.hpe.com/t5/operating-system-hp-ux/security-script/m-p/2458691#M13325 There is a SW app called Tripwire that will keep tabs on what has been modified. You can configure the files it is to watch and it can tell you if changes have occurred.<BR /><BR />Can be obtained from the COAST security site. Fri, 27 Oct 2000 14:18:51 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-script/m-p/2458691#M13325 Rick Garland 2000-10-27T14:18:51Z https://community.hpe.com/t5/operating-system-hp-ux/security-script/m-p/2458692#M13326 Thanks Chris Ossie and Nick,<BR /><BR />Points have been awarded.<BR /><BR />Best wishes <BR />Paula Tue, 31 Oct 2000 08:54:21 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-script/m-p/2458692#M13326 Paula J Frazer-Campbell 2000-10-31T08:54:21Z https://community.hpe.com/t5/operating-system-hp-ux/security-script/m-p/2458693#M13327 Rick <BR /><BR />do you know what is internet address this sw ( SW Tripwire ) ? <BR /><BR />thank?s <BR />Paulo Tue, 31 Oct 2000 17:51:21 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-script/m-p/2458693#M13327 Paulo Afonso Bruno 2000-10-31T17:51:21Z https://community.hpe.com/t5/operating-system-hp-ux/security-script/m-p/2458694#M13328 Rick <BR /><BR />do you know what is internet address this sw ( SW Tripwire ) ? <BR /><BR />thank?s <BR />Paulo Tue, 31 Oct 2000 17:51:38 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-script/m-p/2458694#M13328 Paulo Afonso Bruno 2000-10-31T17:51:38Z https://community.hpe.com/t5/operating-system-hp-ux/security-script/m-p/2458695#M13329 Rick <BR /><BR />do you know what is internet address this sw ( SW Tripwire ) ? <BR /><BR />thank?s <BR />Paulo Tue, 31 Oct 2000 17:52:06 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-script/m-p/2458695#M13329 Paulo Afonso Bruno 2000-10-31T17:52:06Z https://community.hpe.com/t5/operating-system-hp-ux/security-script/m-p/2458696#M13330 Hi<BR />Address for tripwire is<BR /><A href="http://www.tripwiresecurity.com/products/" target="_blank">http://www.tripwiresecurity.com/products/</A><BR /><BR /> Tue, 31 Oct 2000 17:55:25 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-script/m-p/2458696#M13330 Paula J Frazer-Campbell 2000-10-31T17:55:25Z https://community.hpe.com/t5/operating-system-hp-ux/security-script/m-p/2458697#M13331 Thanks Paula Tue, 31 Oct 2000 18:07:38 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-script/m-p/2458697#M13331 Paulo Afonso Bruno 2000-10-31T18:07:38Z