topic Re: Tracking changes to the OS in Operating System - HP-UX

Tracking changes to the OS

Evans Kelley — Thu, 19 Sep 2002 15:51:42 GMT

Hello all,

We are running HP-UX 10.20/11.00 and would like to know if there is a way to monitor or log when changes are made to the system OS. One example is say like; a script that checks and sees if there are any changes to file, permissions and directories sizes. If so a message (email) is sent out saying no ignite needed. Another Example; if someone logins in and changes permissions to a file or directory (that they have access to) is there a way that we as admin can quickly tell who and what was changed?

Thanks in advance,
Evans

Re: Tracking changes to the OS

Pete Randall — Thu, 19 Sep 2002 15:55:09 GMT

You need to look into check_recovery, I think.

man check_recovery

Pete

Re: Tracking changes to the OS

Shannon Petry — Thu, 19 Sep 2002 16:08:31 GMT

HP has a product called IDS/9000, which does what ou want. There are also some freeware products like "Bigbrother" , SNORT, and more.

The HP tools are nicest of course as they plug into the OS flawlessly, and have lots of flexibility.

I have found most freeware products to be just as flexible, if not more, but much more difficult to configure.

regards,
Shannon

ps. search on the internet for "unix intrusion detection" for more tools

Re: Tracking changes to the OS

Anil C. Sedha — Thu, 19 Sep 2002 16:11:47 GMT

Evans,

For your first point, i agree with pete that you run check_recovery as it will compare your system with the status of the last make_recovery command.

Also for your second question, i would suggest you to create a script that would search the /var/adm/syslog/syslog.log file to find messages based on "chown", "chmod", "rm" etc, whatever you are looking for. You can take the output to another file and find if there was any critical work done.

If you like the answers, don't forget to assign points.

Regards,
Anil

Re: Tracking changes to the OS

James R. Ferguson — Thu, 19 Sep 2002 16:18:40 GMT

Hi Evans:

As I recall, it was rumored (announced?) that it is quite probable that the 'check_recovery' function in Ignite will be obsolesced.

Regards!

...JRF...

Re: Tracking changes to the OS

Jeff Schussele — Thu, 19 Sep 2002 16:25:49 GMT

Hi Evans,

HP has a support product for their BCS & CSS support level customers called HAO - High Availability Observatory - which can track changes in the OS & report to either HP, the customer or both.

Note: HAO will be migrated to ISEE Advanced - Instant Support Enterprise Edition - in 2003.

But if you have that level of support it's worth looking at as it's a free product/service.

Rgds,
Jeff

Re: Tracking changes to the OS

Evans Kelley — Thu, 19 Sep 2002 19:14:59 GMT

All,

Thanks again everyone for you quick reply???s. After discussing this with my boss in which he could swear that there is a make_recovery (ignite) type of command which is what we are looking for, (monitor or logging of changes to all file system on /). Anyone heard of this and if they have what the commands do.
Thanks again for the above responses.
Evans

Re: Tracking changes to the OS

Rodney Hills — Thu, 19 Sep 2002 19:18:33 GMT

Monitoring of changes to files in a real time mode requires you configure your system as a "trusted system".

A "trusted system" has other implications that you should consider (like not able to use NIS/LDAP). Information in /etc/passwd moved to other locations.

HTH

-- Rod Hills

Re: Tracking changes to the OS

James R. Ferguson — Thu, 19 Sep 2002 19:49:10 GMT

Hi Evans:

Another product you might look at is 'tripwire':

"Tripwire for Servers automatically verifies data and file integrity against a known good source file in the Tripwire database and quickly notifies you of changes."

http://www.tripwire.com/products/servers/

Regards!

...JRF...

Re: Tracking changes to the OS

Shannon Petry — Thu, 19 Sep 2002 19:54:03 GMT

Well, if it's for intrusion detection I would not recommend the make_recovery. It is very easy for a hacker to omit his entries from syslog, and try to hide his tracks. It is also easy for coders to fill binaries with nuthing to get them the same size as the original before yours are spoofed. a simple touch newbinary and make recovery does not know..

Intrusion detection may be overkill, but if your worried about it make_recovery is not even close to the product you need. It does not email/page you if things change, and while you could script it, some files are meant to be changed, so you will be plagued with false alarms till you make an omit list.

Regards,
Shannon

Re: Tracking changes to the OS

Jeff Schussele — Thu, 19 Sep 2002 20:02:28 GMT

Hi (again) Evans,

The check_recovery command IS a part of the Ignite make_recovery process.

If you use the -C option of make_recovery it will make a sort of DB of the Core OS file in /var/opt/ignite/recovery/makrec.last file.
Note this file must exist before the make_recovery is run.
You can also specify "other" files in a /var/opt/ignite/recovery/makrec.append file if you want to include any non-core OS files

BUT NOTE that this functionality is going to be phased out down the road & I'm not sure if this functionality is even included in the newer make_tape_recovery command.

Rgds,
Jeff

Re: Tracking changes to the OS

Evans Kelley — Thu, 19 Sep 2002 20:43:57 GMT

Thanks again everyone for your input and suggestions.