
Re: Monitor file deletion without turning on auditing

 
Rudy Smith_2
Occasional Advisor

Monitor file deletion without turning on auditing

Hi folks,

I am trying to find a reliable and secure means to monitor application file removal by system users without turning on accounting on the server.

I can easily monitor this in the $HOME/.sh_history file but knowledgeable users can easily manipulate this information. So far I have added the following to the $HOME/.profile of my test user:

HISTFILE=/var/adm/crash/history/.sh_history.$LOGNAME
readonly HISTFILE
export HISTFILE
print -s "LOGIN - `date '+%m-%d-%E-%H:%M'`"
HISTSIZE=1000
export HISTSIZE

This provides me limited control but understanding that the .sh_history file is not intended for this I would like to pursue alternatives. Any suggestions would be greatly appreciated.
Tim Nelson
Honored Contributor

Re: Monitor file deletion without turning on auditing

You can look at HP HIDS.

Although way overkill as intrusion detection, you may kill two birds with one stone.

1) An intrusion detection implementation.
2) You can define your application files as files to monitor in HIDS. An alert will be sent based on the rules.

Not saying this will work but may be worth looking into.


Another secret :) trick. mv the "rm" command and replace it with your script.
e.g.

#!/usr/bin/ksh
# My rm script. Actual rm is rm.real.
# Log who ran rm and with what arguments. The log path is absolute so the
# entry does not land in whatever directory the user happens to be in.
echo "$LOGNAME executing rm $*" >> /var/adm/my_security.log
# Pass the arguments through unchanged ("$@" keeps names with spaces intact).
exec /usr/bin/rm.real "$@"


You will have to remove and put your script back whenever you apply patches to rm.


Steven Schweda
Honored Contributor

Re: Monitor file deletion without turning on auditing

And I'm trying to drive my car without buying
fuel. I'd also like to build a new garage
without using any tools.

Isn't the accounting system designed to do
exactly what you say you want to do? As you
observe, these history-file schemes are not
reliable.

> [...] mv the "rm" command and replace it
> with your script.

And no one will figure out how to evade that
one, either. Right. Especially users who
have permission to remove these files about
which you care so much.

Lacking any explanation for why you "would
like to pursue alternatives", my suggestion
would be to use the superior method, to which
you're seeking alternatives.
Rudy Smith_2
Occasional Advisor

Re: Monitor file deletion without turning on auditing

Steven, the accounting system is far from superior for my needs. It's difficult to comprehend and logs much more information than I currently need. Also, mapping a 'rm' command to something useful in the logs is ridiculous. I wouldn't be asking this question if the accounting system was actually useful for something so simple. Maybe you can point me to a comprehensive guide that will show me how to obtain the information that I am looking for in the accounting system. I have spent much time trying various syscalls etc. to no avail.
Steven Schweda
Honored Contributor

Re: Monitor file deletion without turning on auditing

> Aug 1, 2008 21:19:49 GMT 0 pts

You apparently aren't interested in my help,
but have you looked at "man 5 audit"?
"delete" seems to be one of the "Event
Categories" described there.

On a VMS system, it's possible to add an
audit ACE to an object's ACL, so this sort of
tracking is pretty easy there, on specific
files or whole classes of objects. Perhaps
it's all much more complicated on HP-UX.
Anshumali
Esteemed Contributor

Re: Monitor file deletion without turning on auditing

HP HIDS, with an agent installed on the client, is a robust tool to achieve your objective and it's available without charge. It's a centrally managed solution.

I have never used it but I hope you can have a look at Tripwire, part of Internet Express....
Dreams are not which you see while sleeping, Dreams are which doesn't allow you to sleep while you are chasing for them!!
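The HIDS and Tripwire suggestions above both work by comparing the file system against a recorded baseline rather than hooking rm. As an added example (not from this thread or from either product), here is a minimal POSIX sh version of that idea: it records every regular file under an application directory with its inode, and a later run reports entries that have vanished. Directory names, the baseline path and the use of mktemp are assumptions.

```shell
#!/bin/sh
# Added example, not from this thread: a minimal file-integrity baseline in
# the spirit of the Tripwire/HIDS approach. A baseline run records each
# regular file under a directory as "path<TAB>inode"; a later check run
# reports baseline entries that no longer exist with that path and inode.
# The application directory and baseline file names are assumptions.

# Print every regular file under directory $1 as "path<TAB>inode", sorted
# by path in the C locale so the output is stable input for comm(1).
# The inner sh loop handles file names containing spaces.
snapshot() {
    find "$1" -type f -exec sh -c '
        for f; do
            set -- $(ls -di "$f")
            printf "%s\t%s\n" "$f" "$1"
        done' sh {} + | LC_ALL=C sort
}

# Record the baseline for directory $1 into baseline file $2.
take_baseline() {
    snapshot "$1" > "$2"
}

# Compare directory $1 against baseline file $2. Prints one path per line
# for each baseline entry that no longer matches (deleted, or deleted and
# recreated with a new inode) and returns 1 if any were found, so a cron
# job can alert on the exit status. Returns 0 when nothing is missing.
report_deleted() {
    current=$(mktemp) || return 2        # mktemp assumed available
    snapshot "$1" > "$current"
    missing=$(LC_ALL=C comm -23 "$2" "$current" | cut -f1)
    rm -f "$current"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Usage (paths are assumptions):
#   take_baseline /opt/app/data /var/adm/app.baseline     # once, as root
#   report_deleted /opt/app/data /var/adm/app.baseline    # from cron
```

Keep the baseline somewhere the application users cannot write, otherwise it is no stronger than the history-file scheme. Two caveats: a freed inode number can be reused by the next file created, so a delete-and-recreate is not always caught this way (real integrity tools also store a content hash), and a periodic comparison only tells you that a file went missing between two runs, not who removed it; the audit subsystem is still the only source for the acting user.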
Srimalik
Valued Contributor

Re: Monitor file deletion without turning on auditing

Using your customised rm program/command instead of the standard one seems to be a good idea if you don't want to use HIDS or any kind of auditing.
abandon all hope, ye who enter here..
Rudy Smith_2
Occasional Advisor

Re: Monitor file deletion without turning on auditing

Stephen, thanks for your input. I'm going to look into the auditing subsystem and the usage of audisp a little further. Maybe I can reduce the amount of logged events to keep my logfiles at a manageable level.

Anshumali, thanks for the suggestions. I will review those options.

Rudy Smith
Rudy Smith_2
Occasional Advisor

Re: Monitor file deletion without turning on auditing

Stephen, I've been playing with the create and delete events in the auditing configuration and they do not capture file creation and deletion. I've verified this via 'audisp -u username -e delete'.

You suggested that this works. Can you please provide me the specifics about the configuration that you used to get this to work?
Rudy Smith_2
Occasional Advisor

Re: Monitor file deletion without turning on auditing

Can no one help? I've been testing all day. Am I the only person that considers the HP-UX auditing to be useless for my purpose? I've done a variety of commands with a variety of different auditing events enabled but I have yet to get any useful detail from audisp. I mkdir and rmdir but get no directory name. I now see 'close' when I create and rm a file. Is this as granular as the auditing gets?

Please help