HPE Community
Operating System - HP-UX
1831651 Members
2049 Online
110029 Solutions
New Discussion

Custom HIDS Schedule Not Working As Intended

 
ES UNIX Team
Advisor

‎02-16-2009 08:13 AM

‎02-16-2009 08:13 AM

Custom HIDS Schedule Not Working As Intended

Thanks for having a look at the thread. Responses and inputs are appreciated, as well as rewarded with points.

Currently, we are working on a custom HIDS schedule to monitor changes to two specific file types on one of our systems. Below is the schedule policy being used:

SCHEDULE Our_Policy
GLOBALS
ENDGLOBALS
GROUPPERIOD
NAME Our_Policy
GMT 0
STARTTIME 0:00:0
ENDTIME 23:59:6
GROUP Our_Policy
TEMPLATE read_only
pathnames_to_watch | ^/psoft/tun89tst/sqr/$ | ^/psoft/tun89dev/sqr/$ | ^/psoft/tun89dev/sqr/*\.sqr | ^/psoft/tun89dev/sqr/*\.sqc | ^/psoft/tun89tst/sqr/*\.sqr | ^/psoft/tun89tst/sqr/*\.sqc | ^/psoft/tun89dev/sqr/*\.sqr$ | ^/psoft/tun89dev/sqr/*\.sqc$ | ^/psoft/tun89tst/sqr/*\.sqr$ | ^/psoft/tun89tst/sqr/*\.sqc$
ENDTEMPLATE
ENDGROUP
ENDGROUPPERIOD
ENDSCHEDULE

We intentionally stripped down the schedule to rule out what may or may not have been contributing to the issue. Additionally, we went over the top with attempting to have HIDS monitor the .sqc and .sqr files. In the past, we have tried combinations, etc. but went all out to try and capture the events.

After any changes to the schedule file, we are restarting the idsagent process to force the new schedule. As of now, we are not capturing the changes to the files in the /var/opt/ids/alert.log.

What are we missing or doing wrong? Thanks in advance for the assistance!
0 Kudos
Reply
4 REPLIES 4
Avinash20
Honored Contributor

‎02-16-2009 08:16 AM

‎02-16-2009 08:16 AM

Re: Custom HIDS Schedule Not Working As Intended

Did you go via trobleshooting steps
http://docs.hp.com/en/5991-1162/apgs02.html
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
0 Kudos
Reply
ES UNIX Team
Advisor

‎02-16-2009 08:21 AM

‎02-16-2009 08:21 AM

Re: Custom HIDS Schedule Not Working As Intended

Although the communications between the management server and the system in question have been verified, the changes to the schedule are being made locally. Additionally, there is nothing in place to refresh the schedule on the test system. Hence we know that it is our test schedule that is being utilized after the idsagent restart.
0 Kudos
Reply
ES UNIX Team
Advisor

‎02-16-2009 10:12 AM

‎02-16-2009 10:12 AM

Re: Custom HIDS Schedule Not Working As Intended

One other minor point - the canned HP-UX policies work just fine. For instance ^/etc/passwd$ in the template reports as modified with folks running the 'vipw' command, and all of the user* commands. Hence we know that HIDs is configured correctly and functioning prior to our testing of the custom targets in the schedule.
0 Kudos
Reply
Pierre Pasturel
Respected Contributor

‎02-17-2009 11:39 AM

‎02-17-2009 11:39 AM

Re: Custom HIDS Schedule Not Working As Intended

I believe your regular expressions are not matching the pathnames of the files you want monitored. For example, you have "/*" in several places that will match 0 or more forward slashes. You probably meant to use "/.*" instead to match 0 or more characters after the forward slash. Also, to monitor any file in a directory, you should not use the $ delimiter. So, entries should be as follows:

^/psoft/tun89dev/sqr/.*\.sqr (insert extra dot before *)
^/psoft/tun89tst/sqr/ (remove $ to match any file under dir)

See http://docs.hp.com/en/5992-5843/apas02.html for examples as well as the regexp(5) man page.

Pierre
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.