Operating System - HP-UX

HIDS custom template automation

 
TheJuiceman
Super Advisor

Hey gang,

How can I have a custom HIDS template that I would like to have start up on each of my clients whenever they are rebooted? I'd also like the cell server to start collecting information when it is rebooted. How can this be done? Also, is there a way to set up reporting without having to use the GUI interface? Thanks.
varap
Occasional Advisor

Re: HIDS custom template automation

Hi,

>> How can I have a custom HIDS template that I would like to have start up on each of my clients whenever they are rebooted?

Whenever HIDS is configured and run on a host, it sets IDS=1 in "/etc/rc.config.d/ids", which is checked during every reboot of the host; if the IDS value is set to 1, HIDS is started automatically with the configuration it was previously running.

>> I'd also like the cell server to start collecting information when it is rebooted. How can this be done?

I am not sure if I understood your requirement clearly, but I am trying to answer it here. If your requirement is to collect HIDS alerts from various clients on a HIDS admin server (cell server), then it is possible with the centralized logging mechanism HIDS supports. Please let me know if I haven't understood your requirement correctly.

>> Also, is there a way to set up reporting without having to use the GUI interface?

Are you referring to the generation of off-line reports from the HIDS alerts? If so, yes, it is possible to do it using "idsadmin", which is a command line interface. Please go through the HIDS v4.1 admin guide for more details. Indeed, the GUI interface doesn't currently support generating such reports; that may be possible in future releases.

If you are referring to reporting of (sometimes near) real time HIDS alerts, they are reported to the GUI interface or idsadmin (command line interface) and also logged into /var/opt/ids/alert.log.

Hope this helps.


Court Campbell
Honored Contributor

Re: HIDS custom template automation

I am not sure what you mean by custom template. You can choose to use the templates that are provided and customize them, but as for creating a new template that does something the defaults don't do -- good luck!

What you are calling the cell server only does collection from the hosts in two ways:

1. by running idsgui
2. by running idsadmin

Basically the host agents store the info locally and when one of the aforementioned commands is run the management server then pulls that info from the host. I can't say that I have been a fan of that.

To get reports you can set a cron job that runs the command as follows:

/opt/ids/bin/idsadmin -r --alert-severities critical,severe -a --report-type perhost --email-to email_addr@domain.com >/dev/null 2>&1

I usually just run the report every Monday morning. You could keep the idsgui open for continuous collection, but you would need to kill it when generating reports.

I think the biggest thing is just making sure to choose things to monitor that make sense for your environment. If you don't your logs will grow quickly. Also, I would suggest backing up your schedules, etc. before you edit them. The gui doesn't do any taint checking, and you may find that you edit a file, save it, and then the next time you run idsgui it starts spitting out errors about your schedule. In my particular instance I had two semicolons in an entry that borked the whole thing.

Anyway, good luck!
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
TheJuiceman
Super Advisor

Re: HIDS custom template automation

I guess my question is this...

- How can I enable my custom script to run on the client agents when either the client or the manager server is rebooted? I see where you can run something like "idsadmin --activate custom.txt -a host" to start up the script on the manager server for a particular host. How do you get this to start up at reboot? And what is the best way to have the HIDS manager look for rebooted boxes so this can be started again for that rebooted server?

- Is there a way to have alerts that HIDS detects go to an email address?

- Can all of this be administrated without the use of the GUI?

Thanks again for the help.
Court Campbell
Honored Contributor

Re: HIDS custom template automation

IDS should start at boot automatically. As mentioned before having

IDS=1

in /etc/rc.config.d/ids sets the ids agents to run at startup. To run custom scripts you need to place them under /opt/ids/response on the hosts. Any scripts in that directory will get run when an alert is triggered. You can read more about scripting in the HIDS manual at docs.hp.com.
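Putting the two replies together (IDS=1 in /etc/rc.config.d/ids for start-at-boot, a cron-driven idsadmin report, and response scripts under /opt/ids/response), here is a small POSIX sh audit script as an added example; it is not from the thread and not HP's own code. Assumptions: the rc.config.d file is plain KEY=value lines; the idsadmin flags are copied verbatim from Court Campbell's post and are not verified against the idsadmin man page; the 06:00 Monday cron time, the report log path, and the e-mail address are placeholders; whether HIDS skips response files without the execute bit is not stated on the page, so the script only lists them so you can check.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a client's HIDS
# start-at-boot setting and its response directory, and build the weekly
# report cron entry from the idsadmin command in the reply above.

# Return 0 if the given rc.config.d file enables HIDS at boot (IDS=1).
# Ignores comments and leading whitespace, accepts IDS=1 or IDS="1",
# and lets the last assignment win, as the rc scripts would when sourcing it.
ids_enabled_in() {
    file="$1"
    [ -r "$file" ] || return 2
    val=$(sed -n 's/^[[:space:]]*IDS=["]\{0,1\}\([0-9]*\)["]\{0,1\}.*/\1/p' "$file" | tail -n 1)
    [ "$val" = "1" ]
}

# List the regular, executable files in the response directory
# (default /opt/ids/response per the reply). Files without the execute bit
# are printed to stderr so a "response that never fires" is easy to spot.
response_scripts() {
    dir="${1:-/opt/ids/response}"
    [ -d "$dir" ] || return 2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ -x "$f" ]; then
            printf '%s\n' "$f"
        else
            printf 'not executable: %s\n' "$f" >&2
        fi
    done
    return 0
}

# The report command from the reply, with one change: stderr goes to a log
# file (assumed path, argument 2) instead of /dev/null so a failed report
# run does not vanish silently. The flags are as posted, not verified.
report_command() {
    printf '%s' "/opt/ids/bin/idsadmin -r --alert-severities critical,severe -a --report-type perhost --email-to $1 >>$2 2>&1"
}

# Crontab line for a Monday-morning run (06:00 is an assumed time).
weekly_report_cron_line() {
    printf '0 6 * * 1 %s\n' "$(report_command "$1" "$2")"
}

# Stand-alone usage: sh audit.sh audit ops@example.com
if [ "${1:-}" = "audit" ]; then
    if ids_enabled_in /etc/rc.config.d/ids; then
        echo "HIDS agent starts at boot (IDS=1)"
    else
        echo "HIDS agent will NOT start at boot"
    fi
    echo "response scripts:"
    response_scripts /opt/ids/response || echo "(no /opt/ids/response directory)"
    echo "suggested crontab entry for the manager:"
    weekly_report_cron_line "${2:-email_addr@domain.com}" /var/tmp/hids-report.log
fi
```

Run the `audit` form on each client after a reboot (or from the manager over a remote shell) to confirm IDS=1 survived whatever configuration management touched the box, and paste the printed crontab line into the manager's crontab in place of the hand-typed command.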