
IDS/9000 tweaking

Terrence

One of the default actions of IDS/9000 is to watch /var/adm/wtmp for modifications. It is supposed to be append-only. However, fairly frequently it reports that the file is opened by user 0 for modification/truncation.

Yet I know that no one is logging on to that server. Does anyone know of any other action that might modify wtmp?
Pierre Pasturel

Re: IDS/9000 tweaking

I just want to verify that the alert itself is saying "UNKNOWN" program, yes? If so, try the following in this order:

1) Try running "ps -ef |grep " where is the process ID in the alert. Hopefully the process is persistent.

2) With the schedule you are running in /var/opt/ids/schedule, reboot the system, at which time the agent will automatically restart with that schedule and hopefully you will see the alert again, this time with the name of the program doing the modification.

The reason why the agent is displaying "UNKNOWN" for the program is because the schedule was started AFTER the program was exec-ed, so the agent can't map the pid to the program executable. This is a problem we hope to resolve in a future release.

Pierre