Operating System - HP-UX

IDS agent - does not email

Krishnan Viswanathan
Frequent Advisor

IDS agent - does not email

I have gotten certain shell scripts in the /opt/ids/response directory. None of them are executed by the agent! I have restarted the agent, admin console and also the scheduler. But I can't get the email alerts although the alerts are being sent to IDS admin

Any inputs ?

Thanks much
Krishnan
harry d brown jr
Honored Contributor

Re: IDS agent - does not email


Krishnan,

Can you execute these scripts manually in the /opt/ids/response directory, and do they work as expected? In other words, do the shell scripts work, and are the permissions correct? Remember to check the Owner and Group IDs, because if the IDS agent is not root, then it must belong to the group, or be the owner.

live free or die
harry
Live Free or Die
Krishnan Viswanathan
Frequent Advisor

Re: IDS agent - does not email

The permission on the script is ids:ids and is executable.
The agent runs as ids.

As regards the script, I am first testing with the sample script given in the IDS9000 manual. All it does is check if the alert severity is 1 and then it should email to the list. But I am not sure where or how the script gets the $1, $2, ... arguments from (within the IDS).

Thanks
Krishnan
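Added example, not from the thread or the IDS/9000 manual: a POSIX shell response script of the kind being discussed, which mails only when the alert severity is 1 and logs every invocation so you can tell whether the agent ran it at all. The argument order is an assumption (severity in $1, alert text in the remaining arguments), as are the environment variable names, the log file path and the use of mailx; confirm the real argument layout against the manual before installing it.

```shell
#!/usr/bin/sh
# Example IDS response script (added example, not the manual's sample).
# ASSUMPTION: the agent passes the alert severity as $1 and the alert
# text as the remaining arguments. Verify this against the IDS/9000 manual.

RECIPIENTS="${IDS_MAIL_TO:-root}"                         # assumed variable name
LOGFILE="${IDS_RESPONSE_LOG:-/var/adm/ids_response.log}"  # assumed path

# Return 0 when the severity warrants an e-mail, 1 otherwise.
severity_needs_mail() {
    case "$1" in
        1) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the message body from the severity and remaining arguments.
# Alert text is only ever passed as data (quoted), never re-evaluated
# by the shell, so text in an alert cannot become a command here.
build_message() {
    sev="$1"; shift
    printf 'IDS alert severity %s on %s\n\n%s\n' "$sev" "$(uname -n)" "$*"
}

# Entry point used by the agent: $1 = severity, rest = alert text.
# Every call is logged, so an empty log means the agent never ran us
# (check permissions and ownership, as suggested above).
send_alert() {
    if severity_needs_mail "$1"; then
        build_message "$@" | mailx -s "IDS alert severity $1" "$RECIPIENTS"
        printf '%s mailed severity %s to %s\n' "$(date)" "$1" "$RECIPIENTS" >> "$LOGFILE"
        return 0
    fi
    printf '%s ignored severity %s\n' "$(date)" "$1" >> "$LOGFILE"
    return 1
}

# Only act when invoked with arguments, i.e. when the agent calls us.
if [ $# -gt 0 ]; then
    send_alert "$@"
fi
```

Run it by hand first, as the ids user, e.g. `su ids -c "/opt/ids/response/ids_mail.sh 1 'test alert'"`; if the mail arrives and the log line appears, the script itself is fine and the problem is in how the agent invokes it.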
Rainer von Bongartz
Honored Contributor

Re: IDS agent - does not email

Krishnan,

here is a small C program that will do the work (mail to root if severity = 1)

compile it with cc ids_alertResponse.c -o ids_alertResponse.o

and copy it to /opt/ids/response
and give it the following permissions:

-r-x------ 1 ids ids 16384 Feb 22 21:20 ids_alertResponse

Regards
Rainer


He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
Krishnan Viswanathan
Frequent Advisor

Re: IDS agent - does not email

I have another question :

I have some users who login using their client interface etc. These logins are never reported in IDS (these users don't have shell access though). Does IDS capture these login data?
There is a regular entry in the passwd files for these users except that they have shell access turned off.

Also I was "ssh"-ing into my server and IDS never reported my login. Why is this so?

On the regular OS level, are these logins captured ? (/etc/btmp file ?)

Thanks
Krishnan
Steven Sim Kok Leong
Honored Contributor

Re: IDS agent - does not email

Hi,

For SSH (at least for SSH Communications SSH2), it reports to syslog. Thus you should see both unsuccessful and successful SSH logins in /var/syslog/syslog.log.

Hope this helps. Regards.

Steven Sim Kok Leong
Steven Sim Kok Leong
Honored Contributor

Re: IDS agent - does not email

Hi,

For SSH (at least for SSH Communications SSH2), it reports to syslog. Thus you should see both unsuccessful and successful SSH logins in /var/adm/syslog/syslog.log.

Hope this helps. Regards.

Steven Sim Kok Leong
Steve Bonds
Trusted Contributor
Solution

Re: IDS agent - does not email

SSH does not use the login() function unless specifically configured to do so. This means that many security features called from login() are either bypassed or prevent login.

Enabling login() breaks X11 forwarding, which is why it is not the default. login() will never be used if the user specifies a command to run, so don't rely on this setting for security. See the sshd(8) man page for more information.

SSH is usually configured to use the AUTH facility in syslog which can be sent to a file with more restrictive permissions than the normal system log. (Since on high logging levels the ssh logs can contain sensitive login data.)

The HP-UX default is to send AUTH to the same log as everything else.
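Added example, not from any post in this thread: since ssh logins land in syslog rather than going through login(), a defender who wants to see them has to read them out of syslog.log. The shell/awk filter below pulls accepted and failed ssh logins out of syslog lines and counts failures per source address. The sample lines are constructed, and their wording is assumed to be OpenSSH-style ("Accepted ... for USER from ADDR"); the SSH2 daemon Steven mentions may phrase its messages differently, so adjust the pattern to what your syslog actually contains.

```shell
#!/usr/bin/sh
# Constructed sample syslog lines (not from a real host); message wording
# is assumed OpenSSH-style and may differ for SSH Communications SSH2.
SAMPLE_LOG='Feb 22 21:20:01 hpux1 sshd[1234]: Accepted publickey for krishnan from 10.0.0.5 port 51234 ssh2
Feb 22 21:21:07 hpux1 sshd[1240]: Failed password for invalid user admin from 10.0.0.9 port 4040 ssh2
Feb 22 21:21:09 hpux1 sshd[1240]: Failed password for invalid user admin from 10.0.0.9 port 4040 ssh2
Feb 22 21:25:44 hpux1 sshd[1260]: Accepted password for ids from 10.0.0.7 port 3322 ssh2
Feb 22 21:26:00 hpux1 syslogd: restart'

# Read syslog lines on stdin; print "<result> <user> <source>" for each
# sshd login event. Fields: $5 is "sshd[pid]:", $6 is Accepted/Failed.
ssh_login_events() {
    awk '/sshd\[[0-9]+\]: (Accepted|Failed) /{
        result = $6; user = ""; src = "";
        for (i = 7; i <= NF; i++) {
            if ($i == "for") {
                user = $(i+1);
                # "for invalid user NAME": the name is three fields on
                if (user == "invalid") user = $(i+3);
            }
            if ($i == "from") src = $(i+1);
        }
        print result, user, src
    }'
}

# Count failed attempts per source address (stdin = syslog lines).
# Repeated failures from one address are what you would want IDS to flag.
failed_by_source() {
    ssh_login_events | awk '$1 == "Failed" { c[$3]++ } END { for (s in c) print s, c[s] }' | sort
}

# Stand-alone demo over the constructed sample. On a real host you would
# feed it /var/adm/syslog/syslog.log (or the separate auth log, if you
# route the AUTH facility to a file with tighter permissions as suggested).
if [ $# -gt 0 ] && [ "$1" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | ssh_login_events
    printf '%s\n' "$SAMPLE_LOG" | failed_by_source
fi
```

Run `sh thisfile.sh demo` to see the four login events and the per-source failure count; feeding the real log through the same functions is just a matter of replacing the printf with a `cat` of syslog.log.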