Operating System - HP-UX
Re: Monitoring of system critical files

 
SOLVED
ShivKumar_1
Frequent Advisor

Monitoring of system critical files

Hi Experts
I have a question for you regarding the monitoring of critical or system application files located in the following directories like

/usr/bin
/etc

My aim is to monitor the files located under these directories and look if any one of the users have changed any of the files. If so, list the files and the user name. I know about the 3rd party software tool called Tripwire or COPS to monitor it, but my client wants it to be done through a shell script.
I had an idea to do a long listing and then look for the time stamps on the files. Any ideas or suggestions?

Thanks in advance
Shiv
Barry O Flanagan
Respected Contributor

Re: Monitoring of system critical files

Here's my 2 cents:

Doing a check on the timestamps won't be enough because they can always be changed with touch. The best way to do it, that I can think of, would be to calculate some sort of checksum based on the files in the directory at a certain point in time. I guess the checksum could be based on some sort of combination of all the file sizes in that directory or something like that (that's how a couple of virus scanners work). But that's a pretty simplistic view of checksums.
A. Clay Stephenson
Acclaimed Contributor

Re: Monitoring of system critical files

I have the kernel of a really whacky way to do this plus be able to determine what was actually changed. Using OnlineJFS make snapof mounts of the filesystems in question, then compare the files in question with cksum or sum to determine if any changes have occurred. You can then look at the changed files with diff or other tools if it is a binary file. You would have to periodically umount the snapshots and mount again to prevent the snapshot buffers from filling up.
My 2 cents...
If it ain't broke, I can fix that.
ShivKumar_1
Frequent Advisor

Re: Monitoring of system critical files

Hi
Thanks for your response. Can you please tell me the syntax of a checksum with respect to a file?

Thanks in advance
A. Clay Stephenson
Acclaimed Contributor

Re: Monitoring of system critical files

sum is considered obsolete so I will just give you the syntax for cksum.
Simply cksum file1 [file2 file3 ...]
man cksum for more details.
If it ain't broke, I can fix that.
ShivKumar_1
Frequent Advisor

Re: Monitoring of system critical files

Thanks for the response. Now say I have a user called "TERRY" with login name "trry". He goes and does a vi to the /etc/passwd or modifies some files in the /usr/sbin or /usr/bin directory. Will I as ROOT be able to see who has done it? Will viewing the user's history file work?


Thanks
Shiv


A. Clay Stephenson
Acclaimed Contributor

Re: Monitoring of system critical files

Viewing the .history files will only work if TERRY is not very smart. He can always modify the .history files. You should now begin to see why this is a very tricky project.
If it ain't broke, I can fix that.
Patrick Wallek
Honored Contributor

Re: Monitoring of system critical files

Other than looking at a user's history file, you can't necessarily tell who modifies a file. System files can only be modified by root by default.

To monitor things like this, you should look into RCS (Revision Control System). This allows you to set up certain files so that they have to be checked out before they are modified and then checked back in after they are modified. RCS is available from the HP-UX porting center and doesn't cost anything. http://hpux.cs.utah.edu/hppd/hpux/Users/rcs-5.7/

There is also a WebRCS available so that you can do stuff via a web browser. I'll see if I can find the link for it.
f. halili
Trusted Contributor
Solution

Re: Monitoring of system critical files

by default your users should not have write access to your system files. if you need to monitor some files that have write permission to some users you may use cksum.
ex:

$ cksum file | cut -f1 -d" "
4294967295

You may take note of this value and if this changes you may use sendmail to give you an email to notify you.

-fnhalili
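The cksum baseline-and-compare approach the replies describe, written out as an added example that is not from the thread, from HP or from any poster; the baseline location and the directories are assumptions. As the thread already notes, a checksum list only tells you that a file changed, not who changed it, so keep the baseline somewhere the monitored users cannot write (off-host or read-only media).

```shell
#!/bin/sh
# Added example, not from the thread: baseline-and-compare with cksum.
# cksum, find and awk are real HP-UX/POSIX tools; paths are assumptions.

# make_baseline BASEFILE DIR...  writes one "crc size path" line per regular
# file found under DIR..., sorted by path so later comparisons are stable.
make_baseline() {
    out=$1; shift
    find "$@" -type f -print | sort | while read -r f; do
        cksum "$f"
    done > "$out"
}

# check_baseline BASEFILE DIR...  rescans DIR..., prints one line per
# difference (CHANGED, ADDED or REMOVED, then the path) and returns 1 if
# anything differs, 0 if the tree still matches the baseline.
# The first two fields (crc, size) are the fingerprint; the rest of the
# line is the path, so paths containing spaces are handled.
check_baseline() {
    base=$1; shift
    tmp=${TMPDIR:-/tmp}/fim.$$
    make_baseline "$tmp" "$@"
    report=$(awk '
        { crc = $1 " " $2; sub(/^[^ ]+ [^ ]+ /, ""); p = $0 }
        NR == FNR       { seen[p] = crc; next }   # first file: the baseline
        !(p in seen)    { print "ADDED " p; next }
        seen[p] != crc  { print "CHANGED " p }
        { delete seen[p] }                        # anything left was removed
        END { for (p in seen) print "REMOVED " p }
    ' "$base" "$tmp")
    rm -f "$tmp"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Typical use from cron (assumed paths): build the baseline once from a
# trusted state, keep it where the monitored users cannot write, then mail
# the report only when something differs.
#   make_baseline /var/fim/baseline /usr/bin /etc
#   report=$(check_baseline /var/fim/baseline /usr/bin /etc) ||
#       printf '%s\n' "$report" | mailx -s "FIM: files changed" root
```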
Patrick Wallek
Honored Contributor

Re: Monitoring of system critical files

I haven't been able to find the link to Web/RCS that I was looking for. There is an article about integrating it with Oracle at the Sys Admin Magazine web site. It may not be exactly what you want, but it may help.
http://www.sysadminmag.com/articles/2000/0002/0002a/0002a.htm

The original Web/RCS article was published in the Dec. 1998 edition of Sys Admin, but that edition is not completely online. If you want to download the source code, go to this link http://www.sysadminmag.com/code/ and then look for the 1998 table and click on December. It will download a tar.gz file that should have the source code.

Here are another couple of links to RCS and another RCS-like product called CVS.

http://www.gnu.org/directory/rcs.html

http://www.gnu.org/directory/cvs.html
ALEX FLEMINGTON
New Member

Re: Monitoring of system critical files

The use of check sums is inadequate in terms of security checking system critical files.
Checksums can be altered.
To check for file changes cryptography algorithms are required. RSA jointly developed the md5 cryptography routine to produce a unique 129-bit fingerprint of a file which to date has not been cracked. md5 can be downloaded from Sun and a number of other sites.
It would be nice if HP could develop a security product to check the system critical files. Tools are out there such as Tivoli Policy Director and Symantec ESM however they are expensive.
take the day off and go paragliding
Bernie Vande Griend
Respected Contributor

Re: Monitoring of system critical files

Actually HP does: HP Praesidium IDS (intrusion detection system)
I have not messed around with this enough, but I know it does have checksum checking ability and it is free with HP-UX 11i. (not sure about the other versions) I'd take a look at that if you can. We are installing it on our 11i systems by default but haven't used it much yet.
Ye who thinks he has a lot to say, probably shouldn't.