Operating System - HP-UX

Monitoring of the deletion of the files/directories on HP-UX

M. Ismail
Advisor

Hi *,

Is there any technique apart from 'auditing' to monitor the deletion of the files/directories on HP-UX

To enable 'auditing' we need to turn the system to trusted system, which is not possible on our servers due to some application related issues.

Regds,
Ismail.
No problem can stand the assault of sustained thinking.
SureshKumar_2
Valued Contributor
Solution

Re: Monitoring of the deletion of the files/directories on HP-UX

Hi Ismail

Move the binaries:
rm -> r (#mv /usr/bin/rm /usr/bin/r)
rmdir -> rd (#mv /usr/bin/rmdir /usr/bin/rd)

Create a log file for r and rd:
#mkdir /var/rmlog
#> /var/rmlog/rlog
#> /var/rmlog/rdlog

Then write the script rm, which calls r and also provides a logging facility. The outline:

#vi /usr/bin/rm
-------
#!/usr/bin/sh
# Wrapper installed in place of rm: record who ran it and when, then call the real binary (now /usr/bin/r)
whoami >> /var/rmlog/rlog
date >> /var/rmlog/rlog
echo "-----------" >> /var/rmlog/rlog
echo "attempt to rm $1" >> /var/rmlog/rlog
echo "-----------" >> /var/rmlog/rlog
/usr/bin/r "$1"
echo "-----------" >> /var/rmlog/rlog

Similarly you can make one for rmdir and implement it.

I implemented it like this 1 yr ago.

Hope this will meet your requirement.

suresh
Things are very easy, when u know about it...
KapilRaj
Honored Contributor

Re: Monitoring of the deletion of the files/directories on HP-UX

Though mv'ing a system executable is not a good idea, I would amend Suresh's script with rm $* instead of rm $1. The rm command can take multiple arguments.

Regds,

Kaps
Nothing is impossible
M. Ismail
Advisor

Re: Monitoring of the deletion of the files/directories on HP-UX

Hi Suresh,

That's an excellent idea. That's really genius.
"No problem can stand the assault of sustained thinking."

Dear Kapil,

Also thanks for your efforts.

Regds,
Ismail.
No problem can stand the assault of sustained thinking.
Scott J. Showalter
Frequent Advisor

Re: Monitoring of the deletion of the files/directories on HP-UX

As Kapil mentioned, moving a system executable could cause problems. One I can think of, is when you patch the system, it might replace your script with a new version of the executable.

Just food for thought.
In a world without fences, who needs Gates?
A. Clay Stephenson
Acclaimed Contributor

Re: Monitoring of the deletion of the files/directories on HP-UX

Making wrappers or aliases for rm and rmdir only appear to offer any real auditing. You completely miss the same actions when done by applications using system calls and through scripting languages like Perl or even via ftp. It would be trivially easy to mask removes with only this level of protection in place.
If it ain't broke, I can fix that.
Juergen Tappe
Valued Contributor

Re: Monitoring of the deletion of the files/directories on HP-UX

Rather than replacing the system files, I would recommend modifying /etc/PATH:
put in first place a directory containing all local tools, i.e. /usr/mycompany/bin.
Create a script called rm in /usr/mycompany/bin containing something similar to:

#!/usr/bin/ksh
LOG=            # path of the log file to append to (fill in)
# Record who (id), when, from which directory, and what was passed to rm
{
echo "$(id) $(date) $(pwd)"
echo "$*"
} >> "$LOG"
# Hand every argument, not just the first, to the real rm
/usr/bin/rm "$@"
Working together
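A fuller version of the PATH-based wrapper that Suresh and Juergen describe, added here as an example and not code from either post. The function names and the REAL_RM and RM_LOG variables are my own; it assumes the untouched binary is still /usr/bin/rm and that /var/rmlog/rlog exists and is writable by the users whose deletions you want recorded.

```sh
#!/usr/bin/sh
# Logging wrapper to be installed as "rm" in a directory listed first in
# /etc/PATH. Added example, not from the thread. Assumptions: the untouched
# binary is /usr/bin/rm and the log is /var/rmlog/rlog; both can be overridden.
REAL_RM="${REAL_RM:-/usr/bin/rm}"
RM_LOG="${RM_LOG:-/var/rmlog/rlog}"

# Append one audit line: timestamp, effective user, login name (survives su),
# controlling tty, working directory, then every argument quoted.
log_rm_call() {
    if tty -s 2>/dev/null; then t=$(tty); else t=none; fi
    printf '%s user=%s login=%s tty=%s pwd=%s args=' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$(id -un)" "${LOGNAME:-?}" "$t" "$(pwd)" \
        >> "$RM_LOG"
    for a in "$@"; do
        printf '"%s" ' "$a" >> "$RM_LOG"   # quoting keeps names with spaces readable
    done
    printf '\n' >> "$RM_LOG"
}

# Log, call the real rm with all arguments, then record the exit status so a
# refused or failed deletion can be told apart from a successful one.
run_rm() {
    log_rm_call "$@"
    "$REAL_RM" "$@"
    rc=$?
    printf '%s rc=%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$rc" >> "$RM_LOG"
    return "$rc"
}

# Only act as the wrapper when invoked under the name rm (the installed copy);
# sourcing the file for testing defines the functions without deleting anything.
case "$0" in
    rm|*/rm) run_rm "$@" ;;
esac
```

Like the scripts above, it records only deletions issued through the rm command; removals done by programs calling unlink() directly, by scripting languages, or over ftp never pass through it.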
Nicolas Dumeige
Esteemed Contributor

Re: Monitoring of the deletion of the files/directories on HP-UX

Hello,

Using mv takes time if the files are moved across FS.

Juergen's script does not have this problem as it just logs the deletion.

My 2 cents

Nicolas
All different, all Unix
Pierre Pasturel
Respected Contributor

Re: Monitoring of the deletion of the files/directories on HP-UX

Ismail -

Have you considered using HP-UX Host Intrusion Detection System (HIDS) which can monitor for file/directory deletions, in addition to creation and modification of files/directories (and other detection capabilities)? It uses a kernel auditing component to monitor all deletions of files via system calls, which avoids the pitfalls of the approaches presented by others which can be easily circumvented. You can run HIDS in standard (non-trusted) mode.

It is available on software.hp.com (product J5083AA). Our next release will contain significant performance improvements. However, the current version might suffice for you depending on your system profile and HIDS configuration.

Pierre
M. Ismail
Advisor

Re: Monitoring of the deletion of the files/directories on HP-UX

Hi Pierre,

Sorry for the late reply!

Thanks for the solution!

Your solution is perfect, it guarantees the security of the system without adulterating the nativity of HP-UX.

Following is the extract from the IDS release notes:
{
• As IDS/9000 continuously examines ongoing activity on a system, it seeks out
patterns that might suggest security breaches or misuses. The types of threats which
IDS/9000 counters include the following:

System Critical:  Unauthorized access
                  Privilege violations
                  Trojan horse
                  "Root" exploits
HP-UX OS:         Race condition
                  Buffer overflow
                  Password guessing
User security:    Failed logins
                  Failed SU attempts
                  User A modifying User B's file
Files:            Modification of critical system files and directories
                  Creation of world writable files
                  Creating setuid files
                  File additions and deletions
}

Regds,
Ismail.
No problem can stand the assault of sustained thinking.