Re: security script

 
SOLVED
Go to solution
Paula J Frazer-Campbell
Honored Contributor

security script

Hi to all.

I am looking at writing a script that will, on being run, FTP copies of system log files to another server, so that in the event of a security problem I can concentrate on fixing and bringing the attacked server back on line and then later do an offline investigation.

Well guys/gals what are your thoughts on this?

Is it feasible to set up a list of all the files that may show an intruder's footsteps?

And if so, which files do you include? Some are very obvious (wtmp, btmp, syslog etc.) but what are the less obvious ones?

Awaiting your ideas-
Paula
If you can spell SysAdmin then you is one - anon
CHRIS_ANORUO
Honored Contributor
Solution

Re: security script

You can use /var/adm/inetd.sec to restrict access to your system. It provides additional security.
Also check /var/adm/sulog.
When We Seek To Discover The Best In Others, We Somehow Bring Out The Best In Ourselves.
Ossie de Jongh
Advisor

Re: security script

Hi Paula,
Your problem will be as follows:
If someone gets into the system, he/she will always try to wipe their prints. So the level of access they get to your system will basically determine how well they can wipe their prints, the most damaging obviously being root.

Besides the few obvious ones like wtmp, btmp, etc. you should consider copying some of these files as well:
passwd
shell history commands
acct files
crontab - yes nice way to reinstate access
syslog
maillog
nettlogs

This list might vary a lot depending on the setup of your system.
Like: is accounting enabled?
Are you running a secure system?
etc.

Hope you find some of the info to be useful.
Paula J Frazer-Campbell
Honored Contributor

Re: security script

Hi and thanks to Chris and Ossie so far.
- points will be awarded.

The list so far is:-

1. wtmp
2. btmp
3. utmp
4. utmpx
5. syslog.log
6. passwd
7. groups
8. shell history
9. mail.log
10. netlogs
11. sulog
12. inetd.sec
13. crontab

Now the list is mainly log files; how about:

ll -R | grep "ATTACK_DATE" > attacked

and this file included in the routine?

If you can spell SysAdmin then you is one - anon
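Putting the list above and the "attack date" idea together as one collection script. This is an added example, not code from the thread; the file paths are assumed HP-UX defaults and the reference timestamp is a constructed placeholder, so check both on your own system.

```sh
#!/bin/sh
# Added example (not from the thread): stage the files listed above for
# off-host copy, with checksums and a "changed since the attack" listing.
# Paths are assumed HP-UX defaults; check them on your release.
EVIDENCE_FILES="/var/adm/wtmp /var/adm/btmp /etc/utmp /etc/utmpx
/var/adm/syslog/syslog.log /etc/passwd /etc/group /var/adm/sulog
/var/adm/inetd.sec /var/spool/cron/crontabs /var/mail /.sh_history"

# checksum_line FILE: sha256sum where present, else POSIX cksum (HP-UX).
checksum_line() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else cksum "$1"; fi
}

# collect_evidence STAGE SEARCH_ROOT REF_FILE FILE...
# Copies each existing FILE to STAGE/files<full path> with timestamps kept
# (cp -p), records checksums in STAGE/MANIFEST, and writes every file under
# SEARCH_ROOT modified after REF_FILE's mtime to STAGE/changed-since-ref.txt.
# This is the "ll -R | grep ATTACK_DATE" idea done with find -newer; note
# that mtime can be reset with touch, so treat the listing as a lead, not proof.
collect_evidence() {
    stage="$1"; root="$2"; ref="$3"; shift 3
    mkdir -p "$stage/files" || return 1
    : > "$stage/MANIFEST"
    for f in "$@"; do
        if [ ! -e "$f" ]; then echo "missing: $f" >> "$stage/MANIFEST"; continue; fi
        mkdir -p "$stage/files$(dirname "$f")"
        if cp -pR "$f" "$stage/files$f"; then
            if [ -f "$f" ]; then checksum_line "$f" >> "$stage/MANIFEST"; fi
        else
            echo "copy failed: $f" >> "$stage/MANIFEST"
        fi
    done
    find "$root" -xdev -type f -newer "$ref" > "$stage/changed-since-ref.txt" 2>/dev/null || true
}

# package_stage STAGE (absolute path): tar the staging directory and print
# the tarball's checksum; note it down off-host to verify the copy after FTP.
package_stage() {
    ( cd "$(dirname "$1")" && tar -cf "$1.tar" "$(basename "$1")" ) || return 1
    checksum_line "$1.tar"
}

# Typical use as root, with REF_FILE set to the suspected attack time
# (placeholder timestamp, CCYYMMDDhhmm):
#   touch -t 200204011200 /var/tmp/attack-ref
#   collect_evidence /var/tmp/evidence / /var/tmp/attack-ref $EVIDENCE_FILES
#   package_stage /var/tmp/evidence
```

Compare the printed tarball checksum with the one computed on the receiving server after the transfer; a mismatch means the copy, not the original, is the problem.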
Rick Garland
Honored Contributor

Re: security script

There is a SW app called Tripwire that will keep tabs on what has been modified. You can configure the files it is to watch and it can tell you if changes have occurred.

Can be obtained from the COAST security site.
Paula J Frazer-Campbell
Honored Contributor

Re: security script

Thanks Chris, Ossie and Nick,

Points have been awarded.

Best wishes
Paula
If you can spell SysAdmin then you is one - anon
Paulo Afonso Bruno
Occasional Advisor

Re: security script

Rick

Do you know what the internet address of this SW (Tripwire) is?

Thanks
Paulo
Paula J Frazer-Campbell
Honored Contributor

Re: security script

Hi
Address for tripwire is
http://www.tripwiresecurity.com/products/

If you can spell SysAdmin then you is one - anon
Paulo Afonso Bruno
Occasional Advisor

Re: security script

Thanks Paula