Operating System - HP-UX

Re: Tracking changes to the OS

Evans Kelley
Occasional Advisor

Tracking changes to the OS

Hello all,

We are running HP-UX 10.20/11.00 and would like to know if there is a way to monitor or log when changes are made to the system OS. One example: a script that checks and sees if there are any changes to files, permissions and directory sizes. If so, a message (email) is sent out saying no ignite needed. Another example: if someone logs in and changes permissions on a file or directory (that they have access to), is there a way that we as admins can quickly tell who and what was changed?

Thanks in advance,
Evans
Pete Randall
Outstanding Contributor

Re: Tracking changes to the OS

You need to look into check_recovery, I think.

man check_recovery


Pete
Shannon Petry
Honored Contributor

Re: Tracking changes to the OS

HP has a product called IDS/9000, which does what you want. There are also some freeware products like "Bigbrother", SNORT, and more.

The HP tools are nicest of course as they plug into the OS flawlessly, and have lots of flexibility.

I have found most freeware products to be just as flexible, if not more, but much more difficult to configure.

regards,
Shannon

ps. search on the internet for "unix intrusion detection" for more tools
Microsoft. When do you want a virus today?
Anil C. Sedha
Trusted Contributor

Re: Tracking changes to the OS

Evans,

For your first point, I agree with Pete that you run check_recovery, as it will compare your system with the status of the last make_recovery command.

Also, for your second question, I would suggest you create a script that would search the /var/adm/syslog/syslog.log file to find messages based on "chown", "chmod", "rm" etc., whatever you are looking for. You can take the output to another file and find if there was any critical work done.

If you like the answers, don't forget to assign points.

Regards,
Anil
If you need to learn, now is the best opportunity
James R. Ferguson
Acclaimed Contributor

Re: Tracking changes to the OS

Hi Evans:

As I recall, it was rumored (announced?) that it is quite probable that the 'check_recovery' function in Ignite will be obsolesced.

Regards!

...JRF...
Jeff Schussele
Honored Contributor

Re: Tracking changes to the OS

Hi Evans,

HP has a support product for their BCS & CSS support level customers called HAO - High Availability Observatory - which can track changes in the OS & report to either HP, the customer or both.

Note: HAO will be migrated to ISEE Advanced - Instant Support Enterprise Edition - in 2003.

But if you have that level of support it's worth looking at as it's a free product/service.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Evans Kelley
Occasional Advisor

Re: Tracking changes to the OS

All,

Thanks again everyone for your quick replies. After discussing this with my boss, he could swear that there is a make_recovery (ignite) type of command which is what we are looking for (monitoring or logging of changes to all file systems on /). Has anyone heard of this, and if so, what do the commands do?
Thanks again for the above responses.
Evans
Rodney Hills
Honored Contributor
Solution

Re: Tracking changes to the OS

Monitoring of changes to files in real-time mode requires you to configure your system as a "trusted system".

A "trusted system" has other implications that you should consider (like not being able to use NIS/LDAP). Information in /etc/passwd is moved to other locations.

HTH

-- Rod Hills
There be dragons...
James R. Ferguson
Acclaimed Contributor

Re: Tracking changes to the OS

Hi Evans:

Another product you might look at is 'tripwire':

"Tripwire for Servers automatically verifies data and file integrity against a known good source file in the Tripwire database and quickly notifies you of changes."

http://www.tripwire.com/products/servers/

Regards!

...JRF...
Shannon Petry
Honored Contributor

Re: Tracking changes to the OS

Well, if it's for intrusion detection I would not recommend the make_recovery. It is very easy for a hacker to omit his entries from syslog, and try to hide his tracks. It is also easy for coders to fill binaries with nothing to get them the same size as the original before yours are spoofed. A simple "touch newbinary" and make_recovery does not know.

Intrusion detection may be overkill, but if you're worried about it, make_recovery is not even close to the product you need. It does not email/page you if things change, and while you could script it, some files are meant to be changed, so you will be plagued with false alarms till you make an omit list.

Regards,
Shannon
Microsoft. When do you want a virus today?
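What the original question asks for (a script that reports changed files, permissions and sizes for cron to mail out), written so that the two weaknesses Shannon describes do not fool it: a cksum per file instead of size or mtime, and an omit list for files that are meant to change. This is an added example, not code from any poster, Ignite or check_recovery; /var/adm/fcheck.omit is an assumed location.

```shell
#!/bin/sh
# fcheck.sh: record mode/owner/group/size/cksum for every regular file under the
# given directories and compare a fresh snapshot against a saved baseline.
# The checksum catches same-size substitutions and touch'ed files; mtime is
# deliberately not recorded because it is trivial to forge. Paths are assumed
# to contain no whitespace (awk splits on it). Omit list: files expected to
# change (logs, spool), one shell glob per line; the path below is assumed.
OMIT_FILE="${OMIT_FILE:-/var/adm/fcheck.omit}"

omitted() {   # omitted PATH -> 0 if PATH matches a glob in the omit list
    [ -r "$OMIT_FILE" ] || return 1
    while IFS= read -r pat; do
        case "$1" in $pat) return 0 ;; esac
    done < "$OMIT_FILE"
    return 1
}

snapshot() {  # snapshot DIR... -> "path mode owner group size cksum" per file
    find "$@" -type f 2>/dev/null | sort | while IFS= read -r f; do
        omitted "$f" && continue
        set -- $(ls -ld "$f")          # $1 mode, $3 owner, $4 group, $5 size
        sum=$(cksum "$f" | awk '{print $1}')
        printf '%s %s %s %s %s %s\n' "$f" "$1" "$3" "$4" "$5" "$sum"
    done
}

compare() {   # compare BASELINE SNAPSHOT -> one line per difference, rc 1 if any
    awk 'NR == FNR { base[$1] = $0; next }
        {
          if (!($1 in base)) { print "ADDED   " $1; n++; next }
          if (base[$1] != $0) {
            split(base[$1], b, " "); what = ""
            if (b[2] != $2) what = what " mode " b[2] " -> " $2
            if (b[3] != $3 || b[4] != $4) what = what " owner " b[3] ":" b[4] " -> " $3 ":" $4
            if (b[5] != $5) what = what " size " b[5] " -> " $5
            if (b[6] != $6) what = what " cksum"
            print "CHANGED " $1 what; n++
          }
          delete base[$1]
        }
        END { for (f in base) { print "REMOVED " f; n++ }; exit (n ? 1 : 0) }' "$1" "$2"
}

check() {     # check BASELINE DIR... -> report on stdout, rc 1 if anything differs
    base=$1; shift; tmp=${TMPDIR:-/tmp}/fcheck.$$; rc=0
    snapshot "$@" > "$tmp"
    compare "$base" "$tmp" || rc=$?
    rm -f "$tmp"; return $rc
}

# Usage: fcheck.sh baseline DIR... > base ; fcheck.sh check base DIR... (cron: pipe to mailx)
case "${1:-}" in baseline) shift; snapshot "$@" ;; check) shift; check "$@" ;; esac
```

Keep the baseline file somewhere the monitored tree cannot write to, otherwise the same person who alters a binary can regenerate the baseline to match.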
Jeff Schussele
Honored Contributor

Re: Tracking changes to the OS

Hi (again) Evans,

The check_recovery command IS a part of the Ignite make_recovery process.

If you use the -C option of make_recovery it will make a sort of DB of the Core OS files in the /var/opt/ignite/recovery/makrec.last file.
Note this file must exist before the make_recovery is run.
You can also specify "other" files in a /var/opt/ignite/recovery/makrec.append file if you want to include any non-core OS files.

BUT NOTE that this functionality is going to be phased out down the road & I'm not sure if this functionality is even included in the newer make_tape_recovery command.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Evans Kelley
Occasional Advisor

Re: Tracking changes to the OS

Thanks again everyone for your input and suggestions.