HPE Community
Operating System - HP-UX
1833150 Members
3317 Online
110051 Solutions
New Discussion

Tracking changes to the OS

 
SOLVED
Go to solution
Evans Kelley
Occasional Advisor

‎09-19-2002 08:51 AM

‎09-19-2002 08:51 AM

Tracking changes to the OS

Hello all,

We are running HP-UX 10.20/11.00 and would like to know if there is a way to monitor or log when changes are made to the system OS. One example is say like; a script that checks and sees if there are any changes to file, permissions and directories sizes. If so a message (email) is sent out saying no ignite needed. Another Example; if someone logins in and changes permissions to a file or directory (that they have access to) is there a way that we as admin can quickly tell who and what was changed?

Thanks in advance,
Evans
0 Kudos
Reply
11 REPLIES 11
Pete Randall
Outstanding Contributor

‎09-19-2002 08:55 AM

‎09-19-2002 08:55 AM

Re: Tracking changes to the OS

You need to look into check_recovery, I think.

man check_recovery


Pete

Pete
0 Kudos
Reply
Shannon Petry
Honored Contributor

‎09-19-2002 09:08 AM

‎09-19-2002 09:08 AM

Re: Tracking changes to the OS

HP has a product called IDS/9000, which does what ou want. There are also some freeware products like "Bigbrother" , SNORT, and more.

The HP tools are nicest of course as they plug into the OS flawlessly, and have lots of flexibility.

I have found most freeware products to be just as flexible, if not more, but much more difficult to configure.

regards,
Shannon

ps. search on the internet for "unix intrusion detection" for more tools
Microsoft. When do you want a virus today?
0 Kudos
Reply
Anil C. Sedha
Trusted Contributor

‎09-19-2002 09:11 AM

‎09-19-2002 09:11 AM

Re: Tracking changes to the OS

Evans,

For your first point, i agree with pete that you run check_recovery as it will compare your system with the status of the last make_recovery command.

Also for your second question, i would suggest you to create a script that would search the /var/adm/syslog/syslog.log file to find messages based on "chown", "chmod", "rm" etc, whatever you are looking for. You can take the output to another file and find if there was any critical work done.

If you like the answers, don't forget to assign points.

Regards,
Anil
If you need to learn, now is the best opportunity
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

‎09-19-2002 09:18 AM

‎09-19-2002 09:18 AM

Re: Tracking changes to the OS

Hi Evans:

As I recall, it was rumored (announced?) that it is quite probable that the 'check_recovery' function in Ignite will be obsolesced.

Regards!

...JRF...
0 Kudos
Reply
Jeff Schussele
Honored Contributor

‎09-19-2002 09:25 AM

‎09-19-2002 09:25 AM

Re: Tracking changes to the OS

Hi Evans,

HP has a support product for their BCS & CSS support level customers called HAO - High Availability Observatory - which can track changes in the OS & report to either HP, the customer or both.

Note: HAO will be migrated to ISEE Advanced - Instant Support Enterprise Edition - in 2003.

But if you have that level of support it's worth looking at as it's a free product/service.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
0 Kudos
Reply
Evans Kelley
Occasional Advisor

‎09-19-2002 12:14 PM

‎09-19-2002 12:14 PM

Re: Tracking changes to the OS

All,

Thanks again everyone for you quick reply???s. After discussing this with my boss in which he could swear that there is a make_recovery (ignite) type of command which is what we are looking for, (monitor or logging of changes to all file system on /). Anyone heard of this and if they have what the commands do.
Thanks again for the above responses.
Evans
0 Kudos
Reply
Rodney Hills
Honored Contributor

‎09-19-2002 12:18 PM

‎09-19-2002 12:18 PM

Solution

Re: Tracking changes to the OS

Monitoring of changes to files in a real time mode requires you configure your system as a "trusted system".

A "trusted system" has other implications that you should consider (like not able to use NIS/LDAP). Information in /etc/passwd moved to other locations.

HTH

-- Rod Hills
There be dragons...
Reply
James R. Ferguson
Acclaimed Contributor

‎09-19-2002 12:49 PM

‎09-19-2002 12:49 PM

Re: Tracking changes to the OS

Hi Evans:

Another product you might look at is 'tripwire':

"Tripwire for Servers automatically verifies data and file integrity against a known good source file in the Tripwire database and quickly notifies you of changes."

http://www.tripwire.com/products/servers/

Regards!

...JRF...
Reply
Shannon Petry
Honored Contributor

‎09-19-2002 12:54 PM

‎09-19-2002 12:54 PM

Re: Tracking changes to the OS

Well, if it's for intrusion detection I would not recommend the make_recovery. It is very easy for a hacker to omit his entries from syslog, and try to hide his tracks. It is also easy for coders to fill binaries with nuthing to get them the same size as the original before yours are spoofed. a simple touch newbinary and make recovery does not know..

Intrusion detection may be overkill, but if your worried about it make_recovery is not even close to the product you need. It does not email/page you if things change, and while you could script it, some files are meant to be changed, so you will be plagued with false alarms till you make an omit list.

Regards,
Shannon
Microsoft. When do you want a virus today?
Reply
Jeff Schussele
Honored Contributor

‎09-19-2002 01:02 PM

‎09-19-2002 01:02 PM

Re: Tracking changes to the OS

Hi (again) Evans,

The check_recovery command IS a part of the Ignite make_recovery process.

If you use the -C option of make_recovery it will make a sort of DB of the Core OS file in /var/opt/ignite/recovery/makrec.last file.
Note this file must exist before the make_recovery is run.
You can also specify "other" files in a /var/opt/ignite/recovery/makrec.append file if you want to include any non-core OS files

BUT NOTE that this functionality is going to be phased out down the road & I'm not sure if this functionality is even included in the newer make_tape_recovery command.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Reply
Evans Kelley
Occasional Advisor

‎09-19-2002 01:43 PM

‎09-19-2002 01:43 PM

Re: Tracking changes to the OS

Thanks again everyone for your input and suggestions.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.