On Mon, 1 Aug 2011 10:43:43 -0700 (PDT), Alisha Kloc wrote:
Hi again list,
My team is trying to find a way to monitor logins, logouts, and failed
logins on HP-UX using OSSEC. Problem is, HP-UX only records these in
the binary wtmp and btmp files.
We've experimented with a few different methods that involve the
process monitor, but they're all network-intensive, difficult for an
analyst to understand, and/or unreliable.
We've tried using check_diff to monitor the output of last; using the
Unix diff command to compare previous and new outputs from last; and
generating diff output into the regular syslog. None of these has
worked well enough to deploy in the field.
Has anyone ever tried something similar? Is there any way to configure
OSSEC to use the HP-UX shell to alert on logins?
Hello Alisha,
I remember having this issue many, many moons ago. I haven't used HP-UX
in years so my memory is a bit fuzzy. If I recall correctly, I *think*
we ran the commands in cron and output that to a file, then had OSSEC
monitor the file. It was either that or we sent it to syslog, which then
went to the syslog server, which was then monitored by OSSEC. It is less
than ideal because the composite rules really don't work well when logs
are sent in batches like that.
Also, consider the entry points into the system. If you can only SSH to
it, for example, perhaps it will be good enough to collect SSH logs. But
then you wouldn't necessarily get console logins...
By now, perhaps HP-UX has a better solution. I recall using something
like a "Skunkware" repo or something like that. Is that still around?
--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
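The cron-plus-file approach Michael describes, written out as an added example (this is not code from either poster or from the OSSEC project). Each cron run snapshots the output of `last`, emits only the records that were not in the previous snapshot, and appends them with a syslog-style header to a plain text file that OSSEC can watch with a `<localfile>` entry. The file paths, the "hpux-login" program tag, the cron schedule and the sample `last` records are all assumptions made up for this example; the script assumes `last` prints one record per line.

```shell
#!/bin/sh
# Added example for this thread, not code from either poster or from OSSEC:
# a cron-driven wrapper that snapshots `last`, emits only records that were
# not in the previous snapshot, and appends them to a text file OSSEC watches.
# Assumptions: `last` prints one record per line; the paths, the "hpux-login"
# tag, the cron line and the sample records below are made up for this example.
#
# Matching ossec.conf entry on the agent (assumed location):
#   <localfile>
#     <log_format>syslog</log_format>
#     <location>/var/log/hpux_logins.log</location>
#   </localfile>

LOGIN_LOG="${LOGIN_LOG:-/var/log/hpux_logins.log}"      # file OSSEC watches
STATE_FILE="${STATE_FILE:-/var/adm/hpux_logins.state}"  # previous snapshot

# Print lines of the current snapshot ($1) that do not appear verbatim in the
# previous snapshot ($2). Whole-line, fixed-string comparison means a record
# that changes from "still logged in" to a closed session is emitted again,
# which is what turns a logout into an event.
new_records() {
    if [ -s "$2" ]; then
        grep -vxF -f "$2" "$1" || true   # grep exits 1 when nothing is new
    else
        cat "$1"                         # first run: every record is new
    fi
}

# Append each new record to LOGIN_LOG as "<timestamp> <host> hpux-login: <record>"
# so OSSEC's syslog decoder sees an ordinary syslog line, then advance the
# state file. Prints the number of records written.
record_new_logins() {
    snap="$1"
    tmp="${STATE_FILE}.new.$$"
    stamp=$(date '+%b %e %H:%M:%S')
    host=$(hostname 2>/dev/null || echo localhost)
    new_records "$snap" "$STATE_FILE" > "$tmp"
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s %s hpux-login: %s\n' "$stamp" "$host" "$line" >> "$LOGIN_LOG"
    done < "$tmp"
    n=$(grep -c . "$tmp" || true)
    cp "$snap" "$STATE_FILE"
    rm -f "$tmp"
    echo "$n"
}

# Constructed sample `last`-style output (not captured from a real HP-UX
# host): two cron runs, between which bob logs out and carol logs in.
SAMPLE_RUN1='alice   pts/0   10.0.0.5   Mon Aug  1 09:00 - 09:30  (00:30)
bob     pts/1   10.0.0.6   Mon Aug  1 09:10   still logged in'
SAMPLE_RUN2='carol   pts/2   10.0.0.7   Mon Aug  1 09:45   still logged in
bob     pts/1   10.0.0.6   Mon Aug  1 09:10 - 09:40  (00:30)
alice   pts/0   10.0.0.5   Mon Aug  1 09:00 - 09:30  (00:30)'

# Walk the two sample snapshots through a scratch directory; prints the
# number of records written per run (2, 2, then 0) followed by the log file.
demo() {
    d=$(mktemp -d)
    LOGIN_LOG="$d/hpux_logins.log"
    STATE_FILE="$d/hpux_logins.state"
    printf '%s\n' "$SAMPLE_RUN1" > "$d/snap1"
    printf '%s\n' "$SAMPLE_RUN2" > "$d/snap2"
    record_new_logins "$d/snap1"
    record_new_logins "$d/snap2"
    record_new_logins "$d/snap2"   # nothing changed: writes 0 records
    cat "$LOGIN_LOG"
}

case "${1:-}" in
    --cron)  # assumed cron entry: */5 * * * * /usr/local/bin/login_watch.sh --cron
        snap="${STATE_FILE}.snap.$$"
        last > "$snap"
        record_new_logins "$snap" > /dev/null
        rm -f "$snap" ;;
    --demo)
        demo ;;
esac
```

Run it with `--demo` to see the two sample runs processed, or schedule it with `--cron`. Because every record in one run gets the same timestamp, OSSEC frequency and composite rules see a whole batch as simultaneous, which is the limitation Michael points out; running the job every few minutes keeps batches small, and changing the prefix to the session's own time from the record would need parsing `last` output for the specific HP-UX version.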