Hi Michael,

Hmm, sounds a lot like what we're trying to do. How did you get around
the fact that "last" spits out all entries in wtmp, not just newly-
added ones?

That's our biggest sticking point; wtmp gets very long very quickly
and we don't need old entries, just new ones since the last check.

Sadly, we don't have an option to fix the issue on the HP-UX side...
it would certainly make things easier if we did.

Thanks!
-Alisha



On Aug 1, 12:20 pm, Michael Starks <[email protected]>
wrote:
> On Mon, 1 Aug 2011 10:43:43 -0700 (PDT), Alisha Kloc wrote:
> > Hi again list,
>
> > My team is trying to find a way to monitor logins, logouts, and failed
> > logins on HP-UX using OSSEC. Problem is, HP-UX only records these in
> > the binary wtmp and btmp files.
>
> > We've experimented with a few different methods that involve the
> > process monitor, but they're all network-intensive, difficult for an
> > analyst to understand, and/or unreliable.
>
> > We've tried using check_diff to monitor the output of last; using the
> > Unix diff command to compare previous and new outputs from last; and
> > generating diff output into the regular syslog. None of these has
> > worked well enough to deploy in the field.
>
> > Has anyone ever tried something similar? Is there any way to configure
> > OSSEC to use the HP-UX shell to alert on logins?
>
> Hello Alisha,
>
> I remember having this issue many, many moons ago. I haven't used HP-UX
> in years so my memory is a bit fuzzy. If I recall correctly, I *think*
> we ran the commands in cron and output that to a file, then had OSSEC
> monitor the file. It was either that or we sent it to syslog, which then
> went to the syslog server, which was then monitored by OSSEC. It is less
> than ideal because the composite rules really don't work well when logs
> are sent in batches like that.
>
> Also, consider the entry points into the system. If you can only SSH to
> it, for example, perhaps it will be good enough to collect SSH logs. But
> then you wouldn't necessarily get console logins...
>
> By now, perhaps HPUX has a better solution. I recall using something
> like a "Skunkware" repo or something like that. Is that still around?
>
> --
> Michael Starks
> [I] Immutable Security http://www.immutablesecurity.com
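A cron-driven variant of what Michael describes, written here as an added example (not code from either poster) that addresses Alisha's sticking point: it keeps the previous `last` snapshot and forwards only the lines that were not in it, so OSSEC tails a short plain-text log instead of re-reading all of wtmp. The state directory, output log path and the sample `last` lines are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: run from cron, keep a snapshot of
# "last" output and append only entries not seen last time to a plain-text
# log that OSSEC can monitor. Both paths are assumed placeholders.
STATE_DIR="${STATE_DIR:-/var/opt/login-monitor}"
OUT_LOG="${OUT_LOG:-/var/log/logins.log}"
# normalize FILE: drop blank lines, the "wtmp begins" footer and "still logged
# in" sessions (that line is rewritten with a logout time when the session
# ends, so it would otherwise reappear as "new"); sort so comm can compare.
normalize() {
    grep -v -e '^$' -e '^wtmp begins' -e 'still logged in' "$1" | sort
}
# new_entries PREV CUR: lines in CUR that are not in PREV. comm honours
# multiplicity, so a second identical login in the same minute is still
# reported; lines that vanish after a wtmp rotation are simply ignored.
new_entries() {
    normalize "$1" > "$1.norm"; normalize "$2" > "$2.norm"
    comm -13 "$1.norm" "$2.norm"
    rm -f "$1.norm" "$2.norm"
}
# run_once: snapshot "last", append the delta with a collection timestamp,
# then promote the snapshot to baseline. The first run only seeds the
# baseline so an old, long wtmp is not replayed into OSSEC.
run_once() {
    mkdir -p "$STATE_DIR"
    cur="$STATE_DIR/last.cur"; prev="$STATE_DIR/last.prev"
    last > "$cur"
    if [ ! -f "$prev" ]; then mv "$cur" "$prev"; return 0; fi
    stamp=$(date '+%Y-%m-%dT%H:%M:%S')
    new_entries "$prev" "$cur" | while IFS= read -r line; do
        printf '%s last: %s\n' "$stamp" "$line"
    done >> "$OUT_LOG"
    mv "$cur" "$prev"
}
# demo DIR: constructed sample snapshots (not real wtmp data); prints how
# many entries would be forwarded (only alisha's completed session, so 1).
demo() {
    cat > "$1/prev" <<'EOF'
alisha   pts/1  10.0.0.5   Mon Aug  1 10:40   still logged in
root     console            Mon Aug  1 09:00 - 09:30  (00:30)

wtmp begins Mon Jul  4 00:00
EOF
    cat > "$1/cur" <<'EOF'
mstarks  pts/2  10.0.0.9   Mon Aug  1 12:20   still logged in
alisha   pts/1  10.0.0.5   Mon Aug  1 10:40 - 12:15  (01:35)
root     console            Mon Aug  1 09:00 - 09:30  (00:30)
wtmp begins Mon Jul  4 00:00
EOF
    new_entries "$1/prev" "$1/cur" | wc -l | tr -d ' '
}
```

Note that a "still logged in" session is reported once, when it closes and `last` prints its logout time; the batch timestamp is deliberately separate from the login time in the line so OSSEC rules can tell collection delay from event time.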
