On Mon, 1 Aug 2011 12:54:24 -0700 (PDT), Alisha Kloc wrote:
> Hi Michael,
> Hmm, sounds a lot like what we're trying to do. How did you get around
> the fact that "last" spits out all entries in wtmp, not just newly-added ones?
We probably didn't solve that in any elegant way. There was nothing
like check_diff available in OSSEC at the time.
> That's our biggest sticking point; wtmp gets very long very quickly
> and we don't need old entries, just new ones since the last check.
> Sadly, we don't have an option to fix the issue on the HP-UX side...
> it would certainly make things easier if we did.
Hmmm, well if the problem is that the last command results in too much
output for check_diff to handle, then you may have to address this on
the HP-UX side. This seems like it would be a frequent audit concern for
HP-UX systems. I can't imagine they haven't addressed this in some way
natively yet. I don't know HP-UX well at all. Can you run another
command consecutively (like command1 && command2) where the second
command clears the btmp database? That way you would only get new output
to OSSEC.
--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
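An added example for the problem discussed in this exchange (it is not code from the thread, from OSSEC, or from either poster): instead of handing the whole `last` output to check_diff, keep a snapshot of the previous run and emit only the lines that are not in it. The output order of `last` (newest first) is preserved, an empty or missing snapshot makes every line new, and a session that was "still logged in" on one run and finished on the next appears once more as the logout line. The state directory, the `new_lines` and `last_delta` names, and the sample `last`-style lines in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread, not OSSEC's own code): print only the
# lines of a command's output that did not appear in the previous run, so a
# steadily growing source such as `last` (wtmp) yields a bounded delta.
# Assumptions: STATE_DIR is writable and each `last` line identifies one
# event (user, tty, host, timestamp), so exact-line comparison is enough.

STATE_DIR="${STATE_DIR:-/var/tmp/last-delta}"   # assumed location for snapshots

# new_lines NAME CURRENT_OUTPUT_FILE
#   Prints the lines of CURRENT_OUTPUT_FILE that are absent from the snapshot
#   saved under NAME, in their original order, then replaces the snapshot.
#   Blank lines are ignored. On the first run the snapshot is empty, so every
#   line is reported once; after that only new events are printed.
new_lines() {
    name="$1"
    cur="$2"
    mkdir -p "$STATE_DIR"
    prev="$STATE_DIR/$name.prev"
    [ -f "$prev" ] || : > "$prev"      # missing snapshot: treat everything as new
    # Compare FILENAME rather than using NR==FNR so an empty snapshot file
    # does not make awk mistake the current output for the snapshot.
    awk -v prev="$prev" '
        FILENAME == prev { seen[$0] = 1; next }
        NF && !($0 in seen)
    ' "$prev" "$cur"
    cp "$cur" "$prev"
}

# last_delta: wrapper for a scheduled check. Captures the output of `last`
# and prints only the entries not seen since the previous invocation.
# Constructed sample of what `last` prints, for reference:
#   alice    pts/0   10.0.0.5  Mon Aug  1 09:00   still logged in
#   bob      pts/1   10.0.0.6  Mon Aug  1 08:00 - 08:30  (00:30)
last_delta() {
    tmp=$(mktemp)
    last > "$tmp" 2>/dev/null || true   # `last` options differ between HP-UX and Linux; none are used here
    new_lines wtmp "$tmp"
    rm -f "$tmp"
}
```

Run `last_delta` from the scheduler that feeds the monitoring command; each invocation prints only the events that arrived since the previous one, so the size of what reaches OSSEC is bounded by login activity rather than by the length of wtmp. Because the comparison is done on saved output, it does not depend on the platform's `last` supporting any "since" option, which is the constraint the HP-UX side imposes here. Rotation of wtmp simply makes old lines disappear from the current output; they are never reported as new.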