On Aug 1, 1:35 pm, Michael Starks <[email protected]> wrote:

> We probably didn't solve that in any elegant way. There was nothing
> like check_diff available in OSSEC at the time.

Huh. The reason it's a problem for us is because if we just spit last to a syslog, we get new alerts on old logins (if user1 has logged in any time since wtmp was cleared, we'll alert on that one login every time we re-read wtmp). Did you just clear wtmp every time you sent it to the text file?

> Hmmm, well if the problem is that the last command results in too much
> output for check_diff to handle, then you may have to address this on
> the HP-UX side. This seems like it would be a frequent audit concern for
> HP-UX systems. I can't imagine they haven't addressed this in some way
> natively yet. I don't know HP-UX well at all. Can you run another
> command consecutively (like command1 && command2) where the second
> command clears the btmp database? That way you would only get new output
> to OSSEC.

Unfortunately, we can't make any changes to the HP-UX system, which means no cron jobs, no clearing logs, etc. All we're allowed to touch is OSSEC agent stuff. Within that, I have some flexibility if I use the process monitor to call a simple shell script, which allows consecutive commands like you suggested, but anything beyond that isn't allowed. Sounds like this might not be possible...

-Alisha
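One way to get "only new output" without clearing wtmp, which the constraints above rule out, is to let the shell script the process monitor calls keep its own record of login entries it has already reported. The script below is an added example, not code from this thread or from the OSSEC project: it reads `last`-style output on stdin, keys each line on the user/tty/host/login-time part so an entry that first appears as "still logged in" is not reported a second time when the session closes, prints only entries absent from a state file, and records them. The state file path, the GNU-style column layout of the sample lines, and the `wtmp begins` trailer are assumptions; HP-UX `last` may lay columns out differently, in which case the awk pattern needs adjusting.

```shell
#!/bin/sh
# Added example (not from the thread or OSSEC): report only login records not
# seen before, so re-reading wtmp does not re-alert on old logins.

# emit_new_logins STATE_FILE
#   stdin : output of `last` (or `last -R`, etc.)
#   stdout: lines whose login record is not yet in STATE_FILE
# Each new record's key is appended to STATE_FILE. The state file must live
# somewhere the agent user can write (path below is an assumption).
emit_new_logins() {
    state="$1"
    [ -f "$state" ] || : > "$state"
    awk -v state="$state" '
        BEGIN { while ((getline k < state) > 0) seen[k] = 1; close(state) }
        # Skip blank lines and the trailer that `last` prints.
        /^$/ || /^wtmp begins/ || /^btmp begins/ { next }
        {
            key = $0
            # Strip the session-end part so "still logged in" and the later
            # "- 14:00 (00:25)" form of the same login map to one key.
            sub(/ +(- .*|still logged in.*|gone - no logout.*)$/, "", key)
            if (!(key in seen)) {
                seen[key] = 1
                print
                print key >> state
            }
        }'
}

# Constructed sample `last` output for two consecutive runs (GNU-style
# columns; not captured from a real system).
SAMPLE_RUN1='user1    pts/0        10.0.0.5         Mon Aug  1 13:35   still logged in
root     console                   Mon Aug  1 09:02 - 09:10  (00:08)

wtmp begins Sun Jul 31 00:00:00 2011'

SAMPLE_RUN2='user2    pts/1        10.0.0.9         Mon Aug  1 14:02   still logged in
user1    pts/0        10.0.0.5         Mon Aug  1 13:35 - 14:00  (00:25)
root     console                   Mon Aug  1 09:02 - 09:10  (00:08)

wtmp begins Sun Jul 31 00:00:00 2011'

# As the command the agent's process monitor would run (path is an assumption):
#   last | emit_new_logins /var/ossec/tmp/last.state
# Run with --demo to see the two sample runs: the second prints only user2.
if [ "${1:-}" = "--demo" ]; then
    st=$(mktemp)
    printf '%s\n' "$SAMPLE_RUN1" | emit_new_logins "$st"
    echo "--- second run ---"
    printf '%s\n' "$SAMPLE_RUN2" | emit_new_logins "$st"
    rm -f "$st"
fi
```

The state file grows by one line per login ever seen; because wtmp on that host is never cleared, the file stays a faithful mirror and can be pruned whenever wtmp itself is eventually rotated. If the script's output is sent to OSSEC with the process monitor's `check_diff` disabled, each printed line becomes a single, non-repeating event.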
