Sorry for the delay; I was at Defcon and didn't dare log in to reply.

> How are the users connecting; ssh or telnet ? AFAIK on HP-UX SSH logins are 
> recorded to syslog as PAM events.
They typically connect via various remote programs; however, there's
one particular application that requires a local root login, and we
need to be able to monitor that. We also want to have a record of
other local logins for policy enforcement.

>What about tmp files?  Run last and spit it out to /tmp/lastlog or something.. 
> Then have ossec monitor that file.  Any changes should pop out with 
>check_diff.
I've been playing with a way to do that via shell scripting. It's
really awkward and unreliable, though. The file gets huge fast,
meaning we're sucking up an inordinate amount of bandwidth, plus you
stop being able to see the changes after a while because the length of
the file exceeds the character limit for that field in MySQL. I also
played with a variation where I keep two files, one with the previous
run of last and one with a current run, and use the Unix diff command
to see the difference. This is slightly less awkward, but I still
can't get it to run smoothly since diff's own lines in the output can
trigger OSSEC's check_diff.

>Or, if you can't do it locally on the hp-ux server, write a script on the 
>ossec manager that logs into the hp-ux machine, runs last, and stores that 
>locally on the ossec manager.  Then just monitor that log.
Our manager isn't allowed to talk to our agents or their hosts (we're
the reason OSSEC now has the one-way agent feature...). If we could,
it'd be a huge help.

Thanks!
-Alisha
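A sketch of the two-snapshot idea described above, written here as an added example rather than code from the thread or from OSSEC: it prints only the login records that changed between two runs of last, so the monitored output never grows and diff's own marker lines never reach OSSEC (with OSSEC's `command` log format each printed line can be handled as its own event instead of relying on check_diff over a growing file). It assumes POSIX sh with sort and comm, a hypothetical state directory under /tmp, invocation with the argument `snapshot` from the agent's command monitor, and a `wtmp begins` trailer that may or may not match a given HP-UX release.

```shell
#!/bin/sh
# Added example for the two-snapshot idea above; not code from OSSEC or the
# poster. Only the delta between two runs of last(1) is printed, so the
# monitored output stays small and diff's own "<"/">" marker lines never
# appear. Assumes POSIX sh, sort(1), comm(1), a writable STATE_DIR
# (hypothetical path) and one last(1) record per line.
STATE_DIR="${STATE_DIR:-/tmp/ossec-last}"
PREV="$STATE_DIR/last.prev"
CUR="$STATE_DIR/last.cur"

# strip_noise: drop the "wtmp begins ..." trailer and blank lines, which
# would otherwise look like a change on every run.
strip_noise() {
    sed -e '/^wtmp begins/d' -e '/^$/d'
}

# new_logins PREV CUR: records in CUR that are not in PREV. A session that
# ended since the last run changes from "still logged in" to a logout time,
# so it shows up again here (a useful session-end event).
new_logins() {
    prev="$1" cur="$2"
    [ -f "$prev" ] || : > "$prev"          # first run: everything is new
    sort "$prev" > "$prev.s"; sort "$cur" > "$cur.s"
    comm -13 "$prev.s" "$cur.s"
    rm -f "$prev.s" "$cur.s"
}

# vanished_logins PREV CUR: records in PREV that are gone from CUR. Apart
# from the "still logged in" line of a session that ended, a record only
# disappears when wtmp is truncated or rotated, which deserves an alert on
# a host where nobody is supposed to clear logs.
vanished_logins() {
    prev="$1" cur="$2"
    [ -f "$prev" ] || : > "$prev"
    sort "$prev" > "$prev.s"; sort "$cur" > "$cur.s"
    comm -23 "$prev.s" "$cur.s"
    rm -f "$prev.s" "$cur.s"
}

# snapshot: the entry point for the agent's command monitor. Only the
# printed lines reach OSSEC; the full last(1) output stays on the agent.
snapshot() {
    mkdir -p "$STATE_DIR"
    last | strip_noise > "$CUR"
    new_logins "$PREV" "$CUR"      | sed 's/^/LOGIN NEW: /'
    vanished_logins "$PREV" "$CUR" | sed 's/^/LOGIN RECORD GONE: /'
    mv "$CUR" "$PREV"
}

if [ "${1:-}" = snapshot ]; then snapshot; fi
```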


On Aug 4, 2:52 am, "--[ UxBoD ]--" <[email protected]> wrote:
> How are the users connecting; ssh or telnet ? AFAIK on HP-UX SSH logins are
> recorded to syslog as PAM events.
> --
> Thanks, Phil
>
> ----- Original Message -----
>
> > On Aug 1, 2011, at 6:55 PM, Alisha Kloc wrote:
> > > Unfortunately, we can't make any changes to the HP-UX system, which
> > > means no cron jobs, no clearing logs, etc. All we're allowed to
> > > touch is OSSEC agent stuff. Within that, I have some flexibility if I use
> > > the process monitor to call a simple shell script, which allows
> > > consecutive commands like you suggested, but anything beyond that
> > > isn't allowed.
>
> > > Sounds like this might not be possible...
>
> > What about tmp files?  Run last and spit it out to /tmp/lastlog or
> > something..  Then have ossec monitor that file.  Any changes should
> > pop out with check_diff.
>
> > Or, if you can't do it locally on the hp-ux server, write a script on
> > the ossec manager that logs into the hp-ux machine, runs last, and
> > stores that locally on the ossec manager.  Then just monitor that
> > log.
>
> > > -Alisha
>
> > - ---------------------------
> > Jason 'XenoPhage' Frisvold
> > [email protected]
> > - ---------------------------
> > "Any sufficiently advanced magic is indistinguishable from
> > technology."
> > - - Niven's Inverse of Clarke's Third Law