Administrator's Guide
Schedule Manager Screen
Configuring Detection Templates
Chapter 5
74
Some Template Configuration Guidelines
• The “Race Condition Template” on page 141 imposes the highest overhead in terms
of the load it places on the correlator process. We recommend that you not include
this template in your initial schedule.
NOTE The race condition template checks, among other things, for the execution of setuid
scripts, which are vulnerable to a race condition attack. In HP-UX 11i version 1.6
and later, the execution of setuid scripts is prevented by default by the
secure_sid_scripts tunable kernel parameter. See the secure_sid_scripts (5)
manpage for details.
• The template “Modification of Files/Directories Template” on page 146 provides for
real-time file-change detection. Any modification made to any files or directories
within the directory tree specified in the template will be detected and reported.
However, the template can generate many alerts which are not security relevant.
The “Files Modified by Program List/Program List” properties can be used to ignore
changes to certain files when they are performed by a known program. The “Ignore”
properties can be used to ignore directories and files where changes to files are not
considered security risks.
• The template “Modification of Another User’s File Template” on page 163 will
generate many alerts if not tuned well. We recommend that you use the template
“Modification of Files/Directories Template” on page 146 in its place.
• When tuning a template, consider what the areas of greatest risk are if the system is
penetrated. Obviously, replacing a program in /bin, /sbin or the kernel in /stand is
a serious threat. But so is modifying files under /etc or /opt. You may have
additional site-specific directories you are concerned about.
• What areas can you ignore, or are you willing to tolerate a threat in? For example,
many files change under /var/adm, and ignoring that directory is usually safe. But if
a symbolic link attack is launched from /var/adm, you will miss it. This is a trade-off
decision.
• The templates “Repeated Failed Logins Template” on page 173 and “Repeated Failed
su Commands Template” on page 176 exact a very low overhead on the system and
can be run in any schedule.
• Start with a single template and then see how many alerts you get. Determine if any
of these are security events, and if not, modify the template properties to remove the
spurious alerts.
• You may find software that is behaving incorrectly, such as writing to /opt
(considered a read-only file system), creating world-writable lock files (a security
issue), saving temporary data in /etc (should only be for configuration data).
Contact the software vendor about these programs.
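The filtering behaviour of the “Modification of Files/Directories Template” described above, shown as an added model that is not part of the guide or of the HP-UX HIDS product: the watched tree, “Ignore” and “Files Modified by Program List” properties are represented as plain Python fields (the real template is configured through the Schedule Manager screens, and the event dictionaries below are constructed, not captured from a system).

```python
# Added example (not HP-UX HIDS code): a small model of how the
# "Modification of Files/Directories" template's Ignore and
# "Files Modified by Program" properties filter file-change events.
# Property names follow the guide; the event format is an assumption.
from dataclasses import dataclass, field


@dataclass
class FileModTemplate:
    watched: list                                  # directory trees to watch
    ignore: list = field(default_factory=list)     # "Ignore" properties
    files_by_program: dict = field(default_factory=dict)  # {program: [paths]}

    @staticmethod
    def _under(path, tree):
        return path == tree or path.startswith(tree.rstrip("/") + "/")

    def should_alert(self, event):
        """Return True if this change event should raise an alert."""
        path, prog = event["path"], event["program"]
        if not any(self._under(path, t) for t in self.watched):
            return False          # outside every watched tree
        if any(self._under(path, t) for t in self.ignore):
            return False          # tolerated area: the trade-off the guide mentions
        if path in self.files_by_program.get(prog, []):
            return False          # known program changing a known file
        return True


def triage(template, events):
    """Paths of the events that would be reported under this template."""
    return [e["path"] for e in events if template.should_alert(e)]


# Constructed sample events, not captured from a real system.
EVENTS = [
    {"path": "/bin/ls", "program": "cp"},              # replaced program: alert
    {"path": "/etc/passwd", "program": "passwd"},      # expected writer: suppressed
    {"path": "/etc/resolv.conf", "program": "vi"},     # config edit: alert
    {"path": "/var/adm/wtmp", "program": "login"},     # routine churn: ignored
    {"path": "/var/adm/tmp/.link", "program": "ln"},   # missed once /var/adm is ignored
    {"path": "/home/alice/notes", "program": "vi"},    # not watched at all
]

TEMPLATE = FileModTemplate(
    watched=["/bin", "/sbin", "/stand", "/etc", "/opt", "/var"],
    ignore=["/var/adm"],
    files_by_program={"passwd": ["/etc/passwd", "/etc/shadow"]},
)

if __name__ == "__main__":
    for p in triage(TEMPLATE, EVENTS):
        print("ALERT", p)
```

Removing "/var/adm" from the ignore list makes the symbolic-link event visible again at the cost of the routine wtmp alerts, which is exactly the tuning trade-off the guidelines describe.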