Host Intrusion Detection System Administrator's Guide Release 3.0

Templates and Alerts
Alert Summary
Appendix A
Table A-1 Detection Templates (Continued)

| Attack Detected | Alert | Alert Severity | Detection Template |
|---|---|---|---|
| A file with world writable permission was created by a privileged user, or the world writable bit was set on an existing file owned by a privileged user, or the owner of a world writable file was changed to a privileged user from a non-privileged user, or a world writable file owned by a privileged user was renamed from a location that is not being monitored to a location that is being monitored | World writable file created | 3 | Creation of World-Writable File Template |
| A file was truncated, deleted, or renamed by a user other than the owner of the file | Non-owned file being modified | 2 | Modification of Another User's File Template |
| A file's mode or ownership was modified by a user other than the owner, or a file was opened for modification by a user other than the owner of the file | Non-owned file being modified | 3 | Modification of Another User's File Template |
| A successful login as user "root" or "ids" | Start of a successful login session | 2 a | Login/Logout Template |
| A successful login as a user other than "root" or "ids" | Start of a successful login session | 3 a | Login/Logout Template |
| The logout of user "root" or "ids" | End of a login session | 2 | Login/Logout Template |
| The logout of a user other than "root" or "ids" | End of a login session | 3 | Login/Logout Template |
| A successful switch user (su) to "root" or "ids" | Successful su session | 2 | Login/Logout Template |
| A successful switch user (su) to a user other than "root" or "ids" | Successful su session | 3 | Login/Logout Template |
| Repeated attempts to login as user "root" or "ids" | Failed login attempts | 3 | Repeated Failed Logins Template |
| Repeated attempts to login as a user other than "root" or "ids" | Failed login attempts | 3 | Repeated Failed Logins Template |
| Repeated attempts to switch user to "root" or "ids" | Failed su attempts | 2 | Repeated Failed su Commands Template |
| Repeated attempts to switch user to a user other than "root" or "ids" | Failed su attempts | 3 | Repeated Failed su Commands Template |
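The first three rows of the table describe two templates whose conditions are easy to misread: the world-writable template fires on four distinct events (create, mode change, ownership change into a privileged owner, rename into a monitored location), and the non-owner template assigns severity 2 or 3 depending on which operation a non-owner performed. The following Python is an added illustration of that decision logic, not code from the guide or from the HIDS product. It assumes its own event record format, takes "privileged user" to mean UID 0, and uses a constructed list of monitored path prefixes and sample events.

```python
import stat

# Assumptions for this example (not from the guide):
# "privileged user" means UID 0, and these prefixes are the monitored locations.
PRIVILEGED_UIDS = {0}
MONITORED_PREFIXES = ("/etc/", "/usr/local/bin/")

# Event record fields (assumed format):
#   type       : create | chmod | chown | rename | truncate | delete | open_write
#   path       : path of the file after the operation
#   actor_uid  : user performing the operation
#   owner_uid  : owner of the file BEFORE the operation
#   mode       : file mode after the operation (create/chmod/chown/rename)
#   prev_mode  : mode before a chmod
#   new_owner_uid : owner after a chown
#   prev_path  : old path of a rename


def is_monitored(path):
    return path.startswith(MONITORED_PREFIXES)


def world_writable(mode):
    return bool(mode & stat.S_IWOTH)


def world_writable_file_alert(ev):
    """Creation of World-Writable File Template (severity 3), covering all four
    conditions listed in Table A-1. Returns an alert dict or None."""
    kind = ev["type"]
    fired = False
    if kind == "create":
        fired = (world_writable(ev["mode"]) and ev["owner_uid"] in PRIVILEGED_UIDS
                 and is_monitored(ev["path"]))
    elif kind == "chmod":
        # world-writable bit newly set on a privileged user's file
        fired = (world_writable(ev["mode"]) and not world_writable(ev["prev_mode"])
                 and ev["owner_uid"] in PRIVILEGED_UIDS and is_monitored(ev["path"]))
    elif kind == "chown":
        # owner changed from non-privileged to privileged on a world-writable file
        fired = (world_writable(ev["mode"]) and ev["new_owner_uid"] in PRIVILEGED_UIDS
                 and ev["owner_uid"] not in PRIVILEGED_UIDS and is_monitored(ev["path"]))
    elif kind == "rename":
        # moved from an unmonitored location into a monitored one
        fired = (world_writable(ev["mode"]) and ev["owner_uid"] in PRIVILEGED_UIDS
                 and not is_monitored(ev["prev_path"]) and is_monitored(ev["path"]))
    if not fired:
        return None
    return {"alert": "World writable file created", "severity": 3,
            "template": "Creation of World-Writable File Template", "path": ev["path"]}


# Severity per operation, as given in the second and third rows of Table A-1.
NON_OWNER_SEVERITY = {"truncate": 2, "delete": 2, "rename": 2,
                      "chmod": 3, "chown": 3, "open_write": 3}


def non_owner_modification_alert(ev):
    """Modification of Another User's File Template. Fires when the acting user
    is not the file's owner; severity depends on the operation."""
    severity = NON_OWNER_SEVERITY.get(ev["type"])
    if severity is None or ev["actor_uid"] == ev["owner_uid"]:
        return None
    return {"alert": "Non-owned file being modified", "severity": severity,
            "template": "Modification of Another User's File Template", "path": ev["path"]}


def evaluate(events):
    """Run both templates over a stream of events; returns the alerts in event order."""
    alerts = []
    for ev in events:
        for check in (world_writable_file_alert, non_owner_modification_alert):
            alert = check(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample events for demonstration.
SAMPLE_EVENTS = [
    {"type": "create", "path": "/etc/new.conf", "actor_uid": 0, "owner_uid": 0, "mode": 0o666},
    {"type": "chmod", "path": "/etc/hosts", "actor_uid": 0, "owner_uid": 0,
     "mode": 0o646, "prev_mode": 0o644},
    {"type": "chown", "path": "/etc/shared", "actor_uid": 0, "owner_uid": 1001,
     "new_owner_uid": 0, "mode": 0o666},
    {"type": "rename", "path": "/etc/dropped", "prev_path": "/tmp/dropped",
     "actor_uid": 0, "owner_uid": 0, "mode": 0o666},
    {"type": "create", "path": "/tmp/scratch", "actor_uid": 0, "owner_uid": 0, "mode": 0o666},
    {"type": "truncate", "path": "/home/alice/notes", "actor_uid": 1002, "owner_uid": 1001},
    {"type": "open_write", "path": "/home/alice/notes", "actor_uid": 1002, "owner_uid": 1001},
    {"type": "delete", "path": "/home/alice/tmp", "actor_uid": 1001, "owner_uid": 1001},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(a["severity"], a["alert"], a["path"], "<-", a["template"])
```

The fifth sample event (a world-writable file created under /tmp) produces nothing because the location is not monitored, and the chown event raises two alerts at once: the world-writable template sees the ownership change into root, and the non-owner template sees root acting on a file owned by UID 1001.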