Host Intrusion Detection System Administrator's Guide Release 3.0

Appendix A: Templates and Alerts

Login/Logout Template
The vulnerability addressed by this template

There are certain privileged user accounts (such as adm, bin, sys) that are intended to be used only by system programs for maintenance purposes. If these accounts are enabled and an attacker has compromised one of their passwords, the system can be compromised by the attacker either logging in as the privileged user or running the su command to assume that user's identity.
How this template addresses the vulnerability

The Login/Logout template monitors for the start and end of interactive user sessions. Specifically, it monitors sulog, wtmp (on HP-UX 11i v1), and wtmps (on HP-UX 11i v2) for the following:
- Successful remote logins whose utmp records are logged in utmp[s]
- Logouts
- Successful su commands to switch to another user name
How this template is configured

This template can be configured in the following ways (the property names are listed in Table A-19):

The template can be configured to monitor only logins, only logouts, or only su attempts, to monitor all of them, or to monitor a subset of them (e.g., logins and su but not logouts).

The template can be configured to generate an alert if someone begins an interactive session using a privileged user account such as adm, bin, sys, root, or ids, and to ignore all other users.

The template can also be configured to ignore logins and logouts by a small set of users that are expected to be on the system during certain time periods, and to generate alerts for all other users. For example, on a database server, only the user dbmaint is expected to log in during a specified maintenance period; no other users are expected to be using the system during that period. The template can be configured to generate an alert at the start and end of remote connections by all users during the maintenance period except for the dbmaint user.
Table A-19 Template Properties

Name                  Type   Default Value
uids_to_ignore        III    <empty>
uids_to_monitor       III    <empty>
monitor_su_flag       VII    1
monitor_login_flag    VII    1
monitor_logout_flag   VII    1
ip_filters            V      <empty>
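The following is an added example, not code from the HIDS product or this guide. It models the alerting rules described above (which session events the template watches, and how uids_to_monitor, uids_to_ignore, the three monitor_*_flag properties and ip_filters narrow them) so that an administrator can reason about what a given property combination will and will not report. Everything about how the properties combine is this example's assumption: uids_to_monitor, when non-empty, restricts alerts to those accounts; uids_to_ignore always suppresses; for an su event the target account is the one matched; ip_filters is taken to be a list of source networks whose events are dropped. The sulog line layout in SULOG_RE is an approximation, and the wtmp/wtmps records are represented as already-decoded dicts rather than parsed from the binary files; all sample lines and events are constructed.

```python
"""Model of the Login/Logout template's alerting rules over constructed sulog
lines and pre-decoded login/logout events (added example, not HIDS code)."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed /var/adm/sulog line layout: "SU MM/DD HH:MM +|- tty fromuser-touser"
SULOG_RE = re.compile(r"^SU (\d\d/\d\d) (\d\d:\d\d) ([+-]) (\S+) (\S+)-(\S+)$")


def parse_sulog_line(line):
    """Return an su event dict, or None for a line that does not match the layout."""
    m = SULOG_RE.match(line.strip())
    if not m:
        return None
    date, clock, status, tty, src, dst = m.groups()
    return {"kind": "su", "when": f"{date} {clock}", "success": status == "+",
            "tty": tty, "user": dst, "from_user": src, "host": None}


@dataclass
class LoginLogoutTemplate:
    """Properties named after Table A-19; how they combine is this example's assumption."""
    uids_to_ignore: set = field(default_factory=set)
    uids_to_monitor: set = field(default_factory=set)
    monitor_su_flag: int = 1
    monitor_login_flag: int = 1
    monitor_logout_flag: int = 1
    ip_filters: list = field(default_factory=list)  # assumed: source networks to drop

    def _kind_enabled(self, kind):
        flags = {"su": self.monitor_su_flag, "login": self.monitor_login_flag,
                 "logout": self.monitor_logout_flag}
        return flags.get(kind, 0) == 1

    def _host_filtered(self, host):
        if host is None or not self.ip_filters:
            return False
        addr = ip_address(host)
        return any(addr in ip_network(n) for n in self.ip_filters)

    def evaluate(self, ev):
        """Return an alert string for an event the template would report, else None."""
        if not self._kind_enabled(ev["kind"]):
            return None
        if ev["kind"] == "su" and not ev["success"]:
            return None  # only successful su commands are reported
        if self._host_filtered(ev.get("host")):
            return None
        user = ev["user"]  # for su this is the target account (assumption)
        if user in self.uids_to_ignore:
            return None
        if self.uids_to_monitor and user not in self.uids_to_monitor:
            return None
        src = ev["from_user"] if ev["kind"] == "su" else (ev.get("host") or "console")
        return f"{ev['kind'].upper()} {user} from {src} on {ev['tty']} at {ev['when']}"

    def run(self, events):
        return [a for a in (self.evaluate(e) for e in events) if a]


# Constructed sample data: two sulog lines and three decoded wtmp-style events.
SAMPLE_SULOG = [
    "SU 03/14 02:10 + pts/1 dbmaint-root",   # successful su to root
    "SU 03/14 02:12 - pts/2 guest-adm",      # failed su, not reported
]
SAMPLE_SESSIONS = [
    {"kind": "login", "when": "03/14 02:05", "user": "dbmaint", "tty": "pts/1",
     "host": "10.0.0.7", "from_user": None, "success": True},
    {"kind": "login", "when": "03/14 02:20", "user": "alice", "tty": "pts/3",
     "host": "192.168.5.9", "from_user": None, "success": True},
    {"kind": "logout", "when": "03/14 02:40", "user": "alice", "tty": "pts/3",
     "host": "192.168.5.9", "from_user": None, "success": True},
]


def all_events():
    return [e for e in map(parse_sulog_line, SAMPLE_SULOG) if e] + SAMPLE_SESSIONS


def privileged_account_policy():
    """Report only sessions started as a privileged account; logouts switched off."""
    t = LoginLogoutTemplate(uids_to_monitor={"adm", "bin", "sys", "root", "ids"},
                            monitor_logout_flag=0)
    return t.run(all_events())


def maintenance_window_policy():
    """Report everyone except dbmaint, as in the database-server example."""
    t = LoginLogoutTemplate(uids_to_ignore={"dbmaint"})
    return t.run(all_events())


def maintenance_window_with_ip_filter():
    """Same as above, but events from an assumed trusted network are dropped."""
    t = LoginLogoutTemplate(uids_to_ignore={"dbmaint"}, ip_filters=["192.168.5.0/24"])
    return t.run(all_events())


if __name__ == "__main__":
    for name, fn in [("privileged", privileged_account_policy),
                     ("maintenance", maintenance_window_policy),
                     ("maintenance+ipfilter", maintenance_window_with_ip_filter)]:
        print(name, fn())
```

Running the three policies over the same events shows the effect of each property: the privileged-account policy reports only the su to root, the maintenance-window policy also reports alice's login and logout while staying silent about dbmaint, and adding an ip_filters entry for alice's network leaves only the su alert. Note that the su event carries no source host, so ip_filters cannot suppress it under the assumed semantics.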