Host Intrusion Detection System Administrator's Guide Release 3.1

Appendix A: Templates and Alerts

Login/Logout Template
The vulnerability addressed by this template

Certain privileged user accounts (such as adm, bin, sys) are intended to be used only by system programs for maintenance purposes. If these accounts are enabled and an attacker has obtained one of their passwords, the attacker can compromise the system either by logging in directly as the privileged user or by running the su command to assume that user's identity.
How this template addresses the vulnerability

The Login/Logout template monitors for the start and end of interactive user sessions. Specifically, it monitors sulog, wtmp on HP-UX 11i v1, and wtmps on HP-UX 11i v2 for the following:
- Successful remote logins that are recorded as utmp entries
- Logouts
- Successful su commands that switch to another user name
How this template is configured

You can configure this template to monitor only logins, only logouts, or only su attempts; to monitor all of them; or to monitor a subset of them (for example, logins and su but not logouts).
You can configure it to generate an alert if someone begins an interactive session using a privileged user account, such as adm, bin, sys, root, or ids, and to ignore all other users.
You can also configure the template to ignore logins and logouts by a small set of users
who are expected to be on the system during certain time periods and to generate alerts
for all other users. For example, on a database server, only the user dbmaint is expected
to log in during a specified maintenance period. No other users are expected to be using
the system during that period. The template can be configured to generate an alert at
the start and end of remote connections by all users during the maintenance period
except for the dbmaint user.
NOTE The uids_to_monitor property takes precedence over uids_to_ignore when both lists are set. If uids_to_monitor is not empty, the values in uids_to_ignore are ignored.
Table A-19 Login/Logout Template Properties

Name                  Type   Default Value
uids_to_ignore        III    <empty>
uids_to_monitor       III    <empty>
monitor_su_flag       VII    1
monitor_login_flag    VII    1
monitor_logout_flag   VII    1
ip_filters            V      <empty>
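The following Python model shows how the selection rules described above (the three monitor flags, the uids_to_monitor / uids_to_ignore precedence rule, and the "successful su only" behaviour) decide which session events become alerts. It is an added example written for this page, not code from the HP-UX HIDS product. It assumes that wtmp/wtmps records have already been decoded into simple dictionaries (the binary decode is not shown), and the sulog lines and session records are constructed sample data laid out in the HP-UX sulog format.

```python
"""Model of the Login/Logout template's alert selection logic.

Added example, not HP-UX HIDS code. Session records are assumed to be
already decoded from wtmp (11i v1) or wtmps (11i v2); sample data is
constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Privileged accounts named on the page as candidates for uids_to_monitor.
PRIVILEGED = {"adm", "bin", "sys", "root", "ids"}


@dataclass
class LoginLogoutTemplate:
    """The Table A-19 properties that drive alert selection (ip_filters omitted)."""
    uids_to_ignore: set = field(default_factory=set)
    uids_to_monitor: set = field(default_factory=set)
    monitor_su_flag: int = 1
    monitor_login_flag: int = 1
    monitor_logout_flag: int = 1

    def user_selected(self, user):
        # Precedence rule from the NOTE: a non-empty uids_to_monitor list
        # wins, and uids_to_ignore is then disregarded entirely.
        if self.uids_to_monitor:
            return user in self.uids_to_monitor
        return user not in self.uids_to_ignore


# 'SU MM/DD HH:MM <+|-> <tty> <from>-<to>'; '+' marks a successful su.
# Assumes user names do not themselves contain '-' after the first one.
SULOG_RE = re.compile(r"^SU (\d\d/\d\d) (\d\d:\d\d) ([+-]) (\S+) (\S+)-(\S+)$")


def parse_sulog_line(line):
    """Parse one sulog record; return None for lines that do not match."""
    m = SULOG_RE.match(line.strip())
    if not m:
        return None
    date, time, status, tty, src, dst = m.groups()
    return {"date": date, "time": time, "success": status == "+",
            "tty": tty, "from": src, "to": dst}


def evaluate(template, session_records, sulog_lines):
    """Return one alert string per event the template is configured to report."""
    alerts = []
    for rec in session_records:
        if rec["type"] == "login" and not template.monitor_login_flag:
            continue
        if rec["type"] == "logout" and not template.monitor_logout_flag:
            continue
        if template.user_selected(rec["user"]):
            alerts.append(f'{rec["type"]} {rec["user"]} on {rec["line"]} from {rec["host"]}')
    if template.monitor_su_flag:
        for line in sulog_lines:
            su = parse_sulog_line(line)
            if su is None or not su["success"]:
                continue  # the template reports only successful su commands
            # The identity being assumed is what matters, so check the target.
            if template.user_selected(su["to"]):
                alerts.append(f'su {su["from"]}->{su["to"]} on {su["tty"]} '
                              f'at {su["date"]} {su["time"]}')
    return alerts


# Constructed session records, as they might look once decoded from wtmp/wtmps.
SESSION_RECORDS = [
    {"type": "login",  "user": "alice",   "line": "pts/1", "host": "10.0.0.5"},
    {"type": "login",  "user": "root",    "line": "pts/2", "host": "10.0.0.9"},
    {"type": "logout", "user": "alice",   "line": "pts/1", "host": "10.0.0.5"},
    {"type": "login",  "user": "dbmaint", "line": "pts/3", "host": "10.0.0.7"},
    {"type": "logout", "user": "dbmaint", "line": "pts/3", "host": "10.0.0.7"},
]

# Constructed sulog lines in the HP-UX sulog layout.
SULOG_LINES = [
    "SU 03/21 14:02 + pts/1 alice-root",    # successful su to root
    "SU 03/21 14:05 - pts/3 dbmaint-root",  # failed su: not reported
    "SU 03/21 14:10 + pts/1 alice-bob",     # successful su to an ordinary user
]


def privileged_account_alerts():
    """Watch only the privileged accounts; everyone else is ignored."""
    t = LoginLogoutTemplate(uids_to_monitor=set(PRIVILEGED))
    return evaluate(t, SESSION_RECORDS, SULOG_LINES)


def maintenance_window_alerts():
    """During the dbmaint window: ignore dbmaint, alert on every other session."""
    t = LoginLogoutTemplate(uids_to_ignore={"dbmaint"}, monitor_su_flag=0)
    return evaluate(t, SESSION_RECORDS, SULOG_LINES)


def precedence_alerts():
    """Both lists set: alice is in uids_to_ignore but still alerts, because
    the non-empty uids_to_monitor list takes precedence."""
    t = LoginLogoutTemplate(uids_to_monitor={"root", "alice"}, uids_to_ignore={"alice"})
    return evaluate(t, SESSION_RECORDS, SULOG_LINES)


if __name__ == "__main__":
    for name, fn in [("privileged", privileged_account_alerts),
                     ("maintenance", maintenance_window_alerts),
                     ("precedence", precedence_alerts)]:
        print(name, fn())
```

Two things the model makes visible that the prose only states: the failed `-` su entry in sulog never produces an alert, whatever the user lists say, and in the maintenance scenario the same record set yields alerts for alice and root while dbmaint stays silent. The maintenance period itself is not a property in Table A-19, so the example applies the dbmaint exclusion unconditionally and leaves scheduling to whatever mechanism the deployment uses.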