HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

IMPORTANT: Specifying a program's relative path name to ignore alerts is unsafe, whether the path name refers to a script or an executable program. An attacker can construct an attack script or program with the same relative path name, and alerts for that program are filtered if the relative path name is specified as the value in a pathnames/programs pair.
NOTE: To filter alerts triggered by scripts that are invoked in one of the following ways, the pathname of the script itself, and not the shell, should be specified in a programs_X property:

    <shell> <script pathname>
    <shell> -c <script pathname>
    <shell> -c exec <script pathname>
For example, to filter the following alert:

    User with uid 0 opened for modification/truncation
    /etc/passwd (type=1,inode=5416,device=1073741827) when executing
    /usr/bin/sh(type=1,inode=13748,device=1073741829), invoked as follows:
    "sh -c /usr/local/bin/change_passwd.sh", as process with pid 28379
    and ppid 28300 and running with effective uid=0 and with effective gid=3

the following filter rules should be used:

    pathnames_X | ^/etc/passwd$
    programs_X | ^/usr/local/bin/change_passwd\.sh$
HIDS treats the first string of the program invocation as the pathname of the program that triggered the alert. However, if the string is a pathname of a valid shell as defined by shells(4), it filters based on the script pathname.
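The following is an added example, not code from the HIDS product, that models the filtering rule described above: it picks the effective program (the script when the invoking program is a valid shell, in the three invocation forms listed), applies a pathnames_X/programs_X pair, and flags programs_X patterns that are not anchored to an absolute path. The shell list, the rule representation and the lint function are assumptions made for this example.

```python
import re
import shlex

# Constructed for this example; on a real host the list comes from /etc/shells (shells(4)).
VALID_SHELLS = {"/usr/bin/sh", "/usr/bin/ksh", "/usr/bin/csh", "/sbin/sh"}


def effective_program(program, invocation, shells=VALID_SHELLS):
    """Return the pathname the filter is applied to.

    program    - pathname of the program that triggered the alert (e.g. /usr/bin/sh)
    invocation - the quoted "invoked as follows" string from the alert

    If the program is a valid shell, the script pathname is used instead, covering
    <shell> <script>, <shell> -c <script> and <shell> -c exec <script>.
    """
    if program not in shells:
        return program
    argv = shlex.split(invocation)[1:]          # drop the shell itself
    if argv[:1] == ["-c"]:
        argv = argv[1:]
        if argv:                                # "-c" takes one command string; split it
            argv = shlex.split(argv[0]) + argv[1:]
    if argv[:1] == ["exec"]:
        argv = argv[1:]
    return argv[0] if argv else program


def is_filtered(file_path, program, invocation, rules, shells=VALID_SHELLS):
    """rules is a list of (pathnames_X, programs_X) regex pairs; an alert is
    filtered when the file matches pathnames_X and the effective program
    matches programs_X of the same pair."""
    target = effective_program(program, invocation, shells)
    return any(re.search(p, file_path) and re.search(q, target) for p, q in rules)


def unsafe_program_patterns(rules):
    """Assumed lint, not a HIDS feature: programs_X patterns that do not start
    with an anchored absolute path, which the IMPORTANT note warns against."""
    return [q for _, q in rules if not q.startswith("^/")]


if __name__ == "__main__":
    rules = [(r"^/etc/passwd$", r"^/usr/local/bin/change_passwd\.sh$")]
    alert = ("/etc/passwd", "/usr/bin/sh", "sh -c /usr/local/bin/change_passwd.sh")
    print("filtered:", is_filtered(*alert, rules))
    print("unsafe patterns:", unsafe_program_patterns([(r"^/etc/passwd$", r"change_passwd\.sh$")]))
```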
Type III: User Names/UIDs
Type III property values consist of lists of user names or user IDs that specify critical users, or users that the template is to explicitly take into account (type IIIa) or explicitly ignore (type IIIb). The following template property specifies three critical user IDs and three user names that determine the severity of an alert:
priv_user_list | 22 | 1 | 43
priv_user_list | root | bin | daemon
The following template property specifies that alerts are not generated if the following three user IDs or user names are encountered:
users_to_ignore | 21 | 3 | 53
Template Property Types 143