HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
NOTE: In HP-UX 11i v1 and later, comprehensive stack buffer overflow protection,
which uses a combination of highly efficient software and existing memory management
hardware, protects against both known and unknown buffer overflow attacks without
sacrificing system performance. This protection is managed with the
executable_stack tunable kernel parameter. You can allow selected programs to
execute from the stack by marking them with the -es option of the chatr command.
Refer to the executable_stack(5) and chatr(1) manpages and the Stack Buffer
Overflow Protection in HP-UX 11i white paper, available at http://www.docs.hp.com.
How this template is configured
Table A-2 lists the configurable properties the Buffer Overflow template supports.
Table A-2 Buffer Overflow Template Properties
Property               Type  Default Value
priv_user_list         III   root | daemon | bin | sys | adm | uucp | lp | nuucp
unusual_arg_len        VIII  500
programs_to_not_watch  I     <empty>
priv_user_list
A list of system-level user IDs or user names.
Add users who have elevated access to the system
to this list. Only programs that run with an effective
user ID that equals one of the listed user IDs or
corresponds to one of the listed user names are
monitored for the use of unusually long arguments
or arguments with nonprintable characters. For higher
security, add the user IDs and user names of other
privileged accounts (for example, Webmaster or news
administrator), and do not remove the default user
IDs.
unusual_arg_len
An integer value set to an unusually long argument
length. Set this property to an argument length that
is unusually long for privileged setuid executables
run on the system; an argument of that length can
indicate a buffer overflow attack.
programs_to_not_watch
Path names of programs that can be safely ignored.
Any buffer overflow alert for a program whose path
name is matched by a regular expression in this
property is filtered out and not reported.
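The following sketch models how the three properties combine when deciding whether an exec event is reported. It is an added example, not HP-UX HIDS code: the event fields, the sample events, the ignore pattern, the ">=" comparison, the use of regular expression search, and the definition of "nonprintable" are all assumptions.

```python
import re
import string

# Defaults from Table A-2. The ignore pattern is constructed; the ">=" test,
# re.search matching and the printable set are assumptions, not HIDS behaviour.
PRIV_USER_LIST = {"root", "daemon", "bin", "sys", "adm", "uucp", "lp", "nuucp"}
UNUSUAL_ARG_LEN = 500
PROGRAMS_TO_NOT_WATCH = [r"^/opt/backup/bin/"]
PRINTABLE = set(string.printable)

def evaluate(event, priv=PRIV_USER_LIST, max_len=UNUSUAL_ARG_LEN,
             ignore=PROGRAMS_TO_NOT_WATCH):
    """Return the alert reasons for one exec event (empty list = no alert)."""
    # Only programs whose effective user ID or name is listed are monitored.
    if str(event["euid"]) not in priv and event["euser"] not in priv:
        return []
    # Alerts for programs matched by programs_to_not_watch are filtered out.
    if any(re.search(p, event["path"]) for p in ignore):
        return []
    reasons = []
    for i, arg in enumerate(event["argv"]):
        if len(arg) >= max_len:
            reasons.append(f"argv[{i}] length {len(arg)} >= {max_len}")
        if any(ch not in PRINTABLE for ch in arg):
            reasons.append(f"argv[{i}] contains nonprintable characters")
    return reasons

# Constructed sample events (not real HIDS output).
EVENTS = [
    {"path": "/usr/bin/passwd", "euid": 0, "euser": "root",
     "argv": ["passwd", "alice"]},
    {"path": "/usr/bin/lp", "euid": 9, "euser": "lp",
     "argv": ["lp", "A" * 600]},
    {"path": "/usr/sbin/ping", "euid": 0, "euser": "root",
     "argv": ["ping", "host\x01\x02"]},
    {"path": "/opt/backup/bin/run", "euid": 0, "euser": "root",
     "argv": ["run", "B" * 2000]},
    {"path": "/home/bob/tool", "euid": 1001, "euser": "bob",
     "argv": ["tool", "C" * 2000]},
]

def scan(events):
    """Map program path -> reasons for every event that would raise an alert."""
    return {e["path"]: r for e in events if (r := evaluate(e))}

if __name__ == "__main__":
    for path, reasons in scan(EVENTS).items():
        print(path, "->", "; ".join(reasons))
```

In this model, the long argument to /opt/backup/bin/run is never reported, which is why entries in programs_to_not_watch should be anchored and as narrow as possible.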