HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
NOTE: See Table B-1 (page 194) in Appendix B for the definition of additional
arguments that can be used to access specific alert information (for example, pid and
ppid) without parsing the string alert fields.
Limitations
The Modification of Another User’s File template has no limitations.
Login/Logout Template
The vulnerability addressed by this template
Certain privileged user accounts (such as adm, bin, sys) are intended to be used by
system programs only for maintenance purposes. If these user accounts are enabled,
and an attacker has compromised one of these user account passwords, the system is
vulnerable to being compromised by an attacker either logging in to the system as a
privileged user or running the su command to assume the identity of a privileged user.
How this template addresses the vulnerability
The Login/Logout template monitors the start and end of interactive user sessions.
Specifically, this template monitors sulog, wtmp on HP-UX 11i v1, and wtmps on
HP-UX 11i v2 and HP-UX 11i v3 for the following:
• Successful remote logins (that is, logins that are recorded in utmp)
• Logouts
• Successful su commands to switch to another user name
How this template is configured
You can configure this template to monitor only logins, only logouts, or only su
attempts; to monitor all of them; or to monitor a subset of them (for example, logins
and su but not logouts).
You can configure the Login/Logout template to generate an alert if someone begins
an interactive session using a privileged user account, such as adm, bin, sys, root, or
ids, and to ignore all other users.
You can also configure the template to ignore logins and logouts by a small set of users
who are expected to be on the system during certain time periods, and to generate
alerts for all other users. For example, on a database server, only the user dbmaint is
expected to log in during a specified maintenance period. No other users are expected
to be using the system during that period. The template can be configured to generate
an alert at the start and end of remote connections by all users during the maintenance
period except for the dbmaint user.
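As an added illustration (not code from HP-UX HIDS or this guide), the following Python models the two su policies described above, privileged-account alerting and a maintenance window with an exempt user, over constructed sulog lines in the HP-UX format `SU MM/DD HH:MM +|- tty from-to`. The window of 02:00 to 04:00, the oracle account and the user names are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, time

PRIVILEGED = {"adm", "bin", "sys", "root", "ids"}  # accounts the guide names as privileged

# Constructed sulog lines (HP-UX format: SU MM/DD HH:MM +|- tty from-to).
SAMPLE_SULOG = """\
SU 03/14 02:10 + pts/1 dbmaint-oracle
SU 03/14 02:30 + pts/2 jdoe-oracle
SU 03/14 02:50 - pts/2 guest-root
SU 03/14 11:40 + pts/3 jdoe-sys
SU 03/14 12:05 + pts/4 jdoe-jsmith
"""
SULOG_RE = re.compile(r"^SU (\d\d/\d\d) (\d\d:\d\d) ([+-]) (\S+) (\S+)-(\S+)$")

@dataclass
class SuEvent:
    date: str
    clock: time
    success: bool  # '+' in sulog means the su succeeded, '-' that it failed
    tty: str
    src: str       # user who ran su
    dst: str       # identity they assumed

def parse_sulog(text):
    """Parse sulog into SuEvent records; other lines are skipped; assumes no '-' in user names."""
    events = []
    for line in text.splitlines():
        m = SULOG_RE.match(line.strip())
        if m:
            date, hhmm, flag, tty, src, dst = m.groups()
            clock = datetime.strptime(hhmm, "%H:%M").time()
            events.append(SuEvent(date, clock, flag == "+", tty, src, dst))
    return events

def alerts(events, window=(time(2, 0), time(4, 0)), exempt=frozenset({"dbmaint"})):
    """Return (src, dst, reason) tuples. As with the template, only successful su
    counts. Rule 1: any su to a privileged account alerts. Rule 2: an su inside the
    maintenance window alerts unless the source user is on the exempt list."""
    out = []
    for e in events:
        if not e.success:
            continue
        if e.dst in PRIVILEGED:
            out.append((e.src, e.dst, "su to privileged account"))
        elif window[0] <= e.clock < window[1] and e.src not in exempt:
            out.append((e.src, e.dst, "su during maintenance window"))
    return out
```

Running `alerts(parse_sulog(SAMPLE_SULOG))` flags jdoe's su to oracle inside the window and jdoe's su to sys, while dbmaint's window-time su and the failed su to root produce nothing.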
Login/Logout Template 179