HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

Determine whether the system is placed in maintenance mode at any time, and create
a surveillance schedule that is not active during the maintenance period.
During initial deployment of HIDS, customize a sample surveillance schedule and
run it for at least one day. After a sizable number of alerts have been generated,
run the tune command to determine how many alerts are generated during normal
system usage. The tune command suggests filters that exclude the alerts caused by
normal system activity.
Continue tuning schedules whenever you notice that HIDS is generating a number
of 'false positives.'
Some Template Configuration Guidelines
The “Race Condition Template” (page 152) imposes the highest overhead in terms
of CPU and memory consumption. HP recommends not including this template
in the initial schedule.
NOTE: The race condition template checks, among other things, for the execution
of setuid scripts, which are vulnerable to a race condition attack. In HP-UX 11i
version 1.6 and later, the execution of setuid scripts is prevented by default by
the secure_sid_scripts tunable kernel parameter. See the secure_sid_scripts(5)
manpage for details.
The “Modification of files/directories Template” (page 157) provides
real-time file change detection. Any modification made to any file or directory
within the directory tree specified in the template is detected and reported.
However, the template can generate many alerts that are not security relevant.
Use the “Files Modified by Program List/Program List” properties to ignore
changes to certain files when they are made by a known program. Use the
pathnames_to_not_watch property to ignore directories and files where changes
are not considered a security risk.
The template “Modification of Another Users File Template” (page 175) generates
many alerts if not tuned correctly.
When tuning a template, consider the areas that present a high risk if the system
is penetrated. Obviously, replacing a program in /bin, /sbin or the kernel in
/stand is a serious threat.
Also consider the areas that do not present a high risk if the system is penetrated.
For example, many files change under the /var/adm path, and ignoring that directory
is usually safe. But if a symbolic link attack is launched from /var/adm, the attack
may not be detected. This is a trade-off decision.
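The tuning workflow described above (collect a baseline day of alerts, let a tool propose program exceptions and pathnames_to_not_watch entries, but never silence the high-risk trees) can be illustrated with a small triage script. The following is an added example written for this guide's reader; it is not the HIDS tune command, does not assume the real HIDS alert or template file formats, and works on constructed "path|program" alert lines. The HIGH_RISK_PREFIXES tuple takes /bin, /sbin and /stand from the text; KNOWN_PROGRAMS, the min_count threshold and the two-level directory grouping are assumptions of the example.

```python
"""Baseline-alert triage in the spirit of HIDS schedule tuning (added example).

Proposes two kinds of filters the guide describes:
  - program exceptions: ignore changes to a file when a known program made them
  - pathnames_to_not_watch: stop watching a directory with routine churn
while refusing to silence anything under the high-risk trees.
"""
from collections import Counter

# Constructed sample alert lines (not real HP-UX HIDS output): one line per
# file-change alert, in "path|program" form, as a baseline day might produce.
SAMPLE_ALERTS = """
/var/adm/syslog/syslog.log|/usr/sbin/syslogd
/var/adm/syslog/syslog.log|/usr/sbin/syslogd
/var/adm/syslog/syslog.log|/usr/sbin/syslogd
/var/adm/syslog/syslog.log|/usr/sbin/syslogd
/var/adm/cron/log|/usr/sbin/cron
/var/adm/cron/log|/usr/sbin/cron
/var/adm/cron/log|/usr/sbin/cron
/var/adm/wtmp|/usr/bin/login
/var/adm/wtmp|/usr/bin/login
/var/adm/wtmp|/usr/bin/login
/home/alice/.profile|/usr/bin/vi
/bin/ls|/usr/bin/cp
/stand/vmunix|/usr/bin/cp
""".strip().splitlines()

# Trees the guide names as serious threats if replaced; never filtered.
HIGH_RISK_PREFIXES = ("/bin/", "/sbin/", "/stand/")

# Programs the administrator has vetted as legitimate writers (assumed list).
KNOWN_PROGRAMS = {"/usr/sbin/syslogd", "/usr/sbin/cron"}


def parse_alerts(lines):
    """Turn 'path|program' lines into (path, program) tuples; skip blanks and comments."""
    pairs = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, program = line.split("|", 1)
        pairs.append((path, program))
    return pairs


def is_high_risk(path):
    """True for paths under the trees that must keep alerting."""
    return path.startswith(HIGH_RISK_PREFIXES)


def top_directory(path, depth=2):
    """'/var/adm/syslog/syslog.log' -> '/var/adm' (first `depth` components)."""
    parts = path.strip("/").split("/")
    return "/" + "/".join(parts[:depth])


def suggest_filters(pairs, min_count=3):
    """Propose filters from a baseline alert set.

    Returns a dict with:
      program_filters: (path, program, count) where a known program changed a
                       file repeatedly (the 'Files Modified by Program List' idea)
      path_filters:    directories with routine churn, candidates for
                       pathnames_to_not_watch
      retained:        (path, program, count) that keep alerting, including
                       everything under the high-risk trees
    """
    by_pair = Counter(pairs)
    program_filters, retained, residual = [], [], []
    for (path, program), n in by_pair.items():
        if is_high_risk(path):
            retained.append((path, program, n))
        elif program in KNOWN_PROGRAMS and n >= min_count:
            program_filters.append((path, program, n))
        else:
            residual.append((path, program, n))
    # Directories still noisy after program exceptions are candidates to stop
    # watching entirely. This is the /var/adm trade-off from the text: a
    # directory in pathnames_to_not_watch also hides attacks staged there.
    by_dir = Counter()
    for path, _, n in residual:
        by_dir[top_directory(path)] += n
    path_filters = sorted(d for d, n in by_dir.items() if n >= min_count)
    for path, program, n in residual:
        if top_directory(path) in path_filters:
            continue  # would be silenced by pathnames_to_not_watch
        retained.append((path, program, n))
    return {
        "program_filters": sorted(program_filters),
        "path_filters": path_filters,
        "retained": sorted(retained),
    }


def tune(lines=SAMPLE_ALERTS, min_count=3):
    """Run the triage over alert lines and return the suggestion dict."""
    return suggest_filters(parse_alerts(lines), min_count)


if __name__ == "__main__":
    result = tune()
    for kind in ("program_filters", "path_filters", "retained"):
        print(kind)
        for item in result[kind]:
            print("   ", item)
```

With the sample data the script proposes program exceptions for syslogd and cron, proposes /var/adm for pathnames_to_not_watch because the remaining wtmp churn still exceeds the threshold, and keeps the /bin and /stand changes and the single edit under /home/alice as live alerts. Raising min_count makes the script stop proposing per-program exceptions and fall back to the broader directory filter, which is the kind of choice the administrator makes when reviewing suggestions.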
The templates “Repeated Failed Logins Template” (page 185), “Repeated Failed
su Commands Template” (page 188) and “Login/Logout Template” (page 179) have
low overhead on the system and can be run in any schedule.
84 Using the Schedule Manager Screen