HP-UX Host Intrusion Detection System Version 4.2 Administration Guide
IMPORTANT: Specifying a program’s relative path name to ignore alerts is unsafe, whether the
path name refers to a script or an executable program. An attacker can construct an attack script
or program with the same relative path name, and alerts for that program are filtered if the
relative path name is specified as the value in a path names / program pair.
NOTE: To filter alerts triggered by scripts that are invoked in one of the following ways, the
pathname of the script itself and not the shell should be specified in a programs_X property:
<shell> <script pathname>
<shell> -c <script pathname>
<shell> -c exec <script pathname>
For example, to filter the following alert:
User with uid 0 opened for modification/truncation
/etc/passwd (type=1,inode=5416,device=1073741827) when
executing
/usr/bin/sh(type=1,inode=13748,device=1073741829), invoked
as follows:
"sh -c /usr/local/bin/change_passwd.sh", as process with pid 28379
and ppid 28300 and running with effective uid=0 and with
effective gid=3
the following filter rules should be used:
pathnames_X | ^/etc/passwd$
programs_X | ^/usr/local/bin/change_passwd\.sh$
HIDS treats the first string of the program invocation as the pathname of the program that
triggered the alert. However, if the string is a pathname of a valid shell as defined by shells(4),
it filters based on the script pathname.
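The following is an added illustration of the filtering logic just described, not code from HP-UX HIDS: it resolves the program pathname for the three shell invocation forms (using a constructed shells(4) list) and matches a pathnames_X / programs_X pair against the alert from the example. The positional pairing of pathnames_X and programs_X values is an assumption.

```python
import re

# Constructed for this example: the shells listed in /etc/shells, see shells(4).
VALID_SHELLS = {"/sbin/sh", "/usr/bin/sh", "/usr/bin/ksh", "/usr/bin/csh"}


def parse_property(line):
    """Parse a template line such as 'pathnames_X | ^/etc/passwd$' into (name, [values]).
    Values are split on '|', so a regex using '|' alternation is not supported here."""
    name, *values = [field.strip() for field in line.split("|")]
    return name, values


def resolve_program(executable, argv, shells=VALID_SHELLS):
    """Return the pathname the programs_X filter is matched against.

    `executable` is the program pathname reported in the alert, `argv` the
    invocation words. If the executable is a valid shell invoked as
    '<shell> <script>', '<shell> -c <script>' or '<shell> -c exec <script>',
    the script pathname is used instead of the shell."""
    if executable not in shells:
        return executable
    args = list(argv[1:])
    if args[:1] == ["-c"]:
        args = args[1:]
        if args[:1] == ["exec"]:
            args = args[1:]
    # Shell with no script operand: fall back to the shell's own pathname.
    return args[0] if args else executable


def alert_is_filtered(alert, pathnames_line, programs_line):
    """True if any (pathname regex, program regex) pair matches the alert.
    Assumption: the i-th pathnames_X value pairs with the i-th programs_X value."""
    _, path_patterns = parse_property(pathnames_line)
    _, prog_patterns = parse_property(programs_line)
    program = resolve_program(alert["executable"], alert["argv"])
    return any(re.search(p, alert["pathname"]) and re.search(q, program)
               for p, q in zip(path_patterns, prog_patterns))


# Constructed alert mirroring the guide's example: "sh -c /usr/local/bin/change_passwd.sh"
# opened /etc/passwd for modification while /usr/bin/sh ran with effective uid 0.
SAMPLE_ALERT = {
    "pathname": "/etc/passwd",
    "executable": "/usr/bin/sh",
    "argv": ["sh", "-c", "/usr/local/bin/change_passwd.sh"],
}
PATHNAMES_X = r"pathnames_X | ^/etc/passwd$"
PROGRAMS_X = r"programs_X | ^/usr/local/bin/change_passwd\.sh$"
```

Because the programs_X pattern is anchored to an absolute path, the same script invoked by a relative name ("sh -c change_passwd.sh") does not match and the alert is not filtered, which is the point of the IMPORTANT note above.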
Type III: User Names/UIDs
Type III property values consist of lists of user names or user IDs that specify critical users or
users that the template is to explicitly take into account (type IIIa) or explicitly ignore (type IIIb).
The following template property specifies three critical user IDs and three user names that
determine the severity of an alert:
priv_user_list | 22 | 1 | 43
priv_user_list | root | bin | daemon
The following template property specifies that alerts are not generated if the following three user
IDs or user names are encountered:
users_to_ignore | 21 | 3 | 53
users_to_ignore | root | bin | daemon
Type IV: User Name/UID Pairs
Type IV property values include pairs of user names or user IDs. This property type is currently
used only in the Modification of Another User’s File Template. The two members of each pair
are separated by a comma. When an event is received for a file that is being monitored, the
following criteria are applied for every pair in the list:
• The effective user ID of the process modifying the file corresponds to the first member of
the pair.
• The owner of the file corresponds to the second member of the pair.
If both of these conditions are met, no alert is issued.
Following is an example of this type of property value: