HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
IMPORTANT: Specifying a program’s relative path name to ignore alerts is unsafe, whether the
path name refers to a script or an executable program. An attacker can construct an attack script
or program with the same relative path name, and alerts for that program are filtered if the relative
path name is specified as the value in a pathnames/programs pair.
NOTE: To filter alerts triggered by scripts that are invoked in one of the following ways, the
pathname of the script itself and not the shell should be specified in a programs_X property:
<shell> <script pathname>
<shell> -c <script pathname>
<shell> -c exec <script pathname>
For example, to filter the following alert:
User with uid 0 opened for modification/truncation /etc/passwd (type=1,inode=5416,device=1073741827)
when executing /usr/bin/sh(type=1,inode=13748,device=1073741829), invoked as follows:
"sh -c /usr/local/bin/change_passwd.sh", as process with pid 28379 and ppid 28300 and running
with effective uid=0 and with effective gid=3
the following filter rules should be used:
pathnames_X | ^/etc/passwd$
programs_X | ^/usr/local/bin/change_passwd\.sh$
HIDS treats the first string of the program invocation as the pathname of the program that triggered
the alert. However, if the string is a pathname of a valid shell as defined by shells(4), it filters based
on the script pathname.
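The following added example (not code from the guide or from HIDS itself) implements the filtering rule just described: it parses the sample alert, takes the first string of the invocation as the program pathname, and, when the executed program is a valid shell, substitutes the script pathname for the three invocation forms listed in the NOTE above. It also shows why the IMPORTANT note insists on absolute, anchored patterns: an unanchored `programs_X` pattern such as `change_passwd\.sh$` filters a script of that name run from any directory. The shell list standing in for shells(4) and the second alert (a relative-path invocation) are constructed for the example.

```python
import re
import shlex

# Constructed stand-in for the shells(4) database; the real agent consults the host's own.
VALID_SHELLS = {"/sbin/sh", "/usr/bin/sh", "/usr/bin/ksh", "/usr/bin/csh"}

# The alert text from the guide, joined into one line (constructed sample input).
SAMPLE_ALERT = (
    'User with uid 0 opened for modification/truncation '
    '/etc/passwd (type=1,inode=5416,device=1073741827) when executing '
    '/usr/bin/sh(type=1,inode=13748,device=1073741829), invoked as follows: '
    '"sh -c /usr/local/bin/change_passwd.sh", as process with pid 28379 '
    'and ppid 28300 and running with effective uid=0 and with effective gid=3'
)

# A constructed variant: the same script invoked by relative path from the current directory.
RELATIVE_ALERT = SAMPLE_ALERT.replace(
    '"sh -c /usr/local/bin/change_passwd.sh"', '"sh -c exec ./change_passwd.sh"'
)

# Filter pairs written as (pathnames_X regex, programs_X regex).
SAFE_RULES = [(r"^/etc/passwd$", r"^/usr/local/bin/change_passwd\.sh$")]
UNSAFE_RULES = [(r"^/etc/passwd$", r"change_passwd\.sh$")]  # relative / unanchored: avoid

_ALERT_RE = re.compile(
    r'opened for modification/truncation (?P<file>\S+) \(.*?\) when executing '
    r'(?P<exe>[^\s(]+)\(.*?\), invoked as follows: "(?P<argv>[^"]*)"'
)


def parse_alert(text):
    """Extract the monitored file, the executed program and the invocation string."""
    m = _ALERT_RE.search(text)
    if m is None:
        raise ValueError("unrecognised alert format")
    return m.groupdict()


def script_from_shell_invocation(argv):
    """Return the script pathname for <shell> <script>, <shell> -c <script> or
    <shell> -c exec <script>; None when no script can be identified."""
    words = shlex.split(argv)[1:]          # drop the shell itself
    if words and words[0] == "-c":
        if len(words) < 2:
            return None
        # the -c argument is itself a command line; any further words follow it
        words = shlex.split(words[1]) + words[2:]
    if words and words[0] == "exec":
        words = words[1:]
    if not words or words[0].startswith("-"):
        return None
    return words[0]


def effective_program(exe, argv):
    """The pathname HIDS compares against programs_X: the executed program,
    unless it is a valid shell running a script, in which case the script."""
    if exe in VALID_SHELLS:
        script = script_from_shell_invocation(argv)
        if script is not None:
            return script
    return exe


def alert_is_filtered(alert_text, rules):
    """True when some (pathnames_X, programs_X) pair matches both the file and the program."""
    a = parse_alert(alert_text)
    prog = effective_program(a["exe"], a["argv"])
    return any(re.search(p, a["file"]) and re.search(q, prog) for p, q in rules)


if __name__ == "__main__":
    for name, alert in (("absolute", SAMPLE_ALERT), ("relative", RELATIVE_ALERT)):
        a = parse_alert(alert)
        print(name, effective_program(a["exe"], a["argv"]),
              "safe:", alert_is_filtered(alert, SAFE_RULES),
              "unsafe:", alert_is_filtered(alert, UNSAFE_RULES))
```

Run as a script it prints, for each alert, the program pathname HIDS would match and whether each rule set suppresses it: the anchored absolute rule filters only the genuine /usr/local/bin script, while the unanchored rule also filters the relative-path copy.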
Type III: User Names/UIDs
Type III property values consist of lists of user names or user IDs that specify critical users or users
that the template is to explicitly take into account (type IIIa) or explicitly ignore (type IIIb). The
following template property specifies three critical user IDs and three user names that determine
the severity of an alert:
priv_user_list | 22 | 1 | 43
priv_user_list | root | bin | daemon
The following template property specifies that alerts are not generated if the following three user
IDs or user names are encountered:
users_to_ignore | 21 | 3 | 53
users_to_ignore | root | bin | daemon
NOTE: Specifying user and group names is not supported for an agent running on a host where
HP-UX Container (HP-UX SRP) is configured; specify the uid and gid instead. User and group names
can be specified when configuring the Global SRP (init Container).
Type IV: User Name/UID Pairs
Type IV property values include pairs of user names or user IDs. This property type is currently used
only in the Modification of Another User’s File Template. The two members of each pair are
separated by a comma. When an event is received for a file that is being monitored, the following
criteria are applied for every pair in the list:
• The effective user ID of the process modifying the file corresponds to the first member of the
pair.
• The owner of the file corresponds to the second member of the pair.
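The following added example (not code from the guide or from HIDS) shows how the Type III and Type IV property values above can be parsed and evaluated: list entries given as either user names or uids are normalised to uids, the two Type III lists are built from the `priv_user_list` and `users_to_ignore` lines shown, and the Type IV check is applied per pair (effective uid of the modifying process against the first member, file owner against the second). The passwd map is constructed for the example, and `type_iv_pairs` is a hypothetical property name, since this page does not give the real name of the pair-list property in the Modification of Another User’s File Template.

```python
# Constructed stand-in for the passwd database (name -> uid); the agent uses the host's own.
PASSWD = {"root": 0, "daemon": 1, "bin": 2, "adm": 4, "alice": 22, "bob": 43}

# Template lines taken from the guide, plus one hypothetical Type IV line.
TEMPLATE = [
    "priv_user_list | 22 | 1 | 43",
    "priv_user_list | root | bin | daemon",
    "users_to_ignore | 21 | 3 | 53",
    "users_to_ignore | root | bin | daemon",
    "type_iv_pairs | 22,0 | bin,root",   # hypothetical property name for the pair list
]


def to_uid(value):
    """Normalise a list entry or event field to a numeric uid. Entries may be a uid or a
    user name; names need a passwd lookup (unsupported inside an HP-UX SRP container)."""
    s = str(value).strip()
    if s.isdigit():
        return int(s)
    if s in PASSWD:
        return PASSWD[s]
    raise ValueError("unknown user name: %s" % s)


def parse_property(line):
    """Split a 'property | v1 | v2 | ...' template line into (name, [values])."""
    fields = [f.strip() for f in line.split("|")]
    return fields[0], fields[1:]


def user_set(lines, prop):
    """Type III: union of every value given for a property, as uids."""
    uids = set()
    for line in lines:
        name, values = parse_property(line)
        if name == prop:
            uids.update(to_uid(v) for v in values)
    return uids


def pair_list(lines, prop):
    """Type IV: each value is 'first,second'; returns a list of (uid, uid) tuples."""
    pairs = []
    for line in lines:
        name, values = parse_property(line)
        if name == prop:
            for v in values:
                first, second = v.split(",")
                pairs.append((to_uid(first), to_uid(second)))
    return pairs


def matches_pair(euid, file_owner, pairs):
    """Type IV criteria: some pair has the modifying process's effective uid as its first
    member and the owner of the modified file as its second member."""
    e, o = to_uid(euid), to_uid(file_owner)
    return any(e == first and o == second for first, second in pairs)


if __name__ == "__main__":
    print("critical:", sorted(user_set(TEMPLATE, "priv_user_list")))
    print("ignored: ", sorted(user_set(TEMPLATE, "users_to_ignore")))
    print("alice modifying a root-owned file:",
          matches_pair("alice", "root", pair_list(TEMPLATE, "type_iv_pairs")))
```

Note that, as in the guide's example, the same user may appear in both Type III lists; which list takes precedence is decided by the individual template, not by the list values themselves.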
110 Templates and Alerts