HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
NOTE: In HP-UX 11i v2 and later, comprehensive stack buffer overflow protection, which uses
a combination of highly efficient software and existing memory management hardware, protects
against both known and unknown buffer overflow attacks without sacrificing system performance.
This protection is managed with the executable_stack tunable kernel parameter. You can
allow selected programs to execute from the stack by marking them with the -es option of the
chatr command. Refer to the executable_stack(5) and chatr(1) manpages and the Stack
Buffer Overflow Protection in HP-UX 11i white paper, available at http://www.docs.hp.com.
How this template is configured
Table A-2 lists the configurable properties the Buffer Overflow template supports.
Table 12 Buffer Overflow Template Properties
Property               Type  Default Value
priv_user_list         III   root | daemon | bin | sys | adm | uucp | lp | nuucp
unusual_arg_len        VIII  500
programs_to_not_watch  I     <empty>
priv_user_list A list of system-level user IDs or user names.
Add users who have elevated access to the system to this list.
Only programs that run with an effective user ID that equals one
of the listed user IDs or corresponds to one of the listed user
names are monitored for the use of unusually long arguments or
arguments with nonprintable characters. For higher security, add
the user IDs and user names of other privileged accounts (for
example, Webmaster or news administrator), and do not remove
the default user IDs.
unusual_arg_len An integer value set to an unusually long argument length.
Set this property to an argument length that is unusually long
for privileged setuid executables run on the
system, which can indicate a buffer overflow attack.
programs_to_not_watch Path names of programs that can be safely ignored.
Any buffer overflow alert for a program whose path name is
matched by a regular expression in this property is filtered
out and not reported.
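The following added example (not HP's implementation and not code from this guide) sketches how the three properties combine when deciding whether an exec event raises an alert. The record layout, the sample paths and pattern, the printable-ASCII test, the >= length comparison, the unanchored regex search and matching on user names only are assumptions.

```python
import re

# Defaults from Table 12; the programs_to_not_watch pattern is constructed
# (the shipped default is empty).
PRIV_USER_LIST = {"root", "daemon", "bin", "sys", "adm", "uucp", "lp", "nuucp"}
UNUSUAL_ARG_LEN = 500
PROGRAMS_TO_NOT_WATCH = [r"^/opt/backup/bin/"]

def check_exec(euser, path, argv):
    """Return the alert names one exec record would raise (argv is a list of bytes)."""
    # Only programs whose effective user is in priv_user_list are monitored.
    if euser not in PRIV_USER_LIST:
        return []
    # A path matched by any programs_to_not_watch regex is filtered out.
    if any(re.search(p, path) for p in PROGRAMS_TO_NOT_WATCH):
        return []
    alerts = []
    # Assumption: an argument of exactly unusual_arg_len bytes already counts.
    if any(len(arg) >= UNUSUAL_ARG_LEN for arg in argv):
        alerts.append("Unusual Argument Length")
    # Assumption: printable means ASCII 0x20-0x7e.
    if any(not 0x20 <= byte <= 0x7E for arg in argv for byte in arg):
        alerts.append("Argument with Nonprintable Character")
    return alerts

# Constructed exec records: (effective user name, program path, argv).
SAMPLE_EXECS = [
    ("root", "/usr/bin/passwd", [b"passwd", b"alice"]),
    ("root", "/usr/sbin/demo_setuid", [b"demo_setuid", b"A" * 600]),
    ("root", "/usr/sbin/demo_setuid", [b"demo_setuid", b"\x01\x02\xfe"]),
    ("alice", "/home/alice/tool", [b"tool", b"B" * 600]),
    ("root", "/opt/backup/bin/archive", [b"archive", b"C" * 600]),
]

def scan(records):
    """Return (path, alerts) for every record that raises at least one alert."""
    hits = []
    for euser, path, argv in records:
        alerts = check_exec(euser, path, argv)
        if alerts:
            hits.append((path, alerts))
    return hits

if __name__ == "__main__":
    for path, alerts in scan(SAMPLE_EXECS):
        print(path, "->", ", ".join(alerts))
```

The last two sample records show the trade-off in each filter: a long argument from an unlisted user or to an excluded path produces no alert, which is why the guide advises extending priv_user_list and keeping programs_to_not_watch narrow.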
Alerts generated by this template
The following alerts are generated by the Buffer Overflow template:
• “Execute on Stack”
• “Unusual Argument Length”
• “Argument with Nonprintable Character”
Execute on Stack
Table 13 lists the alerts that this template generates and forwards to a response program when an
execute-on-stack condition is detected by the HP-UX 11i kernel.