HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)
pathnames_2 | f2
programs_2 | p1 & p2 & p3
Or to the following set of six lines:
pathnames_1 | f1 & f2
programs_1 | p1
pathnames_2 | f1 & f2
programs_2 | p2
pathnames_3 | f1 & f2
programs_3 | p3
• However, it is not equal to the following lines:
pathnames_1 | f1
programs_1 | p1 & p2 & p3
pathnames_2 | f2
programs_2 | p1 & p3
This provides granularity for specifying file-monitoring dependencies per program. That is, in the last
example an alert for f2 is generated if the event was triggered by p2, whereas with any of the three
previous (equivalent) examples that alert is filtered.
IMPORTANT: Specifying a program's relative path name to ignore alerts is unsafe, whether the
path name refers to a script or an executable program. An attacker can construct an attack script
or program with the same relative path name, and alerts for that program are filtered if the relative
path name is specified as the value in a pathnames_X / programs_X pair. Always anchor the value
to an absolute path (for example ^/usr/local/bin/change_passwd\.sh$).
NOTE: To filter alerts triggered by scripts that are invoked in one of the following ways, the
pathname of the script itself and not the shell should be specified in a programs_X property:
<shell> <script pathname>
<shell> -c <script pathname>
<shell> -c exec <script pathname>
For example, to filter the following alert:
User with uid 0 opened for modification/truncation /etc/passwd (type=1,inode=5416,device=1073741827)
when executing /usr/bin/sh(type=1,inode=13748,device=1073741829), invoked as follows:
"sh -c /usr/local/bin/change_passwd.sh", as process with pid 28379 and ppid 28300 and running
with effective uid=0 and with effective gid=3
the following filter rules should be used:
pathnames_X | ^/etc/passwd$
programs_X | ^/usr/local/bin/change_passwd\.sh$
HIDS treats the first string of the program invocation as the pathname of the program that triggered
the alert. However, if the string is a pathname of a valid shell as defined by shells(4), it filters based
on the script pathname.
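The following is an added worked example, not code from HP-UX HIDS, that models the two points above: how the pathnames_X / programs_X pairs decide whether an alert is filtered (the six-line and the non-equivalent forms of the equivalence discussion), and the shells(4) rule that substitutes the script pathname when a valid shell runs a script. Everything in it is an assumption made for the demonstration: the VALID_SHELLS set stands in for /etc/shells, template values are treated as regular expressions matched with re.search, the concrete values chosen for f1/f2 and p1/p2/p3 are illustrative, the alert parser only understands the layout printed on this page, and the "unanchored pattern" lint is a conservative check inspired by the IMPORTANT note, not a HIDS feature.

```python
"""Added example, not HP-UX HIDS code: models how pathnames_X / programs_X
pairs decide whether an alert is filtered, including the shells(4) rule
for scripts. Shell list, patterns and alert text are constructed for the demo."""
import re

# Constructed stand-in for /etc/shells (see shells(4)); HIDS consults the real file.
VALID_SHELLS = {"/sbin/sh", "/usr/bin/sh", "/usr/bin/ksh", "/usr/bin/csh"}


def parse_pairs(template_lines):
    """Group 'pathnames_X | a & b' and 'programs_X | c' lines by X into
    (path_patterns, program_patterns) pairs; '&' separates alternatives."""
    groups = {}
    for line in template_lines:
        key, _, values = line.partition("|")
        prop, _, idx = key.strip().rpartition("_")
        groups.setdefault(idx, {})[prop] = [v.strip() for v in values.split("&") if v.strip()]
    return [(g.get("pathnames", []), g.get("programs", [])) for _, g in sorted(groups.items())]


def unsafe_program_patterns(pairs):
    """Lint (assumption, not a HIDS feature): a programs_X value not anchored to an
    absolute path also matches an attacker's file of the same relative name."""
    return [p for _, progs in pairs for p in progs if not p.startswith("^/")]


def effective_program(program, argv):
    """Pathname matched against programs_X: the program itself, unless it is a
    valid shell invoked as <shell> <script>, <shell> -c <script> or
    <shell> -c exec <script>, in which case the script pathname."""
    if program not in VALID_SHELLS:
        return program
    args = argv[1:]
    if args[:1] == ["-c"]:
        args = args[1:]
        if args[:1] == ["exec"]:
            args = args[1:]
    return args[0] if args else program   # interactive shell: nothing to substitute


def is_filtered(pairs, file_path, program, argv=None):
    """Filtered when one pair matches both the file and the effective program."""
    prog = effective_program(program, argv or [program])
    return any(any(re.search(fp, file_path) for fp in paths)
               and any(re.search(pp, prog) for pp in progs)
               for paths, progs in pairs)


# Only understands the alert layout printed on this page.
ALERT_RE = re.compile(
    r"opened for \S+ (?P<file>\S+) \(type=[^)]*\) when executing "
    r"(?P<program>[^(\s]+)\(type=[^)]*\), invoked as follows: "
    r'"(?P<argv>[^"]*)"')


def parse_alert(text):
    """Return (file, program, argv) from alert text; line breaks are ignored."""
    m = ALERT_RE.search(" ".join(text.split()))
    if m is None:
        raise ValueError("alert text not in the expected layout")
    return m.group("file"), m.group("program"), m.group("argv").split()


def decisions(template_lines, files, programs):
    """Filtered or not for every (file, program) combination, to compare templates."""
    pairs = parse_pairs(template_lines)
    return {(f, p): is_filtered(pairs, f, p) for f in files for p in programs}


# Concrete (assumed) values for the f1/f2 and p1/p2/p3 of the equivalence discussion.
F1, F2 = r"^/etc/passwd$", r"^/etc/group$"
P1, P2, P3 = r"^/usr/sbin/useradd$", r"^/usr/sbin/usermod$", r"^/usr/sbin/userdel$"
COMPACT = [f"pathnames_1 | {F1} & {F2}", f"programs_1 | {P1} & {P2} & {P3}"]
SIX_LINE = [f"pathnames_1 | {F1} & {F2}", f"programs_1 | {P1}",
            f"pathnames_2 | {F1} & {F2}", f"programs_2 | {P2}",
            f"pathnames_3 | {F1} & {F2}", f"programs_3 | {P3}"]
NOT_EQUAL = [f"pathnames_1 | {F1}", f"programs_1 | {P1} & {P2} & {P3}",
             f"pathnames_2 | {F2}", f"programs_2 | {P1} & {P3}"]
FILES = ["/etc/passwd", "/etc/group"]
PROGS = ["/usr/sbin/useradd", "/usr/sbin/usermod", "/usr/sbin/userdel"]

# The page's change_passwd.sh alert, joined from its printed lines.
SAMPLE_ALERT = (
    "User with uid 0 opened for modification/truncation /etc/passwd "
    "(type=1,inode=5416,device=1073741827) when executing "
    "/usr/bin/sh(type=1,inode=13748,device=1073741829), invoked as follows: "
    '"sh -c /usr/local/bin/change_passwd.sh", as process with pid 28379 '
    "and ppid 28300 and running with effective uid=0 and with effective gid=3")
SCRIPT_RULE = [r"pathnames_X | ^/etc/passwd$", r"programs_X | ^/usr/local/bin/change_passwd\.sh$"]
SHELL_RULE = [r"pathnames_X | ^/etc/passwd$", r"programs_X | ^/usr/bin/sh$"]       # names the shell: no match
RELATIVE_RULE = [r"pathnames_X | ^/etc/passwd$", r"programs_X | change_passwd\.sh$"]  # unsafe, unanchored


def sample_alert_filtered(template_lines):
    return is_filtered(parse_pairs(template_lines), *parse_alert(SAMPLE_ALERT))


if __name__ == "__main__":
    print(decisions(SIX_LINE, FILES, PROGS) == decisions(COMPACT, FILES, PROGS))    # True
    print(decisions(NOT_EQUAL, FILES, PROGS)[("/etc/group", "/usr/sbin/usermod")])  # False
    print(sample_alert_filtered(SCRIPT_RULE), sample_alert_filtered(SHELL_RULE))    # True False
    print(unsafe_program_patterns(parse_pairs(RELATIVE_RULE)))                      # ['change_passwd\\.sh$']
```

Running the script shows the six-line template and the compact one filter exactly the same (file, program) combinations, the non-equivalent form still raises an alert for /etc/group touched by usermod, the page's alert is filtered only when programs_X names the script rather than /usr/bin/sh, and the unanchored pattern is flagged by the lint.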
Type III: User Names/UIDs
Type III property values consist of lists of user names or user IDs that specify critical users, or users
that the template is to explicitly take into account (type IIIa) or explicitly ignore (type IIIb). The
following template property specifies three critical user IDs and three user names that determine
the severity of an alert:
priv_user_list | 22 | 1 | 43
priv_user_list | root | bin | daemon