HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)
kernel. The template monitors privileged setuid programs, that is, programs whose effective user ID (euid) is not
equal to the real user ID (ruid) and whose euid is one of the user IDs specified in the template's property
list of privileged users (for example, root).
Specifically, the template monitors privileged setuid programs for the following:
• The privileged setuid program was invoked with an unusually long program argument.
• The privileged setuid program was invoked with program arguments that contain nonprintable
characters (for example, possible CPU opcodes).
The template also reports when the kernel detects that a program has attempted to execute on its
stack, perhaps as part of a stack buffer overflow attack.
NOTE: In HP-UX 11i v2 and later, comprehensive stack buffer overflow protection, which uses
a combination of highly efficient software and existing memory management hardware, protects
against both known and unknown buffer overflow attacks without sacrificing system performance.
This protection is managed with the executable_stack tunable kernel parameter. You can
allow selected programs to execute from the stack by marking them with the -es option of the
chatr command. Refer to the executable_stack(5) and chatr(1) manpages and the Stack
Buffer Overflow Protection in HP-UX 11i white paper, available at http://www.docs.hp.com.
How this template is configured
Table A-2 lists the configurable properties the Buffer Overflow template supports.
Table 12 Buffer Overflow Template Properties
Property               Type   Default Value
priv_user_list         III    root | daemon | bin | sys | adm | uucp | lp | nuucp
unusual_arg_len        VIII   500
programs_to_not_watch  I      <empty>
priv_user_list A list of system-level user IDs or user names.
Add users who have elevated access to the system to this list.
Only programs that run with an effective user ID that equals one
of the listed user IDs or corresponds to one of the listed user
names are monitored for the use of unusually long arguments or
arguments with nonprintable characters. For higher security, add
the user IDs and user names of other privileged accounts (for
example, the Webmaster or news administrator accounts), and do not remove
the default user IDs.
unusual_arg_len An integer value set to an unusually long argument length.
Set this property to an argument length that would be unusually long
for privileged setuid executables run on the system; an argument of
that length can indicate a buffer overflow attack.
programs_to_not_watch Path names of programs that can be safely ignored.
Any buffer overflow alert for a program whose path name is
matched by a regular expression in this property is filtered
out and not reported.
Alerts generated by this template
The following alerts are generated by the Buffer Overflow template:
• “Execute on Stack” (page 113)
• “Unusual Argument Length” (page 113)
• “Argument with Nonprintable Character” (page 114)
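The following Python script is an added example, not part of the HP-UX HIDS product or this guide, that models how the three properties above combine to decide which of the listed alerts would be raised for a single exec event. The event records, the passwd mapping, the exact definition of "nonprintable" (7-bit ASCII 0x20 to 0x7E is treated as printable), the "at least unusual_arg_len" comparison and the execute_on_stack flag are all assumptions made for the example; the real template obtains this information from the kernel.

```python
import re

# Defaults as listed in Table 12 of the guide.
PRIV_USER_LIST = ["root", "daemon", "bin", "sys", "adm", "uucp", "lp", "nuucp"]
UNUSUAL_ARG_LEN = 500
PROGRAMS_TO_NOT_WATCH = []  # regular-expression strings matched against the path name

# Constructed stand-in for /etc/passwd so the example runs offline (assumed values).
SAMPLE_PASSWD = {"root": 0, "daemon": 1, "bin": 2, "sys": 3, "adm": 4,
                 "uucp": 5, "lp": 9, "nuucp": 11, "www": 30}


def resolve_priv_uids(priv_user_list, passwd):
    """Turn the mixed list of user names and numeric user IDs into a set of UIDs."""
    uids = set()
    for entry in priv_user_list:
        if isinstance(entry, int) or str(entry).isdigit():
            uids.add(int(entry))
        elif entry in passwd:
            uids.add(passwd[entry])
    return uids


def is_nonprintable(arg):
    """Assumption: only 7-bit ASCII 0x20..0x7E counts as printable; control bytes
    and high bytes (which could be machine code) are flagged."""
    return any(not (0x20 <= ord(c) <= 0x7E) for c in arg)


def evaluate_exec(event,
                  priv_user_list=PRIV_USER_LIST,
                  unusual_arg_len=UNUSUAL_ARG_LEN,
                  programs_to_not_watch=PROGRAMS_TO_NOT_WATCH,
                  passwd=SAMPLE_PASSWD):
    """Return the Buffer Overflow template alerts that one exec event would raise.

    event is a constructed dict: path, euid, ruid, args (list of str) and an
    optional execute_on_stack flag assumed to be supplied by the kernel.
    """
    alerts = []
    # Scope: privileged setuid programs only (euid differs from ruid and euid is listed).
    if event["euid"] == event["ruid"]:
        return alerts
    if event["euid"] not in resolve_priv_uids(priv_user_list, passwd):
        return alerts
    # programs_to_not_watch suppresses every alert for a matching path name.
    if any(re.search(pattern, event["path"]) for pattern in programs_to_not_watch):
        return alerts
    if event.get("execute_on_stack"):
        alerts.append("Execute on Stack")
    # Assumption: an argument at least unusual_arg_len characters long is reported once.
    if any(len(arg) >= unusual_arg_len for arg in event["args"]):
        alerts.append("Unusual Argument Length")
    if any(is_nonprintable(arg) for arg in event["args"]):
        alerts.append("Argument with Nonprintable Character")
    return alerts


if __name__ == "__main__":
    # Constructed events: an ordinary setuid-root invocation and a suspicious one.
    normal = {"path": "/usr/bin/passwd", "euid": 0, "ruid": 201, "args": ["-r", "files"]}
    suspect = {"path": "/usr/bin/su", "euid": 0, "ruid": 201,
               "args": ["-", "A" * 600 + "\x90\x90"]}
    for ev in (normal, suspect):
        print(ev["path"], "->", evaluate_exec(ev) or "no alert")
```

Adding a pattern such as `^/usr/bin/su$` to programs_to_not_watch silences every alert for that path, including Execute on Stack, which is why the guide restricts that property to programs that can be safely ignored.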
112 Templates and Alerts