HP Host Intrusion Detection System (HIDS) Creation of Setuid File Template, Alerts generated

Page 167

Templates and Alerts

Creation of Setuid File Template

Creation of Setuid File Template

The vulnerability A setuid file is one that, if executed, will operate with the permissions of the owner of the addressed by this file, not of the person executing the file. One of the frequent back doors that an intruder

templatewill install on a system is the creation of a copy of the /bin/sh program that is setuid root. Such a file allows any command to be executed as the superuser.

How this template The Setuid (SUID) template detects the creation of files with setuid privileges owned by

addresses the privileged users by monitoring for the following: vulnerability

Modification of the file permissions to enable the setuid bit on a file owned by a privileged user.

Changing the owner of a setuid file to be owned by a privileged user.

Creation of a file that has the setuid bit set and owned by a privileged user.

By detecting the creation of a setuid file as soon as it occurs, the template can provide a timely security report to an administrator regarding a potential security intrusion. There are no known mechanisms in existence for the HP-UX operating system that can provide a near real-time report of the creation of setuid files.

How this template This template supports the following properties: is configured

Table A-13

Template Properties

 

 

 

 

 

 

 

Name

Type

Default Value

 

 

 

 

 

priv_uid_list

III

0 1 2 3 4 5 9 11

 

 

 

 

 

pathnames_X

II

<empty>

 

 

 

 

 

programs_X

II

<empty>

 

 

 

 

Properties

Property: priv_uid_list

 

 

A list of system-level user IDs.

 

This list should contain those users that are considered to have elevated access to the system. Removing any of these means that the creation of a setuid file owned by one of those users will not be detected by this template.

Properties: pathnames_X, programs_X

These properties can be used to filter out alerts generated when a particular program creates or enables a particular privileged setuid file. See “Type II: Pathnames/Programs Pairs” on page 130 for a detailed description of these property pairs.

Alerts generated

• “Setuid File Created” on page 156

by this template

 

Appendix A

155

Page 166 Page 168
Image 167
Page 166 Page 168
Contents Manufacturing Part Number J5083-90013 December HP-UX Host Intrusion Detection System Administrator’s GuideEdition Government License WarrantyIii TrademarksConventions Contents Schedule Manager Screen System Manager ScreenVii Host Manager ScreenNetwork Node Screen Viii Preferences ScreenTemplates and Alerts Agent Configuration File Idsagent CommandIdsadmin Command Automated ResponseHP Software License TroubleshootingMessages Original SSLeay License HP Software License Terms Xii Overview Documentation SummaryLoss of Computing Resources Why Do You Need Intrusion Detection?Loss of Financial Assets Loss of Intellectual PropertyMalicious Code Who Are the Perpetrators?How Are These Threats Realized? Misplaced TrustFirewalls Why Existing Tools Are Only Part of the SolutionExcessive Privilege for Simple Tasks Being Used as a Springboard to Attack the Next VictimSecurity Auditing Tools EncryptionWhat Is Intrusion Detection? Where Does Intrusion Detection Fit In?What HP-UX Hids Does What HP-UX Hids Does Not Do Graphic Representation HP-UX Hids ComponentsHP-UX Hids Components How the Components Interact to Detect IntrusionsSurveillance Schedules HP-UX Hids Secure CommunicationsDetection Templates Surveillance GroupsGlossary of HP-UX Hids Terms Node Intrusion Detection DataIntrusion Detection System KernelVulnerability System ManagerVirus Glossary of HP-UX Hids Terms Chapter Configuration Configuration Optional IntroductionRequired Create the X.509 Certificates Setting Up the HP-UX Hids Secure CommunicationsOverview of Procedures to Set Up Secure Communications Script to Use Where Used End Product$ IDSgenAdminKeys install $ IDSgenAgentCerts Transport the Certificates TIP$ IDSimportAgentKeys /var/opt/ids/tmp/myhost1.tar.Z myadmin Install the Keys on Each HostStep Configuring a Multihomed Agent System$ nslookup large2 ExampleTo configure a multihomed administration system Configuring a Multihomed Administration SystemEdit the agent configuration file for example To configure a loopback system Configuring a Loopback SystemWorking with Firewalls Configuring PortsWorking with NIS Select Kernel Configuration Select Configurable Parameters Enabling Large Numbers of AgentsEnabling Over 23 Agents Thread Limits To change the value of maxthreadprocTo view and change the value of tcpconnrequestmax Enabling Over 20 Inbound RequestsFiles Permissions Accessing ManpagesRestricting Permissions Runtime File PermissionsAccessing Manpages Chapter Getting Started Getting Started System Manager AgentsStarting HP-UX Hids for the First Time Set up hosts and run schedulesSee , Host Manager Screen, on Network Node Operations ScreensSchedule Manager Host ManagerSorting Entries Basic Screen ActionsSelecting Entries in Lists Searching EntriesBasic Screen Actions Chapter System Manager Screen System Manager Screen System Manager Screen To stop the HP-UX Hids System Manager Starting the HP-UX Hids System ManagerStopping the HP-UX Hids System Manager To start the HP-UX Hids System ManagerStatus Value Description On the System Manager ScreenStatus Field Values On the System Manager screen Getting the Status of Agent HostsTo get the status of agent hosts To resynchronize agent hosts Resynchronizing Agent HostsChoose the Actions Activate Schedule menu item Activating a Schedule on Agent HostsTo activate a surveillance schedule on agent hosts To stop a surveillance schedule on agent hosts Stopping Schedules on Agent HostsTo start the agent Starting HP-UX Hids AgentsTo halt the agent locally on the agent host Halting HP-UX Hids AgentsTo halt agents remotely from the System Manager To go to the Schedule Manager screen Accessing Other ScreensGo to Schedule Manager Screen Go to Host Manager ScreenReturn to System Manager Screen Go to Network Node ScreenGo to Preferences Screen Accessing Other Screens Chapter Schedule Manager Screen Schedule Manager Screen Schedule Manager To create a surveillance schedule Creating a Surveillance ScheduleTo close the Schedule Manager screen Displaying the Schedule Manager ScreenClosing the Schedule Manager Screen To display the Schedule Manager screenTo create a new surveillance schedule Configuring Surveillance SchedulesCreating a New Surveillance Schedule Copying a Surveillance ScheduleTo modify a surveillance schedule Modifying a Surveillance ScheduleChoose File Save Selected Schedule As Renaming a Surveillance ScheduleTo rename a surveillance schedule To delete a surveillance schedule Deleting a Surveillance ScheduleUndoing and Redoing Changes Choose File Save Selected Schedule Saving a Surveillance ScheduleTo save a surveillance schedule To create a new surveillance group Configuring Surveillance GroupsCreating a New Surveillance Group Copying a Surveillance GroupTo modify a surveillance group Modifying a Surveillance GroupTo rename a surveillance group Renaming a Surveillance GroupRename Surveillance Group Dialog To delete a surveillance group Deleting a Surveillance GroupSaving a Surveillance Group To change the value of a property in a detection template Configuring Detection TemplatesModifying a Property Value In a Template To add a new value Edit List Dialog11Edit Dialog Edit Suggested Best PracticesSome Template Configuration Guidelines Setting Surveillance Schedule Timetables To specify when a schedule will run Specifying When a Schedule Will RunCanceling Changes See Saving a Surveillance Schedule on To view the source of a surveillance schedule Viewing Surveillance Schedule DetailsViewing the Source of a Surveillance Schedule Refreshing the Details DisplayTo clear the display Clearing the Details DisplaySaving the Details Display Save DialogPredefined Surveillance Schedules Predefined Surveillance Schedules and GroupsPredefined Surveillance Schedules Host Manager Screen Host Manager Screen Displaying the Host Manager Screen Managing HostsClosing the Host Manager Screen To add a new host manually Adding New HostsAdding a New Host Manually Add Host DialogIP Address Host NameAddress field To add new hosts from /etc/hosts Adding New Hosts from /etc/hostsName field Host Name and IP AddressTo add new hosts from a file Adding New Hosts from a FileRules for Host Lists Files Open DialogTo modify a host entry Modifying a HostTo delete a host entry Deleting HostsEnabling and Disabling Hosts To enable or disable an agent host for monitoringAdd, modify or delete tags To add a tag Managing TagsTo delete a tag To edit a tagSaving the Host List in a Different File Maintaining Host FilesSaving the Host List in the Current File Using Multiple Host Files Using an Alternate Host List FileMaintaining Host Files Chapter Network Node Screen 100 To display the Network Node screen for an agent host Network Node ScreenOpening a Network Node Screen Closing a Network Node Screen102 Alerts TabHP-UX Hids Alerts What They Mean, What to Do 104 Errors TabHP-UX Hids Errors What They Mean, What to Do Simple Version General OperationsSelecting Entries Selecting with the MouseFind Dialog Searching for the Next Unseen EntrySearching for a String To search again To delete one or more alerts or errorsDeleting an Entry Marking Entries as Seen or Unseen108 UnseenSaving a New Log File Set Saving a Log File SetNetwork Node screen from the System Manager screen Saving the Current Log File SetExample Saving the File Set over Another File Set Save Dialog BoxPress Ctrl-A Example Creating a New File SetOpen Dialog Box Opening a Log File SetLog File Rotation 112 Preferences Screen 114 Preferences Screen 116 Option Default DescriptionGeneral Preferences To choosing Actions Status Poll from the System ManagerActions Resync from the System Manager screen 118 Column Name Default DescriptionBrowser Preferences Alert Events PreferencesColumn Default Description Name Error Events Preferences120 System Manager SubtabTemplates and Alerts Templates AlertsLimitations Property TypesAttack Detected Alert Alert Severity Detection Template Alert SummaryTable A-1 Detection Templates 124 Appendix a 125 126 Unix Regular ExpressionsExamples Appendix a 127 128 LimitationsType I Pathnames to Not Monitor Template Property Types130 Type II Pathnames/Programs PairsType IV UID Pairs Type III UIDs132 Type V Network TripletsType VI Time Strings Type Viii Scalars Type VII Flags134 Buffer Overflow TemplateTable A-3 Execute on Stack Alert Properties Name Type Default ValueExecute on Stack Table A-2 Template Properties136 Table A-4 Unusual Argument Length Alert Properties Unusual Argument Length138 Argument with Non-printable CharacterAppendix a 139 140 Table A-6 Template Properties Race Condition Template142 File Reference ModificationTable A-7 File Reference Modification Alert Properties Appendix a 143 144 Privileged Setuid Script ExecutedTable A-8 Setuid Script Executed Alert Properties Appendix a 145 146 Modification of Files/Directories TemplateTable A-9 Template Properties Properties 148 Table A-10 File Being Modified Alert Properties File Being Modified150 Appendix a 151 152 Changes to Log File TemplateTable A-11 Template Properties Table A-12 Append-Only File Being Modified Alert Properties Append-Only File Being Modified154 By this template Creation of Setuid File TemplateTable A-13 Template Properties Alerts generated156 Setuid File CreatedTable A-14 Setuid File Created Alert Properties Appendix a 157 158 Creation of World-Writable File TemplateTable A-15 Template Properties Table A-16 World-writable File Created Alert Properties World-Writable File Created160 Appendix a 161 162 Table A-17 Template Properties Modification of Another User’s File Template164 Non-owned File Being ModifiedTable A-18 Non-owned File Being Modified Alert Properties Appendix a 165 Limitations 166 Table A-19 Template Properties Login/Logout Template168 Table A-20 Login/Logout Alert Properties Login/Logout170 Successful su DetectedTable A-21 Successful su Detected Alert Properties Appendix a 171 172 Template How this template Repeated Failed Logins TemplateTable A-22 Template Properties 174 Failed Login AttemptsTable A-23 Failed Login Attempts Alert Properties Appendix a 175 Table A-25 Repeated Failed Su Attempts Alert Properties Repeated Failed su Commands TemplateRepeated Failed su Attempts Table A-24 Template PropertiesAppendix a 177 178 Template Configuration SyntaxAppendix a 179 180 Automated Response 182 Response Methods General Guidelines184 Programming Notes How Automated Response Works in HP-UX HidsAlert Process Security checks186 Table B-1 Additional Arguments Passed to Response ProgramsAppendix B 187 188 Table B-3 Environment Variables Set for Response ProgramsName Value Description Appendix B 189 190 Programming GuidelinesWriting Perl vs. Shell Response Scripts Writing Privileged Response ProgramsCode for scriptA.sh Solution aCode Examples 192 Solution BCode for privA program Code for PrivB programSolution C 194 Code for privC programCode for scriptC.sh script #!/usr/bin/sh Sample Shell Script Alert Responses Sample Response ProgramsSample C Language Program Source Code 196 Forwarding InformationAppendix B 197 198 Halting any further attacksAppendix B 199 200 Preservation of evidenceAppendix B 201 202 Restoration of a known good stateHP OpenView Operations Smart Plug-In OVO Enablement in HP-UX Hids204 Idsagent Command 206 Synopsis Options Idsagent Command208 ExampleIdsadmin Command 210 Synopsis Startup Options Idsadmin Command212 CommandsAgent Configuration File 214 Forcing Active Agent to Reread Configuration File Agent Configuration File216 Name Default ValueGlobal Configuration Table E-1 Global Configuration VariablesDSP idskernDSP Parameters Data Source Process ConfigurationKernel Audit Data DSP Table E-2218 Correlator Configuration Variables Remote Communication ConfigurationTable E-3 220 Messages 222 Agent Messages Idsagent failed to start group Idsagent failed to reopen stderr in append modeIdsagent internal error in handling signature groups Idsagent failed to initialize configuration moduleIdsagent unable to setup Sigsegv signal handler Idsagent unable to setup Sigchld signal handlerIdsagent unable to setup Sighup signal handler Idsagent unable to setup signal handlerIdsagent failed to execute correlator corr Idsagent error trying to shutdown a processIdsagent failed to allocate memory Idsagent failed to create schedule path filenameIdsagent failed to initialize schedule in crontab Idsagent internal error no correlator in PMStartProcessesIdsagent internal error occurred in PMStopGroup Idsagent failed to initialize scheduleIdsagent out of process table space Idsagent not enough disk space to create scheduleIdsagent not enough disk space to parse schedule Idsagent not enough disk space to save config fileUnable to open the response script directory dir Internal errorInternal error unknown state System Manager Messages Invalid Property Value value Property Value Error Exception while opening file filename File Save ErrorIncomplete or Invalid Entry Data Entry Error Invalid Host State Unable to disable hostSelect Property to be edited Selection Error No more instances of searchstring found Find ErrorOnly one property may be edited at a time Selection Error Searchstring not found Find ErrorSelect Surveillance Schedule to delete Selection Error Select Surveillance Group Name to delete Selection ErrorSelect Surveillance Group to copy Selection Error Select Surveillance Schedule to copy Selection Error234 Surveillance Schedule not selected Schedule Selection ErrorFollowing hosts are in an invalid state for this command Unable to Overwrite filename File Save ErrorUnknown IP Address unable to resolve Host Name Unknown Host unable to resolve IP Address IPaddress236 Troubleshooting 238 Appendix G 239 240 TroubleshootingAgent and System Manager cannot communicate with each other $ /usr/sbin/kmtune -q enableidds Agent does not start on system boot242 Agent needs further troubleshootingTo clean up the IDS message queues Agent host appears to hang and/or you see message disk fullAlerts are not being displayed in the alert browser Agent does not start after installationAgents appear to be stuck in polling status Alert date/time sort seems inconsistent244 Idsadmin needs installed agent certificatesBuffer overflow triggers false positives Duplicate alerts appear in System ManagerIDSgenAdminKeys or idsgui quits early IDScheckInstall fails with a kmtune error246 Large files in /var/opt/idsLog files are filling up No Agent AvailableSchedule Manager timetable screen appears to hang SSH does not perform a clean exit after idsgent is started248 System Manager appears to hangSystem Manager does not start after idsgui is started IPFilter rules for HP-UX Hids Using HP-UX Hids with IPFilter and SecureShellUnknown program and arguments in certain alert messages 250 How to allow the SecureShell daemon to forward X11 trafficAppendix G 251 252 Appendix H 253 HP Software License254 OpenSSL LicenseAppendix H 255 Original SSLeay License256 HP Software License Terms 258
Related manuals
Manual 55 pages 31.55 Kb Manual 20 pages 7.92 Kb
Top Page Image Contents