HP Host Intrusion Detection System (HIDS) manual Modiﬁcation of Another User’s File Template

Page 175

Templates and Alerts

Modiﬁcation of Another User’s File Template

Modiﬁcation of Another User’s File Template

The vulnerability In many environments, users are expected to be working with their own ﬁles. An addressed by this attacker attempting to compromise the security of a system might cause a system

templateprogram to modify various ﬁles owned by other system users. Because many daemons run as a particular user, this template may generate an alert when a compromised daemon causes such an attack.

How this template The template, also known as the Not Owned (NO) template, monitors ﬁles that are

addresses the deleted, renamed, modiﬁed or are open to be modiﬁed by users that do not own the ﬁles,

vulnerability where a ﬁle can be a regular ﬁle, a directory, a symbolic link or a special ﬁle. Speciﬁcally, the template monitors the following modiﬁcations or potential modiﬁcations of "non-owned" ﬁles.

•Monitors for successful attempts to open a regular or special ﬁle to write or append, or to truncate the ﬁle by users who do not own the ﬁle even though the ﬁle’s group permissions speciﬁes write permission. Also monitors for successful attempts to delete or rename regular ﬁles, directories, symbolic links, or special ﬁles.

•Monitors for changes in ownership or ﬁle permissions of ﬁles by users who do not own the ﬁle.

This template does not determine that a ﬁle’s contents were changed, only that a change might have been made (i.e., it does not watch the content of the ﬁles, only that a ﬁle was opened with write permission). Instead of monitoring write(2) calls that modify ﬁles, successful opens to write to or truncate the ﬁle by non-owners are monitored to provide early detection of processes that might modify ﬁles.

How this template This template supports the following properties: is conﬁgured

Table A-17	Template Properties

	Name	Type	Default Value

	pathnames_to_not_watch	I	^/dev/null$ ^/etc/rc˙log$ ^/dev/tty$
			^/var/opt/OV/tmp/OpC/ ^/var/spool/
			sockets/pwgr/ ^/dev/pts/

	uids_to_ignore	III	<empty>

	uid_pairs_to_ignore	IV	0,1 0,2 0,3 0,4

	pathnames_1	II	^/var/adm/wtmp$ & ^/dev/tty$
			^/var/adm/sulog$ & ^/dev/log$ & ^/dev/tty$

	programs_1	II	^/usr/lbin/rlogind$ & ^/usr/bin/login$ &
			^/usr/lbin/telnetd$ & ^/usr/lbin/ftpd$ &
			^/usr/bin/tset$ ^/usr/bin/su$

	pathnames_X	II	<empty>

	programs_X	II	<empty>

Appendix A

163

Image 175

Contents Edition HP-UX Host Intrusion Detection System Administrator’s GuideManufacturing Part Number J5083-90013 December Government License WarrantyIii TrademarksConventions Contents Schedule Manager Screen System Manager ScreenNetwork Node Screen Host Manager ScreenVii Templates and Alerts Preferences ScreenViii Agent Conﬁguration File Idsagent CommandIdsadmin Command Automated ResponseMessages TroubleshootingHP Software License Original SSLeay License HP Software License Terms Xii Overview Documentation SummaryLoss of Computing Resources Why Do You Need Intrusion Detection?Loss of Financial Assets Loss of Intellectual PropertyMalicious Code Who Are the Perpetrators?How Are These Threats Realized? Misplaced TrustFirewalls Why Existing Tools Are Only Part of the SolutionExcessive Privilege for Simple Tasks Being Used as a Springboard to Attack the Next VictimSecurity Auditing Tools EncryptionWhat Is Intrusion Detection? Where Does Intrusion Detection Fit In?What HP-UX Hids Does What HP-UX Hids Does Not Do Graphic Representation HP-UX Hids ComponentsHP-UX Hids Components How the Components Interact to Detect IntrusionsSurveillance Schedules HP-UX Hids Secure CommunicationsDetection Templates Surveillance GroupsGlossary of HP-UX Hids Terms Node Intrusion Detection DataIntrusion Detection System KernelVirus System ManagerVulnerability Glossary of HP-UX Hids Terms Chapter Conﬁguration Conﬁguration Required IntroductionOptional Create the X.509 Certiﬁcates Setting Up the HP-UX Hids Secure CommunicationsOverview of Procedures to Set Up Secure Communications Script to Use Where Used End Product$ IDSgenAdminKeys install $ IDSgenAgentCerts Transport the Certiﬁcates TIP$ IDSimportAgentKeys /var/opt/ids/tmp/myhost1.tar.Z myadmin Install the Keys on Each HostStep Conﬁguring a Multihomed Agent System$ nslookup large2 ExampleTo conﬁgure a multihomed administration system Conﬁguring a Multihomed Administration SystemEdit the agent conﬁguration ﬁle for example To conﬁgure a loopback system Conﬁguring a Loopback SystemWorking with NIS Conﬁguring PortsWorking with Firewalls Select Kernel Conﬁguration Select Conﬁgurable Parameters Enabling Large Numbers of AgentsEnabling Over 23 Agents Thread Limits To change the value of maxthreadprocTo view and change the value of tcpconnrequestmax Enabling Over 20 Inbound RequestsFiles Permissions Accessing ManpagesRestricting Permissions Runtime File PermissionsAccessing Manpages Chapter Getting Started Getting Started System Manager AgentsStarting HP-UX Hids for the First Time Set up hosts and run schedulesSee , Host Manager Screen, on Network Node Operations ScreensSchedule Manager Host ManagerSorting Entries Basic Screen ActionsSelecting Entries in Lists Searching EntriesBasic Screen Actions Chapter System Manager Screen System Manager Screen System Manager Screen To stop the HP-UX Hids System Manager Starting the HP-UX Hids System ManagerStopping the HP-UX Hids System Manager To start the HP-UX Hids System ManagerStatus Field Values On the System Manager ScreenStatus Value Description To get the status of agent hosts Getting the Status of Agent HostsOn the System Manager screen To resynchronize agent hosts Resynchronizing Agent HostsTo activate a surveillance schedule on agent hosts Activating a Schedule on Agent HostsChoose the Actions Activate Schedule menu item To stop a surveillance schedule on agent hosts Stopping Schedules on Agent HostsTo start the agent Starting HP-UX Hids AgentsTo halt agents remotely from the System Manager Halting HP-UX Hids AgentsTo halt the agent locally on the agent host To go to the Schedule Manager screen Accessing Other ScreensGo to Schedule Manager Screen Go to Host Manager ScreenGo to Preferences Screen Go to Network Node ScreenReturn to System Manager Screen Accessing Other Screens Chapter Schedule Manager Screen Schedule Manager Screen Schedule Manager To create a surveillance schedule Creating a Surveillance ScheduleTo close the Schedule Manager screen Displaying the Schedule Manager ScreenClosing the Schedule Manager Screen To display the Schedule Manager screenTo create a new surveillance schedule Conﬁguring Surveillance SchedulesCreating a New Surveillance Schedule Copying a Surveillance ScheduleTo modify a surveillance schedule Modifying a Surveillance ScheduleTo rename a surveillance schedule Renaming a Surveillance ScheduleChoose File Save Selected Schedule As Undoing and Redoing Changes Deleting a Surveillance ScheduleTo delete a surveillance schedule To save a surveillance schedule Saving a Surveillance ScheduleChoose File Save Selected Schedule To create a new surveillance group Conﬁguring Surveillance GroupsCreating a New Surveillance Group Copying a Surveillance GroupTo modify a surveillance group Modifying a Surveillance GroupRename Surveillance Group Dialog Renaming a Surveillance GroupTo rename a surveillance group Saving a Surveillance Group Deleting a Surveillance GroupTo delete a surveillance group Modifying a Property Value In a Template Conﬁguring Detection TemplatesTo change the value of a property in a detection template To add a new value Edit List Dialog11Edit Dialog Edit Suggested Best PracticesSome Template Conﬁguration Guidelines Setting Surveillance Schedule Timetables To specify when a schedule will run Specifying When a Schedule Will RunCanceling Changes See Saving a Surveillance Schedule on To view the source of a surveillance schedule Viewing Surveillance Schedule DetailsViewing the Source of a Surveillance Schedule Refreshing the Details DisplayTo clear the display Clearing the Details DisplaySaving the Details Display Save DialogPredeﬁned Surveillance Schedules Predeﬁned Surveillance Schedules and GroupsPredeﬁned Surveillance Schedules Host Manager Screen Host Manager Screen Displaying the Host Manager Screen Managing HostsClosing the Host Manager Screen To add a new host manually Adding New HostsAdding a New Host Manually Add Host DialogAddress ﬁeld Host NameIP Address To add new hosts from /etc/hosts Adding New Hosts from /etc/hostsName ﬁeld Host Name and IP AddressTo add new hosts from a ﬁle Adding New Hosts from a FileRules for Host Lists Files Open DialogTo modify a host entry Modifying a HostTo delete a host entry Deleting HostsEnabling and Disabling Hosts To enable or disable an agent host for monitoringAdd, modify or delete tags To add a tag Managing TagsTo delete a tag To edit a tagSaving the Host List in the Current File Maintaining Host FilesSaving the Host List in a Different File Using Multiple Host Files Using an Alternate Host List FileMaintaining Host Files Chapter Network Node Screen 100 To display the Network Node screen for an agent host Network Node ScreenOpening a Network Node Screen Closing a Network Node Screen102 Alerts TabHP-UX Hids Alerts What They Mean, What to Do HP-UX Hids Errors What They Mean, What to Do Errors Tab104 Simple Version General OperationsSelecting Entries Selecting with the MouseSearching for a String Searching for the Next Unseen EntryFind Dialog To search again To delete one or more alerts or errorsDeleting an Entry Marking Entries as Seen or Unseen108 UnseenSaving a New Log File Set Saving a Log File SetNetwork Node screen from the System Manager screen Saving the Current Log File SetExample Saving the File Set over Another File Set Save Dialog BoxPress Ctrl-A Example Creating a New File SetLog File Rotation Opening a Log File SetOpen Dialog Box 112 Preferences Screen 114 Preferences Screen 116 Option Default DescriptionGeneral Preferences To choosing Actions Status Poll from the System ManagerActions Resync from the System Manager screen 118 Column Name Default DescriptionBrowser Preferences Alert Events PreferencesColumn Default Description Name Error Events Preferences120 System Manager SubtabTemplates and Alerts Templates AlertsLimitations Property TypesTable A-1 Detection Templates Alert SummaryAttack Detected Alert Alert Severity Detection Template 124 Appendix a 125 Examples Unix Regular Expressions126 Appendix a 127 128 LimitationsType I Pathnames to Not Monitor Template Property Types130 Type II Pathnames/Programs PairsType IV UID Pairs Type III UIDsType VI Time Strings Type V Network Triplets132 Type Viii Scalars Type VII Flags134 Buffer Overﬂow TemplateTable A-3 Execute on Stack Alert Properties Name Type Default ValueExecute on Stack Table A-2 Template Properties136 Table A-4 Unusual Argument Length Alert Properties Unusual Argument Length138 Argument with Non-printable CharacterAppendix a 139 140 Table A-6 Template Properties Race Condition TemplateTable A-7 File Reference Modiﬁcation Alert Properties File Reference Modiﬁcation142 Appendix a 143 Table A-8 Setuid Script Executed Alert Properties Privileged Setuid Script Executed144 Appendix a 145 Table A-9 Template Properties Modiﬁcation of Files/Directories Template146 Properties 148 Table A-10 File Being Modiﬁed Alert Properties File Being Modiﬁed150 Appendix a 151 Table A-11 Template Properties Changes to Log File Template152 Table A-12 Append-Only File Being Modiﬁed Alert Properties Append-Only File Being Modiﬁed154 By this template Creation of Setuid File TemplateTable A-13 Template Properties Alerts generatedTable A-14 Setuid File Created Alert Properties Setuid File Created156 Appendix a 157 Table A-15 Template Properties Creation of World-Writable File Template158 Table A-16 World-writable File Created Alert Properties World-Writable File Created160 Appendix a 161 162 Table A-17 Template Properties Modiﬁcation of Another User’s File TemplateTable A-18 Non-owned File Being Modiﬁed Alert Properties Non-owned File Being Modiﬁed164 Appendix a 165 Limitations 166 Table A-19 Template Properties Login/Logout Template168 Table A-20 Login/Logout Alert Properties Login/LogoutTable A-21 Successful su Detected Alert Properties Successful su Detected170 Appendix a 171 172 Table A-22 Template Properties Repeated Failed Logins TemplateTemplate How this template Table A-23 Failed Login Attempts Alert Properties Failed Login Attempts174 Appendix a 175 Table A-25 Repeated Failed Su Attempts Alert Properties Repeated Failed su Commands TemplateRepeated Failed su Attempts Table A-24 Template PropertiesAppendix a 177 178 Template Conﬁguration SyntaxAppendix a 179 180 Automated Response 182 Response Methods General Guidelines184 Programming Notes How Automated Response Works in HP-UX HidsAlert Process Security checks186 Table B-1 Additional Arguments Passed to Response ProgramsAppendix B 187 Name Value Description Table B-3 Environment Variables Set for Response Programs188 Appendix B 189 190 Programming GuidelinesWriting Perl vs. Shell Response Scripts Writing Privileged Response ProgramsCode Examples Solution aCode for scriptA.sh 192 Solution BCode for privA program Code for PrivB programSolution C Code for scriptC.sh script #!/usr/bin/sh Code for privC program194 Sample C Language Program Source Code Sample Response ProgramsSample Shell Script Alert Responses 196 Forwarding InformationAppendix B 197 198 Halting any further attacksAppendix B 199 200 Preservation of evidenceAppendix B 201 202 Restoration of a known good stateHP OpenView Operations Smart Plug-In OVO Enablement in HP-UX Hids204 Idsagent Command 206 Synopsis Options Idsagent Command208 ExampleIdsadmin Command 210 Synopsis Startup Options Idsadmin Command212 CommandsAgent Conﬁguration File 214 Forcing Active Agent to Reread Conﬁguration File Agent Conﬁguration File216 Name Default ValueGlobal Conﬁguration Table E-1 Global Conﬁguration VariablesDSP idskernDSP Parameters Data Source Process ConﬁgurationKernel Audit Data DSP Table E-2218 Table E-3 Remote Communication ConﬁgurationCorrelator Conﬁguration Variables 220 Messages 222 Agent Messages Idsagent failed to start group Idsagent failed to reopen stderr in append modeIdsagent internal error in handling signature groups Idsagent failed to initialize conﬁguration moduleIdsagent unable to setup Sigsegv signal handler Idsagent unable to setup Sigchld signal handlerIdsagent unable to setup Sighup signal handler Idsagent unable to setup signal handlerIdsagent failed to execute correlator corr Idsagent error trying to shutdown a processIdsagent failed to allocate memory Idsagent failed to create schedule path ﬁlenameIdsagent failed to initialize schedule in crontab Idsagent internal error no correlator in PMStartProcessesIdsagent internal error occurred in PMStopGroup Idsagent failed to initialize scheduleIdsagent out of process table space Idsagent not enough disk space to create scheduleIdsagent not enough disk space to parse schedule Idsagent not enough disk space to save conﬁg ﬁleInternal error unknown state Internal errorUnable to open the response script directory dir System Manager Messages Invalid Property Value value Property Value Error Exception while opening ﬁle filename File Save ErrorIncomplete or Invalid Entry Data Entry Error Invalid Host State Unable to disable hostSelect Property to be edited Selection Error No more instances of searchstring found Find ErrorOnly one property may be edited at a time Selection Error Searchstring not found Find ErrorSelect Surveillance Schedule to delete Selection Error Select Surveillance Group Name to delete Selection ErrorSelect Surveillance Group to copy Selection Error Select Surveillance Schedule to copy Selection Error234 Surveillance Schedule not selected Schedule Selection ErrorFollowing hosts are in an invalid state for this command Unable to Overwrite filename File Save ErrorUnknown IP Address unable to resolve Host Name Unknown Host unable to resolve IP Address IPaddress236 Troubleshooting 238 Appendix G 239 Agent and System Manager cannot communicate with each other Troubleshooting240 $ /usr/sbin/kmtune -q enableidds Agent does not start on system boot242 Agent needs further troubleshootingTo clean up the IDS message queues Agent host appears to hang and/or you see message disk fullAlerts are not being displayed in the alert browser Agent does not start after installationAgents appear to be stuck in polling status Alert date/time sort seems inconsistent244 Idsadmin needs installed agent certiﬁcatesBuffer overﬂow triggers false positives Duplicate alerts appear in System ManagerIDSgenAdminKeys or idsgui quits early IDScheckInstall fails with a kmtune error246 Large ﬁles in /var/opt/idsLog ﬁles are ﬁlling up No Agent AvailableSchedule Manager timetable screen appears to hang SSH does not perform a clean exit after idsgent is startedSystem Manager does not start after idsgui is started System Manager appears to hang248 Unknown program and arguments in certain alert messages Using HP-UX Hids with IPFilter and SecureShellIPFilter rules for HP-UX Hids 250 How to allow the SecureShell daemon to forward X11 trafﬁcAppendix G 251 252 Appendix H 253 HP Software License254 OpenSSL LicenseAppendix H 255 Original SSLeay License256 HP Software License Terms 258

Related manuals

Manual 55 pages 31.55 Kb

Manual 20 pages 7.92 Kb