HP Host Intrusion Detection System (HIDS) manual Alerts generated, 168

Page 180

Templates and Alerts

Login/Logout Template

NOTE

uids_to_monitor takes precedence over uids_to_ignore when both the lists are set. If

 

uids_to_monitor is not empty, values in uids_to_ignore are ignored.

 

Property: uids_to_ignore

 

 

User ids in this list will allow those users to login, logout and su without generating

 

an alert.

 

Property: uids_to_monitor

 

Alerts are generated when the user ids in this list login, logout or su if the

 

corresponding monitor_*_flag is set to 1.

 

Property: monitor_su_flag

 

When set to 1, the template will monitor successful su attempts by users specified in

 

uids_to_monitor or, if uids_to_monitor is empty, by users not listed in

 

uids_to_ignore.

 

Property: monitor_login_flag

 

When set to 1, the template will monitor successful logins by users specified in

 

uids_to_monitor or, if uids_to_monitor is empty, by users not listed in

 

uids_to_ignore.

 

Property: monitor_logout_flag

 

When set to 1, the template will monitor successful logouts by users specified in

 

uids_to_monitor or, if uids_to_monitor is empty, by users not listed in

 

uids_to_ignore.

 

Property: ip_filters

 

Contains a list of triplets {ip_address, mask, severity}.

 

This property filters login alerts and determines the alert’s severity based on which

 

remote host or network the login was made from. If a login’s remote host IP address

 

matches one of the triplet’s IP address qualified by the triplet’s network mask, then

 

the alert severity is set to the corresponding triplet’s severity. A severity level of 0

 

indicates an alert for a login event with a matching remote IP address will be filtered

 

except for user root and ids. If a login event’s remote host IP address does not match

 

any triplet, then a severe (severity=2) alert is generated for root and ids users and a

 

moderate (severity=3) alert for all other users. The value of the mask must be set to

 

255.255.255.255 if the ip_address is a host address; otherwise, the mask must be

 

set to the network mask to qualify the value in ip_address as a network address.

 

Host address filtering is only applied to those login events that are not filtered out by

 

the uids_to_ignore and uids_to_monitor template properties.

Alerts generated

• “Login/Logout” on page 169

by this template

• “Successful su Detected” on page 170

 

168

Appendix A

Page 179 Page 181
Image 180
Page 179 Page 181
Contents HP-UX Host Intrusion Detection System Administrator’s Guide EditionManufacturing Part Number J5083-90013 December Warranty Government LicenseTrademarks IiiConventions Contents System Manager Screen Schedule Manager ScreenHost Manager Screen Network Node ScreenVii Preferences Screen Templates and AlertsViii Idsagent Command Idsadmin CommandAutomated Response Agent Configuration FileTroubleshooting MessagesHP Software License Original SSLeay License HP Software License Terms Xii Overview Summary DocumentationWhy Do You Need Intrusion Detection? Loss of Financial AssetsLoss of Intellectual Property Loss of Computing ResourcesWho Are the Perpetrators? How Are These Threats Realized?Misplaced Trust Malicious CodeWhy Existing Tools Are Only Part of the Solution Excessive Privilege for Simple TasksBeing Used as a Springboard to Attack the Next Victim FirewallsEncryption Security Auditing ToolsWhere Does Intrusion Detection Fit In? What Is Intrusion Detection?What HP-UX Hids Does What HP-UX Hids Does Not Do HP-UX Hids Components Graphic RepresentationHow the Components Interact to Detect Intrusions HP-UX Hids ComponentsHP-UX Hids Secure Communications Detection TemplatesSurveillance Groups Surveillance SchedulesGlossary of HP-UX Hids Terms Intrusion Detection Data Intrusion Detection SystemKernel NodeSystem Manager VirusVulnerability Glossary of HP-UX Hids Terms Chapter Configuration Configuration Introduction RequiredOptional Setting Up the HP-UX Hids Secure Communications Overview of Procedures to Set Up Secure CommunicationsScript to Use Where Used End Product Create the X.509 Certificates$ IDSgenAdminKeys install $ IDSgenAgentCerts TIP Transport the CertificatesInstall the Keys on Each Host $ IDSimportAgentKeys /var/opt/ids/tmp/myhost1.tar.Z myadminConfiguring a Multihomed Agent System StepExample $ nslookup large2Configuring a Multihomed Administration System To configure a multihomed administration systemEdit the agent configuration file for example Configuring a Loopback System To configure a loopback systemConfiguring Ports Working with NISWorking with Firewalls Enabling Large Numbers of Agents Enabling Over 23 Agents Thread LimitsTo change the value of maxthreadproc Select Kernel Configuration Select Configurable ParametersEnabling Over 20 Inbound Requests To view and change the value of tcpconnrequestmaxAccessing Manpages Restricting PermissionsRuntime File Permissions Files PermissionsAccessing Manpages Chapter Getting Started Getting Started Agents System ManagerSet up hosts and run schedules Starting HP-UX Hids for the First TimeSee , Host Manager Screen, on Operations Screens Schedule ManagerHost Manager Network NodeBasic Screen Actions Selecting Entries in ListsSearching Entries Sorting EntriesBasic Screen Actions Chapter System Manager Screen System Manager Screen System Manager Screen Starting the HP-UX Hids System Manager Stopping the HP-UX Hids System ManagerTo start the HP-UX Hids System Manager To stop the HP-UX Hids System ManagerOn the System Manager Screen Status Field ValuesStatus Value Description Getting the Status of Agent Hosts To get the status of agent hostsOn the System Manager screen Resynchronizing Agent Hosts To resynchronize agent hostsActivating a Schedule on Agent Hosts To activate a surveillance schedule on agent hostsChoose the Actions Activate Schedule menu item Stopping Schedules on Agent Hosts To stop a surveillance schedule on agent hostsStarting HP-UX Hids Agents To start the agentHalting HP-UX Hids Agents To halt agents remotely from the System ManagerTo halt the agent locally on the agent host Accessing Other Screens Go to Schedule Manager ScreenGo to Host Manager Screen To go to the Schedule Manager screenGo to Network Node Screen Go to Preferences ScreenReturn to System Manager Screen Accessing Other Screens Chapter Schedule Manager Screen Schedule Manager Screen Schedule Manager Creating a Surveillance Schedule To create a surveillance scheduleDisplaying the Schedule Manager Screen Closing the Schedule Manager ScreenTo display the Schedule Manager screen To close the Schedule Manager screenConfiguring Surveillance Schedules Creating a New Surveillance ScheduleCopying a Surveillance Schedule To create a new surveillance scheduleModifying a Surveillance Schedule To modify a surveillance scheduleRenaming a Surveillance Schedule To rename a surveillance scheduleChoose File Save Selected Schedule As Deleting a Surveillance Schedule Undoing and Redoing ChangesTo delete a surveillance schedule Saving a Surveillance Schedule To save a surveillance scheduleChoose File Save Selected Schedule Configuring Surveillance Groups Creating a New Surveillance GroupCopying a Surveillance Group To create a new surveillance groupModifying a Surveillance Group To modify a surveillance groupRenaming a Surveillance Group Rename Surveillance Group DialogTo rename a surveillance group Deleting a Surveillance Group Saving a Surveillance GroupTo delete a surveillance group Configuring Detection Templates Modifying a Property Value In a TemplateTo change the value of a property in a detection template Edit List Dialog To add a new valueSuggested Best Practices 11Edit Dialog EditSome Template Configuration Guidelines Setting Surveillance Schedule Timetables Specifying When a Schedule Will Run To specify when a schedule will runCanceling Changes See Saving a Surveillance Schedule on Viewing Surveillance Schedule Details Viewing the Source of a Surveillance ScheduleRefreshing the Details Display To view the source of a surveillance scheduleClearing the Details Display Saving the Details DisplaySave Dialog To clear the displayPredefined Surveillance Schedules and Groups Predefined Surveillance SchedulesPredefined Surveillance Schedules Host Manager Screen Host Manager Screen Managing Hosts Displaying the Host Manager ScreenClosing the Host Manager Screen Adding New Hosts Adding a New Host ManuallyAdd Host Dialog To add a new host manuallyHost Name Address fieldIP Address Adding New Hosts from /etc/hosts Name fieldHost Name and IP Address To add new hosts from /etc/hostsAdding New Hosts from a File Rules for Host Lists FilesOpen Dialog To add new hosts from a fileModifying a Host To modify a host entryDeleting Hosts To delete a host entryTo enable or disable an agent host for monitoring Enabling and Disabling HostsManaging Tags Add, modify or delete tags To add a tagTo edit a tag To delete a tagMaintaining Host Files Saving the Host List in the Current FileSaving the Host List in a Different File Using an Alternate Host List File Using Multiple Host FilesMaintaining Host Files Chapter Network Node Screen 100 Network Node Screen Opening a Network Node ScreenClosing a Network Node Screen To display the Network Node screen for an agent hostAlerts Tab 102HP-UX Hids Alerts What They Mean, What to Do Errors Tab HP-UX Hids Errors What They Mean, What to Do104 General Operations Selecting EntriesSelecting with the Mouse Simple VersionSearching for the Next Unseen Entry Searching for a StringFind Dialog To delete one or more alerts or errors Deleting an EntryMarking Entries as Seen or Unseen To search againUnseen 108Saving a Log File Set Network Node screen from the System Manager screenSaving the Current Log File Set Saving a New Log File SetSave Dialog Box Press Ctrl-AExample Creating a New File Set Example Saving the File Set over Another File SetOpening a Log File Set Log File RotationOpen Dialog Box 112 Preferences Screen 114 Preferences Screen Option Default Description General PreferencesTo choosing Actions Status Poll from the System Manager 116Actions Resync from the System Manager screen Column Name Default Description Browser PreferencesAlert Events Preferences 118Error Events Preferences Column Default Description NameSystem Manager Subtab 120Templates and Alerts Alerts LimitationsProperty Types TemplatesAlert Summary Table A-1 Detection TemplatesAttack Detected Alert Alert Severity Detection Template 124 Appendix a 125 Unix Regular Expressions Examples126 Appendix a 127 Limitations 128Template Property Types Type I Pathnames to Not MonitorType II Pathnames/Programs Pairs 130Type III UIDs Type IV UID PairsType V Network Triplets Type VI Time Strings132 Type VII Flags Type Viii ScalarsBuffer Overflow Template 134Name Type Default Value Execute on StackTable A-2 Template Properties Table A-3 Execute on Stack Alert Properties136 Unusual Argument Length Table A-4 Unusual Argument Length Alert PropertiesArgument with Non-printable Character 138Appendix a 139 140 Race Condition Template Table A-6 Template PropertiesFile Reference Modification Table A-7 File Reference Modification Alert Properties142 Appendix a 143 Privileged Setuid Script Executed Table A-8 Setuid Script Executed Alert Properties144 Appendix a 145 Modification of Files/Directories Template Table A-9 Template Properties146 Properties 148 File Being Modified Table A-10 File Being Modified Alert Properties150 Appendix a 151 Changes to Log File Template Table A-11 Template Properties152 Append-Only File Being Modified Table A-12 Append-Only File Being Modified Alert Properties154 Creation of Setuid File Template Table A-13 Template PropertiesAlerts generated By this templateSetuid File Created Table A-14 Setuid File Created Alert Properties156 Appendix a 157 Creation of World-Writable File Template Table A-15 Template Properties158 World-Writable File Created Table A-16 World-writable File Created Alert Properties160 Appendix a 161 162 Modification of Another User’s File Template Table A-17 Template PropertiesNon-owned File Being Modified Table A-18 Non-owned File Being Modified Alert Properties164 Appendix a 165 Limitations 166 Login/Logout Template Table A-19 Template Properties168 Login/Logout Table A-20 Login/Logout Alert PropertiesSuccessful su Detected Table A-21 Successful su Detected Alert Properties170 Appendix a 171 172 Repeated Failed Logins Template Table A-22 Template PropertiesTemplate How this template Failed Login Attempts Table A-23 Failed Login Attempts Alert Properties174 Appendix a 175 Repeated Failed su Commands Template Repeated Failed su AttemptsTable A-24 Template Properties Table A-25 Repeated Failed Su Attempts Alert PropertiesAppendix a 177 Template Configuration Syntax 178Appendix a 179 180 Automated Response 182 General Guidelines Response Methods184 How Automated Response Works in HP-UX Hids Alert ProcessSecurity checks Programming NotesTable B-1 Additional Arguments Passed to Response Programs 186Appendix B 187 Table B-3 Environment Variables Set for Response Programs Name Value Description188 Appendix B 189 Programming Guidelines Writing Perl vs. Shell Response ScriptsWriting Privileged Response Programs 190Solution a Code ExamplesCode for scriptA.sh Solution B Code for privA programCode for PrivB program 192Solution C Code for privC program Code for scriptC.sh script #!/usr/bin/sh194 Sample Response Programs Sample C Language Program Source CodeSample Shell Script Alert Responses Forwarding Information 196Appendix B 197 Halting any further attacks 198Appendix B 199 Preservation of evidence 200Appendix B 201 Restoration of a known good state 202OVO Enablement in HP-UX Hids HP OpenView Operations Smart Plug-In204 Idsagent Command 206 Idsagent Command Synopsis OptionsExample 208Idsadmin Command 210 Idsadmin Command Synopsis Startup OptionsCommands 212Agent Configuration File 214 Agent Configuration File Forcing Active Agent to Reread Configuration FileName Default Value Global ConfigurationTable E-1 Global Configuration Variables 216Data Source Process Configuration Kernel Audit Data DSPTable E-2 DSP idskernDSP Parameters218 Remote Communication Configuration Table E-3Correlator Configuration Variables 220 Messages 222 Agent Messages Idsagent failed to reopen stderr in append mode Idsagent internal error in handling signature groupsIdsagent failed to initialize configuration module Idsagent failed to start groupIdsagent unable to setup Sigchld signal handler Idsagent unable to setup Sighup signal handlerIdsagent unable to setup signal handler Idsagent unable to setup Sigsegv signal handlerIdsagent error trying to shutdown a process Idsagent failed to allocate memoryIdsagent failed to create schedule path filename Idsagent failed to execute correlator corrIdsagent internal error no correlator in PMStartProcesses Idsagent internal error occurred in PMStopGroupIdsagent failed to initialize schedule Idsagent failed to initialize schedule in crontabIdsagent not enough disk space to create schedule Idsagent not enough disk space to parse scheduleIdsagent not enough disk space to save config file Idsagent out of process table spaceInternal error Internal error unknown stateUnable to open the response script directory dir System Manager Messages Exception while opening file filename File Save Error Incomplete or Invalid Entry Data Entry ErrorInvalid Host State Unable to disable host Invalid Property Value value Property Value ErrorNo more instances of searchstring found Find Error Only one property may be edited at a time Selection ErrorSearchstring not found Find Error Select Property to be edited Selection ErrorSelect Surveillance Group Name to delete Selection Error Select Surveillance Group to copy Selection ErrorSelect Surveillance Schedule to copy Selection Error Select Surveillance Schedule to delete Selection ErrorSurveillance Schedule not selected Schedule Selection Error Following hosts are in an invalid state for this commandUnable to Overwrite filename File Save Error 234Unknown Host unable to resolve IP Address IPaddress Unknown IP Address unable to resolve Host Name236 Troubleshooting 238 Appendix G 239 Troubleshooting Agent and System Manager cannot communicate with each other240 Agent does not start on system boot $ /usr/sbin/kmtune -q enableiddsAgent needs further troubleshooting To clean up the IDS message queuesAgent host appears to hang and/or you see message disk full 242Agent does not start after installation Agents appear to be stuck in polling statusAlert date/time sort seems inconsistent Alerts are not being displayed in the alert browserIdsadmin needs installed agent certificates Buffer overflow triggers false positivesDuplicate alerts appear in System Manager 244IDScheckInstall fails with a kmtune error IDSgenAdminKeys or idsgui quits earlyLarge files in /var/opt/ids Log files are filling upNo Agent Available 246SSH does not perform a clean exit after idsgent is started Schedule Manager timetable screen appears to hangSystem Manager appears to hang System Manager does not start after idsgui is started248 Using HP-UX Hids with IPFilter and SecureShell Unknown program and arguments in certain alert messagesIPFilter rules for HP-UX Hids How to allow the SecureShell daemon to forward X11 traffic 250Appendix G 251 252 HP Software License Appendix H 253OpenSSL License 254Original SSLeay License Appendix H 255256 HP Software License Terms 258
Related manuals
Manual 55 pages 31.55 Kb Manual 20 pages 7.92 Kb
Top Page Image Contents