Successful su Detected | HP Host Intrusion Detection System (HIDS)

Templates and Alerts

Login/Logout Template

	Table A-20	Login/Logout Alert Properties (Continued)

	Response	Alert	Alert
	Program	Alert	Field	Alert Value/Format	Description
	Program	Field	Field	Alert Value/Format	Description
	Argument	Field	Type
	Argument		Type

	argv[10]	Flag	Integer	1	Indicates a
					login/logout alert
					versus an su alert.

	argv[11]	User	String	<username>	Name of user that
					logged in or logged
					out.

	argv[12]	Device	String	<pty device name>	Name of pty
					device associated
					with login session.

	argv[13]	Hostname	String	<remote hostname>	Name of remote
					host from which
					login was
					initiated.

	argv[14]	IP	String	<A.B.C.D> for IPv4 addresses	IP address of
		Address		"A:B:C:D:..." for IPv6 addresses	remote host from
					which login was
					initiated.

Successful su Detected

This template generates and forwards the following alerts to a response program when a successful switch user (su) command is executed:

Table A-21		Successful su Detected Alert Properties

	Response	Alert	Alert
	Program	Alert	Field	Alert Value/Format	Description
	Program	Field	Field	Alert Value/Format	Description
	Argument	Field	Type
	Argument		Type

	argv[1]	Template	Integer	7	Unique code
		code			assigned to
					template

	argv[2]	Version	Integer	2	Version of the
					template

	argv[3]	Severity	Integer	2 for user root or ids; 3 for all other users	Severity

	argv[4]	UTC Time	Integer	<secs>	UTC time in
					number of
					seconds since
					epoch when a
					successful su
					event occurs.

170	Appendix A

Image 182

HP Host Intrusion Detection System (HIDS) manual Table A-21 Successful su Detected Alert Properties, 170

Contents

Manufacturing Part Number J5083-90013 December HP-UX Host Intrusion Detection System Administrator’s GuideEdition Warranty Government License Trademarks Iii Conventions Contents System Manager Screen Schedule Manager Screen Vii Host Manager ScreenNetwork Node Screen Viii Preferences ScreenTemplates and Alerts Automated Response Idsagent CommandIdsadmin Command Agent Conﬁguration File HP Software License TroubleshootingMessages Original SSLeay License HP Software License Terms Xii Overview Summary Documentation Loss of Intellectual Property Why Do You Need Intrusion Detection?Loss of Financial Assets Loss of Computing Resources Misplaced Trust Who Are the Perpetrators?How Are These Threats Realized? Malicious Code Being Used as a Springboard to Attack the Next Victim Why Existing Tools Are Only Part of the SolutionExcessive Privilege for Simple Tasks Firewalls Encryption Security Auditing Tools Where Does Intrusion Detection Fit In? What Is Intrusion Detection? What HP-UX Hids Does What HP-UX Hids Does Not Do HP-UX Hids Components Graphic Representation How the Components Interact to Detect Intrusions HP-UX Hids Components Surveillance Groups HP-UX Hids Secure CommunicationsDetection Templates Surveillance Schedules Glossary of HP-UX Hids Terms Kernel Intrusion Detection DataIntrusion Detection System Node Vulnerability System ManagerVirus Glossary of HP-UX Hids Terms Chapter Conﬁguration Conﬁguration Optional IntroductionRequired Script to Use Where Used End Product Setting Up the HP-UX Hids Secure CommunicationsOverview of Procedures to Set Up Secure Communications Create the X.509 Certiﬁcates $ IDSgenAdminKeys install $ IDSgenAgentCerts TIP Transport the Certiﬁcates Install the Keys on Each Host $ IDSimportAgentKeys /var/opt/ids/tmp/myhost1.tar.Z myadmin Conﬁguring a Multihomed Agent System Step Example $ nslookup large2 Conﬁguring a Multihomed Administration System To conﬁgure a multihomed administration system Edit the agent conﬁguration ﬁle for example Conﬁguring a Loopback System To conﬁgure a loopback system Working with Firewalls Conﬁguring PortsWorking with NIS To change the value of maxthreadproc Enabling Large Numbers of AgentsEnabling Over 23 Agents Thread Limits Select Kernel Conﬁguration Select Conﬁgurable Parameters Enabling Over 20 Inbound Requests To view and change the value of tcpconnrequestmax Runtime File Permissions Accessing ManpagesRestricting Permissions Files Permissions Accessing Manpages Chapter Getting Started Getting Started Agents System Manager Set up hosts and run schedules Starting HP-UX Hids for the First Time See , Host Manager Screen, on Host Manager Operations ScreensSchedule Manager Network Node Searching Entries Basic Screen ActionsSelecting Entries in Lists Sorting Entries Basic Screen Actions Chapter System Manager Screen System Manager Screen System Manager Screen To start the HP-UX Hids System Manager Starting the HP-UX Hids System ManagerStopping the HP-UX Hids System Manager To stop the HP-UX Hids System Manager Status Value Description On the System Manager ScreenStatus Field Values On the System Manager screen Getting the Status of Agent HostsTo get the status of agent hosts Resynchronizing Agent Hosts To resynchronize agent hosts Choose the Actions Activate Schedule menu item Activating a Schedule on Agent HostsTo activate a surveillance schedule on agent hosts Stopping Schedules on Agent Hosts To stop a surveillance schedule on agent hosts Starting HP-UX Hids Agents To start the agent To halt the agent locally on the agent host Halting HP-UX Hids AgentsTo halt agents remotely from the System Manager Go to Host Manager Screen Accessing Other ScreensGo to Schedule Manager Screen To go to the Schedule Manager screen Return to System Manager Screen Go to Network Node ScreenGo to Preferences Screen Accessing Other Screens Chapter Schedule Manager Screen Schedule Manager Screen Schedule Manager Creating a Surveillance Schedule To create a surveillance schedule To display the Schedule Manager screen Displaying the Schedule Manager ScreenClosing the Schedule Manager Screen To close the Schedule Manager screen Copying a Surveillance Schedule Conﬁguring Surveillance SchedulesCreating a New Surveillance Schedule To create a new surveillance schedule Modifying a Surveillance Schedule To modify a surveillance schedule Choose File Save Selected Schedule As Renaming a Surveillance ScheduleTo rename a surveillance schedule To delete a surveillance schedule Deleting a Surveillance ScheduleUndoing and Redoing Changes Choose File Save Selected Schedule Saving a Surveillance ScheduleTo save a surveillance schedule Copying a Surveillance Group Conﬁguring Surveillance GroupsCreating a New Surveillance Group To create a new surveillance group Modifying a Surveillance Group To modify a surveillance group To rename a surveillance group Renaming a Surveillance GroupRename Surveillance Group Dialog To delete a surveillance group Deleting a Surveillance GroupSaving a Surveillance Group To change the value of a property in a detection template Conﬁguring Detection TemplatesModifying a Property Value In a Template Edit List Dialog To add a new value Suggested Best Practices 11Edit Dialog Edit Some Template Conﬁguration Guidelines Setting Surveillance Schedule Timetables Specifying When a Schedule Will Run To specify when a schedule will run Canceling Changes See Saving a Surveillance Schedule on Refreshing the Details Display Viewing Surveillance Schedule DetailsViewing the Source of a Surveillance Schedule To view the source of a surveillance schedule Save Dialog Clearing the Details DisplaySaving the Details Display To clear the display Predeﬁned Surveillance Schedules and Groups Predeﬁned Surveillance Schedules Predeﬁned Surveillance Schedules Host Manager Screen Host Manager Screen Managing Hosts Displaying the Host Manager Screen Closing the Host Manager Screen Add Host Dialog Adding New HostsAdding a New Host Manually To add a new host manually IP Address Host NameAddress ﬁeld Host Name and IP Address Adding New Hosts from /etc/hostsName ﬁeld To add new hosts from /etc/hosts Open Dialog Adding New Hosts from a FileRules for Host Lists Files To add new hosts from a ﬁle Modifying a Host To modify a host entry Deleting Hosts To delete a host entry To enable or disable an agent host for monitoring Enabling and Disabling Hosts Managing Tags Add, modify or delete tags To add a tag To edit a tag To delete a tag Saving the Host List in a Different File Maintaining Host FilesSaving the Host List in the Current File Using an Alternate Host List File Using Multiple Host Files Maintaining Host Files Chapter Network Node Screen 100 Closing a Network Node Screen Network Node ScreenOpening a Network Node Screen To display the Network Node screen for an agent host Alerts Tab 102 HP-UX Hids Alerts What They Mean, What to Do 104 Errors TabHP-UX Hids Errors What They Mean, What to Do Selecting with the Mouse General OperationsSelecting Entries Simple Version Find Dialog Searching for the Next Unseen EntrySearching for a String Marking Entries as Seen or Unseen To delete one or more alerts or errorsDeleting an Entry To search again Unseen 108 Saving the Current Log File Set Saving a Log File SetNetwork Node screen from the System Manager screen Saving a New Log File Set Example Creating a New File Set Save Dialog BoxPress Ctrl-A Example Saving the File Set over Another File Set Open Dialog Box Opening a Log File SetLog File Rotation 112 Preferences Screen 114 Preferences Screen To choosing Actions Status Poll from the System Manager Option Default DescriptionGeneral Preferences 116 Actions Resync from the System Manager screen Alert Events Preferences Column Name Default DescriptionBrowser Preferences 118 Error Events Preferences Column Default Description Name System Manager Subtab 120 Templates and Alerts Property Types AlertsLimitations Templates Attack Detected Alert Alert Severity Detection Template Alert SummaryTable A-1 Detection Templates 124 Appendix a 125 126 Unix Regular ExpressionsExamples Appendix a 127 Limitations 128 Template Property Types Type I Pathnames to Not Monitor Type II Pathnames/Programs Pairs 130 Type III UIDs Type IV UID Pairs 132 Type V Network TripletsType VI Time Strings Type VII Flags Type Viii Scalars Buffer Overﬂow Template 134 Table A-2 Template Properties Name Type Default ValueExecute on Stack Table A-3 Execute on Stack Alert Properties 136 Unusual Argument Length Table A-4 Unusual Argument Length Alert Properties Argument with Non-printable Character 138 Appendix a 139 140 Race Condition Template Table A-6 Template Properties 142 File Reference ModiﬁcationTable A-7 File Reference Modiﬁcation Alert Properties Appendix a 143 144 Privileged Setuid Script ExecutedTable A-8 Setuid Script Executed Alert Properties Appendix a 145 146 Modiﬁcation of Files/Directories TemplateTable A-9 Template Properties Properties 148 File Being Modiﬁed Table A-10 File Being Modiﬁed Alert Properties 150 Appendix a 151 152 Changes to Log File TemplateTable A-11 Template Properties Append-Only File Being Modiﬁed Table A-12 Append-Only File Being Modiﬁed Alert Properties 154 Alerts generated Creation of Setuid File TemplateTable A-13 Template Properties By this template 156 Setuid File CreatedTable A-14 Setuid File Created Alert Properties Appendix a 157 158 Creation of World-Writable File TemplateTable A-15 Template Properties World-Writable File Created Table A-16 World-writable File Created Alert Properties 160 Appendix a 161 162 Modiﬁcation of Another User’s File Template Table A-17 Template Properties 164 Non-owned File Being ModiﬁedTable A-18 Non-owned File Being Modiﬁed Alert Properties Appendix a 165 Limitations 166 Login/Logout Template Table A-19 Template Properties 168 Login/Logout Table A-20 Login/Logout Alert Properties 170 Successful su DetectedTable A-21 Successful su Detected Alert Properties Appendix a 171 172 Template How this template Repeated Failed Logins TemplateTable A-22 Template Properties 174 Failed Login AttemptsTable A-23 Failed Login Attempts Alert Properties Appendix a 175 Table A-24 Template Properties Repeated Failed su Commands TemplateRepeated Failed su Attempts Table A-25 Repeated Failed Su Attempts Alert Properties Appendix a 177 Template Conﬁguration Syntax 178 Appendix a 179 180 Automated Response 182 General Guidelines Response Methods 184 Security checks How Automated Response Works in HP-UX HidsAlert Process Programming Notes Table B-1 Additional Arguments Passed to Response Programs 186 Appendix B 187 188 Table B-3 Environment Variables Set for Response ProgramsName Value Description Appendix B 189 Writing Privileged Response Programs Programming GuidelinesWriting Perl vs. Shell Response Scripts 190 Code for scriptA.sh Solution aCode Examples Code for PrivB program Solution BCode for privA program 192 Solution C 194 Code for privC programCode for scriptC.sh script #!/usr/bin/sh Sample Shell Script Alert Responses Sample Response ProgramsSample C Language Program Source Code Forwarding Information 196 Appendix B 197 Halting any further attacks 198 Appendix B 199 Preservation of evidence 200 Appendix B 201 Restoration of a known good state 202 OVO Enablement in HP-UX Hids HP OpenView Operations Smart Plug-In 204 Idsagent Command 206 Idsagent Command Synopsis Options Example 208 Idsadmin Command 210 Idsadmin Command Synopsis Startup Options Commands 212 Agent Conﬁguration File 214 Agent Conﬁguration File Forcing Active Agent to Reread Conﬁguration File Table E-1 Global Conﬁguration Variables Name Default ValueGlobal Conﬁguration 216 Table E-2 Data Source Process ConﬁgurationKernel Audit Data DSP DSP idskernDSP Parameters 218 Correlator Conﬁguration Variables Remote Communication ConﬁgurationTable E-3 220 Messages 222 Agent Messages Idsagent failed to initialize conﬁguration module Idsagent failed to reopen stderr in append modeIdsagent internal error in handling signature groups Idsagent failed to start group Idsagent unable to setup signal handler Idsagent unable to setup Sigchld signal handlerIdsagent unable to setup Sighup signal handler Idsagent unable to setup Sigsegv signal handler Idsagent failed to create schedule path ﬁlename Idsagent error trying to shutdown a processIdsagent failed to allocate memory Idsagent failed to execute correlator corr Idsagent failed to initialize schedule Idsagent internal error no correlator in PMStartProcessesIdsagent internal error occurred in PMStopGroup Idsagent failed to initialize schedule in crontab Idsagent not enough disk space to save conﬁg ﬁle Idsagent not enough disk space to create scheduleIdsagent not enough disk space to parse schedule Idsagent out of process table space Unable to open the response script directory dir Internal errorInternal error unknown state System Manager Messages Invalid Host State Unable to disable host Exception while opening ﬁle filename File Save ErrorIncomplete or Invalid Entry Data Entry Error Invalid Property Value value Property Value Error Searchstring not found Find Error No more instances of searchstring found Find ErrorOnly one property may be edited at a time Selection Error Select Property to be edited Selection Error Select Surveillance Schedule to copy Selection Error Select Surveillance Group Name to delete Selection ErrorSelect Surveillance Group to copy Selection Error Select Surveillance Schedule to delete Selection Error Unable to Overwrite filename File Save Error Surveillance Schedule not selected Schedule Selection ErrorFollowing hosts are in an invalid state for this command 234 Unknown Host unable to resolve IP Address IPaddress Unknown IP Address unable to resolve Host Name 236 Troubleshooting 238 Appendix G 239 240 TroubleshootingAgent and System Manager cannot communicate with each other Agent does not start on system boot $ /usr/sbin/kmtune -q enableidds Agent host appears to hang and/or you see message disk full Agent needs further troubleshootingTo clean up the IDS message queues 242 Alert date/time sort seems inconsistent Agent does not start after installationAgents appear to be stuck in polling status Alerts are not being displayed in the alert browser Duplicate alerts appear in System Manager Idsadmin needs installed agent certiﬁcatesBuffer overﬂow triggers false positives 244 IDScheckInstall fails with a kmtune error IDSgenAdminKeys or idsgui quits early No Agent Available Large ﬁles in /var/opt/idsLog ﬁles are ﬁlling up 246 SSH does not perform a clean exit after idsgent is started Schedule Manager timetable screen appears to hang 248 System Manager appears to hangSystem Manager does not start after idsgui is started IPFilter rules for HP-UX Hids Using HP-UX Hids with IPFilter and SecureShellUnknown program and arguments in certain alert messages How to allow the SecureShell daemon to forward X11 trafﬁc 250 Appendix G 251 252 HP Software License Appendix H 253 OpenSSL License 254 Original SSLeay License Appendix H 255 256 HP Software License Terms 258