Schedule Manager Screen
Configuring Detection Templates
Some Template Configuration Guidelines
•The “Race Condition Template” on page 141 imposes the highest overhead in terms of the load it places on correlator process. We recommend that you not include this template in your initial schedule.
NOTE | The race condition template checks, among other things, for the execution of setuid |
| scripts, which are vulnerable to a race condition attack. In |
| and later, the execution of setuid scripts is prevented by default by the |
| secure_sid_scripts tunable kernel parameter. See the secure_sid_scripts (5) |
| manpage for details. |
|
|
•The template “Modification of Files/Directories Template” on page 146 provides for
•The template “Modification of Another User’s File Template” on page 163 will generate many alerts if not tuned well. We recommend that you use the template “Modification of Files/Directories Template” on page 146 in its place.
•When tuning a template, consider what the areas of greatest risk are if the system is penetrated. Obviously, replacing a program in /bin, /sbin or the kernel in /stand is a serious threat. But so is modifying files under /etc or /opt. You may have additional
•What areas can you ignore, or are you willing to tolerate a threat in? For example, many files change under /var/adm, and ignoring that directory is usually safe. But if a symbolic link attack is launched from /var/adm, you will miss it. This is a
•The templates “Repeated Failed Logins Template” on page 173 and “Repeated Failed su Commands Template” on page 176 exact a very low overhead on the system and can be run in any schedule.
•Start with a single template and then see how many alerts you get. Determine if any of these are security events, and if not, modify the template properties to remove the spurious alerts.
•You may find software that is behaving incorrectly, such as writing to /opt (considered a
74 | Chapter 5 |
