HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide: HP-UX 11i v1, HP-UX 11i v2 and HP-UX 11i v3 > Appendix A Templates and Alerts

Template Property Types

A template property has one of the following types:

For the syntax used to specify values of each template property type, see “Template Property Syntax”.

Type I: Path Names to [Not] Monitor

The pathnames_to_watch and pathnames_to_not_watch template properties are of Type I. A Type I value is a list of n (n > 0) regular expressions separated by the pipe (|) character. A file or directory is [not] monitored if its full path name matches a regular expression in the pathnames_to_[not]_watch template property.

NOTE: If a file or directory path name matches a regular expression in both the pathnames_to_watch and pathnames_to_not_watch property, then the file or the directory is not monitored.

The following line in the template configuration file defines a property called pathnames_to_not_watch, so that the /var/log/cron and /etc/passwd files are not monitored for alerts:

pathnames_to_not_watch | ^/var/log/cron$ | ^/etc/passwd$

NOTE: When specifying the template property value in the Schedule Manager window, enter only the template property value ^/var/log/cron$ | ^/etc/passwd$. Do not enter the property name and the first pipe character.

When specifying values for this property, be aware of path names that contain symbolic links. For example, to monitor the csh executable, specify the complete path name /usr/bin/csh, assuming that /bin is a symbolic link to /usr/bin. HIDS attempts to match using fully resolved path names.

Use the regular expression anchor characters ^ and $ to denote the start and end of the file path name.

The following line defines a property named pathnames_to_watch that specifies monitoring all files or directories whose path name matches /var/t.* (that is, contains the substring /var/t; the expression is not anchored) or starts with the string /opt:

pathnames_to_watch | /var/t.* | ^/opt

For examples of regular expressions, see “UNIX Regular Expressions ”.
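The following Python function is an added illustration, not code from the HP guide or from HIDS itself. It applies the Type I rules described above to a candidate path name: each property value is split on the pipe character into regular expressions, a match in pathnames_to_not_watch overrides a match in pathnames_to_watch, and the unanchored /var/t.* from the example shows why the ^ and $ anchors matter. The two sample property values are constructed, and the path passed in is assumed to be already resolved through any symbolic links, as HIDS does before matching.

```python
import re

# Constructed sample values for the two Type I properties (not taken from a
# real HIDS configuration). As in the template configuration file, only the
# value after the first pipe is given here.
PATHNAMES_TO_WATCH = "/var/t.* | ^/opt"
PATHNAMES_TO_NOT_WATCH = "^/var/log/cron$ | ^/etc/passwd$"


def parse_type1(value):
    """Split a Type I value on the pipe character into compiled regexes.

    Surrounding whitespace is stripped from each expression and empty
    entries are ignored.
    """
    return [re.compile(expr.strip()) for expr in value.split("|") if expr.strip()]


def is_monitored(path, watch_value=PATHNAMES_TO_WATCH,
                 not_watch_value=PATHNAMES_TO_NOT_WATCH):
    """Decide whether `path` is monitored under the two Type I properties.

    `path` is assumed to already be the fully resolved path name (symbolic
    links resolved), which is what HIDS matches against. A path that matches
    both properties is not monitored: pathnames_to_not_watch wins.
    """
    # re.search gives regular-expression semantics: an unanchored pattern
    # matches anywhere in the path, so ^ and $ are needed to pin it down.
    if any(r.search(path) for r in parse_type1(not_watch_value)):
        return False
    return any(r.search(path) for r in parse_type1(watch_value))


if __name__ == "__main__":
    for p in ("/var/tmp/x", "/usr/var/tmp/x", "/opt/app", "/usr/opt/app",
              "/var/log/cron", "/etc/passwd"):
        print(f"{p:20} monitored={is_monitored(p)}")
```

Note that /usr/var/tmp/x is reported as monitored: the unanchored /var/t.* matches it as a substring, whereas ^/var/t would not.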

Type II: Path Names/Programs Pairs

These property types enable users to specify combinations of file path names and program path names. As a result, alerts that are normally generated for files specified in the pathnames-to-be-monitored property are suppressed when the files are modified by specified programs.

Path names and programs are specified as regular expressions the same as pathnames_to_[not]_watch properties are specified. See the default property settings for the kernel templates for examples of path names and program pair specifications.

Path name and program properties come in pairs, and a configuration file can contain n > 0 pairs. The value of each member of a pair consists of m > 0 lists separated by pipe characters. In the path name member, each list holds p > 0 regular expressions separated by ampersand (&) characters; in the corresponding program member, each list holds q > 0 regular expressions. In general, p is not equal to q. The following is an example of a valid property pair:

pathnames_1 | f1 & f2 | f3 & f4 & f5 | f6
programs_1  | p1 & p2 & p3 | p3 & p4 | p5

With these two lines, an alert is not generated for file f1 if the event was triggered by any of the p1, p2, or p3 programs. Similarly, f2 is not monitored if the event was triggered by p1, p2, or p3. Analogously, an alert is suppressed for f3, f4, and f5 if the alert is triggered by program p3 or p4, and for f6 if it is triggered by p5.

NOTE: The pathnames_0/programs_0 pair is a special case in which alerts for files specified in pathnames_0 are not generated when the corresponding programs in programs_0, or any of the program’s child processes or grandchild processes, trigger the alert. For example, for the Modification of Files/Directories template, if pathnames_0 contains ^/opt/ to specify the /opt directory and programs_0 contains /usr/sbin/swinstall, then alerts normally generated for modifications to files under /opt are suppressed when the files are modified by swinstall, any of its child processes (such as control scripts), or grandchild processes (such as commands invoked in a control script).

  • The following set of two lines:

    pathnames_1 | f1 & f2 
    programs_1 | p1 & p2 & p3

    Is equivalent to the following set of four lines:

    pathnames_1 | f1
    programs_1  | p1 & p2 & p3
    pathnames_2 | f2
    programs_2  | p1 & p2 & p3

    Or to the following set of six lines:

    pathnames_1 | f1 & f2
    programs_1  | p1
    pathnames_2 |  f1 & f2
    programs_2  |  p2 
    pathnames_3 | f1 & f2
    programs_3  | p3

  • However, it is not equivalent to the following lines:

    pathnames_1 | f1
    programs_1  | p1 & p2 & p3
    pathnames_2 | f2
    programs_2  | p1 & p3

This provides granularity for specifying file-monitoring dependencies. That is, in the last example an alert for f2 is generated if the event was triggered by p2, in contrast to what happens with any of the three previous examples.

IMPORTANT: Specifying a program’s relative path name to ignore alerts is unsafe, whether the path name refers to a script or an executable program. An attacker can construct an attack script or program with the same relative path name, and alerts for that program are filtered if the relative path name is specified as the value in a path names / program pair.

NOTE: To filter alerts triggered by scripts that are invoked in one of the following ways, specify the path name of the script itself, not of the shell, in a programs_X property:

  • <shell> <script pathname>

  • <shell> -c <script pathname>

  • <shell> -c exec <script pathname>

For example, to filter the following alert:

User with uid 0 opened for modification/truncation /etc/passwd (type=1,inode=5416,device=1073741827) when executing /usr/bin/sh(type=1,inode=13748,device=1073741829), invoked as follows:
"sh -c /usr/local/bin/change_passwd.sh", as process with pid 28379 and ppid 28300 and running with effective uid=0 and with effective gid=3

the following filter rules should be used:

pathnames_X | ^/etc/passwd$
programs_X | ^/usr/local/bin/change_passwd\.sh$

HIDS treats the first string of the program invocation as the pathname of the program that triggered the alert. However, if the string is a pathname of a valid shell as defined by shells(4), it filters based on the script pathname.
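The following Python code is an added example, not part of the HP guide or of HIDS. It models the Type II rules given in this section: pathnames_N/programs_N pairs whose lists are matched by position, the pathnames_0/programs_0 special case that also considers parent and grandparent processes, and the shell-invocation rule by which a script path name replaces the shell as the triggering program. The set of valid shells, the configurations and the invocations are all constructed; a real HIDS reads the shells from shells(4), and regular expressions are applied here with Python's re.search as a stand-in for the HIDS matcher.

```python
import re

# Constructed list of valid shells. HIDS consults shells(4) (/etc/shells);
# this example hard-codes a few so that it runs without that file.
SHELLS = {"/usr/bin/sh", "/usr/bin/ksh", "/usr/bin/csh", "/sbin/sh"}


def parse_lists(value):
    """Split a pair member on '|' into lists, each split on '&' into regexes."""
    return [[re.compile(e.strip()) for e in group.split("&") if e.strip()]
            for group in value.split("|") if group.strip()]


def parse_pairs(config_text):
    """Parse pathnames_N / programs_N lines into {N: (path_lists, program_lists)}."""
    pairs = {}
    for line in config_text.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition("|")
        kind, _, index = name.strip().partition("_")
        entry = pairs.setdefault(int(index), [[], []])
        entry[0 if kind == "pathnames" else 1] = parse_lists(value)
    return {n: (paths, progs) for n, (paths, progs) in pairs.items()}


def triggering_program(argv):
    """Return the path name HIDS filters on for an invocation.

    argv[0] is the program; if it is a valid shell invoked as
    '<shell> <script>', '<shell> -c <script>' or '<shell> -c exec <script>',
    the script path name is used instead.
    """
    prog = argv[0]
    if prog not in SHELLS or len(argv) < 2:
        return prog
    command = " ".join(argv[2:]) if argv[1] == "-c" else argv[1]
    tokens = command.split()
    if tokens and tokens[0] == "exec" and len(tokens) > 1:
        return tokens[1]
    return tokens[0] if tokens else prog


def alert_suppressed(file_path, argv, pairs, ancestors=()):
    """True if the alert for `file_path`, triggered by `argv`, is filtered.

    `ancestors` holds the program path names of the parent and grandparent
    processes; only the pathnames_0/programs_0 pair takes them into account.
    Lists are paired by position: the i-th path list goes with the i-th
    program list of the same pair.
    """
    prog = triggering_program(argv)
    for index, (path_lists, prog_lists) in pairs.items():
        candidates = (prog, *ancestors) if index == 0 else (prog,)
        for path_res, prog_res in zip(path_lists, prog_lists):
            if (any(r.search(file_path) for r in path_res)
                    and any(r.search(c) for r in prog_res for c in candidates)):
                return True
    return False


# Constructed configurations mirroring the equivalence discussion above.
CONFIG_TWO_LINES = """
pathnames_1 | ^/etc/f1$ & ^/etc/f2$
programs_1  | ^/usr/bin/p1$ & ^/usr/bin/p2$ & ^/usr/bin/p3$
"""
CONFIG_NOT_EQUIVALENT = """
pathnames_1 | ^/etc/f1$
programs_1  | ^/usr/bin/p1$ & ^/usr/bin/p2$ & ^/usr/bin/p3$
pathnames_2 | ^/etc/f2$
programs_2  | ^/usr/bin/p1$ & ^/usr/bin/p3$
"""
CONFIG_SCRIPTS = r"""
pathnames_0 | ^/opt/
programs_0  | ^/usr/sbin/swinstall$
pathnames_1 | ^/etc/passwd$
programs_1  | ^/usr/local/bin/change_passwd\.sh$
"""

if __name__ == "__main__":
    print(alert_suppressed("/etc/f2", ["/usr/bin/p2"], parse_pairs(CONFIG_TWO_LINES)))
    print(alert_suppressed("/etc/f2", ["/usr/bin/p2"], parse_pairs(CONFIG_NOT_EQUIVALENT)))
    print(alert_suppressed("/etc/passwd",
                           ["/usr/bin/sh", "-c", "/usr/local/bin/change_passwd.sh"],
                           parse_pairs(CONFIG_SCRIPTS)))
```

With CONFIG_TWO_LINES an alert for /etc/f2 modified by /usr/bin/p2 is suppressed; with CONFIG_NOT_EQUIVALENT it is generated, which is the distinction the bullet list above makes. The swinstall case is exercised by passing the parent and grandparent program path names as `ancestors`, which only the pathnames_0/programs_0 pair consults.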

Type III: User Names/UIDs

Type III property values consist of lists of user names or user IDs that specify critical users, that is, users the template is to explicitly take into account (type IIIa) or explicitly ignore (type IIIb). The following template property specifies three critical user IDs and three user names that determine the severity of an alert:

priv_user_list | 22 | 1 | 43
priv_user_list | root | bin | daemon

The following template property specifies that alerts are not generated if the following three user IDs or user names are encountered:

users_to_ignore | 21 | 3 | 53
users_to_ignore | root | bin | daemon

Type IV: User Name/UID Pairs

Type IV property values include pairs of user names or user IDs. This property type is currently used only in the Modification of Another User’s File Template. The two members of each pair are separated by a comma. When an event is received for a file that is being monitored, the following criteria are applied for every pair in the list:

  • The effective user ID of the process modifying the file corresponds to the first member of the pair.

  • The owner of the file corresponds to the second member of the pair.

If both of these conditions are met, no alert is issued.

Following is an example of this type of property value:

user_pairs_to_ignore | root, daemon | 0, bin | root, 3 | 0, 4

In this example, an alert is not triggered if any of the following conditions are met:

- If the file owner’s name is root and the effective user ID of the modifying process corresponds to the user name daemon.

- If the file owner’s user ID is 0 and the effective user ID of the modifying process corresponds to the user name bin.

- If the file owner’s user ID corresponds to the user name root and the effective user ID of the modifying process is 3.

- If the file owner’s user ID is 0 and the effective user ID of the modifying process is 4.

Type V: Network Triplets

Type V property values include network information triplets. The members of a triplet are as follows:

  • IP Address: An IP address. For IPv4, the address must be in standard dot notation; for IPv6, in colon notation.

  • Network Mask: The network mask value qualifies the value in the IP address field to an individual host address or a network address. A value of 255.255.255.255 means the value in the IP address field is an individual host address; otherwise, it is a network address. The network mask follows the notational requirements for IP addresses.

  • Severity Code: An integer representing a severity level (0=no alert, 1 = critical, 2 = severe, 3 = moderate), where a severity level of 0 specifies that no alert is generated for a matching {IP address, Network Mask, 0} triplet.

The following template configuration illustrates a Type V property value:

ip_filters | 192.168.0.2, 255.255.255.0, 0 |

Where:

  • 192.168.0.2: network address

  • 255.255.255.0: network mask for a network address

  • 0: no alerts are generated for hosts in the specified network
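As an added example (not part of the HP guide or of HIDS), the following Python code parses a Type V value into {IP address, network mask, severity code} triplets and looks up the severity that applies to a given host. The ip_filters value is constructed; it silences a whole network, raises one host inside that network to critical, and marks one other host moderate. The page does not state how overlapping triplets are resolved, so this example applies the first matching triplet in list order, which is an assumption of the example, and therefore lists the single-host triplet before the network triplet.

```python
import ipaddress

SEVERITY_NAMES = {0: "no alert", 1: "critical", 2: "severe", 3: "moderate"}

# Constructed ip_filters value (not from a real HIDS configuration): one host
# raised to critical, the rest of its /24 silenced, and one moderate host.
# The host triplet is listed first because this example applies the first
# matching triplet in list order; that precedence rule is an assumption.
IP_FILTERS = ("192.168.0.7, 255.255.255.255, 1 | "
              "192.168.0.2, 255.255.255.0, 0 | "
              "10.1.2.3, 255.255.255.255, 3")


def parse_triplets(value):
    """Parse '{IP address, network mask, severity} | ...' into tuples."""
    triplets = []
    for item in value.split("|"):
        if not item.strip():
            continue
        addr_s, mask_s, sev_s = (f.strip() for f in item.split(","))
        addr = ipaddress.ip_address(addr_s)
        mask = ipaddress.ip_address(mask_s)  # dotted (IPv4) or colon (IPv6) notation
        severity = int(sev_s)
        if addr.version != mask.version:
            raise ValueError(f"address/mask family mismatch in {item.strip()!r}")
        if severity not in SEVERITY_NAMES:
            raise ValueError(f"bad severity code in {item.strip()!r}")
        triplets.append((addr, mask, severity))
    return triplets


def triplet_matches(host, addr, mask):
    """True if `host` falls in the address/mask range of a triplet."""
    host = ipaddress.ip_address(host)
    if host.version != addr.version:
        return False
    m = int(mask)
    # An all-ones mask reduces the comparison to an exact host match.
    return int(host) & m == int(addr) & m


def severity_for(host, value=IP_FILTERS):
    """Severity code of the first triplet matching `host`, or None if none does."""
    for addr, mask, severity in parse_triplets(value):
        if triplet_matches(host, addr, mask):
            return severity
    return None


if __name__ == "__main__":
    for h in ("192.168.0.7", "192.168.0.200", "10.1.2.3", "10.1.2.4"):
        sev = severity_for(h)
        print(h, "->", "no matching triplet" if sev is None else SEVERITY_NAMES[sev])
```

The same masking arithmetic works for IPv6 triplets written in colon notation, because `ipaddress.ip_address` accepts the mask as an address of the same family.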

Type VI: Time Strings

The time strings property represents time intervals. Each time string has the following syntax:

integer[units]

The integer component is a positive integer representing a time interval. The units component, when present, indicates the time units the integer is expressed in. The following units are supported:

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

When the unit component is not present, the integer component is assumed to be in seconds. For example, the following lines in the template configuration file contain time strings representing values of 23 seconds, 10 minutes, 1 hour and 23 seconds; the s component in the last line is redundant, but can be used for clarity.

fail_interval | 23
warning_interval | 10m
fail_interval | 1h
warning_interval | 23s

NOTE: You cannot specify the time unit value in the Schedule Manager screen.

Type VII: Flags

The Type VII property value is an integer used to enable or disable a flag. A value of 1 means enabled, and a value of 0 means disabled. For example, the following properties of the Login/Logout template specify that the monitoring of logins is enabled, and the monitoring of successful su commands is disabled:

monitor_login_flag | 1
monitor_su_flag | 0

Type VIII: Scalars

The Type VIII property value is a single integer. However, this value can be any integer. For example, the following property of the Buffer Overflow template specifies that 500 is considered an unusually long argument length when invoking a privileged setuid program:

unusual_arg_len | 500

Type IX: Path Names / Integer Pairs

The Type IX property specifies pairs of path names and integers. In each pair, the two members are separated by a comma, and pairs are separated by a pipe. Each path name is interpreted as a regular expression or extended regular expression. For more information on regular expressions, see “UNIX Regular Expressions ”. The integer is interpreted as a Type VI time string.

Currently, only the global alert aggregation tuples property is of this type. For more information, see “Surveillance Schedule Text File”.
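The following Python code is an added example covering both Type VI (Time Strings) and Type IX (Path Names / Integer Pairs); it is not code from the HP guide or from HIDS. It converts an integer[units] time string to seconds, rejecting a non-positive integer or an unknown unit letter, and parses a Type IX value into (regular expression, seconds) pairs, splitting each pair on its last comma so that a comma inside the regular expression survives. The sample values are constructed, and the `interval_for` lookup, which returns the first matching pair, is an assumption of the example: this page does not describe how HIDS applies the intervals of the alert aggregation tuples.

```python
import re

# Seconds per unit; an absent unit means seconds.
UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TIME_STRING = re.compile(r"^(\d+)([smhdw]?)$")


def parse_time_string(text):
    """Convert 'integer[units]' to a number of seconds.

    Raises ValueError for a non-positive integer or an unknown unit letter.
    """
    m = _TIME_STRING.match(text.strip())
    if not m or int(m.group(1)) <= 0:
        raise ValueError(f"invalid time string: {text!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def is_valid_time_string(text):
    """True if `text` is a well-formed Type VI time string."""
    try:
        parse_time_string(text)
        return True
    except ValueError:
        return False


def parse_path_time_pairs(value):
    """Parse a Type IX value: 'regex, time | regex, time | ...'.

    The split is on the last comma of each pair, so a comma inside the
    regular expression (for example a {2,8} repetition) is preserved.
    """
    pairs = []
    for item in value.split("|"):
        if not item.strip():
            continue
        path_re, sep, interval = item.rpartition(",")
        if not sep:
            raise ValueError(f"pair without comma: {item.strip()!r}")
        pairs.append((re.compile(path_re.strip()), parse_time_string(interval)))
    return pairs


def interval_for(path, pairs):
    """Seconds from the first pair whose regex matches `path`, else None.

    Which interval HIDS applies when several pairs match is not stated on
    this page; first match in list order is an assumption of this example.
    """
    for path_re, seconds in pairs:
        if path_re.search(path):
            return seconds
    return None


if __name__ == "__main__":
    # Constructed sample Type IX value, not from a real HIDS configuration.
    sample = "^/etc/.*, 10m | ^/var/tmp/.{2,8}$, 1h"
    for p in ("/etc/hosts", "/var/tmp/abc", "/usr/bin/x"):
        print(p, "->", interval_for(p, parse_path_time_pairs(sample)))
```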
