The vulnerability addressed by this template
Certain privileged user accounts (such as adm, bin, sys) are intended to be used by system programs only for maintenance purposes. If these user accounts are enabled, and an attacker has compromised one of these user account passwords, the system is vulnerable to being compromised by an attacker either logging in to the system as a privileged user or running the su command to assume the identity of a privileged user.
How this template addresses the vulnerability
The Login/Logout template monitors the start and end of interactive user sessions. Specifically, this template monitors sulog, wtmp on HP-UX 11i v1, and wtmps on HP-UX 11i v2 and HP-UX 11i v3 for the following:
- Successful remote logins with utmp records logged in utmp
- Successful su commands to switch to another user name
How this template is configured
You can configure this template to monitor only logins, only logouts, or only su attempts, to monitor all of them, or to monitor a subset of them (for example, logins and su but not logouts).
You can configure the Login/Logout template to generate an alert if someone begins an interactive session using a privileged user account, such as adm, bin, sys, root, or ids, and to ignore all other users.
You can also configure the template to ignore logins and logouts by a small set of users who are expected to be on the system during certain time periods, and to generate alerts for all other users. For example, on a database server, only the user dbmaint is expected to log in during a specified maintenance period. No other users are expected to be using the system during that period. The template can be configured to generate an alert at the start and end of remote connections by all users during the maintenance period except for the dbmaint user.
Table A-19 Login/Logout Template Properties
| Property | Type | Default Value |
|---|---|---|
| users_to_ignore | III | <empty> |
| users_to_monitor | III | <empty> |
| monitor_su_flag | VII | 1 |
| monitor_login_flag | VII | 1 |
| monitor_logout_flag | VII | 1 |
| ip_filters | V | <empty> |
| priv_user_list | III | root, ids |

NOTE: The users_to_monitor property takes precedence over users_to_ignore when both lists are set. If users_to_monitor is not empty, values in users_to_ignore are ignored.
The configurable properties are listed as follows:
- users_to_ignore
Users in this list can log in, log out and su without generating an alert.
- users_to_monitor
Alerts are generated when users with a user ID or user name in this list log in, log out or use the su command if the corresponding monitor_*_flag is set to 1.
- monitor_su_flag
When set to 1, the template monitors successful su attempts to users specified in users_to_monitor or, if users_to_monitor is empty, by users not listed in users_to_ignore.
- monitor_login_flag
When set to 1, the template monitors successful logins to users specified in users_to_monitor or, if users_to_monitor is empty, by users not listed in users_to_ignore.
- monitor_logout_flag
When set to 1, the template monitors successful logouts by users specified in users_to_monitor or, if users_to_monitor is empty, by users not listed in users_to_ignore.
- ip_filters
Contains a list of triplets {ip_address, mask, severity}. Filters login alerts and determines the alert's severity based on which remote host or network the login was made from. If a login's remote host IP address matches one of the triplet's IP addresses qualified by the triplet's network mask, then the alert severity is set to the corresponding triplet's severity. A severity level of 0 indicates that an alert for a login event with a matching remote IP address is filtered, except for root and ids users. If a login event's remote host IP address does not match any triplet, then a severe alert (severity=2) is generated for root and ids users and a moderate alert (severity=3) is generated for all other users. The value of the mask must be set to 255.255.255.255 if the ip_address is a host address; otherwise, the mask must be set to the network mask that qualifies the value in ip_address as a network address. Host address filtering is only applied to those login events that are not filtered out by the users_to_ignore and users_to_monitor template properties.
- priv_user_list
A high severity alert is generated when a user with a user ID or user name in this list logs in or logs out.
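The following is an added example, not code from the HP-UX Host IDS product: a small Python model of the login-alert decision exactly as the property descriptions above state it, so the interaction of users_to_monitor, users_to_ignore and ip_filters can be checked against sample events. The function names and the sample filter list are assumptions; the property names and severity values come from the page.

```python
# Added example (not HP-UX Host IDS code): model of the Login/Logout template's
# login-alert decision as described by the template properties.
import ipaddress

# The page names root and ids as the users exempt from severity-0 filtering
# and as the users that get a severe alert when no triplet matches.
PRIV_USERS = {"root", "ids"}
SEVERITY_SEVERE = 2
SEVERITY_MODERATE = 3

# Constructed sample ip_filters: one host triplet (mask 255.255.255.255)
# and one network triplet whose severity 0 filters ordinary users.
SAMPLE_IP_FILTERS = [
    ("192.0.2.10", "255.255.255.255", 1),  # a known admin workstation
    ("10.0.0.0", "255.0.0.0", 0),          # internal network, filtered except root/ids
]


def user_selected(user, users_to_monitor, users_to_ignore):
    """users_to_monitor takes precedence; users_to_ignore only applies when it is empty."""
    if users_to_monitor:
        return user in users_to_monitor
    return user not in users_to_ignore


def ip_filter_severity(remote_ip, user, ip_filters):
    """Apply the {ip_address, mask, severity} triplets in order.

    Returns the alert severity, or None when the login alert is filtered out.
    """
    addr = ipaddress.IPv4Address(remote_ip)
    for ip_address, mask, severity in ip_filters:
        # strict=False lets a host-bit-bearing address/mask pair define the network
        network = ipaddress.IPv4Network((ip_address, mask), strict=False)
        if addr in network:
            if severity == 0:
                # Severity 0 filters the alert except for root and ids; the page does
                # not give their severity here, so (assumption) treat it as severe.
                return SEVERITY_SEVERE if user in PRIV_USERS else None
            return severity
    # No triplet matched: severe for root/ids, moderate for everyone else.
    return SEVERITY_SEVERE if user in PRIV_USERS else SEVERITY_MODERATE


def login_alert(user, remote_ip, users_to_monitor=(), users_to_ignore=(), ip_filters=()):
    """Severity of the alert raised for a successful login, or None for no alert."""
    if not user_selected(user, users_to_monitor, users_to_ignore):
        return None  # host address filtering never sees events the user filters drop
    return ip_filter_severity(remote_ip, user, ip_filters)
```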
Alerts generated by this template
See “Login/Logout” and “Successful su Detected” for more information about the alerts generated by the Login/Logout template.
Login/Logout
Table A-20 lists the alert properties the Login/Logout template generates and forwards to a response program when a successful login or logout occurs.
Table A-20 Login/Logout Alert Properties
Successful su Detected
Table A-21 lists the alert properties this template generates and forwards to a response program when a successful switch user (su) command is executed.
Table A-21 Successful su Detected Alert Properties
| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[1] | Template code | Integer | 7 | Unique code assigned to template |
| argv[2] | Version | Integer | 3 | Template version |
| argv[3] | Severity | Integer | 2 for users listed in priv_user_list property; 3 for all other users | Alert severity |
| argv[4] | UTC Time | Integer | <secs> | UTC time in number of seconds since the epoch when a successful su event occurred |
| argv[5] | Attacker | String | <username> | Name of the user who is attempting to use the su command |
| argv[6] | Target | String | <username> | The target user of the su command |
| argv[7] | Summary | String | Successful su session | Alert summary |
| argv[8] | Details | String | User <username_from> switched to user <username_to> on tty <tty> | Detailed alert description |
| argv[9] | Event | String | Switch-user (su) | The event that triggered the alert |
| argv[10] | Flag | Integer | 2 | Indicates an su alert versus a login/logout alert |
| argv[11] | Device | String | <tty> | The tty from which a successful su attempt was made |
| argv[12] | From | String | <username> | The name of the user attempting to use the su command |
| argv[13] | To | String | <username> | The target user of the su command |
Limitations
The Login/Logout template has the following limitations:
- The template only detects logins and logouts that are logged to wtmp:
  - The template does not detect successful secure ftp (sftp) logins and logouts because the ssh daemon logs successful sftp logins and logouts using syslog(3C) instead of logging them to wtmp on HP-UX 11i v1 and wtmps on HP-UX 11i v2 and HP-UX 11i v3.
  - The template does not detect secure shell (ssh) logins and logouts by ssh daemons that do not log successful ssh logins and logouts to wtmp on HP-UX 11i v1 and wtmps on HP-UX 11i v2 and HP-UX 11i v3. To enable Secure Shell to log failed logins and logouts to wtmp(s) or btmp(s), you must set the permissions of the wtmp(s) or btmp(s) file to 600.
- Because the login name (ut_user in a utmp structure) is not available for a logout event, the template retrieves the login name from the wtmp log. If the log has been cleared, the template creates a logout alert that does not contain the user name, only the device on which the logout occurred.
- The template generates alerts for ftp logins without the remote host IP address on 11i v1 unless the wu-ftp 2.6.1 patch is installed.
- The host address filtering provided by this template is vulnerable to IP spoofing.
- On IPv6 configured machines, alerts do not display the IP address.