Detection templates are the building blocks of surveillance groups. They contain configurable properties that modify template behavior at run time. See Appendix A for more information about HP-UX HIDS detection templates and how they can be configured. Each detection template is designed to identify a specific type of unauthorized system activity and has configurable parameters. The detection template directs the agent to monitor a security-related activity on a host system. For example, the Failed Login detection template checks the number of failed logins within a given time interval on a host system. Both the number of failed attempts and the time interval are configurable. If login attempts fail and the triggering criteria are met, an alert is issued. The parameters of a template can be configured once the detection template has been added to a surveillance group. At that point you can view all the editable properties and change their default values.

Modifying a Property Value in a Template
The values you add, modify, or delete are local to the current group. Other groups can have different values for the same template properties. To change the value of a property in a detection template, follow these steps:

1. On the Schedule Manager screen, select the Configure tab.

2. Highlight the template name in the Templates panel.

3. In the Properties panel, edit the value of a property by performing one of the following tasks:
   - Highlight the property and click the Edit button.
   - Highlight the property and press Ctrl+E.
   - Highlight the property and choose the Edit > Edit Selected Property Values menu item.
   - Double-click the Value column of the property.

   Values are shown as either single items or lists. Lists are comma-separated values wrapped in brackets; see step 5. Single items have a single value and no brackets; see step 4.

4. If the value is a single item (no brackets, for example, 20), the Edit dialog box is displayed (Figure 5-8). Perform these substeps to add, modify, or delete the value:
   a. Edit the value in the text box. In general, the value cannot be null.
   b. Click OK to accept your change, or Cancel to leave the value unchanged.

5. If the value is a list (zero or more values in brackets, for example, [0, 1, 5, 11]), the Edit List dialog box is displayed (Figure 5-9). Perform one of the following substeps to add, modify, or delete a value.

   To add a new value:
   a. Click the Add button. An Edit dialog box is displayed (Figure 5-10).
   b. Enter a value in the text box. In general, the value cannot be null.
   c. Click OK to insert the value, or Cancel to quit without adding.

   To edit a current value:
   a. Highlight one of the values in the display.
   b. Click the Edit button. An Edit dialog box is displayed (Figure 5-11) with the current value.
   c. Edit the value in the text box. In general, the value cannot be null.
   d. Click OK to accept the new value, or Cancel to leave the value unchanged.

   To delete a current value:
   a. Highlight one of the values in the Edit List display. If you highlight more than one, only the first one is processed.
   b. Click the Delete button. The value is deleted. Lists can be empty.
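The two properties of the Failed Login template mentioned at the start of this section, the number of failed attempts and the time interval, are exactly the kind of values edited with the procedure above. The following added example (not HP-UX HIDS code, and not taken from this guide) models that template's behaviour as a per-user sliding window over a constructed stream of login events, so you can see how changing the interval property changes which bursts of failures produce an alert. The property names max_failures and interval_secs, the event tuple format and the sample events are assumptions made for the example.

```python
"""Sliding-window failed-login detection, modelled on the behaviour described
for the Failed Login template: alert when the number of failed logins within
a configurable interval reaches a configurable count.  Added example, not
HP-UX HIDS code; the property names, event format and sample events are
assumptions/constructed."""
from collections import deque


class FailedLoginTemplate:
    def __init__(self, max_failures=3, interval_secs=60):
        # Hypothetical property names standing in for the template's
        # configurable "number of failed attempts" and "time interval".
        self.max_failures = max_failures
        self.interval_secs = interval_secs
        self._recent = {}   # user -> deque of timestamps of recent failures

    def observe(self, ts, user, success):
        """Feed one login event (time-ordered); return an alert dict or None."""
        if success:
            return None
        window = self._recent.setdefault(user, deque())
        window.append(ts)
        # Slide the window: discard failures older than the interval.
        while ts - window[0] > self.interval_secs:
            window.popleft()
        if len(window) >= self.max_failures:
            alert = {"ts": ts, "user": user, "failures": len(window),
                     "interval_secs": self.interval_secs}
            window.clear()   # do not re-alert on the same burst
            return alert
        return None


# Constructed events: (timestamp in seconds, user, login succeeded)
EVENTS = [
    (0, "root", False),
    (10, "root", False),
    (15, "alice", False),
    (20, "root", False),     # third root failure within 60 s
    (25, "alice", True),
    (100, "root", False),
    (200, "root", False),
    (300, "root", False),    # three failures, but spread over 200 s
    (305, "root", False),
    (310, "root", False),    # 300, 305, 310 fall inside one 60 s window
]


def run(events, **properties):
    """Run the template over a time-ordered event stream; return the alerts."""
    template = FailedLoginTemplate(**properties)
    return [a for a in (template.observe(*e) for e in events) if a]


if __name__ == "__main__":
    for props in ({}, {"interval_secs": 300}):
        print(props, [(a["ts"], a["user"], a["failures"])
                      for a in run(EVENTS, **props)])
```

With the defaults (3 failures in 60 seconds) the stream produces alerts at t=20 and t=310; widening interval_secs to 300 moves the second alert to t=300 because the failures at 100, 200 and 300 now share one window. That is the trade-off behind tuning these values: a longer interval catches slow, deliberate guessing but also turns scattered typos into alerts.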
Undoing and Redoing Changes

You can roll the changes you have made backward and forward with the Undo and Redo buttons. See "Undoing and Redoing Changes" for details.

Suggested Best Practices
The default configurations for the templates in HP-UX HIDS can generate a large number of alerts. You may wish to fine-tune the operation of the templates to maximize detection of intrusions while minimizing spurious alerts (also termed "false positives"). Use the tune command provided by idsadmin to fine-tune schedules automatically. For information on using the tune command, see "Tuning Schedules Using the idsadmin Command".

It is important to realize that the throughput of HP-UX HIDS is affected by the combination of templates active at a given time. Some templates have more complex heuristics and impose a larger overhead on the system. It may take a number of iterations to obtain a well-tuned set of templates for a given system. HP recommends the following best practices:

1. Identify the critical resources on the system that must be protected. Use the tune command to focus the templates on these critical resources.

2. Determine when the system is most vulnerable to threats. Create a surveillance schedule that is active during the vulnerable time periods.

3. Determine whether the system is ever in maintenance mode. Create a surveillance schedule that is not active during the maintenance period.

4. During initial deployment of HIDS, customize a sample surveillance schedule and run it for at least one day. After a sizable number of alerts have been generated, run the tune command to determine how many alerts are generated during normal system usage. The tune command suggests filters that remove the alerts caused by normal system activity.

5. Continue tuning schedules whenever you notice that HIDS is generating a number of false positives.
Some Template Configuration Guidelines

The "Modification of files/directories Template" provides real-time file change detection. Any modification made to any file or directory within the directory tree specified in the template is detected and reported. However, the template can generate many alerts that are not security relevant. The "Files Modified by Program List/Program List" properties can be used to ignore changes to certain files when they are performed by a known program. The pathnames_to_not_watch property can be used to ignore directories and files where changes are not considered a security risk. The "Modification of Another User's File Template" also generates many alerts if not tuned correctly.

When tuning a template, consider the areas that pose the greatest risk if the system is penetrated. Obviously, replacing a program in /bin or /sbin, or the kernel in /stand, is a serious threat. Also consider the areas that pose little risk if the system is penetrated. For example, many files change under /var/adm, and ignoring that directory is usually safe. But if a symbolic link attack is launched from /var/adm, the attack may not be detected. This is a trade-off decision.

Start with a single template and see how many alerts it generates. Determine whether any of these are security events; if not, modify the template properties to filter out the spurious alerts. You may find software that is behaving incorrectly, such as writing to /opt (considered a read-only file system), creating world-writable lock files (a security issue), or saving temporary data in /etc (which should hold only configuration data). Contact the software vendor about these programs.
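The best-practice loop above (run a schedule during normal use, let tune suggest filters for the repeated alerts) and the /var/adm trade-off described in these guidelines can be made concrete with a small model. The following added example is not HP-UX HIDS code and does not reproduce the tune command's real algorithm: it applies the three kinds of filter the text names (a watched tree, pathnames_to_not_watch, and a per-program ignore list standing in for the "Files Modified by Program List/Program List" properties) to a constructed day of file-modification events, derives tune-style per-program ignores from the repeated ones, and then shows what a coarse pathnames_to_not_watch entry for /var/adm would hide. The names WATCHED_TREES and files_modified_by_program, the event format and all sample events are assumptions made for the example.

```python
"""Filtering logic for a file/directory modification template and a
tune-style filter suggestion, modelled on the behaviour described in the
guidelines for the "Modification of files/directories" template and the
idsadmin tune command.  Added example, not HP-UX HIDS code:
pathnames_to_not_watch is the documented property name; the other names,
the event format and the sample events are assumptions/constructed."""
from collections import Counter
import fnmatch
import os

WATCHED_TREES = ["/etc", "/usr", "/var/adm"]   # assumed template watch list

# Constructed sample events: (modified path, program that modified it).
# Mostly routine activity, plus two events a practitioner must not lose.
EVENTS = [
    ("/var/adm/syslog/syslog.log", "syslogd"),
    ("/var/adm/syslog/syslog.log", "syslogd"),
    ("/var/adm/syslog/syslog.log", "syslogd"),
    ("/var/adm/wtmp", "login"),
    ("/var/adm/wtmp", "login"),
    ("/var/adm/cron/log", "cron"),
    ("/var/adm/cron/log", "cron"),
    ("/etc/passwd", "passwd"),
    ("/etc/passwd", "passwd"),
    ("/usr/bin/ls", "cp"),        # a replaced system binary: serious
    ("/var/adm/sulog", "ln"),     # a link planted in /var/adm: the trade-off case
]


def is_under(path, tree):
    """True if path is tree itself or lies inside that directory tree."""
    return path == tree or path.startswith(tree.rstrip("/") + "/")


def evaluate(events, watched_trees, pathnames_to_not_watch=(),
             files_modified_by_program=None):
    """Return the events the template would report.  An event is dropped if it
    is outside every watched tree, inside a not-watched path, or matches a
    pattern listed for the program that made the change."""
    files_modified_by_program = files_modified_by_program or {}
    alerts = []
    for path, program in events:
        if not any(is_under(path, t) for t in watched_trees):
            continue
        if any(is_under(path, p) for p in pathnames_to_not_watch):
            continue
        patterns = files_modified_by_program.get(program, [])
        if any(fnmatch.fnmatch(path, pat) for pat in patterns):
            continue
        alerts.append((path, program))
    return alerts


def suggest_filters(alerts, min_count=2):
    """Tune-style suggestion: a (directory, program) pair that alerted at least
    min_count times during normal use becomes a per-program ignore pattern.
    One-off events (the replaced binary, the planted link) are never suggested."""
    counts = Counter((os.path.dirname(path), program) for path, program in alerts)
    suggested = {}
    for (directory, program), n in counts.items():
        if n >= min_count:
            suggested.setdefault(program, []).append(directory + "/*")
    return suggested


if __name__ == "__main__":
    baseline = evaluate(EVENTS, WATCHED_TREES)
    filters = suggest_filters(baseline)
    print("untuned alerts:", len(baseline))
    print("suggested per-program ignores:", filters)
    print("tuned alerts:", evaluate(EVENTS, WATCHED_TREES,
                                    files_modified_by_program=filters))
    # The coarser choice from the text: drop /var/adm entirely.  Quieter,
    # but the "ln" event in /var/adm disappears along with the noise.
    print("ignoring /var/adm:", evaluate(EVENTS, WATCHED_TREES,
                                         pathnames_to_not_watch=["/var/adm"]))
```

Untuned, all eleven events alert. The per-program ignores derived from the repeated (directory, program) pairs remove the syslogd, login, cron and passwd noise and leave exactly the two events worth a look: the copy over /usr/bin/ls and the link created in /var/adm. Putting /var/adm in pathnames_to_not_watch instead is simpler and just as quiet for the routine traffic, but it also hides the planted link, which is the trade-off the guidelines warn about. Prefer the narrower per-program filter where the writing program is predictable, and reserve whole-directory exclusions for trees where nothing security-relevant can happen.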