Professional Documents
Culture Documents
HIDS Configuration Template
HIDS Configuration Template
:
:
:
:
:
:
Note: Dragon by default provides capabilities for monitoring various files and logs of
popular applications and the Operating System itself. As a result, please only provide
files and/or logs that are specific to the systems environment and more importantly
deemed critical to the system.
If required, please check with the consultant/manual on supported applications.
Binary (executables) Files to be
Monitored
Perm
Inode
UID
GID
Inc
Trun
MD5
Time
Configuration/Script Files to be
Monitored
Perm
Inode
UID
GID
Inc
Trun
MD5
Time
CONFIDENTIAL
Special Log Events to be Monitored (Please specify the name of the log files as well)
Special Registry Settings to be Monitored (Windows) (Please provide the Registry Hive Info)
CONFIDENTIAL
INODE
Turn this option on to generate an event if the inode number for a file has changed. This is useful to
determine if a file has been moved/deleted and replaced or if a log has been rotated. If the inode
changes, a FILE:INODE-CHANGED event is generated.
USER ID (UID)
Turn this option on to generate an event if the owner of the file has changed. If the owner changes a
FILE:UID-CHANGED event is generated. Under Windows, this setting results in additional CPU
overhead. Please monitor the CPU performance and adjust this setting accordingly.
GROUP ID (GID)
Turn this option on to generate an event if the group of the file has changed. If the group changes a
FILE:GID-CHANGED event is generated. Under Windows, this setting results in additional CPU
overhead. Please monitor the CPU performance and adjust this setting accordingly.
NOTE: This option results in additional CPU overhead in Windows. If performance is an issue,
monitor the CPU load and adjust this setting accordingly.
INCREASED (INC)
Turn this option on to generate an event if the size of the file has become larger. If the file grows in
size, a FILE:INCREASED event is generated.
TRUNCATED (TRUN)
Turn this option on to generate an event if the size of the file has become smaller. If the file shrinks in
size, a FILE:TRUNCATED event is generated. Log files may be altered by an attacker to remove
entries that log their activity. A log file should not normally reduce in size.
MD5
Turn this option on to generate an event if the md5 hash of the file has changed. If the hash value
changes, a FILE:MD5-CHANGED event is generated. The md5 values are stored in an encrypted file
on Host Sensor. When the file is first created, a FILE:MD5-MISSING event is generated to alert the
security administrator that archived md5 values do not exist. This is valid during the initial
configuration of Host Sensor. If this event happens after Host Sensor is operational, it is indicative of
the md5 hash values being deleted.
As each files md5 value is initially calculated, a FILE:MD5-INIT event is generated. This is valid
during the initial configuration. If the event is generated after Host Sensor has been operational, it
indicates that the archive MD5 values have been tampered with.
A FILE:MD5-INVALID event is generated if the encrypted archived MD5 values are unreadable. This
event indicates tampering with the md5 file. The intent is that an event will be generated if a hacker
tries to alter/delete the encrypted md5 archive (FILE:MD5-MISSING, FILE:MD5-INIT, FILE:MD5INVALID). If a file that is being monitored is altered, a FILE:MD5-CHANGED is generated.