Scribd Logo
Upload

Welcome to Scribd!

  • HIDS Configuration Template

    Uploaded by

    Kelvin
    24 views3 pages
    This document provides configuration details for monitoring files, logs, and system settings on a server named "Dragon" using a tool called Dragon Host Sensor. It lists binary and configuration files to monitor, log files to monitor, special log events to monitor, and special Windows registry settings to monitor. An appendix defines the file attributes that can be monitored, such as permissions, inode, owner, size, hash, and modification time.

    Original Description:

    HIDS Configuration Template

    Copyright

    © © All Rights Reserved

    Available Formats

    DOC, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document provides configuration details for monitoring files, logs, and system settings on a server named "Dragon" using a tool called Dragon Host Sensor. It lists binary and configuration files to monitor, log files to monitor, special log events to monitor, and special Windows registry settings to monitor. An appendix defines the file attributes that can be monitored, such as permissions, inode, owner, size, hash, and modification time.

    Copyright:

    © All Rights Reserved
    Download as DOC, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as doc, pdf, or txt
    24 views3 pages

    HIDS Configuration Template

    Uploaded by

    Kelvin
    This document provides configuration details for monitoring files, logs, and system settings on a server named "Dragon" using a tool called Dragon Host Sensor. It lists binary and configuration files to monitor, log files to monitor, special log events to monitor, and special Windows registry settings to monitor. An appendix defines the file attributes that can be monitored, such as permissions, inode, owner, size, hash, and modification time.

    Copyright:

    © All Rights Reserved
    Download as DOC, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as doc, pdf, or txt
    of 3

    CONFIDENTIAL

    DRAGON HOST SENSOR CONFIGURATION


    Server Name
    IP Address
    System Location
    Operating System
    Applications Installed
    Date

    :
    :
    :
    :
    :
    :

    Note: Dragon by default provides capabilities for monitoring various files and logs of
    popular applications and the Operating System itself. As a result, please only provide
    files and/or logs that are specific to the systems environment and more importantly
    deemed critical to the system.
    If required, please check with the consultant/manual on supported applications.
    Binary (executables) Files to be
    Monitored

    Perm

    Inode

    UID

    GID

    Inc

    Trun

    MD5

    Time

    Configuration/Script Files to be
    Monitored

    Perm

    Inode

    UID

    GID

    Inc

    Trun

    MD5

    Time

    CONFIDENTIAL

    Log Files to be Monitored (Please provide the full path)

    Special Log Events to be Monitored (Please specify the name of the log files as well)

    Special Registry Settings to be Monitored (Windows) (Please provide the Registry Hive Info)

    CONFIDENTIAL

    APPENDIX FILE ATTRIBUTES (FROM THE DRAGON MANUAL)


    PERMISSIONS (PERM)
    Turn this option on to generate an event if permissions associated with the file are altered. Under
    UNIX, Host Sensor will monitor the setuid, setgid, sticky-bit, owner-read, owner-write, owner-execute,
    group-read, group-write, group-execute, other-read, other-write and other-execute permissions. If the
    permissions change, a FILE:PERMS-CHANGED event is generated. In Windows, Host Sensor
    monitors the ACLs associated with a file.

    INODE
    Turn this option on to generate an event if the inode number for a file has changed. This is useful to
    determine if a file has been moved/deleted and replaced or if a log has been rotated. If the inode
    changes, a FILE:INODE-CHANGED event is generated.

    USER ID (UID)
    Turn this option on to generate an event if the owner of the file has changed. If the owner changes a
    FILE:UID-CHANGED event is generated. Under Windows, this setting results in additional CPU
    overhead. Please monitor the CPU performance and adjust this setting accordingly.

    GROUP ID (GID)
    Turn this option on to generate an event if the group of the file has changed. If the group changes a
    FILE:GID-CHANGED event is generated. Under Windows, this setting results in additional CPU
    overhead. Please monitor the CPU performance and adjust this setting accordingly.
    NOTE: This option results in additional CPU overhead in Windows. If performance is an issue,
    monitor the CPU load and adjust this setting accordingly.

    INCREASED (INC)
    Turn this option on to generate an event if the size of the file has become larger. If the file grows in
    size, a FILE:INCREASED event is generated.

    TRUNCATED (TRUN)
    Turn this option on to generate an event if the size of the file has become smaller. If the file shrinks in
    size, a FILE:TRUNCATED event is generated. Log files may be altered by an attacker to remove
    entries that log their activity. A log file should not normally reduce in size.

    MD5
    Turn this option on to generate an event if the md5 hash of the file has changed. If the hash value
    changes, a FILE:MD5-CHANGED event is generated. The md5 values are stored in an encrypted file
    on Host Sensor. When the file is first created, a FILE:MD5-MISSING event is generated to alert the
    security administrator that archived md5 values do not exist. This is valid during the initial
    configuration of Host Sensor. If this event happens after Host Sensor is operational, it is indicative of
    the md5 hash values being deleted.
    As each files md5 value is initially calculated, a FILE:MD5-INIT event is generated. This is valid
    during the initial configuration. If the event is generated after Host Sensor has been operational, it
    indicates that the archive MD5 values have been tampered with.
    A FILE:MD5-INVALID event is generated if the encrypted archived MD5 values are unreadable. This
    event indicates tampering with the md5 file. The intent is that an event will be generated if a hacker
    tries to alter/delete the encrypted md5 archive (FILE:MD5-MISSING, FILE:MD5-INIT, FILE:MD5INVALID). If a file that is being monitored is altered, a FILE:MD5-CHANGED is generated.

    MODIFICATION TIME (TIME)


    Generate an alarm if the modification time changes on a file without a change in the files size. If the
    modification time changes, a FILE:MTIME-CHANGED event is generated.

    You might also like