</td>
</tr>
</table>
</form>
<!-- LEFT NAV SEARCH END -->
</td>
<!-- PUB PARTNERS END -->
<!-- END LEFT NAV -->
<!-- end of ITK left NAV -->
<!-- begin main content -->
<td width="100%" valign="top" align="left">
<!-- END SUB HEADER -->
<!--Begin Content Column -->
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>
<!-- Empty Reference Subhead -->
<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=6//-->
<!--PAGES=198-201//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->
<P>Detecting whether the root user ran /home/Joe/ls instead of /bin/ls is difficult to do from the accounting files. Information about any resources accessed by the user’s program is sketchy.</P>
<P>Axent’s Intruder Alert also watches syslog and other system logs for intrusive behaviors. ITA depends on a rule-based approach to look for problems on the system. The rule base is extensible for third-party applications. One useful benefit of this capability is that vendors who write messages to syslog can build rules for plugging into ITA. Because ITA also includes a distributed, heterogeneous, client-server event reporting framework, other vendors can develop rules that indicate intrusive behavior and watch the events get reported to the ITA console.</P>
<P>Unfortunately, syslog does not include all of the information necessary to detect a number of intrusive and misused behaviors. The OS audit logs are needed for a more detailed analysis. Which is better—syslog or audit logs? There is no simple answer.</P>
<P>If you are content to know about failed su events, failed logins, bad password changes, and other events reported by syslog, then this is a sufficient source of instrumentation. The question you must consider is whether there are other events, such as those described in the following sections, that you want to detect. Also, you must decide whether you can afford the price of auditing. Turning on the auditing subsystem has performance implications. On the other hand, if your site security policy <I>requires</I> auditing already, adding an IDS that processes this data further is probably acceptable.</P>
<H4 ALIGN="LEFT"><A NAME="Heading13"></A><FONT COLOR="#000077">Audit Trails</FONT></H4>
<P>The OS audit trails contain a significant amount of data about system activities. Each OS reports on a different number of events, but almost <I>any</I> OS system activity is reported. For example, Solaris reports more than 240 audit events, AIX almost 100, and HP-UX around 125. Microsoft NT emits about 100 different events as well.</P>
<P>Unlike syslog and the accounting logs, audit records include important, security-relevant data values in each record. Figure 6.2 shows the audit header fields for AIX. Note that today AIX does not report the EUID or EGID of a process, which makes detection of buffer overflow attacks difficult.</P>
<P><A NAME="Fig2"></A><IMG SRC="images/06-02t.jpg" ALT="Figure 6.2: Audit record header fields for AIX">
<BR><FONT COLOR="#000077"><B>Figure 6.2</B></FONT> Audit record header fields for AIX.</P>
<P>Among other values, the audit records contain the following:
</P>
<DL>
<DD><B>•</B> Details about the object being accessed, such as the parameters passed to the program
<DD><B>•</B> Fully qualified path names of executables
</DL>
<P>When a user completes the login process, the kernel assigns an <I>audit ID</I> (AUID), which is the prefix for each audit record written for that user. Even if the user runs a SUID root program, the AUID remains the same. This means that a user cannot <I>hide</I> an activity by pretending to be someone else, whether root or another user. The AUID is what proves accountability for activities and identifies the user responsible for the event.</P>
<P>How reliable is the AUID? The answer depends on your environment. If most of your users log in using the normal mechanism, run various programs, execute commands, and then log out, the AUID will be a reliable indicator for accountability. However, in a couple of cases the AUID is not particularly helpful.</P>
<P>A number of daemon programs started automatically by the system will run with AUID=0. Any audit records cut for those programs will show that root initiated the activity, even though it did not happen from a login shell. If these programs are listening for interprocess communication from other programs run by normal users, assigning accountability gets a little more complicated. When your program sends a message to one of these daemons and asks it to perform an activity on your behalf, it is the root AUID that will appear as the prefix for the daemon’s audit records, not your UID.</P>
<P>A more complicated problem exists for Web servers and systems without login sessions. Systems of this type are usually running server programs that are listening for network connections from other nodes. The only AUID in the audit records might be that of the root user. Even if you have created a special user ID under which you run your Web server, the AUID probably will be zero (root’s UID) because of the way in which the Web server is started by the system. If the server is started by an rc script or via the init program, the root AUID will be the prefix for the audit records.</P>
<P>The AUID can be changed by a privileged process, which is good because it provides a facility for programs to set the appropriate AUID value. However, this feature also means that an intruder who gains root access will be able to change the AUID. While this may seem nasty at first glance, this event itself will be logged with an audit record.</P>
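<P>The following is an added example, not code from the book, showing how an analyst reads the AUID rather than the UID for accountability: it attributes commands to the login AUID across su, flags root running a binary outside the system directories (the /home/Joe/ls case, visible only because audit records carry full paths), flags daemons that carry AUID 0 without a login session, and flags the audited AUID-change event. The audit trail, its key=value layout, and the event names are constructed for the example and are not the AIX record format of Figure 6.2.</P>

```python
from collections import defaultdict

# Constructed sample trail in a simplified key=value form (not the AIX format of
# Figure 6.2; the event names are constructed too). auid is the audit ID fixed at
# login, uid is the UID the event actually ran under, ppid 1 means no login shell.
SAMPLE_AUDIT = """\
event=LOGIN auid=501 uid=501 pid=1200 ppid=1 cmd=/usr/bin/login
event=PROC_Execute auid=501 uid=501 pid=1201 ppid=1200 cmd=/bin/ls
event=USER_SU auid=501 uid=0 pid=1202 ppid=1200 cmd=/usr/bin/su
event=PROC_Execute auid=501 uid=0 pid=1203 ppid=1202 cmd=/home/Joe/ls
event=PROC_Execute auid=0 uid=0 pid=800 ppid=1 cmd=/usr/sbin/httpd
event=PROC_Execute auid=0 uid=60001 pid=801 ppid=800 cmd=/usr/sbin/httpd
event=PROC_SetAUID auid=501 uid=0 pid=1204 ppid=1202 cmd=/usr/bin/setauid
"""
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")

def parse_records(text):
    """One key=value record per line; numeric ids converted to int."""
    records = []
    for line in text.splitlines():
        rec = dict(kv.split("=", 1) for kv in line.split())
        for key in ("auid", "uid", "pid", "ppid"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def activity_by_auid(records):
    """Commands each AUID is accountable for, even after su or a SUID program."""
    by_auid = defaultdict(list)
    for r in records:
        if r["event"] == "PROC_Execute":
            by_auid[r["auid"]].append(r["cmd"])
    return dict(by_auid)

def auid_findings(records):
    """Flag the cases where the AUID needs a second look, plus root running a
    binary outside the system directories (visible only because paths are full)."""
    findings = []
    for r in records:
        if r["event"] == "PROC_Execute":
            if r["auid"] != r["uid"]:  # su'd or SUID: the AUID still names the person
                findings.append(("uid-differs-from-auid", r["auid"], r["cmd"]))
            if r["uid"] == 0 and not r["cmd"].startswith(SYSTEM_DIRS):
                findings.append(("root-ran-non-system-binary", r["auid"], r["cmd"]))
        if r["event"] != "LOGIN" and r["auid"] == 0 and r["ppid"] == 1:
            findings.append(("root-auid-no-login-session", r["pid"], r["cmd"]))  # daemon
        if r["event"] == "PROC_SetAUID":  # a privileged AUID change is itself audited
            findings.append(("auid-changed", r["auid"], r["cmd"]))
    return findings
```

<P>On the sample trail, user 501 is held accountable for /home/Joe/ls even though it ran as UID 0 after su, while the httpd worker running as UID 60001 is still attributed to AUID 0 because the daemon was started from init.</P>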
<P>Can an attacker stop th