Host Intrusion Detection System Administrator's Guide Release 3.0

Templates and Alerts
Modification of Files/Directories Template
The vulnerability addressed by this template
Many of the files on an HP-UX system should not be modified during normal operation. This includes the system-supplied binaries and libraries and the kernel. Additionally, software packages are generally not installed or modified during normal system operation. However, when attackers break into a system, they frequently create back doors to let themselves in later. They might also use a "root kit" to modify the system binaries so that they do not report the changes that were made.
Modification of a system's critical files can leave the system vulnerable to subsequent attacks. An attacker often modifies system files to plant back doors. For example, if /etc/passwd is modified to set root's password to empty, an attacker can subsequently log in as root and completely compromise the system, or use it to launch further attacks against other systems on the network. Modification or corruption of security-critical files can also lead to denial-of-service attacks.
How this template addresses the vulnerability
This template, also known as the Read Only (RO) template, monitors files that are not expected to be modified, where a file can be a regular file, a directory, a symbolic link, or a special file (block file, character file, named pipe). Specifically, the template monitors the following modifications or potential modifications to files specified by the user.
Successful attempts to open a file to write or append, to delete the file, to create the file, to rename the file, or to truncate the file.
Successful attempts to add or delete files in the directory, to delete the directory, to create the directory, or to rename the directory.
Changes to file ownership and file permissions.
This template does not determine that a file's contents were changed, only that a change might have been made (i.e., it does not watch the content of the files, only that a file was opened with write permission). Instead of monitoring write(2) calls that modify files, successful opens to write to or truncate the file are monitored to provide early detection of processes that might modify critical files.
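The following is an added illustration, not code from the HP-UX HIDS product or this guide, of how the rules just described combine with the pathnames_to_watch regular expressions from Table A-9: only successful operations are considered, an open(2) counts only when its flags allow writing, and creating or deleting an entry inside a watched directory counts as a modification of that directory. The event dictionaries and the names of the open flags are constructed for the example; the real HIDS audit record format is not described on this page and is not assumed here.

```python
import os
import re

# Default pathnames_to_watch value from Table A-9, split on the '|' separators.
DEFAULT_PATHNAMES_TO_WATCH = [
    r"^/stand/vmunix$", r"^/stand/kernrel$", r"^/stand/bootconf$",
    r"^/etc/passwd$", r"^/etc/shadow$", r"^/etc/group$",
    r"^/\.rhosts$", r"^/\.shosts$", r"^/etc/hosts\.equiv$",
    r"^/etc/hosts\.allow$", r"^/etc/hosts\.deny$", r"^/etc/inetd\.conf$",
    r"^/etc/", r"^/bin/", r"^/sbin/", r"^/stand/", r"^/lib/",
    r"^/usr/bin/", r"^/opt/",
]

# open(2) flags that allow the file to be changed; an O_RDONLY open is not a
# modification attempt and is deliberately ignored, as the template does.
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_APPEND", "O_TRUNC", "O_CREAT"}


def compile_watch_list(patterns):
    """Compile the regex list; every entry is ^-anchored so search() is exact."""
    return [re.compile(p) for p in patterns]


def is_watched(path, compiled):
    """True if the absolute pathname matches any entry in the watch list."""
    return any(r.search(path) for r in compiled)


def touches_watched(path, compiled):
    """True if the path itself or its containing directory is watched.

    Adding or deleting an entry in a watched directory modifies that directory,
    so /etc/newfile is relevant whenever ^/etc/ is in the list.
    """
    parent = os.path.dirname(path.rstrip("/")) or "/"
    if not parent.endswith("/"):
        parent += "/"
    return is_watched(path, compiled) or is_watched(parent, compiled)


def classify_event(event, compiled):
    """Return the kind of modification the template would report, or None.

    `event` is a constructed dict (hypothetical format, not HIDS audit output):
    {"syscall", "path", "result", optional "flags", optional "newpath"}.
    """
    if event.get("result") != "success":
        return None  # the template reports successful attempts only
    syscall, path = event["syscall"], event["path"]
    if syscall == "open":
        if set(event.get("flags", ())) & WRITE_FLAGS and is_watched(path, compiled):
            return "open-for-write"
        return None
    if syscall in ("creat", "mkdir"):
        return "create" if touches_watched(path, compiled) else None
    if syscall in ("unlink", "rmdir"):
        return "delete" if touches_watched(path, compiled) else None
    if syscall == "rename":
        if touches_watched(path, compiled) or touches_watched(event["newpath"], compiled):
            return "rename"
        return None
    if syscall in ("truncate", "ftruncate"):
        return "truncate" if is_watched(path, compiled) else None
    if syscall in ("chmod", "chown"):
        return "attribute-change" if is_watched(path, compiled) else None
    return None


# Constructed sample events; each exercises one rule from the text above.
SAMPLE_EVENTS = [
    {"syscall": "open", "path": "/etc/passwd", "flags": ["O_RDONLY"], "result": "success"},
    {"syscall": "open", "path": "/etc/passwd", "flags": ["O_WRONLY", "O_TRUNC"], "result": "success"},
    {"syscall": "open", "path": "/etc/shadow", "flags": ["O_WRONLY"], "result": "failure"},
    {"syscall": "unlink", "path": "/etc/hosts.allow", "result": "success"},
    {"syscall": "creat", "path": "/usr/bin/.hidden", "result": "success"},
    {"syscall": "rename", "path": "/tmp/ls", "newpath": "/sbin/ls", "result": "success"},
    {"syscall": "chmod", "path": "/home/alice/notes", "result": "success"},
    {"syscall": "chown", "path": "/stand/vmunix", "result": "success"},
    {"syscall": "open", "path": "/tmp/scratch", "flags": ["O_WRONLY", "O_CREAT"], "result": "success"},
]


def scan(events, patterns=DEFAULT_PATHNAMES_TO_WATCH):
    """Run every event through the classifier and return (kind, path) alerts."""
    compiled = compile_watch_list(patterns)
    alerts = []
    for event in events:
        kind = classify_event(event, compiled)
        if kind:
            alerts.append((kind, event["path"]))
    return alerts


if __name__ == "__main__":
    for kind, path in scan(SAMPLE_EVENTS):
        print(f"{kind:16} {path}")
```

Of the nine constructed events, five produce alerts: the read-only open of /etc/passwd, the failed write open of /etc/shadow, the chmod under /home and the write to /tmp are all ignored, which is the behaviour the template describes. Note that the anchored patterns are matched against absolute pathnames, so ^/\.rhosts$ covers only /.rhosts at the root, while the prefix entries such as ^/etc/ cover every path below that directory.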
How this template is configured
This template supports the following properties:

Table A-9 Template Properties

Name                 Type   Default Value
pathnames_to_watch   I      ^/stand/vmunix$ | ^/stand/kernrel$ | ^/stand/bootconf$ |
                            ^/etc/passwd$ | ^/etc/shadow$ | ^/etc/group$ | ^/\.rhosts$ |
                            ^/\.shosts$ | ^/etc/hosts\.equiv$ | ^/etc/hosts\.allow$ |
                            ^/etc/hosts\.deny$ | ^/etc/inetd\.conf$ | ^/etc/ | ^/bin/ |
                            ^/sbin/ | ^/stand/ | ^/lib/ | ^/usr/bin/ | ^/opt/