Host Intrusion Detection System Administrator's Guide Release 3.0

ManualsBrandsHP ManualsSoftwareHP-UX Host Intrusion Detection System Software

161

162

163

164

165

166

167

168

169

170

Templates and Alerts

Changes to Log File Template

Appendix A

152

Changes to Log File Template

The vulnerability

addressed by this

template

There are certain HP-UX system ﬁles that are used to store logs of system activities,

such as login attempts, commands executed, and miscellaneous system log messages.

The ﬁles that store this system information should only be appended to, not overwritten.

An attacker will often either modify or delete these ﬁles to remove information about

their intrusion.

How this template

addresses the

vulnerability

The template, also known as the Append Only (AO) template, monitors a user-deﬁned

list of ﬁles for attempts to modify them in any way other than appending to them.

Speciﬁcally, the template monitors a user speciﬁed set of regular ﬁles for successful

attempts to open a ﬁle with write or truncate permission, to delete the ﬁle, to rename the

ﬁle, or to truncate the ﬁle.

This template does not monitor changes in ownership or permissions of the ﬁle. The

template also does not monitor for the creation of a new ﬁle. Lastly, this template does

not determine that a ﬁle’s contents were changed, only that a change might have been

made (i.e., it does not watch the content of the ﬁles, only that a ﬁle was opened with

permission other than append). Instead of monitoring write(2) calls that modify ﬁles,

successful opens to write to the ﬁle are monitored to provide early detection of processes

that might potentially modify critical ﬁles other than appending.

How this template

is conﬁgured

This template supports the following properties:

Properties • Property: pathnames_to_watch

Pathnames of ﬁles to be monitored for modiﬁcation other than appending.

• Property: pathnames_to_not_watch

Pathnames of ﬁles that can be safely ignored for modiﬁcation, regardless of which

program modiﬁes them.

• Properties: pathnames_X, programs_X

Table A-11 Template Properties

Name Type Default Value

pathnames_to_watch I ^/var/adm/btmp$ | ^/var/adm/wtmp$ |

^/var/adm/messages$ |

^/var/adm/syslog/mail˙log $ |

^/var/adm/syslog/syslog˙log$ |

^/var/adm/pacct$ | ^/var/adm/sulog$

pathnames_to_not_watch I <empty>

pathnames_X II <empty>

programs_X II <empty>