Host Intrusion Detection System Administrator's Guide Release 3.0
Templates and Alerts
Creation of Setuid File Template
Appendix A
155
Creation of Setuid File Template
The vulnerability addressed by this template
A setuid file is one that, when executed, runs with the permissions of the file's owner rather
than those of the user executing it. One of the back doors an intruder frequently installs on a
compromised system is a copy of the /bin/sh program that is setuid root. Any user who can execute
such a file can run arbitrary commands as the superuser.
How this template addresses the vulnerability
The Setuid (SUID) template detects the creation of files with setuid privileges owned by
privileged users by monitoring for the following:
• Modification of the file permissions to enable the setuid bit on a file owned by a
privileged user.
• Changing the owner of a setuid file to be owned by a privileged user.
• Creation of a file that has the setuid bit set and owned by a privileged user.
By detecting the creation of a setuid file as soon as it occurs, the template can give an
administrator a timely security report of a potential intrusion. Apart from HIDS, there is no
known mechanism for the HP-UX operating system that reports the creation of setuid files in near
real time; a periodic audit such as find / -perm -4000 only discovers a new setuid file on its
next run.
How this template is configured
This template supports the following properties:
Properties
• Property: priv_uid_list
A list of system-level user IDs.
This list should contain the users that are considered to have elevated access to the
system. If a user ID is removed from the list, the creation of a setuid file owned by that
user is no longer detected by this template.
• Properties: pathnames_X, programs_X
These properties can be used to filter out alerts generated when a particular
program creates or enables a particular privileged setuid file. See “Type II:
Pathnames/Programs Pairs” on page 130 for a detailed description of these property
pairs.
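The three conditions above, together with the priv_uid_list and pathnames_X/programs_X properties, can be expressed as a small detector. The following is an added example written for this guide page, not HP-UX HIDS code: the audit record layout, the use of shell-glob matching for the pathname and program patterns, and the sample events are all assumptions made for the illustration. An alert fires only when an operation moves a file into the state "setuid bit set and owned by a privileged user" from a state that was not, which is what distinguishes a new setuid file from a chmod that merely touches an existing one.

```python
"""Toy implementation of the Setuid template's detection rules.

Illustrative code only (not HP-UX HIDS source).  Assumed: each audit record
carries the file's owner and mode before and after the operation, and the
pathnames_X/programs_X pairs are matched as shell globs.
"""
import fnmatch
import stat

# Default priv_uid_list from Table A-13.
PRIV_UID_LIST = {0, 1, 2, 3, 4, 5, 9, 11}


def privileged_setuid(uid, mode, priv_uids):
    """True when a file in this (owner, mode) state is a privileged setuid file."""
    return uid in priv_uids and bool(mode & stat.S_ISUID)


def filtered(event, pairs):
    """A (pathnames_X, programs_X) pair suppresses the alert when both the path
    and the program that performed the operation match (glob semantics assumed)."""
    return any(fnmatch.fnmatch(event["path"], path_pat)
               and fnmatch.fnmatch(event["program"], prog_pat)
               for path_pat, prog_pat in pairs)


def check_event(event, priv_uids=PRIV_UID_LIST, pairs=()):
    """Return a 'Setuid File Created' alert dict, or None.

    Covers the three monitored operations: chmod enabling the setuid bit on a
    privileged user's file, chown of a setuid file to a privileged user, and
    creation of a file that is already setuid and privileged-owned."""
    if event["op"] not in ("chmod", "chown", "create"):
        return None
    after = privileged_setuid(event["uid_after"], event["mode_after"], priv_uids)
    # A newly created file has no prior state.
    before = False if event["op"] == "create" else privileged_setuid(
        event["uid_before"], event["mode_before"], priv_uids)
    if not after or before:          # no transition into the dangerous state
        return None
    if filtered(event, pairs):       # known program touching a known path
        return None
    return {"alert": "Setuid File Created", "path": event["path"],
            "program": event["program"], "actor_uid": event["actor_uid"],
            "owner": event["uid_after"], "mode": oct(event["mode_after"])}


# Constructed sample events (not real HIDS audit records).
SAMPLE_EVENTS = [
    # 1: setuid bit flipped on a root-owned copy of the shell -> alert
    {"op": "chmod", "path": "/tmp/.x/sh", "program": "/usr/bin/chmod", "actor_uid": 0,
     "uid_before": 0, "mode_before": 0o100755, "uid_after": 0, "mode_after": 0o104755},
    # 2: an ordinary user's setuid file chowned to root -> alert
    {"op": "chown", "path": "/home/guest/tool", "program": "/usr/bin/chown", "actor_uid": 0,
     "uid_before": 1001, "mode_before": 0o104755, "uid_after": 0, "mode_after": 0o104755},
    # 3: a file created already setuid root -> alert
    {"op": "create", "path": "/var/tmp/backdoor", "program": "/usr/bin/cp", "actor_uid": 0,
     "uid_before": None, "mode_before": None, "uid_after": 0, "mode_after": 0o104755},
    # 4: setuid bit on an unprivileged user's own file -> not reported
    {"op": "chmod", "path": "/home/guest/game", "program": "/usr/bin/chmod", "actor_uid": 1001,
     "uid_before": 1001, "mode_before": 0o100755, "uid_after": 1001, "mode_after": 0o104755},
    # 5: chmod on a file that was already setuid root -> no transition, no alert
    {"op": "chmod", "path": "/usr/bin/passwd", "program": "/usr/bin/chmod", "actor_uid": 0,
     "uid_before": 0, "mode_before": 0o104555, "uid_after": 0, "mode_after": 0o104755},
    # 6: installer laying down a setuid root binary, covered by a filter pair -> suppressed
    {"op": "create", "path": "/opt/pkg/bin/helper", "program": "/usr/sbin/swinstall",
     "actor_uid": 0, "uid_before": None, "mode_before": None,
     "uid_after": 0, "mode_after": 0o104755},
]

# Assumed pathnames_X/programs_X pair: the software installer may create setuid files under /opt/pkg/bin.
FILTER_PAIRS = [("/opt/pkg/bin/*", "/usr/sbin/swinstall")]


def run(events=SAMPLE_EVENTS, priv_uids=PRIV_UID_LIST, pairs=FILTER_PAIRS):
    """Run the detector over a list of events and return the alerts raised."""
    return [a for a in (check_event(e, priv_uids, pairs) for e in events) if a]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Running the block reports events 1 to 3 and stays silent on 4 to 6. Dropping a UID from priv_uids (for instance passing an empty set) silences the detector for files owned by that UID, which is the effect the priv_uid_list description warns about; removing the filter pair makes event 6 alert like any other privileged setuid creation.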
Alerts generated by this template
• “Setuid File Created” on page 156
Table A-13 Template Properties

Name           Type   Default Value
priv_uid_list  III    0 | 1 | 2 | 3 | 4 | 5 | 9 | 11
pathnames_X    II     <empty>
programs_X     II     <empty>