Host Intrusion Detection System Administrator's Guide Release 3.0

ManualsBrandsHP ManualsSoftwareHP-UX Host Intrusion Detection System Software

171

172

173

174

175

176

177

178

179

180

Templates and Alerts

Modiﬁcation of Another User’s File Template

Appendix A

163

Modiﬁcation of Another User’s File Template

The vulnerability

addressed by this

template

In many environments, users are expected to be working with their own ﬁles. An

attacker attempting to compromise the security of a system might cause a system

program to modify various ﬁles owned by other system users. Because many daemons

run as a particular user, this template may generate an alert when a compromised

daemon causes such an attack.

How this template

addresses the

vulnerability

The template, also known as the Not Owned (NO) template, monitors ﬁles that are

deleted, renamed, modiﬁed or are open to be modiﬁed by users that do not own the ﬁles,

where a ﬁle can be a regular ﬁle, a directory, a symbolic link or a special ﬁle. Speciﬁcally,

the template monitors the following modiﬁcations or potential modiﬁcations of

"non-owned" ﬁles.

• Monitors for successful attempts to open a regular or special ﬁle to write or append,

or to truncate the ﬁle by users who do not own the ﬁle even though the ﬁle’s group

permissions speciﬁes write permission. Also monitors for successful attempts to

delete or rename regular ﬁles, directories, symbolic links, or special ﬁles.

• Monitors for changes in ownership or ﬁle permissions of ﬁles by users who do not

own the ﬁle.

This template does not determine that a ﬁle’s contents were changed, only that a change

might have been made (i.e., it does not watch the content of the ﬁles, only that a ﬁle was

opened with write permission). Instead of monitoring write(2) calls that modify ﬁles,

successful opens to write to or truncate the ﬁle by non-owners are monitored to provide

early detection of processes that might modify ﬁles.

How this template

is conﬁgured

This template supports the following properties:

Table A-17 Template Properties

Name Type Default Value

pathnames_to_not_watch I ^/dev/null$ | ^/etc/rc˙log$ | ^/dev/tty$ |

^/var/opt/OV/tmp/OpC/ | ^/var/spool/

sockets/pwgr/ | ^/dev/pts/

uids_to_ignore III <empty>

uid_pairs_to_ignore IV 0,1 | 0,2 | 0,3 | 0,4

pathnames_1 II ^/var/adm/wtmp$ & ^/dev/tty$ |

^/var/adm/sulog$ & ^/dev/log$ & ^/dev/tty$

programs_1 II ^/usr/lbin/rlogind$ & ^/usr/bin/login$ &

^/usr/lbin/telnetd$ & ^/usr/lbin/ftpd$ &

^/usr/bin/tset$ | ^/usr/bin/su$

pathnames_X II <empty>

programs_X II <empty>