Host Intrusion Detection System Administrator's Guide Release 3.1
Appendix A: Templates and Alerts
Changes to Log File Template
The vulnerability addressed by this template
Certain HP-UX system files are used to store logs of system activity, such as login
attempts, commands executed, and miscellaneous system log messages. The files that
store this information should only be appended to, never overwritten. Attackers often
modify or delete these files to remove evidence of their intrusion.
How this template addresses the vulnerability
The template, also known as the Append Only (AO) template, monitors a user-defined
list of files for attempts to modify them in any way other than appending to them.
Specifically, the template monitors a user-specified set of regular files for successful
attempts to open a file with write or truncate permission, to delete the file, to rename the
file, or to truncate the file.
This template does not monitor changes in file ownership or permissions. It also
does not monitor the creation of a new file. Finally, it does not determine that a
file's contents were actually changed, only that a change might have been made (it does
not watch the content of the files, only whether a file was opened with a permission
other than append). Rather than monitoring the write(2) calls that actually modify a
file, the template reports successful opens of the file for writing, which gives early
detection of processes that might modify critical files by some means other than
appending.
How this template is configured
Table A-11 lists the configurable properties that this template supports.
Properties
A brief description of each configurable property is given below:
• Property: pathnames_to_watch
Pathnames of files to be monitored for modification other than appending.
• Property: pathnames_to_not_watch
Pathnames of files that can be safely ignored for modification, regardless of which
program modifies them.
• Properties: pathnames_X, programs_X
Use
Table A-11 Template Properties

Name                    Type  Default Value
pathnames_to_watch      I     ^/var/adm/btmp$ |
                              ^/var/adm/wtmp$ |
                              ^/var/adm/messages$ |
                              ^/var/adm/syslog/mail.log$ |
                              ^/var/adm/syslog/syslog.log$ |
                              ^/var/adm/pacct$ |
                              ^/var/adm/sulog$
pathnames_to_not_watch  I     <empty>
pathnames_X             II    <empty>
programs_X              II    <empty>
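As an added illustration, not code from the guide or from the HIDS product, the following Python models the Append Only decision rule described above (report successful non-append write or truncate opens, deletes, renames and truncations of watched files; ignore failed calls, ownership and permission changes, and not_watch paths) using the Table A-11 default watch list. The not_watch entry, the audit record layout and the symbolic flag names are assumptions made for the demo.

```python
import re

# Constructed Python model of the AO template; the watch list mirrors the
# Table A-11 defaults and the not_watch entry is an assumed exception.
PATHNAMES_TO_WATCH = [
    r"^/var/adm/btmp$", r"^/var/adm/wtmp$", r"^/var/adm/messages$",
    r"^/var/adm/syslog/mail.log$", r"^/var/adm/syslog/syslog.log$",
    r"^/var/adm/pacct$", r"^/var/adm/sulog$",
]
PATHNAMES_TO_NOT_WATCH = [r"^/var/adm/messages$"]

def is_watched(path):
    """Watched if it matches a watch pattern and no not_watch pattern."""
    if any(re.search(p, path) for p in PATHNAMES_TO_NOT_WATCH):
        return False
    return any(re.search(p, path) for p in PATHNAMES_TO_WATCH)

def ao_alert(ev):
    """Return an alert line for a constructed audit record the AO template
    would report, else None. Records carry syscall, path, pid, success, plus
    flags (open) or newpath (rename). chmod/chown fall through: out of scope."""
    if not ev["success"] or not is_watched(ev["path"]):
        return None  # only successful calls on watched files are reported
    sc, path, pid = ev["syscall"], ev["path"], ev["pid"]
    if sc == "open":
        flags = ev["flags"]
        writes = bool(flags & {"O_WRONLY", "O_RDWR"})
        # append-only writes are fine; any other write mode, or O_TRUNC, is not
        if "O_TRUNC" in flags or (writes and "O_APPEND" not in flags):
            return f"AO: pid {pid} opened {path} for non-append write ({' '.join(sorted(flags))})"
    if sc == "rename":
        return f"AO: pid {pid} renamed {path} to {ev['newpath']}"
    if sc in ("unlink", "truncate", "ftruncate"):
        return f"AO: pid {pid} called {sc} on {path}"
    return None

def scan(events):
    """Run every record through the template and collect the alerts."""
    return [a for a in map(ao_alert, events) if a]

# Constructed sample records (not real HIDS audit output).
SAMPLE_EVENTS = [
    {"syscall": "open", "path": "/var/adm/wtmp", "pid": 101, "success": True, "flags": {"O_WRONLY", "O_APPEND"}},
    {"syscall": "open", "path": "/var/adm/wtmp", "pid": 202, "success": True, "flags": {"O_WRONLY", "O_TRUNC"}},
    {"syscall": "open", "path": "/var/adm/sulog", "pid": 203, "success": False, "flags": {"O_RDWR"}},
    {"syscall": "unlink", "path": "/var/adm/syslog/syslog.log", "pid": 204, "success": True},
    {"syscall": "rename", "path": "/var/adm/btmp", "newpath": "/tmp/b", "pid": 205, "success": True},
    {"syscall": "chmod", "path": "/var/adm/pacct", "pid": 206, "success": True},
    {"syscall": "open", "path": "/var/adm/messages", "pid": 207, "success": True, "flags": {"O_RDWR"}},
]
```

Running `scan(SAMPLE_EVENTS)` yields three alerts: the truncating open of wtmp, the unlink of syslog.log and the rename of btmp; the append-only open, the failed open, the chmod and the excluded messages file produce nothing.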