Host Intrusion Detection System Administrator's Guide Release 3.1

ManualsBrandsHP ManualsSoftwareHP-UX Host Intrusion Detection System Software

171

172

173

174

175

176

177

178

179

180

Templates and Alerts

Creation and Modiﬁcation of Setuid File Template

Appendix A

158

Creation and Modiﬁcation of Setuid File Template

The vulnerability

addressed by this

template

A setuid ﬁle is one that, if executed, operates with the permissions of the owner of the

ﬁle, not of the person executing the ﬁle. One of the frequent back doors that an intruder

installs on a system is the creation of a copy of the /bin/sh program that is setuid root.

Such a ﬁle allows any command to be executed as the superuser.

How this template

addresses the

vulnerability

The setuid (SUID) template detects the creation and modiﬁcation of ﬁles with setuid

privileges owned by privileged users by monitoring for the following:

• Modifying ﬁle permissions to enable the setuid bit on a ﬁle owned by a privileged

user.

• Changing the owner of a setuid ﬁle to be owned by a privileged user.

• Creation or modiﬁcation of a ﬁle that has the setuid bit set and that is owned by a

privileged user.

By detecting the creation and modiﬁcation of a setuid ﬁle as soon as it occurs, the

template can provide a timely security report to an administrator regarding a potential

security intrusion. There are no known mechanisms in existence for the HP-UX

operating system that can provide a near real-time report of the creation or modiﬁcation

of setuid ﬁles.

How this template

is conﬁgured

Table A-13 lists the conﬁgurable properties that this template supports.

Properties A brief description about the conﬁgurable properties are listed below:

• Property: priv_uid_list

A list of system-level user IDs.

This list should contain those users who are considered to have elevated access to

the system. Removing any of these means that this template will not detect the

creation of a setuid ﬁle owned by one of those users.

• Properties: pathnames_X, programs_X

You can use these properties to ﬁlter out alerts generated when a particular program

creates, modiﬁes or enables a particular privileged setuid ﬁle. See “Type II: Path

Names/Programs Pairs” on page 132 for a detailed description of these property

pairs.

Alerts generated

by this template

See “Setuid File Created or Modiﬁed” on page 159 for more information about the alerts

generated.

Table A-13 Setuid File Template Properties

Name Type Default Value

priv_uid_list III 0 | 1 | 2 | 3 | 4 | 5 | 9 | 11

pathnames_X II <empty>

programs_X II <empty>