Host Intrusion Detection System Administrator's Guide Release 3.1
Templates and Alerts
Creation of World-Writable File Template
Appendix A
The vulnerability addressed by this template
A world-writable file is one that any user of the system can modify. In many cases, files owned by system accounts (such as root, bin, sys, and adm) control the configuration and operation of the system. Allowing regular users to modify these files exposes the system to attack. A world-writable directory containing system files allows an attacker to replace those files.
How this template addresses the vulnerability
The World-Writable (WW) template detects the creation of a world-writable file owned by a privileged user. Specifically, the template monitors for the following, where a file can be a regular file, a directory, or a special file:
• Creating a file that has the world-writable bit set and is owned by a privileged user.
• Modifying the permissions of an existing file owned by a privileged user so that the world-writable bit becomes set.
• Changing the ownership of an existing world-writable file so that it is owned by a privileged user.
• Renaming a world-writable file owned by a privileged user when its old path name is not monitored but its new path name is monitored.
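The four detection rules above, written out as an added example (this is not HIDS code): each file-system event carries the owner and mode after the operation, and the rule only fires when the path is monitored, that is, it matches a watch pattern and no not-watch pattern. The uid list, the two exclusion patterns and the two watch patterns are a constructed subset of the Table A-15 defaults; the "chown between two privileged uids is not a new exposure" condition is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed subset of the Table A-15 defaults; '\.' escapes a literal dot in the regex.
PRIV_UIDS = {0, 1, 2, 3, 4, 5, 9, 11}                    # priv_uid_list
NOT_WATCH = [r"^/dev/null$", r"^/dev/pts/"]               # pathnames_to_not_watch
WATCH = [r"^/etc/opt/resmon/", r"^/etc/group\.tmp.*$"]    # pathnames_0 / pathnames_1 (subset)
S_IWOTH = 0o002                                           # the world-writable permission bit


@dataclass
class Event:
    op: str             # "create", "chmod", "chown" or "rename"
    path: str           # pathname after the operation
    uid: int            # owner uid after the operation
    mode: int           # permission bits after the operation
    old_path: str = ""  # rename: previous pathname
    old_uid: int = -1   # chown: previous owner uid
    old_mode: int = 0   # chmod: previous permission bits


def is_watched(path: str) -> bool:
    """A path is monitored if it matches a watch pattern and no not-watch pattern."""
    if any(re.search(p, path) for p in NOT_WATCH):
        return False
    return any(re.search(p, path) for p in WATCH)


def check_event(ev: Event) -> Optional[str]:
    """Return an alert string if the event matches one of the four WW template rules."""
    ww = bool(ev.mode & S_IWOTH)
    priv = ev.uid in PRIV_UIDS
    if ev.op == "create" and is_watched(ev.path) and ww and priv:
        return f"WW: {ev.path} created world-writable, owned by uid {ev.uid}"
    # chmod: only the transition from not-world-writable to world-writable is reported
    if ev.op == "chmod" and is_watched(ev.path) and priv and ww and not (ev.old_mode & S_IWOTH):
        return f"WW: world-writable bit enabled on {ev.path} (owner uid {ev.uid})"
    # chown: assumed that a change between two privileged uids is not a new exposure
    if ev.op == "chown" and is_watched(ev.path) and ww and priv and ev.old_uid not in PRIV_UIDS:
        return f"WW: world-writable {ev.path} chowned {ev.old_uid} -> {ev.uid}"
    # rename: old path unmonitored, new path monitored
    if ev.op == "rename" and ww and priv and not is_watched(ev.old_path) and is_watched(ev.path):
        return f"WW: world-writable {ev.old_path} renamed into monitored path {ev.path}"
    return None


def scan(events: List[Event]) -> List[str]:
    """Run every event through the rules and collect the alerts in order."""
    return [a for a in (check_event(e) for e in events) if a]
```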
How this template is configured
Table A-15 lists the configurable properties that this template supports.
Table A-15 World-Writable File Template Properties
Name                    Type  Default Value
priv_uid_list           III   0 | 1 | 2 | 3 | 4 | 5 | 9 | 11
pathnames_to_not_watch  I     ^/dev/null$ | ^/dev/pts/
pathnames_0             II    ^/etc/opt/resmon/
programs_0              II    ^/usr/sbin/stm/uut/bin/tools/monitor/ & ^/etc/opt/resmon/lbin/
pathnames_1             II    ^/dev/ptmx$ |
                              ^/var/opt/dce/rpc/local/ |
                              ^/var/run/egd-pool$ |
                              ^/dev/console$ |
                              ^/var/sam/log/samagent\.log$ |
                              ^/var/vx/isis/state$ |
                              ^/var/opt/perf/ |
                              ^/var/opt/OV/log/httpd |
                              ^/var/opt/OV/ & ^/etc/opt/OV/ |
                              ^/etc/group\.tmp.*$ & ^/etc/passwd\.tmp.*$ |
                              ^/etc/group\.tmp.*$ |
                              ^/stand/\.system_tune$ & /tmp/\.kmsystune_lock$