HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

Table A-6 Race Condition Template Properties (continued)

Property       Type   Default Value
programs_1     II     ^/usr/bin/passwd$ &
                      ^/usr/sbin/useradd$ &
                      ^/usr/sbin/userdel$ &
                      ^/usr/sbin/usermod$
pathnames_X    II     <empty>
programs_X     II     <empty>

Properties
The properties of the Race Condition template are described as follows:
priv_user_list
A list of system-level user IDs or user names.
This list contains those users who have elevated
access to the system. Removing any of these users
means that an attack against one of them is not
detected by this template. Only programs that run
with an effective user ID that equals one of the
listed UIDs or corresponds to one of the listed user
names are monitored, and only the execution of
setuid scripts owned by a user listed in this
property generates an alert.
pathnames_to_not_watch
Path names of programs that can be safely ignored.
Any race condition alert for a file whose path name
is matched by a regular expression in the
pathnames_to_not_watch property is filtered
out and not reported. You can use this property
to filter alerts generated when a privileged setuid
script is executed. You must specify the full path
name of the script.
pathnames_X, programs_X
You can use these properties to filter out race
condition alerts generated when a specified
program modifies the file reference of a privileged
program for a particular file. See “Type II: Path
Names/Programs Pairs” (page 141) for a detailed
description of these property pairs.
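
The following is an added example, not part of the HP guide or the HIDS product: a small Python model of the priv_user_list and pathnames_to_not_watch filtering described above, useful for checking candidate filter patterns before deploying them. The script paths and user list are constructed, and Python re.search semantics stand in for the agent's regular-expression matching, which is an assumption.

```python
import re

def unanchored(patterns):
    """Return patterns that lack the ^...$ anchors used by the template defaults."""
    return [p for p in patterns if not (p.startswith("^") and p.endswith("$"))]

def setuid_script_alert(path, owner, priv_user_list, pathnames_to_not_watch):
    """Model the decision for one executed setuid script.

    Returns (alert_reported, reason). Assumption: a pattern filters an alert
    if it matches anywhere in the path, as re.search does.
    """
    # Only scripts owned by a user in priv_user_list generate an alert.
    if owner not in priv_user_list:
        return False, "owner not in priv_user_list"
    # Any matching pattern filters the alert out before it is reported.
    for pattern in pathnames_to_not_watch:
        if re.search(pattern, path):
            return False, "filtered by " + pattern
    return True, "alert reported"

# Constructed sample configuration and paths (hypothetical, not product defaults).
PRIV_USERS = {"root", "bin"}
LOOSE = ["/opt/admin/rotate.sh"]          # no anchors, '.' matches any character
STRICT = [r"^/opt/admin/rotate\.sh$"]     # full path name, anchored
INTENDED = "/opt/admin/rotate.sh"
OTHER = "/tmp/opt/admin/rotate.sh.bak"    # a different script that should still alert

if __name__ == "__main__":
    for name, patterns in (("loose", LOOSE), ("strict", STRICT)):
        print(name, "unanchored patterns:", unanchored(patterns))
        for path in (INTENDED, OTHER):
            print("  ", path, setuid_script_alert(path, "root", PRIV_USERS, patterns))
```

Under the stated assumption, the unanchored pattern also suppresses the alert for the second path, while the anchored full path name filters only the intended script.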
Alerts generated by this template
The following alerts are generated by the Race Condition template:
“File Reference Modification” (page 154)
“Privileged setuid Script Executed” (page 155)