HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

NOTE: See Table B-1 (page 194) and Table B-3 (page 197) in Appendix B for the
definition of additional arguments that can be used to access specific alert information
(for example, pid and ppid) without parsing the string alert fields.
Limitations
The Race Condition template can be CPU intensive because it monitors all file references
on the system.
Modification of files/directories Template
The vulnerability addressed by this template
Many of the files on an HP-UX system must not be modified during normal operation.
This includes the system-supplied binaries and libraries, and the kernel. Additionally,
software packages are not usually installed or modified during normal system operation.
However, when attackers break into a system, they frequently create back doors to let
themselves in again later. They can also use a "root kit" to modify the system binaries
so that they do not report the changes they made.
A system with critical files modified is vulnerable to further attacks. Attackers often
modify system files to plant back doors. For example, if the /etc/passwd file is
modified to set the root password as empty, an attacker can then log in as superuser
(root) and compromise the system or use it to launch attacks against other systems on
the network. Modification or corruption of security-critical files can also lead to
denial-of-service attacks.
How this template addresses the vulnerability
This template, also known as the Read Only template, monitors files that are not usually
modified. It can monitor regular files, directories, symbolic links, and special files (block
files, character files, named pipes). The template monitors the following modifications
or potential modifications to specified files:
Successful attempts to open a file to write or append, to delete the file, to create the file, to rename the file, or to truncate the file.
Successful attempts to add or delete files in the directory, to delete the directory, to create the directory, or to rename the directory.
Changes to file ownership and file permissions.
This template does not determine whether a file's contents were actually changed, only
that a change might have been made: it watches for a file being opened with write
permission, not for the content of the file. Instead of monitoring the write(2) calls that
modify files, it monitors successful opens to write to or truncate the file. This provides
early detection of processes that can modify critical files.
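As an added illustration (not code from the HP-UX HIDS product or from this guide), the following Python model applies the rules above to constructed audit records: a successful open(2) carrying a write, append or truncate flag on a watched file is reported at the open, entry changes inside a watched directory are reported, and read-only opens and failed attempts are ignored. The watch list, the record layout and the alert strings are assumptions made for the example.

```python
import os
from dataclasses import dataclass
# Any of these open(2) flags lets the caller change the file, so the successful
# open itself is reported; the template does not wait for a later write(2).
WRITE_FLAGS = os.O_WRONLY | os.O_RDWR | os.O_APPEND | os.O_TRUNC
# Calls that add or remove an entry of a directory (reported for watched directories).
ENTRY_OPS = {"creat", "mkdir", "unlink", "rmdir", "rename"}

@dataclass
class Event:                 # one constructed audit record (assumed layout)
    syscall: str             # open, creat, unlink, truncate, rename, chmod, chown, mkdir, rmdir
    path: str
    ret: int                 # return value; negative means the call failed
    flags: int = 0           # open(2) flags
    path2: str = ""          # new name for rename

def parent(path):
    return os.path.dirname(path.rstrip("/")) or "/"

def classify(ev, watched):
    """Return an alert string if ev is a change the template reports, else None."""
    if ev.ret < 0:
        return None                       # failed attempts are not reported
    hit = ev.path in watched              # the path itself is on the watch list
    entry = parent(ev.path) in watched    # the path is an entry of a watched directory
    if ev.syscall == "open":
        if hit and ev.flags & WRITE_FLAGS:
            return f"open for write: {ev.path}"
        if entry and ev.flags & os.O_CREAT:
            return f"file created in {parent(ev.path)}: {ev.path}"
        return None
    if ev.syscall == "rename":            # either name may be watched or inside a watched dir
        hit = hit or ev.path2 in watched or parent(ev.path2) in watched
    if hit or (entry and ev.syscall in ENTRY_OPS):
        return f"{ev.syscall}: {ev.path}" + (f" -> {ev.path2}" if ev.path2 else "")
    return None

def scan(events, watched):
    return [a for a in (classify(e, watched) for e in events) if a]

WATCHED = {"/etc/passwd", "/stand/vmunix", "/usr/bin"}       # constructed watch list
SAMPLE = [                                                    # constructed audit records
    Event("open", "/etc/passwd", 3, os.O_RDONLY),                # read only: ignored
    Event("open", "/etc/passwd", -1, os.O_WRONLY | os.O_TRUNC),  # denied: ignored
    Event("open", "/etc/passwd", 4, os.O_RDWR),                  # reported
    Event("open", "/usr/bin/ls", 5, os.O_WRONLY),                # file not listed: ignored
    Event("rename", "/usr/bin/ls", 0, 0, "/usr/bin/.ls.bak"),    # entry of watched dir: reported
    Event("chmod", "/stand/vmunix", 0),                          # reported
    Event("open", "/usr/bin/evil", 6, os.O_WRONLY | os.O_CREAT), # new entry in watched dir: reported
]
```

Note that writing to an existing, unlisted file inside a watched directory is not reported: directory monitoring covers the directory's entries, so files that must not change need to be listed themselves.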
How this template is configured
Table A-9 lists the configurable properties that this template supports.
Modification of files/directories Template 157