HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

creates a new file or truncates an existing file, both of which are conditions for
alerts.
Changes to Log File Template
The vulnerability addressed by this template
Certain HP-UX system files are used to store logs of system activities, such as login
attempts, commands executed, and miscellaneous system log messages. The files that
store this system information should only be appended to, not overwritten. Attackers
often modify or delete these files to remove evidence of their intrusion.
How this template addresses the vulnerability
The template, also known as the Append Only template, monitors a user-defined list
of files for attempts to modify them in any way other than appending to them.
Specifically, the template monitors a user-specified set of regular files for successful
attempts to open a file with write or truncate permission, to delete the file, to rename
the file, or to truncate the file.
This template does not monitor changes in file ownership or permissions. The template
also does not monitor the creation of a new file. Finally, this template does not
determine that a file's contents were changed, only that a change might have been
made. It does not watch the content of the files, only whether a file was opened with
permission other than append. Instead of monitoring the write(2) calls that modify files,
the template monitors successful opens for writing, which gives early detection of
processes that might modify critical files by some means other than appending.
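The decision rule described above, as an added illustration that is not code from the HIDS product: a simulated evaluator applies the Append Only template's default pathnames_to_watch list (the regular expressions from Table A-11) to a constructed stream of file-operation events and reports only the cases the template covers (non-append or truncating opens, unlink, rename, truncate on a watched file), ignoring permission changes and file creation. The Event type and the numeric open-flag values are assumptions made for the simulation.

```python
import re
from dataclasses import dataclass

# Default pathnames_to_watch from Table A-11, written as one regex alternation.
DEFAULT_WATCH = (r"^/var/adm/btmp$|^/var/adm/wtmp$|^/var/adm/messages$|"
                 r"^/var/adm/syslog/mail.log$|^/var/adm/syslog/syslog.log$|"
                 r"^/var/adm/pacct$|^/var/adm/sulog$")

# Constructed flag values for the simulated open(2) events (not HP-UX's real ones).
O_WRONLY, O_RDWR, O_APPEND, O_TRUNC = 0x1, 0x2, 0x8, 0x400

@dataclass
class Event:
    op: str            # "open", "unlink", "rename", "truncate", "chmod", "creat", ...
    path: str
    flags: int = 0     # open flags; meaningful only for op == "open"
    success: bool = True

def non_append_open(flags: int) -> bool:
    """True when an open requests write access without O_APPEND, or requests truncation."""
    writes = bool(flags & (O_WRONLY | O_RDWR))
    return (writes and not flags & O_APPEND) or bool(flags & O_TRUNC)

def evaluate(event, watch=DEFAULT_WATCH, not_watch=None):
    """Return an alert string if the event violates the Append Only template, else None."""
    if not event.success:
        return None                      # only successful attempts are reported
    if not re.search(watch, event.path):
        return None                      # not in pathnames_to_watch
    if not_watch and re.search(not_watch, event.path):
        return None                      # excluded by pathnames_to_not_watch
    if event.op == "open" and non_append_open(event.flags):
        return f"non-append open of {event.path}"
    if event.op in ("unlink", "rename", "truncate"):
        return f"{event.op} on {event.path}"
    return None                          # chmod/chown, creation, append-only opens: not covered

def scan(events, **kw):
    """Run the template over an event stream and collect the alerts it would raise."""
    return [a for a in (evaluate(e, **kw) for e in events) if a]

# Constructed sample stream: a legitimate append by the logger, then two
# operations of the kind the template exists to catch, then one it ignores.
SAMPLE = [
    Event("open", "/var/adm/syslog/syslog.log", O_WRONLY | O_APPEND),
    Event("open", "/var/adm/wtmp", O_WRONLY | O_TRUNC),
    Event("unlink", "/var/adm/btmp"),
    Event("chmod", "/var/adm/sulog"),
]
```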
How this template is configured
Table A-11 lists the configurable properties this template supports.
Table A-11 Template Properties

Name                     Type   Default Value
pathnames_to_watch       I      ^/var/adm/btmp$ | ^/var/adm/wtmp$ |
                                ^/var/adm/messages$ | ^/var/adm/syslog/mail.log$ |
                                ^/var/adm/syslog/syslog.log$ | ^/var/adm/pacct$ |
                                ^/var/adm/sulog$
pathnames_to_not_watch   I      <empty>
pathnames_X              II     <empty>
programs_X               II     <empty>
Properties
Brief descriptions of the configurable properties are listed below:
pathnames_to_watch
Path names of files to be monitored for
modification other than appending.
Changes to Log File Template 163