HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

NOTE: See Table B-1 (page 194) for the definition of additional arguments that can be
used to access specific alert information (for example, pid and ppid) without having
to parse the string alert fields above.
Limitations
The Changes to Log File template has the following limitation:
The template cannot distinguish whether a file is created or truncated when
creat(2) is invoked.
Creation and Modification of setuid/setgid File Template
The vulnerability addressed by this template
The concept of setuid and setgid files means that if the setuid or setgid
bit is set on an executable file, anybody executing that file inherits the permissions
of the user or group that owns the file.
One of the frequent back doors that an intruder installs on a system is the creation of
a copy of the /bin/sh program that is setuid root. This file enables any command
to be executed as a superuser.
How this template addresses the vulnerability
The setuid/setgid template detects the creation and modification of files with
setuid and setgid privileges by monitoring the following:
Modifying file permissions to enable the setuid and/or setgid bit on a file
owned by a privileged user or privileged group.
Changing the owner of a setuid or a setgid file to be owned by a privileged
user or privileged group.
Creating or modifying a file that has the setuid or setgid bit set, and that is
owned by a privileged user or privileged group.
By detecting the creation and modification of a setuid or setgid file as soon as it
occurs, the setuid/setgid template can provide a timely security report to an
administrator regarding a potential security intrusion. There are no known mechanisms
in existence for the HP-UX operating system that can provide a near real-time report
of the creation or modification of setuid and setgid files.
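The three monitoring rules above can be stated precisely as a comparison between two metadata states of the same path. The following Python is an added illustration written for this guide's readers; it is not HP-UX HIDS code and does not show how the product observes kernel events. It assumes that "privileged" means uid 0 or gid 0 (the template's own definition is governed by the properties in Table A-13), that only regular files are of interest (so a setgid directory does not alert), and it uses constructed file states rather than a live system. The snapshot functions let the same rules be run against a real directory tree between two scans, which is a coarse, polling approximation of what the template does in near real time.

```python
import os
import stat
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: site policy decides which identities are "privileged".
# root (uid 0) and the root group (gid 0) are used here.
PRIVILEGED_UIDS = {0}
PRIVILEGED_GIDS = {0}
SXID_BITS = stat.S_ISUID | stat.S_ISGID


@dataclass(frozen=True)
class FileState:
    """Metadata snapshot of one path (hypothetical type, not a HIDS structure)."""
    path: str
    mode: int      # full st_mode, file-type bits included
    uid: int
    gid: int
    size: int
    mtime: float


def is_privileged(s: FileState) -> bool:
    return s.uid in PRIVILEGED_UIDS or s.gid in PRIVILEGED_GIDS


def has_sxid(mode: int) -> bool:
    return bool(mode & SXID_BITS)


def classify(before: Optional[FileState], after: FileState) -> List[str]:
    """Return the reasons (possibly none) why the transition before -> after
    matches one of the template's three rules. before is None for a new file."""
    reasons: List[str] = []
    if not stat.S_ISREG(after.mode):
        return reasons  # assumption: directories and special files are ignored
    if before is None:
        # Rule 3, creation half: a privileged-owned file born with sxid bits set
        if has_sxid(after.mode) and is_privileged(after):
            reasons.append("create-privileged-sxid")
        return reasons
    # Rule 1: a chmod that newly enables setuid and/or setgid on a privileged file
    newly_set = after.mode & ~before.mode & SXID_BITS
    if newly_set and is_privileged(after):
        reasons.append("chmod-enable-sxid")
    # Rule 2: a chown/chgrp that hands an existing sxid file to a privileged owner
    owner_changed = (before.uid, before.gid) != (after.uid, after.gid)
    if (owner_changed and has_sxid(after.mode)
            and not is_privileged(before) and is_privileged(after)):
        reasons.append("chown-to-privileged")
    # Rule 3, modification half: the content of a privileged sxid file changed
    content_changed = before.size != after.size or before.mtime != after.mtime
    if (content_changed and has_sxid(before.mode) and has_sxid(after.mode)
            and is_privileged(before) and is_privileged(after)):
        reasons.append("modify-privileged-sxid")
    return reasons


def snapshot(root: str) -> Dict[str, FileState]:
    """Walk a real directory tree and record the state of every regular file."""
    states: Dict[str, FileState] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue  # file vanished between listing and stat
            states[p] = FileState(p, st.st_mode, st.st_uid, st.st_gid,
                                  st.st_size, st.st_mtime)
    return states


def diff_snapshots(old: Dict[str, FileState],
                   new: Dict[str, FileState]) -> Dict[str, List[str]]:
    """Apply classify() to every path present in the newer snapshot."""
    return {p: r for p, a in new.items() if (r := classify(old.get(p), a))}


def demo_events() -> Dict[str, List[str]]:
    """Constructed transitions covering each rule plus two benign cases."""
    REG = stat.S_IFREG
    return {
        # the classic back door: a root-owned setuid copy of /bin/sh appears
        "create": classify(None, FileState("/tmp/.x/sh", REG | 0o4755, 0, 0, 3000, 1.0)),
        "chmod": classify(FileState("/opt/t/bin/tool", REG | 0o755, 0, 0, 10, 1.0),
                          FileState("/opt/t/bin/tool", REG | 0o4755, 0, 0, 10, 1.0)),
        "chown": classify(FileState("/home/u/x", REG | 0o4755, 1001, 100, 10, 1.0),
                          FileState("/home/u/x", REG | 0o4755, 0, 0, 10, 1.0)),
        "modify": classify(FileState("/usr/bin/passwd", REG | 0o4555, 0, 0, 100, 1.0),
                           FileState("/usr/bin/passwd", REG | 0o4555, 0, 0, 200, 2.0)),
        # benign: an unprivileged user sets setuid on a file they own
        "user_chmod": classify(FileState("/home/u/y", REG | 0o755, 1001, 100, 10, 1.0),
                               FileState("/home/u/y", REG | 0o4755, 1001, 100, 10, 1.0)),
        # benign: a setgid project directory owned by the root group
        "setgid_dir": classify(None, FileState("/srv/proj", stat.S_IFDIR | 0o2775, 0, 0, 4096, 1.0)),
    }


if __name__ == "__main__":
    for name, reasons in demo_events().items():
        print(f"{name:11s} -> {reasons or 'no alert'}")
```

The benign cases are the ones worth keeping in mind when tuning: a non-privileged user flipping the setuid bit on a file they own gives nobody elevated rights, and setgid on a directory only controls group inheritance of new entries, so neither should page an administrator.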
How this template is configured
Table A-13 lists the configurable properties the setuid/setgid template supports.
166 Templates and Alerts