HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
NOTE: See Table B-1 (page 194) for the definition of additional arguments that can be
used to access specific alert information (for example, pid and ppid) without parsing
the string alert fields.
Limitations
The setuid/setgid file template has the following limitations:
• The template cannot always distinguish between the creation of a setuid (or setgid)
file and the opening of an existing setuid (or setgid) file for modification with the
create flag. The template can generate an alert that a setuid (or setgid) file was
created rather than an alert that a setuid (or setgid) file was opened for
modification. The template can also generate a false alert that a setuid (or setgid)
file was created when the file already existed and was opened with the create flag
rather than for modification.
• The template cannot always distinguish between the creation of a setuid (or setgid)
file and the truncation of an existing setuid (or setgid) file. The template can
generate an alert that a setuid (or setgid) file was created instead of an alert that
a setuid (or setgid) file was truncated.
Creation of World-Writable File Template
The vulnerability addressed by this template
Any user on a system can modify a world-writable file. Many of the files owned by the
system users (such as root, bin, sys, adm) are used to control the configuration and
operation of the system. Allowing regular users to modify these files exposes the system
to attacks. A world-writable directory containing system files enables an attacker to
replace these files.
How this template addresses the vulnerability
The World-Writable template detects the creation of a world-writable file owned by a
privileged user. Specifically, the template monitors for the following actions, where a
file can be a regular file, a directory, or a special file:
• Creating a file that has the world-writable bit set and that is owned by a privileged user.
• Modifying the permissions of an existing file owned by a privileged user so that the
world-writable bit is enabled.
• Changing the ownership of an existing world-writable file so that it is owned by a
privileged user.
• Renaming a world-writable file owned by a privileged user when its old path name is
not monitored but its new path name is monitored.
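The four conditions above, modelled as detection logic in Python and run over constructed file-system events. This is an added example and not code from the guide or from HP-UX HIDS; the event record layout, the monitored path prefixes and the function names are assumptions, while the privileged owners are the users the guide names.

```python
import stat
from dataclasses import dataclass
from typing import Optional

PRIVILEGED_USERS = {"root", "bin", "sys", "adm"}  # owners named in the guide
MONITORED_PREFIXES = ("/etc/", "/usr/sbin/")       # constructed monitored paths


@dataclass  # constructed audit-record layout, not the HIDS alert format
class FsEvent:
    op: str                          # "create", "chmod", "chown" or "rename"
    path: str                        # path after the operation
    owner: str                       # owner after the operation
    mode: int                        # mode bits after the operation (type bits allowed)
    old_path: Optional[str] = None   # rename only: path before the operation
    old_mode: Optional[int] = None   # chmod only: mode before the operation


def monitored(path: Optional[str]) -> bool:
    return path is not None and path.startswith(MONITORED_PREFIXES)


def world_writable(mode: Optional[int]) -> bool:
    return mode is not None and bool(mode & stat.S_IWOTH)


def world_writable_alert(ev: FsEvent) -> Optional[str]:
    """Return the alert reason for one event, or None if the template stays silent."""
    privileged = ev.owner in PRIVILEGED_USERS
    if ev.op == "create" and monitored(ev.path) and privileged and world_writable(ev.mode):
        return "world-writable file created with a privileged owner"
    if (ev.op == "chmod" and monitored(ev.path) and privileged
            and not world_writable(ev.old_mode) and world_writable(ev.mode)):
        return "world-writable bit enabled on a privileged owner's file"
    if ev.op == "chown" and monitored(ev.path) and privileged and world_writable(ev.mode):
        return "world-writable file now owned by a privileged user"
    if (ev.op == "rename" and privileged and world_writable(ev.mode)
            and not monitored(ev.old_path) and monitored(ev.path)):
        return "world-writable file renamed into a monitored path"
    return None


def scan(events):
    # Returns (path, reason) for every event that the template would alert on.
    return [(ev.path, r) for ev in events if (r := world_writable_alert(ev))]


# Constructed sample events: the first four alert, the last two do not.
SAMPLE_EVENTS = [
    FsEvent("create", "/etc/motd.new", "root", 0o666),
    FsEvent("chmod", "/etc/passwd", "root", 0o646, old_mode=0o644),
    FsEvent("chown", "/etc/hosts.tmp", "bin", 0o666),
    FsEvent("rename", "/etc/rc.d", "root", stat.S_IFDIR | 0o777, old_path="/tmp/rc.d"),
    FsEvent("create", "/etc/guest.log", "guest", 0o666),             # unprivileged owner
    FsEvent("chmod", "/etc/shadow", "root", 0o640, old_mode=0o600),  # world bit stays off
]
```

The directory case in the sample shows that the check works on the permission bits alone, so regular files, directories and special files are treated alike, as the guide states.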
How this template is configured
Table A-15 lists the configurable properties that the World-Writable template supports.
170 Templates and Alerts