HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

Modification of Another User’s File Template
The vulnerability addressed by this template
In many environments, users are expected to work only with their own files. An attacker
attempting to compromise a system can cause a system program to modify files owned by
other system users. Because many daemons run as a specific user, the Modification of
Another User's File template can generate an alert when a compromised daemon causes
this type of attack.
How this template addresses the vulnerability
The template, also known as the Not Owned template, monitors files that are deleted,
renamed, modified, or opened for modification by users who do not own them. A file can
be a regular file, a directory, a symbolic link, or a special file. Specifically, the
template monitors the following modifications or potential modifications of files not
owned by the acting user:
- Successful attempts by a user who does not own the file to open a regular or special
  file for writing, appending, or truncation, even when the file's group permissions
  grant write access.
- Successful attempts by a user who does not own the file to delete or rename a regular
  file, directory, symbolic link, or special file.
- Changes to the ownership or permissions of a file by a user who does not own it.
This template does not determine that a file's contents were actually changed, only that
a change might have been made: it does not watch the content of files, only whether a
file was opened with write permission. Instead of monitoring the write(2) calls that
modify files, the template monitors successful opens for writing or truncation by
non-owners, which gives earlier detection of processes that might modify files.
How this template is configured
Table A-17 lists the configurable properties the Modification of Another User's File
template supports.
Table A-17 Modification of Another User's File Template Properties

Property: pathnames_to_not_watch
Type: I
Default value: ^/etc/rc\.log$ | ^/dev/tty$ | ^/var/opt/OV/tmp/OpC/ | ^/var/spool/sockets/pwgr/ | ^/dev/

Property: users_to_ignore
Type: III
Default value: <empty>

Property: user_pairs_to_ignore
Type: IV
Default value: 0,1 | 0,2 | 0,3 | 0,4

Property: pathnames_1
Type: II
Default value: ^/var/adm/wtmp$ & ^/dev/tty$ | ^/var/adm/sulog$ & ^/dev/log$ & ^/dev/tty$

Property: programs_1
Type: II
Default value: ^/usr/lbin/rlogind$ & ^/usr/bin/login$ & ^/usr/lbin/telnetd$ & ^/usr/lbin/ftpd$ & ^/usr/bin/tset$ | ^/usr/bin/su$
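As an added example (not code from the guide or from HP-UX HIDS), the following Python script applies the Table A-17 defaults to constructed audit records in the way the template text describes, so an administrator can see which records would and would not raise an alert. It assumes that '|' separates list entries, '&' separates alternative patterns within one entry, entry i of programs_1 pairs with entry i of pathnames_1 as an exception, and user_pairs_to_ignore holds acting-uid,owner-uid pairs; the record fields and should_alert() are hypothetical.

```python
import re

# Default values copied from Table A-17. The parsing rules applied to them
# ('|' = list separator, '&' = alternatives inside one entry, programs_1[i]
# pairs with pathnames_1[i]) are an assumption, not the product's documented grammar.
PATHNAMES_TO_NOT_WATCH = r"^/etc/rc\.log$ | ^/dev/tty$ | ^/var/opt/OV/tmp/OpC/ | ^/var/spool/sockets/pwgr/ | ^/dev/"
USER_PAIRS_TO_IGNORE = "0,1 | 0,2 | 0,3 | 0,4"
PATHNAMES_1 = r"^/var/adm/wtmp$ & ^/dev/tty$ | ^/var/adm/sulog$ & ^/dev/log$ & ^/dev/tty$"
PROGRAMS_1 = r"^/usr/lbin/rlogind$ & ^/usr/bin/login$ & ^/usr/lbin/telnetd$ & ^/usr/lbin/ftpd$ & ^/usr/bin/tset$ | ^/usr/bin/su$"

# Operations the template text says are watched (opens for write/append/truncate,
# delete, rename, ownership and permission changes). Reads are never alerted on.
WATCHED_OPS = {"open_write", "open_append", "truncate", "delete", "rename", "chown", "chmod"}

def parse_list(value):
    """Type I value: '|'-separated regex patterns."""
    return [re.compile(p.strip()) for p in value.split("|")]

def parse_groups(value):
    """Type II value: '|'-separated entries, each a '&'-separated set of patterns."""
    return [[re.compile(p.strip()) for p in grp.split("&")] for grp in value.split("|")]

def parse_pairs(value):
    """Type IV value: '|'-separated 'uid,owner_uid' pairs (assumed meaning)."""
    return {tuple(int(x) for x in pair.split(",")) for pair in value.split("|")}

NOT_WATCH = parse_list(PATHNAMES_TO_NOT_WATCH)
IGNORED_PAIRS = parse_pairs(USER_PAIRS_TO_IGNORE)
EXCEPTIONS = list(zip(parse_groups(PROGRAMS_1), parse_groups(PATHNAMES_1)))

def matches_any(patterns, text):
    return any(p.search(text) for p in patterns)

def should_alert(ev):
    """ev is a constructed audit record: uid, owner, program, path, op."""
    if ev["op"] not in WATCHED_OPS or ev["uid"] == ev["owner"]:
        return False                      # not a non-owner modification
    if matches_any(NOT_WATCH, ev["path"]):
        return False                      # pathnames_to_not_watch
    if (ev["uid"], ev["owner"]) in IGNORED_PAIRS:
        return False                      # user_pairs_to_ignore
    for progs, paths in EXCEPTIONS:       # programs_1 / pathnames_1 exception pairs
        if matches_any(progs, ev["program"]) and matches_any(paths, ev["path"]):
            return False
    return True
```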
Modification of Another Users File Template 175