HP-UX Host Intrusion Detection System Version 4.2 Administration Guide
NOTE: See Table B-1 (page 161) and Table B-5 (page 163) in Appendix B for the definition of
additional arguments that can be used to access specific alert information (for example, pid and
ppid) without parsing the string alert fields.
Limitations
The Race Condition template can be CPU intensive because it monitors all file references on the
system.
Modification of files/directories Template
The vulnerability addressed by this template
Many of the files on an HP-UX system must not be modified during normal operation. This
includes the system-supplied binaries and libraries, and the kernel. Additionally, software
packages are not usually installed or modified during normal system operation. However, when
attackers break into a system, they frequently create back doors to let themselves in again later.
They can also use a "root kit" to modify the system binaries so that they do not report the changes
they made.
A system with critical files modified is vulnerable to further attacks. Attackers often modify
system files to plant back doors. For example, if the /etc/passwd file is modified to set the root
password as empty, an attacker can then log in as superuser (root) and compromise the system
or use it to launch attacks against other systems on the network. Modification or corruption of
security-critical files can also lead to denial-of-service attacks.
How this template addresses the vulnerability
This template, also known as the Read Only template, monitors files that are not usually modified.
It can monitor regular files, directories, symbolic links, and special files (block files, character
files, named pipes). The template monitors the following modifications or potential modifications
to specified files:
• Successful or failed attempts to open a file to write or append, to delete the file, to create the
file, to rename the file, or to truncate the file.
• Successful or failed attempts to add or delete files in the directory, to delete the directory,
to create the directory, or to rename the directory.
• Successful or failed attempts to change the file ownership and file permissions.
This template does not determine whether a file’s contents were changed, only that a change
might have been made. It does not watch the content of the files, only that a file was opened with
write permission. Instead of monitoring write(2) calls that modify files, it monitors successful
opens to write to or truncate the file. This provides early detection of processes that can modify
critical files.
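As an added illustration (not code from this guide or from HP-UX HIDS), the following Python classifier applies the rules listed above to constructed audit-style events, including the two cases the template deliberately stays silent on: read-only opens and write(2) itself. The Event record layout, the syscall names and the watched file/directory sets are assumptions made for the example.

```python
import os
from dataclasses import dataclass

# Constructed audit-style event record for illustration (hypothetical, not HIDS's own format).
@dataclass
class Event:
    syscall: str          # "open", "unlink", "rename", "chmod", "write", ...
    path: str             # file or directory the call targets
    success: bool = True  # the template reports failed attempts as well
    flags: int = 0        # open(2) flags
    newpath: str = ""     # destination of rename(2)

WRITE_FLAGS = os.O_WRONLY | os.O_RDWR | os.O_APPEND | os.O_TRUNC
FILE_OPS = {"creat", "unlink", "rename", "truncate"}   # create/delete/rename/truncate a file
DIR_OPS = {"mkdir", "rmdir", "rename"}                 # create/delete/rename the directory itself
ATTR_OPS = {"chown", "chmod"}                          # ownership and permission changes
def classify(ev, watched_files, watched_dirs):
    """Return an alert line if `ev` matches the Read Only template rules, else None."""
    outcome = "successful" if ev.success else "failed"
    targets = {ev.path, ev.newpath} - {""}
    if ev.syscall == "open":
        # Only opens that can modify content count; read-only opens and write(2) are not reported.
        if ev.path in watched_files and ev.flags & WRITE_FLAGS:
            return f"{outcome} open for write/append/truncate: {ev.path}"
        if ev.flags & os.O_CREAT and os.path.dirname(ev.path) in watched_dirs:
            return f"{outcome} file creation in watched directory: {ev.path}"
    if ev.syscall in ATTR_OPS and targets & (watched_files | watched_dirs):
        return f"{outcome} {ev.syscall} on {ev.path}"
    if ev.syscall in FILE_OPS and targets & watched_files:
        return f"{outcome} {ev.syscall} of watched file: {ev.path}"
    if ev.syscall in DIR_OPS and targets & watched_dirs:
        return f"{outcome} {ev.syscall} of watched directory: {ev.path}"
    # Adding or removing an entry inside a watched directory (file or subdirectory).
    if ev.syscall in FILE_OPS | DIR_OPS and any(os.path.dirname(p) in watched_dirs for p in targets):
        return f"{outcome} {ev.syscall} changes entries of watched directory: {ev.path}"
    return None
def run(events, watched_files, watched_dirs):
    return [a for a in (classify(e, watched_files, watched_dirs) for e in events) if a]
def sample_events():
    # Constructed sample: the first two must stay silent, the remaining four must alert.
    return [
        Event("open", "/etc/passwd", flags=os.O_RDONLY),              # read: silent
        Event("write", "/etc/passwd"),                                 # write(2): silent
        Event("open", "/etc/passwd", flags=os.O_WRONLY | os.O_TRUNC),  # alert
        Event("chmod", "/usr/bin/ls", success=False),                  # failed attempt: alert
        Event("open", "/usr/lib/libnew.sl", flags=os.O_WRONLY | os.O_CREAT),  # new entry: alert
        Event("rename", "/tmp/x", newpath="/usr/lib/libc.sl"),         # new entry: alert
    ]
if __name__ == "__main__":
    for line in run(sample_events(), {"/etc/passwd", "/usr/bin/ls"}, {"/usr/lib"}):
        print(line)
```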
How this template is configured
Table A-9 lists the configurable properties that this template supports.
Modification of files/directories Template 129