HP-UX Host Intrusion Detection System Version 4.2 Administration Guide
Table A-11 Failed Attempt to Modify Read-Only File Alert Properties (continued)
Alert Field | Description | Alert Value/Format | Alert Field Type | Response Program Argument
Following are the possible values:
• Failed attempt to change the owner
• Failed attempt to change the permissions of
• Failed attempt to open for modification/truncation
• Failed attempt to open for modification
• Failed attempt to rename the file
• Failed attempt to overwrite an existing file
• Failed attempt to truncate the file
• Failed attempt to create a hard link to
• Failed attempt to create a symbolic link
• Failed attempt to create the directory
• Failed attempt to create the character special
• Failed attempt to create the block special file
• Failed attempt to create the pipe (fifo) file
• Failed attempt to create the file
• Failed attempt to delete the file
• Failed attempt to delete the directory
NOTE: See Table B-1 (page 161) in Appendix B for the definition of additional arguments that
can be used to access specific alert information (for example, pid and ppid) without having to
parse the string alert fields above.
Limitations
The Modification of files/directories template has the following limitation:
• The template cannot distinguish between a new file being created and an existing file being
opened read-only when open(2) is invoked with the O_CREAT and O_RDONLY flags. Likewise,
the template cannot distinguish between a new file being created and an existing file being
truncated when creat(2) is invoked. This limitation is less of an issue for creat(2)
invocations because creat(2) either creates a new file or truncates an existing file, both of
which are conditions for alerts.
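The O_CREAT|O_RDONLY ambiguity described above, shown as an added example; this is not code from the HP-UX HIDS product or from this guide. It assumes a POSIX system with a writable /tmp, and the file paths and contents are constructed for the demonstration. Each probe records what the call did to the path, so you can see that the flag word passed to open(2) is identical whether the file was created or merely opened read-only, while creat(2) changes the content in both of its cases.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Observations taken around one open(2)/creat(2) call on a path. */
struct outcome {
    int existed_before;   /* 1 if stat(2) found the path before the call */
    long size_before;     /* st_size before the call, -1 if absent */
    long size_after;      /* st_size after the call, -1 if absent */
    int flags;            /* the flag word the kernel saw */
};

static long size_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Setup helper: put `path` into a known state. exists=1 writes an 11-byte
 * constructed file, exists=0 removes the path. Returns 0 on success. */
int prepare(const char *path, int exists)
{
    if (!exists)
        return (unlink(path) == 0 || size_of(path) < 0) ? 0 : -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    const char *data = "audit line\n";              /* constructed content */
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Run the call and record what it did to the path. */
static struct outcome probe(const char *path, int flags, int use_creat)
{
    struct outcome o;
    o.size_before = size_of(path);
    o.existed_before = o.size_before >= 0;
    o.flags = flags;
    int fd = use_creat ? creat(path, 0644) : open(path, flags, 0644);
    if (fd >= 0)
        close(fd);
    o.size_after = size_of(path);
    return o;
}

/* open(path, O_CREAT|O_RDONLY): creates the file if absent, otherwise opens
 * the existing file read-only and leaves its content alone. The flag word is
 * the same in both cases, which is why the template cannot tell a creation
 * (an alert condition) from a harmless read-only open (not one). */
struct outcome probe_open_creat_rdonly(const char *path)
{
    return probe(path, O_CREAT | O_RDONLY, 0);
}

/* creat(path, mode) is open(path, O_WRONLY|O_CREAT|O_TRUNC, mode): creates
 * the file if absent, truncates it to zero length if present. The content
 * changes either way, so the ambiguity does not matter for alerting. */
struct outcome probe_creat(const char *path)
{
    return probe(path, O_WRONLY | O_CREAT | O_TRUNC, 1);
}

/* 1 if the call created the file or changed its size (an alert condition),
 * 0 if an existing file was left untouched. */
int content_changed(struct outcome o)
{
    return !o.existed_before || o.size_after != o.size_before;
}

int main(void)
{
    const char *path = "/tmp/hids_open_demo.txt";   /* constructed path */
    struct outcome o;

    prepare(path, 1); o = probe_open_creat_rdonly(path);
    printf("O_CREAT|O_RDONLY, file exists:  flags=%#x changed=%d\n", o.flags, content_changed(o));
    prepare(path, 0); o = probe_open_creat_rdonly(path);
    printf("O_CREAT|O_RDONLY, file absent:  flags=%#x changed=%d\n", o.flags, content_changed(o));
    prepare(path, 1); o = probe_creat(path);
    printf("creat(2), file exists:          changed=%d\n", content_changed(o));
    prepare(path, 0); o = probe_creat(path);
    printf("creat(2), file absent:          changed=%d\n", content_changed(o));
    unlink(path);
    return 0;
}
```

The probe tells the two open(2) cases apart only because it calls stat(2) before the open; the template sees the call and its flags, not the prior state of the path, and even a pre-call stat is racy against a file created between the stat and the open. Treat an O_CREAT|O_RDONLY open of a monitored path as needing manual confirmation rather than as a certain modification.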
Changes to Log File Template
The vulnerability addressed by this template
Certain HP-UX system files store logs of system activity, such as login attempts,
commands executed, and miscellaneous system log messages. These files should only be
appended to, never overwritten or truncated. Attackers often modify or delete them to
remove the evidence of their intrusion.
How this template addresses the vulnerability
The template, also known as the Append Only template, monitors a user-defined list of files for
attempts to modify them in any way other than appending to them. Specifically, the template