HP-UX Host Intrusion Detection System Version 4.2 Administration Guide
NOTE: See Table B-1 (page 161) for the definition of additional arguments that can be used to
access specific alert information (for example, pid and ppid) without having to parse the string
alert fields above.
Limitations
The Changes to Log File template has the following limitation:
• The template cannot distinguish whether a file is created or truncated when creat(2) is invoked.
Creation and Modification of setuid/setgid File Template
The vulnerability addressed by this template
The setuid and setgid bits work as follows: if the setuid or setgid bit is set on a file, anybody
executing that executable (file) inherits the permissions of the individual or group that owns
the file.
One of the frequent back doors that an intruder installs on a system is the creation of a copy of
the /bin/sh program that is setuid root. This file enables any command to be executed as a
superuser.
How this template addresses the vulnerability
The setuid/setgid template detects the creation and modification of files with setuid and
setgid privileges by monitoring the following:
• Modifying file permissions to enable the setuid and/or setgid bit on a file owned by a
privileged user or privileged group.
• Changing the owner of a setuid or a setgid file to be owned by a privileged user or
privileged group.
• Creating or modifying a file that has the setuid or setgid bit set, and that is owned by a
privileged user or privileged group.
By detecting the creation and modification of a setuid or setgid file as soon as it occurs, the
setuid/setgid template can provide a timely security report to an administrator regarding a
potential security intrusion. There are no known mechanisms in existence for the HP-UX operating
system that can provide a near real-time report of the creation or modification of setuid and
setgid files.
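The three monitoring rules above can be expressed as a small classifier over file-state-change events. The following Python script is an added example written for this guide; it is not HP-UX HIDS code and does not read the HIDS audit record format. It assumes a hypothetical event dictionary (operation, path, mode and ownership before and after) and uses the numeric default values of priv_user_list and priv_group_list from Table A-15. The sample events are constructed, including the classic back door the guide mentions: a copy of /bin/sh that is then given the setuid bit.

```python
import stat
from typing import Dict, List, Optional, Tuple

# Default privileged user and group IDs from Table A-15 (numeric form only;
# assumption: the real template also accepts user and group names).
PRIV_USERS = {0, 1, 2, 3, 4, 5, 9, 11}
PRIV_GROUPS = {0, 1, 2, 3, 4, 5, 6, 10, 11}

SETID_BITS = stat.S_ISUID | stat.S_ISGID  # 0o4000 | 0o2000

Event = Dict[str, object]


def is_privileged(uid: int, gid: int) -> bool:
    """True if the file's owner or group is in the privileged lists."""
    return uid in PRIV_USERS or gid in PRIV_GROUPS


def classify(ev: Event) -> Optional[str]:
    """Return the name of the rule an event trips, or None.

    The event dict is a hypothetical stand-in for an audit record; keys:
      op                   'chmod' | 'chown' | 'create' | 'write'
      path                 file path
      old_mode / new_mode  st_mode before and after the operation
      old_uid / old_gid    ownership before the operation
      new_uid / new_gid    ownership after the operation
    """
    op = ev["op"]
    new_mode = ev["new_mode"]
    new_uid, new_gid = ev["new_uid"], ev["new_gid"]

    if op == "chmod":
        # Rule 1: a setuid/setgid bit that was clear is now set, and the file
        # belongs to a privileged user or group.
        newly_set = new_mode & SETID_BITS & ~ev["old_mode"]
        if newly_set and is_privileged(new_uid, new_gid):
            return "setid-bit-enabled"
    elif op == "chown":
        # Rule 2: a file that already carries a setuid/setgid bit is handed
        # to a privileged owner or group.
        owner_changed = (ev["old_uid"], ev["old_gid"]) != (new_uid, new_gid)
        if owner_changed and (new_mode & SETID_BITS) and is_privileged(new_uid, new_gid):
            return "setid-file-chowned-to-privileged"
    elif op in ("create", "write"):
        # Rule 3: a setuid/setgid file owned by a privileged user or group is
        # created or has its contents modified.
        if (new_mode & SETID_BITS) and is_privileged(new_uid, new_gid):
            return "privileged-setid-file-created-or-modified"
    return None


def scan(events: List[Event]) -> List[Tuple[str, str]]:
    """Run every event through classify() and collect (rule, path) alerts."""
    alerts = []
    for ev in events:
        rule = classify(ev)
        if rule:
            alerts.append((rule, ev["path"]))
    return alerts


def event(op, path, old_mode, new_mode, old_uid, old_gid, new_uid, new_gid) -> Event:
    """Build one constructed event record."""
    return {"op": op, "path": path, "old_mode": old_mode, "new_mode": new_mode,
            "old_uid": old_uid, "old_gid": old_gid, "new_uid": new_uid, "new_gid": new_gid}


# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    # A copy of /bin/sh lands in /tmp without any setid bit: no rule fires yet.
    event("create", "/tmp/.sh", 0, 0o100755, 0, 0, 0, 3),
    # The copy is given the setuid bit while owned by root: rule 1.
    event("chmod", "/tmp/.sh", 0o100755, 0o104755, 0, 3, 0, 3),
    # An unprivileged user sets setuid on their own file: outside the template's scope.
    event("chmod", "/home/alice/tool", 0o100755, 0o104755, 1001, 20, 1001, 20),
    # That setuid file is then chowned to root: rule 2.
    event("chown", "/home/alice/tool", 0o104755, 0o104755, 1001, 20, 0, 20),
    # A new setgid file owned by privileged group 11 is created: rule 3.
    event("create", "/usr/local/bin/x", 0, 0o102755, 0, 0, 0, 11),
    # Ordinary write to a plain file: nothing.
    event("write", "/home/alice/notes", 0o100644, 0o100644, 1001, 20, 1001, 20),
]

if __name__ == "__main__":
    for rule, path in scan(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {path}")
```

Note that rule 1 keys on the bits that are newly set (new_mode & ~old_mode), so re-applying a mode that already had setuid does not raise a fresh alert, while rule 3 fires on every create or write to a privileged setid file because each one can replace the executable's contents.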
How this template is configured
Table A-15 lists the configurable properties the setuid/setgid template supports.
Table A-15 Setuid File Template Properties
Name              Type   Default Value
priv_user_list    III    0 | 1 | 2 | 3 | 4 | 5 | 9 | 11
priv_group_list   III    0 | 1 | 2 | 3 | 4 | 5 | 6 | 10 | 11
pathnames_X       II     <empty>
programs_X        II     <empty>
Properties
The configurable properties are listed as follows:
priv_user_list A list of system-level user IDs or user names.
This list contains those users who have elevated access to
the system. Removing any of these users means that the
138 Templates and Alerts