HP-UX Host Intrusion Detection System Version 4.2 Administration Guide

an alert that a world-writable file is created even though the file already exists, and is opened
with the create flag set.
The template cannot always distinguish whether a world-writable file is created, or whether
an existing world-writable file is truncated. The template can generate an alert that a file is
created, instead of generating an alert that a world-writable file is truncated.
Modification of Another User’s File Template
The vulnerability addressed by this template
In many environments, users are expected to work with their own files. An attacker attempting
to compromise the security of a system can cause a system program to modify various files
owned by other system users. Because many daemons run as a specific user, the Modification
of Another User’s File template can generate an alert when a compromised daemon causes this
type of attack.
How this template addresses the vulnerability
The template, also known as the Not Owned template, monitors files that are deleted, renamed,
modified, or opened for modification by users who do not own the files. A file can be a regular
file, a directory, a symbolic link, or a special file. Specifically, the template monitors the following
modifications or potential modifications of not owned files:
Successful or failed attempts to open a regular or special file to write to, append to, or truncate
the file by users who do not own the file, even though the file’s group permissions specify
write permission.
Successful or failed attempts to delete or rename regular files, directories, symbolic links,
or special files.
Successful or failed attempts to change ownership or permissions of files by users who do
not own the file.
This template does not determine that a file’s contents were changed, only that a change might
have been made. It does not watch the content of the files, only that a file was opened with write
permission. Instead of monitoring write(2) calls that modify files, successful opens to write to
or truncate the file by non-owners are monitored to provide early detection of processes that
might modify files.
How this template is configured
Table A-19 lists the configurable properties the Modification of Another User’s File template
supports.
Table A-19 Modification of Another User’s File Template Properties
Property                Type  Default Value
pathnames_to_not_watch  I     ^/etc/rc\.log$ | ^/dev/tty$ | ^/var/opt/OV/tmp/OpC/ | ^/var/spool/sockets/pwgr/ | ^/dev/
users_to_ignore         III   <empty>
user_pairs_to_ignore    IV    0,1 | 0,2 | 0,3 | 0,4
pathnames_1             II    ^/var/adm/wtmp$ & ^/dev/tty$ | ^/var/adm/sulog$ & ^/dev/log$ & ^/dev/tty$
programs_1              II    ^/usr/lbin/rlogind$ & ^/usr/bin/login$ & ^/usr/lbin/telnetd$ & ^/usr/lbin/ftpd$ & ^/usr/bin/tset$ | ^/usr/bin/su$
pathnames_X             II    <empty>
programs_X              II    <empty>
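As an added example (not the guide's or HP-UX HIDS's own code), the evaluation logic described above, driven by the Table A-19 defaults: it parses the property lists and decides, for constructed sample events, which not-owned-file operations produce an alert. The list syntax ("|" between groups, "&" within a group, group i of programs_1 paired with group i of pathnames_1) and the "acting uid,owner uid" order in user_pairs_to_ignore are assumptions made for this example.

```python
import re
# Defaults copied from Table A-19. Assumptions made for this example: "|" separates
# groups, "&" separates members of a group, group i of programs_1 pairs with group i
# of pathnames_1, and a user pair is written "acting uid,owner uid".
DEFAULTS = {
    "pathnames_to_not_watch": r"^/etc/rc\.log$ | ^/dev/tty$ | ^/var/opt/OV/tmp/OpC/ | ^/var/spool/sockets/pwgr/ | ^/dev/",
    "user_pairs_to_ignore": "0,1 | 0,2 | 0,3 | 0,4",
    "pathnames_1": r"^/var/adm/wtmp$ & ^/dev/tty$ | ^/var/adm/sulog$ & ^/dev/log$ & ^/dev/tty$",
    "programs_1": r"^/usr/lbin/rlogind$ & ^/usr/bin/login$ & ^/usr/lbin/telnetd$ & ^/usr/lbin/ftpd$ & ^/usr/bin/tset$ | ^/usr/bin/su$",
}
WATCHED_OPS = {"open_write", "open_append", "open_truncate", "unlink", "rename", "chown", "chmod"}  # reported ops

def parse_groups(value):
    """'a & b | c' -> [[re(a), re(b)], [re(c)]]; '<empty>' -> []."""
    if value.strip() in ("", "<empty>"):
        return []
    return [[re.compile(p.strip()) for p in grp.split("&")] for grp in value.split("|")]

def load_config(props):
    return {
        "not_watch": parse_groups(props["pathnames_to_not_watch"]),
        "pairs": {tuple(int(x) for x in p.split(",")) for p in props["user_pairs_to_ignore"].split("|")},
        "exceptions": list(zip(parse_groups(props["programs_1"]), parse_groups(props["pathnames_1"]))),
    }

def any_match(patterns, s):
    return any(p.search(s) for p in patterns)

def evaluate(event, cfg):
    """Return an alert string for one file event, or None when the template ignores it."""
    uid, owner, path, prog, op = (event[k] for k in ("uid", "owner_uid", "path", "program", "op"))
    ignored = (
        op not in WATCHED_OPS or uid == owner                      # owner's own file: never reported
        or any(any_match(g, path) for g in cfg["not_watch"])       # pathnames_to_not_watch
        or (uid, owner) in cfg["pairs"]                            # user_pairs_to_ignore
        or any(any_match(pg, prog) and any_match(fg, path)         # programs_1 / pathnames_1 pairing
               for pg, fg in cfg["exceptions"])
    )
    return None if ignored else f"{op} on {path} (owner uid {owner}) by uid {uid} via {prog}"

SAMPLE_EVENTS = [  # constructed sample events, not real HIDS records
    {"op": "open_write", "path": "/home/alice/.rhosts", "uid": 30, "owner_uid": 1001, "program": "/opt/hpws/apache/bin/httpd"},
    {"op": "open_write", "path": "/var/adm/wtmp", "uid": 0, "owner_uid": 2, "program": "/usr/lbin/telnetd"},
    {"op": "open_write", "path": "/dev/tty", "uid": 1001, "owner_uid": 0, "program": "/usr/bin/vi"},
    {"op": "open_append", "path": "/var/adm/sulog", "uid": 1001, "owner_uid": 2, "program": "/usr/bin/su"},
    {"op": "open_append", "path": "/var/adm/wtmp", "uid": 1001, "owner_uid": 2, "program": "/usr/bin/su"},
]

def run(events=SAMPLE_EVENTS, props=DEFAULTS):
    cfg = load_config(props)
    return [a for a in (evaluate(e, cfg) for e in events) if a]
```

Of the five constructed events only the first and the last produce an alert: the others fall under user_pairs_to_ignore, pathnames_to_not_watch, and the su/sulog exception pair respectively.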
144 Templates and Alerts