HP-UX Host Intrusion Detection System Version 4.2 Administration Guide

ManualsBrandsHP ManualsSoftwareHP-UX Host Intrusion Detection System Software

141

142

143

144

145

146

147

148

149

150

Table A-21 Failed Attempt to Modify Non-Owned File Alert Properties

DescriptionAlert Value/FormatAlert Field

Type

Alert FieldResponse

Program

Argument

Detailed alert descriptionUser with uid <uid> <performed action

on the file> <full pathname>

(type=<type>, inode=<inode>,

device<device) when executing

<program> (type=<type>,

inode=<inode>, device=<device>),

invoked as follows: <argv[0]>

<argv[1]>..., as process with pid <pid>

and ppid <ppid> and running with

effective uid=<euid> and with effective

gid=<egid>.where <performed action

on the file> is set to one of the following:

• failed to change the owner of

• failed to change the permissions of

• failed to open for

• failed to rename the file

• failed to create the file (and

overwrite any existing file)

• failed to truncate the file

• failed the delete the file

• failed to delete the directory

StringDetailsargv[8]

The event that triggered

the alert.

Following are the possible values:

• Failed attempt to change the owner

• Failed attempt to change the

permissions of

• Failed attempt to open for

• Failed attempt to rename the file

• Failed attempt to create the file (and

overwrite any existing file)

• Failed attempt to truncate the file

• Failed attempt to delete the file

• Failed attempt to delete the directory

StringEventargv[9]

NOTE: See Table B-1 (page 161) in Appendix B for the definition of additional arguments that

can be used to access specific alert information (for example, pid and ppid) without parsing the

string alert fields.

Limitations

The Modification of Another User’s File template has no limitations.

The vulnerability addressed by this template

Certain privileged user accounts (such as adm, bin, sys) are intended to be used by system

programs only for maintenance purposes. If these user accounts are enabled, and an attacker

has compromised one of these user account passwords, the system is vulnerable to being

compromised by an attacker either logging in to the system as a privileged user or running the

su command to assume the identity of a privileged user.