HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
NOTE: See Table 41 (page 152) and Table 45 (page 154) in Appendix B for the definition of
additional arguments that can be used to access specific alert information (for example, pid and
ppid) without parsing the string alert fields.
Limitations
The Race Condition template can be CPU intensive because it monitors all file references on the
system.
Modification of files/directories Template
The vulnerability addressed by this template
Many of the files on an HP-UX system must not be modified during normal operation. This includes
the system-supplied binaries and libraries, and the kernel. Additionally, software packages are
not usually installed or modified during normal system operation. However, when attackers break
into a system, they frequently create back doors to let themselves in again later. They can also use
a "root kit" to modify the system binaries so that they do not report the changes they made.
A system with critical files modified is vulnerable to further attacks. Attackers often modify system
files to plant back doors. For example, if the /etc/passwd file is modified to set the root password
as empty, an attacker can then log in as superuser (root) and compromise the system or use it to
launch attacks against other systems on the network. Modification or corruption of security-critical
files can also lead to denial-of-service attacks.
How this template addresses the vulnerability
This template, also known as the Read Only template, monitors files that are not usually modified.
It can monitor regular files, directories, symbolic links, and special files (block files, character files,
named pipes). The template monitors the following modifications or potential modifications to
specified files:
• Successful or failed attempts to open a file to write or append, to delete the file, to create the
file, to rename the file, or to truncate the file.
• Successful or failed attempts to add or delete files in the directory, to delete the directory, to
create the directory, or to rename the directory.
• Successful or failed attempts to change the file ownership and file permissions.
This template does not determine whether a file’s contents were changed, only that a change might
have been made. It does not watch the content of the files, only that a file was opened with write
permission. Instead of monitoring write(2) calls that modify files, it monitors successful opens to
write to or truncate the file. This provides early detection of processes that can modify critical files.
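The decision rule described above, as an added illustration that is not part of the HP-UX HIDS product or this guide: a small classifier that applies the Modification of files/directories rules to constructed audit-style records. The record layout, the watched paths (/etc/passwd, /stand/vmunix, /usr/sbin) and the alert wording are all assumptions made for the example; HIDS's own alert format is documented in Appendix B. The point it shows is that the alert fires when a file is opened with write intent (or created, deleted, renamed, or has its mode or owner changed), that a later write(2) produces nothing on its own, that a read-only open is silent, and that failed attempts are reported alongside successful ones.

```python
import os
from dataclasses import dataclass
from typing import Optional

# Constructed example: the "read only" objects one template instance watches.
WATCHED_FILES = {"/etc/passwd", "/stand/vmunix"}
WATCHED_DIRS = {"/usr/sbin"}

# Any of these open(2) flags means the caller intends to modify the object.
WRITE_INTENT = os.O_WRONLY | os.O_RDWR | os.O_APPEND | os.O_TRUNC | os.O_CREAT


@dataclass
class SyscallRecord:
    """One audit-style record as constructed for this example (not a HIDS format)."""
    syscall: str                      # open, write, unlink, creat, mkdir, rmdir, rename, chmod, chown
    path: str
    success: bool = True
    flags: int = 0                    # open(2) flags; meaningful only for syscall == "open"
    new_path: Optional[str] = None    # destination for rename


def affected_watched_object(path):
    """Return the watched file or directory that `path` names, or the watched
    directory whose entries `path` would add/remove, or None."""
    if path in WATCHED_FILES or path in WATCHED_DIRS:
        return path
    parent = os.path.dirname(path)
    if parent in WATCHED_DIRS:
        return parent
    return None


def classify(rec):
    """Return an alert string if the template would report this record, else None.
    The decision is made at open/unlink/rename/chmod time, never on write(2),
    and failed attempts are reported as well as successful ones."""
    outcome = "successful" if rec.success else "failed"
    if rec.syscall == "write":
        return None                           # file contents are not monitored
    if rec.syscall == "open":
        if not (rec.flags & WRITE_INTENT):
            return None                       # read-only open: no modification possible
        if rec.path in WATCHED_FILES:
            return f"{outcome} open-for-write of {rec.path}"
        parent = os.path.dirname(rec.path)
        if (rec.flags & os.O_CREAT) and parent in WATCHED_DIRS:
            return f"{outcome} file creation in {parent}"
        return None                           # writing an unwatched file in a watched dir
    if rec.syscall in ("unlink", "creat", "mkdir", "rmdir"):
        target = affected_watched_object(rec.path)
        return f"{outcome} {rec.syscall} affecting {target}" if target else None
    if rec.syscall == "rename":
        for p in (rec.path, rec.new_path):
            target = affected_watched_object(p)
            if target:
                return f"{outcome} rename affecting {target}"
        return None
    if rec.syscall in ("chmod", "chown"):
        if rec.path in WATCHED_FILES or rec.path in WATCHED_DIRS:
            return f"{outcome} {rec.syscall} on {rec.path}"
        return None
    return None


def run(records):
    """Apply classify() to a record stream and keep only the alerts."""
    return [a for a in (classify(r) for r in records) if a]


# Constructed record stream covering each rule in the guide's bullet list.
SAMPLE = [
    SyscallRecord("open", "/etc/passwd", flags=os.O_RDONLY),                   # normal read: quiet
    SyscallRecord("open", "/etc/passwd", flags=os.O_WRONLY | os.O_TRUNC),      # reported at open time
    SyscallRecord("write", "/etc/passwd"),                                     # the write itself: quiet
    SyscallRecord("open", "/etc/passwd", success=False, flags=os.O_RDWR),      # failed attempt reported
    SyscallRecord("open", "/usr/sbin/example", flags=os.O_WRONLY | os.O_CREAT),  # new entry in watched dir
    SyscallRecord("unlink", "/usr/sbin/example"),                              # entry removed from watched dir
    SyscallRecord("rename", "/tmp/vmunix.new", new_path="/stand/vmunix"),      # watched file replaced
    SyscallRecord("chmod", "/stand/vmunix"),                                   # permission change
    SyscallRecord("open", "/tmp/scratch", flags=os.O_WRONLY | os.O_CREAT),     # unwatched path: quiet
]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```

Running the block prints six alerts for the nine constructed records: the read-only open, the bare write(2), and the unwatched /tmp file produce nothing, which is exactly the early-detection trade-off the template makes.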
How this template is configured
Table A-9 lists the configurable properties that this template supports.
Modification of files/directories Template 121