HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
NOTE: See Table 41 (page 152) for the definition of additional arguments that can be used to
access specific alert information (for example, pid and ppid) without having to parse the string
alert fields above.
Limitations
The Changes to Log File template has the following limitation:
• The template cannot distinguish whether a file is created or truncated when creat(2) is
invoked.
Creation and Modification of setuid/setgid File Template
The vulnerability addressed by this template
The concept of setuid and setgid files is that if the setuid or setgid bit is turned on for a
file, anybody executing that executable (file) inherits the permissions of the individual or group
that owns the file.
One of the frequent back doors that an intruder installs on a system is the creation of a copy of
the /bin/sh program that is setuid root. This file enables any command to be executed as a
superuser.
How this template addresses the vulnerability
The setuid/setgid template detects the creation and modification of files with setuid and
setgid privileges by monitoring the following:
• Modifying file permissions to enable the setuid and/or setgid bit on a file owned by a
privileged user or privileged group.
• Changing the owner of a setuid or a setgid file to be owned by a privileged user or
privileged group.
• Creating or modifying a file that has the setuid or setgid bit set, and that is owned by a
privileged user or privileged group.
By detecting the creation and modification of a setuid or setgid file as soon as it occurs, the
setuid/setgid template can provide a timely security report to an administrator regarding a potential
security intrusion. There are no known mechanisms in existence for the HP-UX operating system
that can provide a near real-time report of the creation or modification of setuid and setgid
files.
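The three monitoring rules above, worked through as an added example over constructed file-system events; this is not HP-UX HIDS code, and the event dictionary layout, the rule names and the helper functions are assumptions made here. The privileged UID and GID sets are the template's default priv_user_list and priv_group_list values from Table 25 below.

```python
import stat

# Default privileged UIDs/GIDs taken from the template's property table.
PRIV_USER_LIST = {0, 1, 2, 3, 4, 5, 9, 11}
PRIV_GROUP_LIST = {0, 1, 2, 3, 4, 5, 6, 10, 11}
SETID = stat.S_ISUID | stat.S_ISGID

def is_setid(mode):
    return bool(mode & SETID)

def privileged(uid, gid):
    return uid in PRIV_USER_LIST or gid in PRIV_GROUP_LIST

def check_event(ev):
    """Return the name of the matching rule, or None (assumed event layout).

    ev carries op (chmod/chown/create/write), path, and the file's resulting
    uid, gid and mode; chmod/chown events also carry the previous values.
    """
    uid, gid, mode = ev["uid"], ev["gid"], ev["mode"]
    if not (is_setid(mode) and privileged(uid, gid)):
        return None  # every rule concerns a set-id file with a privileged owner
    if ev["op"] == "chmod" and mode & SETID & ~ev["old_mode"]:
        return "setid-bit-enabled"                   # rule 1: bit newly turned on
    if ev["op"] == "chown" and not privileged(ev["old_uid"], ev["old_gid"]):
        return "setid-file-given-privileged-owner"   # rule 2: owner became privileged
    if ev["op"] in ("create", "write"):
        return "setid-file-created-or-modified"      # rule 3
    return None

def scan(events):
    return [(e["path"], r) for e in events if (r := check_event(e))]

# Constructed sample events, not real audit records.
SAMPLE_EVENTS = [
    # a user's own script gains execute permission: no set-id bit, no alert
    {"op": "chmod", "path": "/home/alice/run.sh", "uid": 1001, "gid": 20,
     "mode": 0o755, "old_mode": 0o644},
    # a root-owned copy of /bin/sh has its setuid bit turned on (rule 1)
    {"op": "chmod", "path": "/tmp/sh_copy", "uid": 0, "gid": 0,
     "mode": 0o4755, "old_mode": 0o755},
    # an existing setuid file is chowned from a normal user to root (rule 2)
    {"op": "chown", "path": "/tmp/tool", "uid": 0, "gid": 3,
     "mode": 0o4755, "old_uid": 1001, "old_gid": 20},
    # a root-owned setuid binary is rewritten in place (rule 3)
    {"op": "write", "path": "/usr/bin/passwd", "uid": 0, "gid": 3,
     "mode": 0o4555},
]
```

Running scan(SAMPLE_EVENTS) reports the last three events and stays silent on the first, which is the distinction the template draws between ordinary permission changes and set-id changes on privileged-owned files.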
How this template is configured
Table A-15 lists the configurable properties the setuid/setgid template supports.
Table 25 Setuid File Template Properties
Name             Type   Default Value
priv_user_list   III    0 | 1 | 2 | 3 | 4 | 5 | 9 | 11
priv_group_list  III    0 | 1 | 2 | 3 | 4 | 5 | 6 | 10 | 11
pathnames_X      II     <empty>
programs_X       II     <empty>
Properties
The configurable properties are listed as follows:
130 Templates and Alerts