HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)

ManualsBrandsHP ManualsSoftwareHP-UX Host Intrusion Detection System Software

131

132

133

134

135

136

137

138

139

140

Table 31 Failed Attempt to Modify Non-Owned File Alert Properties

DescriptionAlert Value/FormatAlert Field

Type

Alert FieldResponse

Program

Argument

Detailed alert descriptionUser with uid <uid> <performed action

on the file> <full pathname>

(type=<type>, inode=<inode>,

device<device) when executing

<program> (type=<type>,

inode=<inode>, device=<device>),

invoked as follows: <argv[0]>

<argv[1]>..., as process with pid <pid>

and ppid <ppid> and running with

effective uid=<euid> and with effective

gid=<egid>.where <performed action

on the file> is set to one of the following:

• failed to change the owner of

• failed to change the permissions of

• failed to open for

• failed to rename the file

• failed to create the file (and overwrite

any existing file)

• failed to truncate the file

• failed the delete the file

• failed to delete the directory

StringDetailsargv[8]

The event that triggered

the alert.

Following are the possible values:

• Failed attempt to change the owner

• Failed attempt to change the

permissions of

• Failed attempt to open for

• Failed attempt to rename the file

• Failed attempt to create the file (and

overwrite any existing file)

• Failed attempt to truncate the file

• Failed attempt to delete the file

• Failed attempt to delete the directory

StringEventargv[9]

NOTE: See Table 41 (page 152) in Appendix B for the definition of additional arguments that

can be used to access specific alert information (for example, pid and ppid) without parsing the

string alert fields.

Limitations

The Modification of Another User’s File template has no limitations.

The vulnerability addressed by this template

Certain privileged user accounts (such as adm, bin, sys) are intended to be used by system programs

only for maintenance purposes. If these user accounts are enabled, and an attacker has

compromised one of these user account passwords, the system is vulnerable to being compromised

by an attacker either logging in to the system as a privileged user or running the su command to

assume the identity of a privileged user.