HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

Table 21 Failed Attempt to Modify Read-Only File Alert Properties (continued)
Columns: Alert Field | Alert Value/Format | Description | Type | Response Program Argument
Description entries (continued):
Failed attempt to create the block special file
Failed attempt to create the pipe (fifo) file
Failed attempt to create the file
Failed attempt to delete the file
Failed attempt to delete the directory
NOTE: See Table 41 (page 150) in Appendix B for the definition of additional arguments that
can be used to access specific alert information (for example, pid and ppid) without having to
parse the string alert fields above.
Limitations
The Modification of files/directories template has the following limitation:
The template cannot distinguish between a new file being created and an existing file being
opened read-only when open(2) is invoked with the O_CREAT and O_RDONLY flags. Likewise,
the template cannot distinguish between a new file being created and an existing file being
truncated when creat(2) is invoked. This limitation is less of an issue for creat(2) invocations
because creat(2) either creates a new file or truncates an existing file, both of which are
conditions for alerts.
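The following C program is an added illustration of the limitation just described; it is not code from the HP-UX HIDS product or from this guide. It issues the same open(2) call twice with O_CREAT | O_RDONLY: the first call creates the file, the second opens the existing file read-only, and the syscall arguments are identical in both cases. The only way the program can tell the two apart is by checking whether the path existed before the call, information that is not part of the kernel record the template examines. The creat(2) helper shows why that case is less of a concern: creat(2) behaves like open(2) with O_WRONLY | O_CREAT | O_TRUNC, so it either creates or truncates, and both outcomes are alert conditions. The function names and the caller-supplied temporary path are assumptions for this example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* What actually happened on one open(2)/creat(2) call. The classification
 * relies on a pre-call existence check; the call's flags alone do not carry it. */
enum open_outcome {
    OUTCOME_ERROR = -1,
    OUTCOME_CREATED = 0,
    OUTCOME_OPENED_EXISTING = 1,
    OUTCOME_TRUNCATED_EXISTING = 2
};

/* Open 'path' with 'flags' and report whether the call created the file,
 * opened an existing one, or truncated an existing one. (Hypothetical helper.) */
enum open_outcome open_and_classify(const char *path, int flags, mode_t mode)
{
    struct stat st;
    int existed = (stat(path, &st) == 0);   /* knowledge the audit record lacks */
    int fd = open(path, flags, mode);
    if (fd < 0)
        return OUTCOME_ERROR;
    close(fd);
    if (!existed)
        return OUTCOME_CREATED;
    return (flags & O_TRUNC) ? OUTCOME_TRUNCATED_EXISTING : OUTCOME_OPENED_EXISTING;
}

/* The open(2) limitation: identical O_CREAT|O_RDONLY calls, two different results.
 * Returns 1 when the first call created and the second merely opened read-only. */
int demo_open_ambiguity(const char *path)
{
    unlink(path);                           /* start from a clean state */
    enum open_outcome first  = open_and_classify(path, O_CREAT | O_RDONLY, 0600);
    enum open_outcome second = open_and_classify(path, O_CREAT | O_RDONLY, 0600);
    unlink(path);
    return first == OUTCOME_CREATED && second == OUTCOME_OPENED_EXISTING;
}

/* The creat(2) case, expressed through its open(2) equivalent: the first call
 * creates, the second truncates, and both are alert conditions for the template.
 * Returns 1 when that is what happened. */
int demo_creat_both_alert(const char *path)
{
    const int creat_flags = O_WRONLY | O_CREAT | O_TRUNC;   /* what creat(2) does */
    unlink(path);
    enum open_outcome first  = open_and_classify(path, creat_flags, 0600);
    enum open_outcome second = open_and_classify(path, creat_flags, 0600);
    unlink(path);
    return first == OUTCOME_CREATED && second == OUTCOME_TRUNCATED_EXISTING;
}

int main(void)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/hids_demo_%ld", (long)getpid());
    printf("open(O_CREAT|O_RDONLY) ambiguous: %d\n", demo_open_ambiguity(path));
    printf("creat(2) both calls alert:        %d\n", demo_creat_both_alert(path));
    return 0;
}
```

The existence check in open_and_classify is itself racy (another process could create the file between stat(2) and open(2)), which is one more reason the template does not attempt it; O_CREAT | O_EXCL is the only way for the caller to ask the kernel for an unambiguous "create new file" outcome.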
Changes to Log File Template
The vulnerability addressed by this template
Certain HP-UX system files are used to store logs of system activities, such as login attempts,
commands executed, and miscellaneous system log messages. The files that store this system
information should only be appended to, not overwritten. Attackers often modify or delete
these files to remove evidence of their intrusion.
How this template addresses the vulnerability
The template, also known as the Append Only template, monitors a user-defined list of files for
attempts to modify them in any way other than appending to them. Specifically, the template
monitors a user-specified set of regular files for successful attempts to open a file with write or
truncate permission, to delete the file, to rename the file, or to truncate the file.
This template does not monitor changes in file ownership or permissions. The template also does
not monitor for the creation of a new file. Finally, this template does not determine that a file’s
contents were changed, only that a change might have been made. It does not watch the content
of the files, only whether a file was opened with permission other than append. Instead of monitoring
the write(2) calls that modify files, the template monitors successful opens of the file for writing,
which provides early detection of processes that might potentially modify critical files by some
means other than appending.
How this template is configured
Table A-11 lists the configurable properties this template supports.
Table 22 Template Properties
Columns: Name | Type | Default Value
Name: pathnames_to_watch
Default Value: ^/var/adm/btmp$ | ^/var/adm/wtmp$ | ^/var/adm/messages$ | ^/var/adm/syslog/mail.log$ |
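The C program below is an added example of the decision the Append Only template makes, written for this guide's description rather than taken from the HP-UX HIDS product. It combines the two pieces described above: matching a pathname against the pathnames_to_watch regular expression (using the first four default entries from Table 22, joined into one POSIX extended regex with the spaces around the alternation removed) and classifying a file operation as append-preserving or not. Opens are judged on their open(2) flags: a write without O_APPEND or any O_TRUNC alerts, a read-only or O_APPEND open does not. Unlink, rename and truncate alert; ownership and permission changes and new-file creation do not, matching the operations the text says the template does not monitor. WATCH_PATTERN, the fileop enumeration and all function names are assumptions of this example.

```c
#include <fcntl.h>
#include <regex.h>
#include <stdio.h>

/* First four default pathnames_to_watch entries from Table 22 (constructed as
 * one POSIX ERE; the real default list continues beyond these). */
static const char *WATCH_PATTERN =
    "^/var/adm/btmp$|^/var/adm/wtmp$|^/var/adm/messages$|^/var/adm/syslog/mail.log$";

/* Kinds of file operation the template might see (hypothetical enumeration). */
enum fileop { OP_OPEN, OP_UNLINK, OP_RENAME, OP_TRUNCATE, OP_CHMOD, OP_CHOWN, OP_CREATE };

/* Return 1 if 'path' matches the watch-list regex, 0 if not, -1 if the regex is invalid. */
int path_is_watched(const char *pattern, const char *path)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int rc = regexec(&re, path, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* Does an open(2) with these flags grant more than append access?
 * O_TRUNC always alerts; read-only never does; a write needs O_APPEND to pass. */
int open_flags_violate_append_only(int flags)
{
    if (flags & O_TRUNC)
        return 1;
    if ((flags & O_ACCMODE) == O_RDONLY)
        return 0;
    return (flags & O_APPEND) ? 0 : 1;
}

/* Classify an operation on an already-watched file. 'flags' is used only for OP_OPEN. */
int fileop_violates_append_only(enum fileop op, int flags)
{
    switch (op) {
    case OP_OPEN:     return open_flags_violate_append_only(flags);
    case OP_UNLINK:                          /* delete      */
    case OP_RENAME:                          /* rename      */
    case OP_TRUNCATE: return 1;              /* truncate    */
    case OP_CHMOD:                           /* not monitored by this template */
    case OP_CHOWN:
    case OP_CREATE:   return 0;
    }
    return 0;
}

/* Full decision: 1 = alert, 0 = no alert, -1 = bad watch pattern. */
int append_only_alert(const char *path, enum fileop op, int flags)
{
    int watched = path_is_watched(WATCH_PATTERN, path);
    if (watched <= 0)
        return watched;
    return fileop_violates_append_only(op, flags);
}

int main(void)
{
    /* Constructed sample operations: path, op, open flags. */
    printf("wtmp  O_WRONLY|O_APPEND  -> %d\n", append_only_alert("/var/adm/wtmp", OP_OPEN, O_WRONLY | O_APPEND));
    printf("wtmp  O_WRONLY|O_TRUNC   -> %d\n", append_only_alert("/var/adm/wtmp", OP_OPEN, O_WRONLY | O_TRUNC));
    printf("btmp  unlink             -> %d\n", append_only_alert("/var/adm/btmp", OP_UNLINK, 0));
    printf("btmp  chmod              -> %d\n", append_only_alert("/var/adm/btmp", OP_CHMOD, 0));
    printf("passwd O_WRONLY (unwatched) -> %d\n", append_only_alert("/etc/passwd", OP_OPEN, O_WRONLY));
    return 0;
}
```

Because the pattern is anchored with ^ and $ on every alternative, a rotated copy such as /var/adm/wtmp.old is not watched; when adding entries to pathnames_to_watch, keep the anchors so an attacker's choice of a similarly named path does not widen or narrow the match unexpectedly.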
124 Templates and Alerts