HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

Limitations
The Changes to Log File template has the following limitation:
The template cannot distinguish whether a file is created or truncated when creat(2) is
invoked.
Creation and Modification of setuid/setgid File Template
The vulnerability addressed by this template
When the setuid or setgid bit is turned on for an executable file, anybody executing that file
inherits the permissions of the user or group that owns the file.
One of the frequent back doors that an intruder installs on a system is the creation of a copy of
the /bin/sh program that is setuid root. This file enables any command to be executed as a
superuser.
How this template addresses the vulnerability
The setuid/setgid template detects the creation and modification of files with setuid and
setgid privileges by monitoring the following:
Modifying file permissions to enable the setuid and/or setgid bit on a file owned by a
privileged user or privileged group.
Changing the owner of a setuid or a setgid file to be owned by a privileged user or
privileged group.
Creating or modifying a file that has the setuid or setgid bit set, and that is owned by a
privileged user or privileged group.
By detecting the creation and modification of a setuid or setgid file as soon as it occurs, the
setuid/setgid template can provide a timely security report to an administrator regarding a potential
security intrusion. There are no known mechanisms in existence for the HP-UX operating system
that can provide a near real-time report of the creation or modification of setuid and setgid
files.
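The three rules above, as an added example that is not the HP-UX HIDS template code: a small Python detector that applies them to a stream of file-system events. The FileEvent shape, the event names (chmod, chown, create, write) and the sample events are constructed for illustration; the privileged user and group IDs are the default priv_user_list and priv_group_list values from the table in this section.

```python
"""Constructed example of the setuid/setgid template's three detection rules.
Not the HP-UX HIDS implementation: the event shape and sample events are
assumptions made for illustration."""
import stat
from dataclasses import dataclass
from typing import Optional

# Default priv_user_list / priv_group_list values from the template table.
PRIV_USERS = {0, 1, 2, 3, 4, 5, 9, 11}
PRIV_GROUPS = {0, 1, 2, 3, 4, 5, 6, 10, 11}

SUID_SGID = stat.S_ISUID | stat.S_ISGID


@dataclass
class FileEvent:
    """One file-system operation as an audit source might report it (hypothetical shape)."""
    op: str                           # "chmod", "chown", "create" or "write"
    path: str
    uid: int                          # owner uid after the operation
    gid: int                          # owner gid after the operation
    mode: int                         # permission bits after the operation
    prev_uid: Optional[int] = None    # chown only: owner uid before
    prev_gid: Optional[int] = None    # chown only: owner gid before
    prev_mode: Optional[int] = None   # chmod only: permission bits before


def privileged(uid, gid, users=PRIV_USERS, groups=PRIV_GROUPS):
    """True when the owner uid or gid is in the privileged lists."""
    return uid in users or gid in groups


def evaluate(ev, users=PRIV_USERS, groups=PRIV_GROUPS) -> Optional[str]:
    """Return an alert string if the event matches one of the three rules, else None."""
    has_bits = bool(ev.mode & SUID_SGID)
    priv_now = privileged(ev.uid, ev.gid, users, groups)

    if ev.op == "chmod":
        # Rule 1: a setuid/setgid bit that was not set before is now set,
        # and the file belongs to a privileged owner. An unknown previous
        # mode is treated as "no bits set", so any set bit is reported.
        before = ev.prev_mode or 0
        newly_set = (ev.mode & SUID_SGID) & ~(before & SUID_SGID)
        if newly_set and priv_now:
            return f"setuid/setgid bit enabled on {ev.path} (owner {ev.uid}:{ev.gid})"

    elif ev.op == "chown":
        # Rule 2: a file that already carries the bits is handed from a
        # non-privileged owner to a privileged user or group.
        was_priv = privileged(ev.prev_uid, ev.prev_gid, users, groups)
        if has_bits and priv_now and not was_priv:
            return f"setuid/setgid file {ev.path} now owned by privileged {ev.uid}:{ev.gid}"

    elif ev.op in ("create", "write"):
        # Rule 3: a setuid/setgid file with a privileged owner is created or modified.
        if has_bits and priv_now:
            return f"setuid/setgid file {ev.path} {ev.op}d (owner {ev.uid}:{ev.gid})"

    return None


def scan(events, users=PRIV_USERS, groups=PRIV_GROUPS):
    """Run every event through the rules and collect the alerts in order."""
    return [a for a in (evaluate(e, users, groups) for e in events) if a]


# Constructed sample events, mixing hits and benign operations.
SAMPLE_EVENTS = [
    FileEvent("create", "/tmp/.sh", 0, 3, 0o4755),                         # copy of a shell, setuid root
    FileEvent("chmod", "/home/alice/tool", 1001, 20, 0o4755, prev_mode=0o755),  # owner not privileged
    FileEvent("chmod", "/usr/local/bin/helper", 0, 0, 0o2755, prev_mode=0o755),  # root file gains setgid
    FileEvent("chmod", "/usr/bin/passwd", 0, 0, 0o4755, prev_mode=0o4755),  # bits unchanged
    FileEvent("chown", "/tmp/x", 0, 0, 0o4755, prev_uid=1001, prev_gid=20),  # setuid file given to root
    FileEvent("write", "/etc/motd", 0, 3, 0o644),                           # ordinary root file
]


def demo():
    """Alerts produced by the sample events (three of the six match)."""
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Events that change neither the bits nor the ownership class (the passwd chmod, the motd write) produce nothing, which matches the template's intent of reporting only transitions into the setuid/setgid-by-privileged-owner state rather than every touch of such a file.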
How this template is configured
Table A-15 lists the configurable properties the setuid/setgid template supports.
Table 25 Setuid File Template Properties
Name             Type  Default Value
priv_user_list   III   0 | 1 | 2 | 3 | 4 | 5 | 9 | 11
priv_group_list  III   0 | 1 | 2 | 3 | 4 | 5 | 6 | 10 | 11
pathnames_X      II    <empty>
programs_X       II    <empty>
Properties
The configurable properties are listed as follows:
priv_user_list A list of system-level user IDs or user names.
This list contains those users who have elevated access to the
system. Removing any of these users means that the
setuid/setgid template will not detect the creation of a
setuid file owned by one of those users.
priv_group_list A list of system-level group IDs or group names.
128 Templates and Alerts