HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

by other system users. Because many daemons run as a specific user, the Modification of Another
User’s File template can generate an alert when a compromised daemon causes this type of attack.
How this template addresses the vulnerability
The template, also known as the Not Owned template, monitors files that are deleted, renamed,
modified, or opened for modification by users who do not own the files. A file can be a regular
file, a directory, a symbolic link, or a special file. Specifically, the template monitors the following
modifications or potential modifications of not owned files:
Successful or failed attempts by users who do not own a regular or special file to open it for
writing, appending, or truncating, even though the file’s group permissions grant write
permission.
Successful or failed attempts to delete or rename regular files, directories, symbolic links, or
special files.
Successful or failed attempts to change the ownership or permissions of files by users who do
not own the files.
This template does not determine that a file’s contents were changed, only that a change might
have been made. It does not watch the content of the files, only whether a file was opened with
write permission. Instead of monitoring the write(2) calls that actually modify files, it monitors
successful opens for writing or truncation by non-owners, which gives earlier detection of
processes that might modify files.
How this template is configured
Table A-19 lists the configurable properties the Modification of Another User’s File template supports.
Table 29 Modification of Another User’s File Template Properties

Property                Type  Default Value
pathnames_to_not_watch  I     ^/etc/rc\.log$ | ^/dev/tty$ | ^/var/opt/OV/tmp/OpC/ | ^/var/spool/sockets/pwgr/ | ^/dev/
users_to_ignore         III   <empty>
user_pairs_to_ignore    IV    0,1 | 0,2 | 0,3 | 0,4
pathnames_1             II    ^/var/adm/wtmp$ & ^/dev/tty$ | ^/var/adm/sulog$ & ^/dev/log$ & ^/dev/tty$
programs_1              II    ^/usr/lbin/rlogind$ & ^/usr/bin/login$ & ^/usr/lbin/telnetd$ & ^/usr/lbin/ftpd$ & ^/usr/bin/tset$ | ^/usr/bin/su$
pathnames_X             II    <empty>
programs_X              II    <empty>
Properties
Configure the following properties based on the individual machine configuration and usage.
pathnames_to_not_watch Path names of files that can be safely ignored if they are
modified by non-owners.
users_to_ignore Users running with an effective uid that equals one of the listed user IDs
or corresponds to one of the listed user names can modify files they do not own without
generating an alert. It is recommended that this property be left blank unless specifically
needed.
user_pairs_to_ignore A list of user ID or user name pairs. An alert is not generated if the
effective user ID of the process modifying the file matches the first member of a pair, and the
owner of the
134 Templates and Alerts
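The following is an added illustration, not code from the guide or from HP-UX HIDS: it applies the default values of pathnames_to_not_watch, users_to_ignore and user_pairs_to_ignore from the table above to a few constructed non-owner file events and reports which property, if any, would suppress the alert. It assumes that the second member of a user_pairs_to_ignore pair names the file's owner (the guide's sentence is cut off on this page), and uses a constructed uid/name map in place of passwd lookups; pathnames_N/programs_N are not modelled.

```python
import re
from dataclasses import dataclass

# Default values copied from the template's property table above.
PATHNAMES_TO_NOT_WATCH = (r"^/etc/rc\.log$ | ^/dev/tty$ | ^/var/opt/OV/tmp/OpC/ "
                          r"| ^/var/spool/sockets/pwgr/ | ^/dev/")
USERS_TO_IGNORE = ""                      # <empty>; the guide recommends leaving it blank
USER_PAIRS_TO_IGNORE = "0,1 | 0,2 | 0,3 | 0,4"

# Constructed uid/name map standing in for passwd lookups; not from the guide.
UID_BY_NAME = {"root": 0, "daemon": 1, "bin": 2, "sys": 3, "adm": 4, "alice": 1001}


def alternatives(value):
    """Split a '|'-separated property value into its non-empty, stripped items."""
    return [item.strip() for item in value.split("|") if item.strip()]


def to_uid(token):
    """Accept a numeric user ID or a user name, as users_to_ignore allows."""
    return int(token) if token.isdigit() else UID_BY_NAME[token]


@dataclass
class FileEvent:
    """Constructed record of one file operation (not the HIDS log format)."""
    path: str
    euid: int       # effective uid of the process touching the file
    owner_uid: int  # uid that owns the file


def suppressed_by(event, not_watch=PATHNAMES_TO_NOT_WATCH,
                  users=USERS_TO_IGNORE, pairs=USER_PAIRS_TO_IGNORE):
    """Return the property that suppresses the event, 'owner' when the process
    owns the file (outside this template's scope), or None when an alert is due."""
    if event.euid == event.owner_uid:
        return "owner"
    if any(re.search(p, event.path) for p in alternatives(not_watch)):
        return "pathnames_to_not_watch"
    if event.euid in {to_uid(u) for u in alternatives(users)}:
        return "users_to_ignore"
    for pair in alternatives(pairs):
        first, second = (to_uid(x.strip()) for x in pair.split(","))
        # Assumption: the pair's second member names the file's owner; the
        # guide's sentence describing it is cut off on this page.
        if event.euid == first and event.owner_uid == second:
            return "user_pairs_to_ignore"
    return None
```

With the defaults, root writing to a bin-owned file is silenced by the 0,2 pair, while an unprivileged user opening a root-owned file for writing still alerts; adding a user to users_to_ignore silences every non-owner modification by that user, which is why the guide recommends leaving it blank.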