HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide: HP-UX 11i v1, HP-UX 11i v2 and HP-UX 11i v3 > Appendix A Templates and Alerts

Modification of files/directories Template

The vulnerability addressed by this template

Many of the files on an HP-UX system must not be modified during normal operation. This includes the system-supplied binaries and libraries and the kernel. Software packages are also not usually installed or modified during normal system operation. When attackers break into a system, however, they frequently create back doors so that they can get back in later, and they can install a rootkit that replaces system binaries so that the changes they made are not reported.

A system whose critical files have been modified is open to further attacks. Attackers often modify system files to plant back doors: for example, if the /etc/passwd file is modified to give root an empty password, an attacker can log in as the superuser (root) and compromise the system or use it to launch attacks against other systems on the network. Modification or corruption of security-critical files can also lead to denial-of-service conditions.

How this template addresses the vulnerability

This template, also known as the Read Only template, monitors files that are not usually modified. It can monitor regular files, directories, symbolic links, and special files (block special files, character special files, and named pipes). The template reports the following modifications or potential modifications to the specified files:

  • Successful attempts to open a file to write or append, to delete the file, to create the file, to rename the file, or to truncate the file.

  • Successful attempts to add or delete files in the directory, to delete the directory, to create the directory, or to rename the directory.

  • Changes to file ownership and file permissions.

This template does not determine whether a file's contents actually changed, only that a change might have been made. Rather than monitoring the write(2) calls that modify data, it monitors successful opens of a file for writing, appending, or truncation. This gives early detection of any process that is in a position to modify a critical file, at the cost that an open for writing that is never followed by a write is still reported as a potential modification.

How this template is configured

Table A-9 lists the configurable properties that this template supports.

Table A-9 File/Directories Template Properties

Name                     Type   Default Value

pathnames_to_watch       I      ^/\.rhosts$ | ^/\.shosts$ | ^/\.profile$ | ^/bin/ | ^/sbin/ | ^/usr/bin/ |
                                ^/usr/sbin/ | ^/usr/local/bin/ | ^/lib/ | ^/usr/lib/ | ^/usr/local/lib/ |
                                ^/stand/build/dlkm\.vmunix_test/ | ^/stand/vmunix$ | ^/stand/kernrel$ |
                                ^/stand/bootconf$ | ^/stand/system$ | ^/dev/dsk/ | ^/dev/rdsk/ | ^/dev/rmt/ |
                                ^/dev/rsdsi/ | ^/dev/vg[0-9]*/ | ^/dev/idds$ | ^/usr/dt/config/Xconfig$ |
                                ^/tcb/files/devassign$ | ^/etc/rc\.config\.d/ | ^/etc/opt/sec_mgmt/bastille/ |
                                ^/etc/rbac/ | ^/etc/cmpt/ | ^/etc/passwd$ | ^/etc/shadow$ | ^/etc/group$ |
                                ^/etc/hosts\.equiv$ | ^/etc/hosts\.allow$ | ^/etc/hosts\.deny$ |
                                ^/etc/inetd\.conf$ | ^/etc/auto_master$ | ^/etc/csh\.login$ |
                                ^/etc/ftpd/ftpaccess$ | ^/etc/ftpd/ftpusers$ | ^/etc/inittab$ |
                                ^/etc/opt/ipf/ipf\.conf$ | ^/etc/issue$ | ^/etc/motd$ | ^/etc/mnttab$ |
                                ^/etc/named\.conf$ | ^/etc/securetty$ | ^/etc/default/security$ |
                                ^/etc/mail/sendmail\.cf$ | ^/etc/shells$ | ^/etc/zprofile$ |
                                ^/etc/nsswitch\.conf$ | ^/etc/pam\.conf$ | ^/etc/profile$ | ^/etc/acps\.conf$ |
                                ^/etc/default/security$ | ^/etc/security\.dsc$ | ^/etc/opt/ids/ids\.cf$ | ^/opt/

pathnames_to_not_watch   I      <empty>

pathnames_0              II     <empty>

programs_0               II     <empty>

pathnames_1              II     ^/etc/mnttab$ & ^/etc/fstab$ | ^/dev/vg[0-9]*/

programs_1               II     ^/usr/bin/nfsstat$ & ^/usr/sbin/syncer$ & ^/sbin/mount$ & ^/sbin/umount$ &
                                ^/sbin/fs/.*/mount$ & ^/opt/cifsclient/bin/cifsmount$ & ^/sbin/fs/.*/umount$ &
                                ^/opt/cifsclient/bin/cifsumount$ & ^/usr/bin/df$ & ^/usr/bin/bdf$ |
                                ^/sbin/.*display$

pathnames_X              II     <empty>

programs_X               II     <empty>


Properties

The configurable properties are described briefly below. Type I properties hold a single list of path name patterns; Type II properties are used in pathnames_N/programs_N pairs.

pathnames_to_watch

Path names of files to be monitored for modification.

pathnames_to_not_watch

Path names of files whose modification can be safely ignored, regardless of which program modifies them.

pathnames_X, programs_X

Use these property pairs to filter out the alerts generated when a particular program modifies a particular file. See “Type II: Path Names/Programs Pairs” for a detailed description of these property pairs.
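The following dry-run evaluator is an added example, not HP-UX HIDS code, showing how the three kinds of property combine when the template decides whether a modification is reported. It assumes that a Type I value is a list of regular expressions separated by "|", and that in a pathnames_N/programs_N pair "|" separates groups while "&" separates the patterns within a group, with the i-th group of pathnames_N paired with the i-th group of programs_N. That reading is inferred from the shape of the Table A-9 defaults (pathnames_1 and programs_1 each have two "|"-separated groups) and is not confirmed by this page, so check it against the guide's "Type II: Path Names/Programs Pairs" section before relying on it. The configuration is a constructed subset of the defaults with one pathnames_to_not_watch entry added, the events are constructed, and Python's re module stands in for the template's regular-expression engine.

```python
"""Dry-run evaluator for the Modification of files/directories template rules.

Added example; this is not HP-UX HIDS code. Assumed syntax (labelled):
  * a Type I value is a list of regular expressions separated by '|';
  * in a Type II pathnames_N/programs_N pair, '|' separates groups and '&'
    separates the patterns inside a group; group i of pathnames_N is paired
    with group i of programs_N. Inferred from the Table A-9 defaults; the
    guide's "Type II" section is authoritative.
"""
import re
from dataclasses import dataclass


def parse_type1(value: str):
    """Type I property -> list of compiled patterns (assumed '|' separator).
    Splitting on '|' is safe for the Table A-9 defaults, none of which uses
    '|' inside a parenthesised regex group."""
    return [re.compile(p.strip()) for p in value.split("|") if p.strip()]


def parse_group(text: str):
    """One '&'-separated pattern group inside a Type II value (assumed syntax)."""
    return [re.compile(p.strip()) for p in text.split("&") if p.strip()]


def parse_type2(pathnames: str, programs: str):
    """Pair the i-th '|' group of pathnames_N with the i-th group of programs_N."""
    path_groups, prog_groups = pathnames.split("|"), programs.split("|")
    if len(path_groups) != len(prog_groups):
        raise ValueError("pathnames_N and programs_N must have the same number of '|' groups")
    return [(parse_group(p), parse_group(q)) for p, q in zip(path_groups, prog_groups)]


def matches_any(patterns, text: str) -> bool:
    return any(p.search(text) for p in patterns)


@dataclass
class TemplateConfig:
    watch: list
    not_watch: list
    pairs: list  # [(N, [(path_patterns, program_patterns), ...]), ...]


def build_config(pathnames_to_watch, pathnames_to_not_watch, pair_values):
    return TemplateConfig(
        watch=parse_type1(pathnames_to_watch),
        not_watch=parse_type1(pathnames_to_not_watch),
        pairs=[(n, parse_type2(paths, progs)) for n, (paths, progs) in enumerate(pair_values)],
    )


def should_alert(cfg: TemplateConfig, path: str, program: str):
    """Return (alert, reason) for `program` opening or changing `path`.
    Order: watched? -> globally ignored? -> excused by a pathnames_N/programs_N pair?"""
    if not matches_any(cfg.watch, path):
        return False, "not in pathnames_to_watch"
    if matches_any(cfg.not_watch, path):
        return False, "excluded by pathnames_to_not_watch"
    for n, groups in cfg.pairs:
        for g, (path_pats, prog_pats) in enumerate(groups, start=1):
            if matches_any(path_pats, path) and matches_any(prog_pats, program):
                return False, f"excluded by pathnames_{n}/programs_{n} group {g}"
    return True, "alert"


# Constructed configuration: a subset of the Table A-9 defaults, plus one
# pathnames_to_not_watch entry (the shipped default is empty) to show its effect.
CONFIG = build_config(
    "^/etc/passwd$ | ^/etc/shadow$ | ^/etc/motd$ | ^/etc/mnttab$ | ^/dev/vg[0-9]*/ "
    "| ^/stand/vmunix$ | ^/usr/bin/",
    "^/etc/motd$",
    [
        ("", ""),  # pathnames_0 / programs_0 (empty)
        ("^/etc/mnttab$ & ^/etc/fstab$ | ^/dev/vg[0-9]*/",
         "^/usr/bin/nfsstat$ & ^/usr/sbin/syncer$ & ^/sbin/mount$ & ^/sbin/umount$ "
         "& ^/sbin/fs/.*/mount$ & ^/opt/cifsclient/bin/cifsmount$ & ^/sbin/fs/.*/umount$ "
         "& ^/opt/cifsclient/bin/cifsumount$ & ^/usr/bin/df$ & ^/usr/bin/bdf$ "
         "| ^/sbin/.*display$"),
    ],
)

# Constructed events: (target path, program that opened it)
EVENTS = [
    ("/etc/passwd", "/usr/bin/vi"),
    ("/etc/mnttab", "/sbin/mount"),
    ("/etc/mnttab", "/usr/bin/vi"),
    ("/dev/vg00/lvol1", "/sbin/lvdisplay"),
    ("/dev/vg00/lvol1", "/usr/bin/dd"),
    ("/etc/motd", "/usr/bin/vi"),
    ("/tmp/scratch", "/usr/bin/vi"),
]


def evaluate(cfg=CONFIG, events=EVENTS):
    return {(path, prog): should_alert(cfg, path, prog) for path, prog in events}


if __name__ == "__main__":
    for (path, prog), (alert, why) in evaluate().items():
        print(f"{'ALERT' if alert else 'quiet'}  {prog:<22} {path:<18} {why}")
```

Run it against a customised property set before deploying it: a pair whose program pattern is too broad (a bare ^/sbin/ instead of ^/sbin/mount$, say) silently suppresses every alert for the files in its group, and the evaluator names the rule that swallowed each event.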

Alerts generated by this template

File Being Modified

Table A-10 lists the alert properties this template generates and forwards to a response program when a file is modified.

Table A-10 File Being Modified Alert Properties

Columns: Response Program Argument, Alert Field, Alert Field Type, Alert Value/Format, Description.

argv[1]
  Alert field:   Template code
  Type:          Integer
  Value/format:  2
  Description:   Unique code assigned to the template

argv[2]
  Alert field:   Version
  Type:          Integer
  Value/format:  3
  Description:   Template version

argv[3]
  Alert field:   Severity
  Type:          Integer
  Value/format:  2 if the file is truncated, potentially truncated, deleted, or renamed;
                 3 if the file's mode or ownership is modified, the file is created,
                 or the file is opened for writing or appending
  Description:   Alert severity

argv[4]
  Alert field:   UTC time
  Type:          Integer
  Value/format:  <secs>
  Description:   UTC time, in seconds since the epoch, at which the file was modified

argv[5]
  Alert field:   Attacker
  Type:          String
  Value/format:  uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>
  Description:   The user ID, group ID, process ID, and parent process ID of the process
                 that modified the file

argv[6]
  Alert field:   Target of attack
  Type:          String
  Value/format:  file=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>,
                 inode=<inode>, device=<device>
  Description:   The full path name of the file that was modified and the file's type,
                 mode, uid, gid, inode, and device number

argv[7]
  Alert field:   Summary
  Type:          String
  Value/format:  File system modification or potential modification.
  Description:   Alert summary

argv[8]
  Alert field:   Details
  Type:          String
  Value/format:  User with uid <uid> <performed action on the file> <full pathname>
                 (type=<type>, inode=<inode>, device=<device>) when executing <program>
                 (type=<type>, inode=<inode>, device=<device>), invoked as follows:
                 <argv[0]> <argv[1]> ..., as process with pid <pid> and ppid <ppid> and
                 running with effective uid=<euid> and with effective gid=<egid>.

                 where <performed action on the file> is one of the following:

                   • changed the owner of

                   • changed the permission of

                   • opened for modification/truncation

                   • renamed the file

                   • created the file (and overwrote any existing file) named

                   • truncated the file

                   • created as a hard link

                   • created as a symbolic link

                   • created the file

                   • created the character special file

                   • created the directory

                   • created the block special file

                   • created the pipe (fifo) file

                   • deleted the file

                   • deleted the directory

                   • performed system call <number> on the file

  Description:   Detailed alert description

argv[9]
  Alert field:   Event
  Type:          String
  Value/format:  One of the following:

                   • File ownership modified

                   • File permission modified

                   • File opened for modification

                   • File created

                   • File truncated

                   • File renamed

                   • File modified

                   • Hard link created

                   • Symbolic link created

                   • Directory created

                   • Special file created

                   • File deleted

                   • Directory deleted

                   • Miscellaneous event

  Description:   The event that triggered the alert


NOTE: See Table B-1 in Appendix B for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without having to parse the string alert fields above.
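As an added example (not HP-UX HIDS code), the following skeleton response program parses the nine arguments of Table A-10 into a structured record and applies a hypothetical triage policy. The CRITICAL set, the policy, the sample argv and the field values in it (the type=, inode= and device= values in particular) are constructed for illustration. The key=value splitting of argv[5] and argv[6] is naive and would be confused by a path containing ", ", which is one reason to prefer the Table B-1 arguments in production.

```python
"""Skeleton response program for the File Being Modified alert (Table A-10).

Added example; not part of HP-UX HIDS. Field positions and formats follow
Table A-10; CRITICAL, the triage policy and SAMPLE_ARGV are constructed.
"""
import sys
from dataclasses import dataclass

TEMPLATE_CODE = 2  # Table A-10, argv[1]


def parse_kv(field: str) -> dict:
    """Turn 'k=v, k=v, ...' (argv[5] and argv[6]) into a dict.
    Naive: a pathname containing ', ' would be split apart."""
    out = {}
    for item in field.split(","):
        key, sep, value = item.partition("=")
        if sep:
            out[key.strip()] = value.strip()
    return out


@dataclass
class FileAlert:
    template_code: int
    version: int
    severity: int
    utc_seconds: int
    attacker: dict   # uid, gid, pid, ppid
    target: dict     # file, type, mode, uid, gid, inode, device
    summary: str
    details: str
    event: str


def parse_alert(argv) -> FileAlert:
    if len(argv) < 10:
        raise ValueError("expected argv[1]..argv[9] as in Table A-10")
    code = int(argv[1])
    if code != TEMPLATE_CODE:
        raise ValueError(f"template code {code} is not the file/directory template (2)")
    return FileAlert(code, int(argv[2]), int(argv[3]), int(argv[4]),
                     parse_kv(argv[5]), parse_kv(argv[6]), argv[7], argv[8], argv[9])


# Hypothetical: files whose modification is always escalated.
CRITICAL = {"/etc/passwd", "/etc/shadow", "/stand/vmunix"}
DESTRUCTIVE = {"File truncated", "File deleted", "File renamed"}  # severity-2 events


def triage(alert: FileAlert) -> str:
    """Hypothetical policy: page on destructive changes to critical files,
    open a ticket for any other change to them, otherwise just log."""
    path = alert.target.get("file", "")
    if path in CRITICAL and (alert.severity == 2 or alert.event in DESTRUCTIVE):
        return "page"
    if path in CRITICAL:
        return "ticket"
    return "log"


# Constructed sample, laid out as the response program would receive it.
SAMPLE_ARGV = [
    "/opt/ids/response/file_alert.py",  # hypothetical program path
    "2",                        # argv[1] template code
    "3",                        # argv[2] version
    "2",                        # argv[3] severity (truncation)
    "1167609600",               # argv[4] UTC seconds
    "uid=0, gid=3, pid=4321, ppid=4300",
    "file=/etc/passwd, type=regular, mode=0444, uid=0, gid=3, inode=1234, device=64000",
    "File system modification or potential modification.",
    "User with uid 0 truncated the file /etc/passwd (type=regular, inode=1234, "
    "device=64000) when executing /usr/bin/cp (type=regular, inode=9876, device=64000), "
    "invoked as follows: cp /tmp/passwd /etc/passwd, as process with pid 4321 and "
    "ppid 4300 and running with effective uid=0 and with effective gid=3.",
    "File truncated",
]


def handle(argv=SAMPLE_ARGV):
    """Parse one alert and return (record, action)."""
    alert = parse_alert(argv)
    return alert, triage(alert)


if __name__ == "__main__":
    alert, action = handle(sys.argv if len(sys.argv) >= 10 else SAMPLE_ARGV)
    print(f"{action}: {alert.event} on {alert.target.get('file')} "
          f"by pid {alert.attacker.get('pid')} (uid {alert.attacker.get('uid')})")
```

Keep the template-code check: the response program is invoked with the same positional layout for alerts from other templates, and argv[5] onward means something different there.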

Limitations

The Modification of files/directories template has the following limitation:

  • The template cannot distinguish between a new file being created and an existing file being opened read-only when open(2) is invoked with the O_CREAT and O_RDONLY flags. Likewise, the template cannot distinguish between a new file being created and an existing file being truncated when creat(2) is invoked. This limitation is less of an issue for creat(2) invocations because creat(2) either creates a new file or truncates an existing file, both of which are conditions for alerts.
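The ambiguity above can be shown directly. The following added example (not HP-UX HIDS code) performs the two calls the template cannot tell apart and records the state of the path before each call, which is the only information that distinguishes "created" from "opened an existing file read-only" and from "truncated". The path and file contents are constructed and live in a temporary directory; on a live system a responder has to answer the same question from the file's prior existence or size, not from the open flags.

```python
"""Shows why open(2) with O_CREAT|O_RDONLY and creat(2) are ambiguous events.

Added example, not HP-UX HIDS code. creat(2) is equivalent to
open(path, O_CREAT|O_WRONLY|O_TRUNC, mode), so it is simulated that way.
"""
import os
import tempfile


def classify_open(path: str, flags: int) -> str:
    """Record whether `path` existed (and its size), perform the open, and
    report which of the indistinguishable cases actually happened."""
    existed = os.path.exists(path)
    size_before = os.path.getsize(path) if existed else 0
    fd = os.open(path, flags, 0o644)
    os.close(fd)
    size_after = os.path.getsize(path)
    if not existed:
        return "created"
    if size_before > 0 and size_after == 0:
        return "truncated"
    return "opened existing, unchanged"


CREAT_FLAGS = os.O_CREAT | os.O_WRONLY | os.O_TRUNC  # what creat(2) does


def demo():
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "hosts.equiv")                      # constructed path
        first = classify_open(p, os.O_CREAT | os.O_RDONLY)      # no file yet: creates
        with open(p, "w") as f:
            f.write("+ +\n")                                    # constructed content
        second = classify_open(p, os.O_CREAT | os.O_RDONLY)     # same flags, existing file
        third = classify_open(p, CREAT_FLAGS)                   # creat(2) on existing file
        return first, second, third


if __name__ == "__main__":
    print(demo())
```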
