The vulnerability addressed by this template

Certain HP-UX system files are used to store logs of system activity, such as login attempts, commands executed, and miscellaneous system log messages. The files that store this information should only be appended to, never overwritten. Attackers often modify or delete these files to remove evidence of their intrusion.

How this template addresses the vulnerability

The template, also known as the Append Only template, monitors a user-defined list of files for attempts to modify them in any way other than appending to them. Specifically, the template monitors a user-specified set of regular files for successful attempts to open a file with write or truncate permission, to delete the file, to rename the file, or to truncate the file. This template does not monitor changes in file ownership or permissions, and it does not monitor the creation of a new file. Finally, this template does not determine that a file's contents were actually changed, only that a change might have been made: it does not watch the content of the files, only whether a file was opened with permissions other than append. Instead of monitoring the write(2) calls that modify files, the template monitors successful opens for writing, which provides early detection of processes that might modify critical files by some means other than appending.

How this template is configured

Table A-11 lists the configurable properties this template supports.

Table A-11 Template Properties

| Name | Type | Default Value |
|---|---|---|
| pathnames_to_watch | I | ^/var/adm/btmp$; ^/var/adm/wtmp$; ^/var/adm/messages$; ^/var/adm/syslog/mail.log$; ^/var/adm/syslog/syslog.log$; ^/var/adm/pacct$; ^/var/adm/sulog$ |
| pathnames_to_not_watch | I | <empty> |
| pathnames_X | II | <empty> |
| programs_X | II | <empty> |
Properties

Brief descriptions of the configurable properties are listed below:

- pathnames_to_watch: Path names of files to be monitored for modification other than appending.
- pathnames_to_not_watch: Path names of files whose modification can be safely ignored, regardless of which program modifies them.
- pathnames_X, programs_X: Use these property pairs to filter out alerts generated when a particular program modifies a particular file other than by appending. See "Type II: Path Names/Programs Pairs" for a detailed description of these property pairs.
Alerts generated by this template

Append-Only File Being Modified

Table A-12 lists the alert properties this template generates and forwards to a response program when a file is modified in a way other than being appended to.

Table A-12 Append-Only File Being Modified Alert Properties

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[1] | Template code | Integer | 3 | Unique code assigned to the template |
| argv[2] | Version | Integer | 3 | Template version |
| argv[3] | Severity | Integer | 2 | Alert severity |
| argv[4] | UTC time | Integer | <secs> | UTC time, in seconds since the epoch, when the file was modified |
| argv[5] | Attacker | String | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid> | The user ID, group ID, process ID, and parent process ID of the process that modified the file |
| argv[6] | Target of attack | String | file=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>, inode=<inode>, device=<device> | The full path name of the file that was modified and the file's type, mode, uid, gid, inode, and device number |
| argv[7] | Summary | String | Append-only file modified or potentially modified | Alert summary |
| argv[8] | Details | String | User with uid <uid> <performed action on the file> <full pathname> (type=<type>, inode=<inode>, device=<device>) when executing <program> (type=<type>, inode=<inode>, device=<device>), invoked as follows: <argv[0]> <argv[1]> ..., as process with pid <pid> and ppid <ppid> and running with effective uid=<euid> and with effective gid=<egid>. | Detailed alert description |
| argv[9] | Event | String | Possible values: File opened for modification | The event that triggered the alert |

In the Details field, <performed action on the file> is set to one of the following:

- opened for modification/truncation
- performed system call <number> on the file
- created the file (and overwrote any existing file) named

NOTE: See Table B-1 for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without having to parse the string alert fields above.
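The following is an added example, not code from the HP-UX HIDS documentation or product. It models both halves of what this page describes: the monitoring rule (an open of a watched file that is not append-only, that is, write or read/write access without O_APPEND, or any O_TRUNC, is treated as a potential modification, while a plain O_APPEND write is allowed), and a response program's view of the alert, which maps the positional argv[1] through argv[9] fields of Table A-12 to named fields and splits the key=value lists carried in the Attacker and Target fields. The function names, the placeholder response-program path and the sample alert values are constructed for this example; the watch list is the template's default pathnames_to_watch from Table A-11.

```python
"""Added example; not code from the HP-UX HIDS documentation or product.

classify_open()/should_alert() apply the Append Only template's rule to
open(2) flags; parse_alert() maps a response program's argv[1..9] to the
named fields of Table A-12. Function names, SAMPLE_OPENS and SAMPLE_ARGV
are constructed for this example.
"""
import os
import re

# Default pathnames_to_watch of the template (Table A-11), as regular expressions.
DEFAULT_WATCH = [
    r"^/var/adm/btmp$", r"^/var/adm/wtmp$", r"^/var/adm/messages$",
    r"^/var/adm/syslog/mail.log$", r"^/var/adm/syslog/syslog.log$",
    r"^/var/adm/pacct$", r"^/var/adm/sulog$",
]


def is_watched(path, watch=DEFAULT_WATCH, not_watch=()):
    """True when path matches a watch pattern and no pathnames_to_not_watch pattern."""
    if any(re.search(p, path) for p in not_watch):
        return False
    return any(re.search(p, path) for p in watch)


def classify_open(flags):
    """Classify open(2) flags as 'read_only', 'append_only' or 'modification'.

    Anything that can change existing bytes is a modification: O_TRUNC (even
    together with O_APPEND, since it discards the current contents), or write
    or read/write access without O_APPEND.
    """
    if flags & os.O_TRUNC:
        return "modification"
    if (flags & os.O_ACCMODE) == os.O_RDONLY:
        return "read_only"
    if flags & os.O_APPEND:
        return "append_only"
    return "modification"


def should_alert(path, flags, watch=DEFAULT_WATCH, not_watch=()):
    """Alert only on a non-append open of a watched file."""
    return is_watched(path, watch, not_watch) and classify_open(flags) == "modification"


# Constructed open requests: (path, flags).
SAMPLE_OPENS = [
    ("/var/adm/sulog", os.O_WRONLY | os.O_APPEND),  # normal logging: allowed
    ("/var/adm/sulog", os.O_WRONLY | os.O_TRUNC),   # truncation: alert
    ("/var/adm/sulog", os.O_RDWR),                  # in-place rewrite: alert
    ("/tmp/scratch", os.O_WRONLY | os.O_TRUNC),     # not a watched file: no alert
]


def evaluate_opens(opens=SAMPLE_OPENS):
    """Return (path, classification, alert?) for each open request."""
    return [(p, classify_open(f), should_alert(p, f)) for p, f in opens]


# argv[1..9] of the response program, in the order of Table A-12.
ALERT_FIELDS = ["template_code", "version", "severity", "utc_time",
                "attacker", "target", "summary", "details", "event"]


def _split_kv(field):
    """Split 'uid=0, gid=3, pid=4242' into a dict; a pathname containing a comma
    would need the extra positional arguments of Table B-1 instead."""
    out = {}
    for part in field.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            out[key] = value
    return out


def parse_alert(argv):
    """Map a response program's argv to named alert fields."""
    if len(argv) < 10:
        raise ValueError("expected argv[0] plus at least 9 alert fields")
    alert = dict(zip(ALERT_FIELDS, argv[1:10]))
    for name in ("template_code", "version", "severity", "utc_time"):
        alert[name] = int(alert[name])
    alert["attacker"] = _split_kv(alert["attacker"])
    alert["target"] = _split_kv(alert["target"])
    return alert


# Constructed alert invocation; every value below is made up for this example.
SAMPLE_ARGV = [
    "/path/to/response_program",  # argv[0]: placeholder path
    "3", "3", "2", "1000000000",
    "uid=0, gid=3, pid=4242, ppid=1",
    "file=/var/adm/sulog, type=regular, mode=0600, uid=0, gid=3, inode=1234, device=64",
    "Append-only file modified or potentially modified",
    "User with uid 0 opened for modification/truncation /var/adm/sulog ...",
    "File opened for modification",
]

if __name__ == "__main__":
    for path, kind, alert in evaluate_opens():
        print(f"{path:20} {kind:13} {'ALERT' if alert else 'ok'}")
    print(parse_alert(SAMPLE_ARGV))
```

Checking the open flags rather than the later write(2) calls mirrors the early-detection choice the page describes; the trade-off, also stated on the page, is that an alert means a modification was possible, not that one occurred, so a response program should treat the Attacker and Target fields as the starting point for investigation rather than as proof of tampering.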
Limitations

The Changes to Log File template has the following limitation: the template cannot distinguish whether a file is created or truncated when creat(2) is invoked.