The vulnerability addressed by this template

The concept of setuid and setgid files means that if the setuid or setgid bit is turned on for a file, anybody executing that file inherits the permissions of the user or group that owns it. One of the frequent back doors that an intruder installs on a system is a copy of the /bin/sh program that is setuid root. This file enables any command to be executed as a superuser.

How this template addresses the vulnerability

The setuid/setgid template detects the creation and modification of files with setuid and setgid privileges by monitoring the following:

- Modifying file permissions to enable the setuid and/or setgid bit on a file owned by a privileged user or privileged group.
- Changing the owner of a setuid or setgid file so that it is owned by a privileged user or privileged group.
- Creating or modifying a file that has the setuid or setgid bit set and that is owned by a privileged user or privileged group.
By detecting the creation or modification of a setuid or setgid file as soon as it occurs, the setuid/setgid template can provide a timely security report to an administrator regarding a potential security intrusion. There are no known mechanisms for the HP-UX operating system that provide a near real-time report of the creation or modification of setuid and setgid files.

How this template is configured

Table A-13 lists the configurable properties the setuid/setgid template supports.

Table A-13 Setuid File Template Properties

| Name | Type | Default Value |
|---|---|---|
| priv_user_list | III | 0, 1, 2, 3, 4, 5, 9, 11 |
| priv_group_list | III | 0, 1, 2, 3, 4, 5, 6, 10, 11 |
| pathnames_X | II | <empty> |
| programs_X | II | <empty> |
Properties

The configurable properties are as follows:

- priv_user_list: A list of system-level user IDs or user names. This list contains those users who have elevated access to the system. Removing any of these users means that the setuid/setgid template will not detect the creation of a setuid file owned by one of those users.
- priv_group_list: A list of system-level group IDs or group names. This list contains those groups that have elevated access to the system. Removing any of these groups from this list means that the setuid/setgid template will not detect the creation of a setgid file owned by one of those groups.
- pathnames_X, programs_X: Filter out alerts generated when a specified program creates, modifies, or enables a specified privileged setuid file. See “Type II: Path Names/Programs Pairs” for a detailed description of these property pairs.
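As an added illustration (not part of the HP-UX HIDS documentation or product code), the following Python models the three monitored conditions from "How this template addresses the vulnerability" together with the Table A-13 default lists and the pathnames_X/programs_X filter pairs. The event names, the (mode, uid, gid) tuples and the pairing of each event with a Table A-14 summary string are this example's assumptions.

```python
import stat

# Default privileged ID lists from Table A-13.
PRIV_USER_LIST = {0, 1, 2, 3, 4, 5, 9, 11}
PRIV_GROUP_LIST = {0, 1, 2, 3, 4, 5, 6, 10, 11}

# Summary strings (argv[7]) and action wordings (argv[8]) as listed in Table A-14.
# Which event maps to which pair is this example's assumption, not the product's.
RULES = {
    "create":   ("setuid file created", "created the setuid or setgid file"),
    "chmod":    ("setuid file potentially modified", "enabled the setuid or setgid bit on file"),
    "chown":    ("setuid file potentially modified",
                 "changed the owner of the setuid file, or changed the group of the setgid file"),
    "truncate": ("setuid file truncated", "truncated the setuid or setgid file"),
    "syscall":  ("operation on setuid file", "performed system call <number> on the file"),
}

def privileged(uid, gid):
    """True when the owner is in priv_user_list or the group is in priv_group_list."""
    return uid in PRIV_USER_LIST or gid in PRIV_GROUP_LIST

def setid(mode):
    """True when the setuid or setgid bit is set in a numeric mode."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))

def classify(event, path, program, before, after, filters=()):
    """Return (summary, action) for one file event, or None when no alert applies.

    event   : "create", "chmod", "chown", "truncate" or "syscall" (hypothetical names)
    before  : (mode, uid, gid) before the event, or None for a newly created file
    after   : (mode, uid, gid) after the event
    filters : (pathname, program) pairs, i.e. the pathnames_X/programs_X property pairs
    """
    mode, uid, gid = after
    # The template only cares about files that end up setuid/setgid AND owned by a
    # privileged user or group; anything else is ignored.
    if not (setid(mode) and privileged(uid, gid)):
        return None
    # A chmod only "enables" the bit if it was not already set beforehand.
    if event == "chmod" and before is not None and setid(before[0]):
        return None
    # pathnames_X/programs_X: suppress alerts for an approved program touching an approved file.
    if (path, program) in filters:
        return None
    return RULES[event]
```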
Alerts generated by this template

Setuid or setgid File Created or Modified

Table A-14 lists the alert properties the setuid/setgid template generates and forwards to a response program when a setuid or setgid file owned by a privileged user or privileged group is created or modified.

Table A-14 Setuid File Created / Modified Alert Properties

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[1] | Template code | Integer | 4 | Unique code assigned to template |
| argv[2] | Version | Integer | 3 | Template version |
| argv[3] | Severity | Integer | 1 | Alert severity |
| argv[4] | UTC time | Integer | <secs> | UTC time in number of seconds since the epoch when a privileged setuid file was created or modified |
| argv[5] | Attacker | String | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid> | The user ID, group ID, process ID, and parent process ID of the process that created or modified the privileged setuid file |
| argv[6] | Target of Attack | String | file=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>, inode=<inode>, device=<device> | The full path name of the privileged setuid file and the file’s type, mode, uid, gid, inode, and device number |
| argv[7] | Summary | String | setuid file created, or setuid file potentially modified, or setuid file truncated, or operation on setuid file | Alert summary |
| argv[8] | Details | String | User with uid <uid> <performed action on> the file <full pathname> (type=<type>, inode=<inode>, device=<device>) when executing <program> (type=<type>, inode=<inode>, device=<device>), invoked as follows: <argv[0]> <argv[1]> ..., as process with pid <pid> and ppid <ppid> and running with effective uid=<euid> and with effective gid=<egid>. | Detailed alert description |
| argv[9] | Event | String | Following are the possible values: | The event that triggered the alert. |

In argv[8], <performed action on> is set to one of the following:

- created the setuid or setgid file
- changed the owner of the setuid file, or changed the group of the setgid file
- enabled the setuid or setgid bit on file
- performed system call <number> on the file
- truncated the setuid or setgid file

NOTE: See Table B-1 for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without parsing the string alert fields.
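For a response program that receives the arguments of Table A-14, here is an added Python parser (not from the product or its documentation) that maps the positional argv fields to names and cross-checks the reported mode. The sample argv vector is constructed; it assumes <mode> is an octal string and that the key=value fields are comma separated, as the formats in the table suggest.

```python
import stat

def parse_kv(field):
    """Split a 'key=<v>, key=<v>' alert field (the argv[5] / argv[6] format) into a dict."""
    out = {}
    for item in field.split(","):
        key, sep, value = item.strip().partition("=")
        if sep:
            out[key] = value
    return out

def parse_alert(argv):
    """Map the positional arguments of Table A-14 to named fields.

    argv[0] is the response program itself; argv[9] (Event) is kept verbatim
    because the page does not enumerate its values.
    """
    if len(argv) < 9:
        raise ValueError("expected at least 8 alert arguments, got %d" % (len(argv) - 1))
    attacker = {k: int(v) for k, v in parse_kv(argv[5]).items()}
    return {
        "template": int(argv[1]),
        "version": int(argv[2]),
        "severity": int(argv[3]),
        "time": int(argv[4]),
        "attacker": attacker,
        "target": parse_kv(argv[6]),
        "summary": argv[7],
        "details": argv[8],
        "event": argv[9] if len(argv) > 9 else "",
    }

def target_has_setid(alert):
    """Cross-check: does the reported <mode> (assumed octal) carry a setuid or setgid bit?"""
    mode = int(alert["target"]["mode"], 8)
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))

# Constructed sample in the shape a response program would receive; every value is made up.
SAMPLE_ARGV = [
    "/opt/hids/response/setuid.py",    # placeholder path of the response program
    "4", "3", "1", "1700000000",
    "uid=0, gid=3, pid=4242, ppid=4001",
    "file=/tmp/.cache/sh, type=regular, mode=4755, uid=0, gid=3, inode=12345, device=64",
    "setuid file created",
    "User with uid 0 created the setuid or setgid file /tmp/.cache/sh ... (constructed)",
    "",
]
```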
Limitations

The setuid/setgid file template has the following limitations:

- The template cannot always distinguish between the creation of a setuid (or setgid) file and the opening of an existing setuid (or setgid) file for modification with the create flag. The template can generate an alert that a setuid (or setgid) file was created rather than an alert that a setuid (or setgid) file was opened for modification. The template can also generate a false alert that a setuid (or setgid) file was created even though the file already exists and was opened with the create flag rather than for modification.
- The template cannot always distinguish between the creation of a setuid (or setgid) file and the truncation of an existing setuid (or setgid) file. The template can generate an alert that a setuid (or setgid) file was created instead of an alert that a setuid (or setgid) file was truncated.