The vulnerability addressed by this template

Any user on a system can modify a world-writable file. Many of the files owned by the system users (such as root, bin, sys, adm) are used to control the configuration and operation of the system. Allowing regular users to modify these files exposes the system to attacks. A world-writable directory containing system files enables an attacker to replace these files.

How this template addresses the vulnerability

The World-Writable template detects the creation of a world-writable file owned by a privileged user. Specifically, the template monitors for the following actions, where a file can be a regular file, a directory, or a special file:

- Creating a file that has the world-writable bit set and is owned by a privileged user.
- Modifying the file permissions to enable the world-writable bit on an existing file owned by a privileged user.
- Changing the ownership of an existing world-writable file so that it is owned by a privileged user.
- Renaming a world-writable file owned by a privileged user whose old path name is not being monitored but whose new path name is being monitored.
How this template is configured

Table A-15 lists the configurable properties that the World-Writable template supports.

Table A-15 World-Writable File Template Properties

| Property | Type | Default Value |
|---|---|---|
| priv_user_list | III | 0, 1, 2, 3, 4, 5, 9, 11 |
| pathnames_to_not_watch | I | ^/dev/null$, ^/dev/console$, ^/dev/tty, ^/dev/pty, ^/dev/pts |
| pathnames_0 | II | ^/etc/opt/resmon/ |
| programs_0 | II | ^/usr/sbin/stm/uut/bin/tools/monitor/ & ^/etc/opt/resmon/lbin/ |
| pathnames_1 | II | The 15 path name entries listed in the pairs below |
| programs_1 | II | The 15 program entries listed in the pairs below |
| pathnames_X | II | <empty> |
| programs_X | II | <empty> |

Default pathnames_1/programs_1 pairs (entry n of pathnames_1 is paired with entry n of programs_1):

| Entry | pathnames_1 | programs_1 |
|---|---|---|
| 1 | ^/dev/ptmx$ | ^/usr/lbin/rlogind$ |
| 2 | ^/var/opt/dce/rpc/local/ | ^/usr/lbin/swagent$ & ^/usr/sbin/swagentd & ^/usr/sam/lbin/samd$ & ^/opt/perf/bin/ & ^/opt/OV/bin/ |
| 3 | ^/var/run/egd-pool$ | ^/opt/openssl/prngd/prngd$ |
| 4 | ^/dev/console$ | ^/usr/sbin/getty$ |
| 5 | ^/var/sam/log/samagent\.log$ | ^/usr/sam/lbin/samd$ |
| 6 | ^/var/vx/isis/state$ | ^/opt/VRTSob/bin/vxsvc$ |
| 7 | ^/var/opt/perf/ | ^/opt/perf/bin/ |
| 8 | ^/var/opt/OV/log/httpd | ^/opt/OV/httpd/bin/httpd$ |
| 9 | ^/var/opt/OV/ & ^/etc/opt/OV/ | ^/opt/OV/bin/ |
| 10 | ^/etc/group\.tmp.*$ & ^/etc/passwd\.tmp.*$ | ^/usr/sbin/useradd$ & ^/usr/sbin/userdel$ & ^/usr/sbin/usermod$ |
| 11 | ^/etc/group\.tmp.*$ | ^/usr/sbin/groupadd$ & ^/usr/sbin/groupdel$ & ^/usr/sbin/groupmod$ |
| 12 | ^/stand/\.system_tune$ & /tmp/\.kmsystune_lock$ | ^/usr/sbin/kmtune$ |
| 13 | ^/var/opt/OV/log/OpC/opcmsglg$ | opcle |
| 14 | ^/var/tmp/ & ^/var/opt/scr/ | /opt/scr/lbin/scrgetconf$ |
| 15 | ^/var/opt/scr/ | /opt/scr/lbin/scrdaemon$ |
Properties

The configurable properties are listed as follows:

- priv_user_list

  A list of system-level user IDs or user names. This list contains users that have elevated access to the system. Removing any of these users means that this template does not detect the creation of a world-writable file owned by that user.

- pathnames_to_not_watch

  Path names of files that can be safely ignored if they are made world writable.

- pathnames_X, programs_X

  Filter out alerts generated when a specified program creates a specified world-writable file. See “Type II: Path Names/Programs Pairs” for a detailed description of these property pairs.
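The detection rule and the three filtering properties described above, worked through as an added example (this is illustrative code written for this page, not the HP-UX HIDS implementation). It applies the page's defaults for priv_user_list and pathnames_to_not_watch, a shortened pathnames_1/programs_1 pair list, and an assumed MONITORED list standing in for the set of path names the template is applied to; file events are constructed records, not real audit data.

```python
import re
import stat
from dataclasses import dataclass

# Defaults taken from this page's Table A-15 (pair list shortened for the example).
PRIV_USER_LIST = {0, 1, 2, 3, 4, 5, 9, 11}
PATHNAMES_TO_NOT_WATCH = [r"^/dev/null$", r"^/dev/console$",
                          r"^/dev/tty", r"^/dev/pty", r"^/dev/pts"]
PAIR_FILTERS = [(r"^/dev/ptmx$", r"^/usr/lbin/rlogind$"),
                (r"^/var/run/egd-pool$", r"^/opt/openssl/prngd/prngd$")]
# Assumption: the path names the template is applied to (its monitoring scope).
MONITORED = [r"^/etc/", r"^/usr/", r"^/dev/", r"^/var/run/", r"^/tmp/"]

@dataclass
class FileEvent:            # constructed audit record, not a real HIDS event
    action: str             # "create", "chmod", "chown" or "rename"
    path: str               # resulting (new) path name
    mode: int               # resulting st_mode (type bits + permission bits)
    owner_uid: int          # resulting owner
    program: str            # executable that performed the action
    old_mode: int = 0       # chmod: permission bits before the change
    old_uid: int = -1       # chown: owner before the change
    old_path: str = ""      # rename: previous path name

def world_writable(mode: int) -> bool:
    return bool(mode & stat.S_IWOTH)

def matches_any(patterns, text: str) -> bool:
    return any(re.search(p, text) for p in patterns)

def created_what(mode: int) -> str:
    """Name the object type the way the argv[8] Details field does."""
    if stat.S_ISDIR(mode): return "directory"
    if stat.S_ISCHR(mode): return "character special file"
    if stat.S_ISBLK(mode): return "block special file"
    if stat.S_ISFIFO(mode): return "pipe (fifo) file"
    return "file"

def evaluate(ev: FileEvent):
    """Return the <performed action on> text for an alert, or None for no alert."""
    if not world_writable(ev.mode) or ev.owner_uid not in PRIV_USER_LIST:
        return None
    if matches_any(PATHNAMES_TO_NOT_WATCH, ev.path):   # safely ignored paths
        return None
    if any(re.search(pp, ev.path) and re.search(pr, ev.program)
           for pp, pr in PAIR_FILTERS):                 # pathnames_X/programs_X
        return None
    if ev.action == "create":
        return f"created the world-writable {created_what(ev.mode)}"
    if ev.action == "chmod" and not world_writable(ev.old_mode):
        return "enabled the world-writable permission on file"
    if ev.action == "chown" and ev.old_uid not in PRIV_USER_LIST:
        return "changed the owner of the world-writable file"
    if ev.action == "rename" and matches_any(MONITORED, ev.path) \
            and not matches_any(MONITORED, ev.old_path):
        return "renamed the world-writable file"
    return None
```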
Alerts generated by this template

World-Writable File Created

Table A-16 lists the configurable properties that this template supports.

Table A-16 World-Writable File Created Alert Properties

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[1] | Template code | Integer | 5 | Unique code assigned to template |
| argv[2] | Version | Integer | 3 | Template version |
| argv[3] | Severity | Integer | 3 | Alert severity |
| argv[4] | UTC time | Integer | <secs> | UTC time in number of seconds since the epoch when a world-writable file was created |
| argv[5] | Attacker | String | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid> | The user ID, group ID, process ID, and parent process ID of the process that created the world-writable file |
| argv[6] | Target of Attack | String | file=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>, inode=<inode>, device=<device> | The full path name of the world-writable file and the file’s type, mode, uid, gid, inode, and device number |
| argv[7] | Summary | String | world-writable file created | Alert summary |
| argv[8] | Details | String | User with uid <uid> <performed action on> the file <full pathname> (type=<type>, inode=<inode>, device=<device>) when executing <program> (type=<type>, inode=<inode>, device=<device>), invoked as follows: <argv[0]> <argv[1]>..., as process with pid <pid> and ppid <ppid> and running with effective uid=<euid> and with effective gid=<egid>. The values of <performed action on> are listed after this table. | Detailed alert description |
| argv[9] | Event | String | Following are the possible values: | The event that triggered the alert. |

In the argv[8] Details field, <performed action on> is set to one of the following:

- created the world-writable file
- created the world-writable directory
- created the world-writable character special file
- created the world-writable block special file
- created the world-writable pipe (fifo) file
- renamed the world-writable file
- changed the owner of the world-writable file
- enabled the world-writable permission on file
- performed system call <number> on the file

NOTE: See Table B-1 in Appendix B for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without parsing the string alert fields.
Limitations

The World-Writable template has the following limitations:

- The template cannot always distinguish whether a world-writable file is created, or whether an existing world-writable file is opened with the create flag set. The template can generate an alert that a world-writable file is created even though the file already exists and is opened with the create flag set.
- The template cannot always distinguish whether a world-writable file is created, or whether an existing world-writable file is truncated. The template can generate an alert that a file is created, instead of generating an alert that a world-writable file is truncated.