The vulnerability addressed by this template

In many environments, users are expected to work only with their own files. An attacker attempting to compromise a system can cause a system program to modify files owned by other users. Because many daemons run as a specific user, the Modification of Another User's File template can generate an alert when a compromised daemon carries out this type of attack.

How this template addresses the vulnerability

The template, also known as the Not Owned template, monitors files that are deleted, renamed, modified, or opened for modification by users who do not own them. A file can be a regular file, a directory, a symbolic link, or a special file. Specifically, the template monitors the following modifications or potential modifications of not-owned files:

- Successful attempts by users who do not own a regular or special file to open it for writing, appending, or truncation, even where the file's group permissions grant write access.
- Successful attempts by non-owners to delete or rename regular files, directories, symbolic links, or special files.
- Changes to the ownership or permissions of a file by users who do not own it.
This template does not determine that a file's contents were changed, only that a change might have been made. It does not watch file content; it records that a file was opened with write permission. Instead of monitoring the write(2) calls that actually modify a file, it monitors successful opens for writing or truncation by non-owners, which gives earlier detection of processes that might modify files.

How this template is configured

Table A-17 lists the configurable properties the Modification of Another User's File template supports. Where a property holds several values, the values are separated below by semicolons; each row of pathnames_1 is paired with the corresponding row of programs_1 (see "Type II: Path Names/Programs Pairs").

Table A-17 Modification of Another User's File Template Properties

| Property | Type | Default Value |
|---|---|---|
| pathnames_to_not_watch | I | ^/etc/rc\.log$ ; ^/dev/tty$ ; ^/var/opt/OV/tmp/OpC/ ; ^/var/spool/sockets/pwgr/ ; ^/dev/ |
| users_to_ignore | III | <empty> |
| user_pairs_to_ignore | IV | 0,1 ; 0,2 ; 0,3 ; 0,4 |
| pathnames_1 | II | ^/var/adm/wtmp$ & ^/dev/tty$ ; ^/var/adm/sulog$ & ^/dev/log$ & ^/dev/tty$ |
| programs_1 | II | ^/usr/lbin/rlogind$ & ^/usr/bin/login$ & ^/usr/lbin/telnetd$ & ^/usr/lbin/ftpd$ & ^/usr/bin/tset$ ; ^/usr/bin/su$ |
| pathnames_X | II | <empty> |
| programs_X | II | <empty> |
Properties

Configure the following properties based on the individual machine configuration and usage.

- pathnames_to_not_watch: Path names of files that can safely be ignored when they are modified by non-owners.
- users_to_ignore: Users running with an effective uid equal to one of the listed user IDs, or corresponding to one of the listed user names, can modify files they do not own without generating an alert. Leave this property blank unless it is specifically needed.
- user_pairs_to_ignore: A list of user ID or user name pairs. No alert is generated when the effective user ID of the process modifying a file matches the first member of a pair and the owner of the file being modified matches the second member of that pair. For example, the pairs [0,1], [root,1], [0,bin], and [root,bin] are all equivalent, and any of them can be used to filter all alerts where a process with effective uid 0 (root) modifies files owned by user bin (uid 1).
- pathnames_X, programs_X: These property pairs filter out alerts generated when a particular program modifies a specified file owned by another user. See "Type II: Path Names/Programs Pairs" for a detailed description of these property pairs.
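The following Python model is an added example, not code from HP-UX HIDS; it shows how the four property types above combine to suppress or emit a Non-Owned File alert, using the Table A-17 defaults and the Table A-18 severity rule (2 for truncate/delete/rename, 3 for mode/owner change or open for write/append). The FileEvent record, the uids, paths and programs in SAMPLE_EVENTS are constructed for the example. Two assumptions are spelled out in the code: the "&"-joined entries of one pathnames_1 row are read as alternatives paired with the same row of programs_1, and since every property only ever suppresses an alert, the order in which the filters are applied does not change the result.

```python
import re
from dataclasses import dataclass, field

# Constructed event record standing in for the audit data the template examines.
# This is an assumption made for the example, not the product's internal format.
@dataclass
class FileEvent:
    euid: int        # effective uid of the acting process
    program: str     # full path of the program being executed
    path: str        # full path of the file acted on
    owner_uid: int   # uid owning the file
    action: str      # one of the keys of SEVERITY below

# Severity per Table A-18: 2 when the file is truncated, deleted or renamed;
# 3 when its mode/ownership changes or it is opened for writing/appending.
SEVERITY = {
    "open_write": 3, "open_append": 3, "chmod": 3, "chown": 3,
    "open_truncate": 2, "unlink": 2, "rename": 2,
}

@dataclass
class NotOwnedTemplate:
    pathnames_to_not_watch: list = field(default_factory=list)  # Type I: path regexes
    users_to_ignore: set = field(default_factory=set)            # Type III: euids
    user_pairs_to_ignore: set = field(default_factory=set)       # Type IV: (euid, owner uid)
    program_path_pairs: list = field(default_factory=list)       # Type II: [(path regexes, program regexes)]

    def check(self, ev):
        """Return an alert dict for ev, or None if the template would stay silent."""
        if ev.action not in SEVERITY or ev.euid == ev.owner_uid:
            return None                       # not a modification, or owner acting on own file
        if ev.euid in self.users_to_ignore:
            return None
        if (ev.euid, ev.owner_uid) in self.user_pairs_to_ignore:
            return None
        if any(re.search(rx, ev.path) for rx in self.pathnames_to_not_watch):
            return None
        # Type II: a listed program touching a listed file is expected behaviour.
        for path_rxs, prog_rxs in self.program_path_pairs:
            if any(re.search(rx, ev.path) for rx in path_rxs) and \
               any(re.search(rx, ev.program) for rx in prog_rxs):
                return None
        return {
            "severity": SEVERITY[ev.action],
            "summary": "Non-owned file being modified",
            "attacker": {"uid": ev.euid},
            "target": {"file": ev.path, "uid": ev.owner_uid},
            "program": ev.program,
            "action": ev.action,
        }

def default_template():
    """The Table A-17 defaults. Assumption: the '&'-joined entries of one pathnames_1
    row are alternatives, paired with the same row of programs_1."""
    return NotOwnedTemplate(
        pathnames_to_not_watch=[r"^/etc/rc\.log$", r"^/dev/tty$", r"^/var/opt/OV/tmp/OpC/",
                                r"^/var/spool/sockets/pwgr/", r"^/dev/"],
        users_to_ignore=set(),
        user_pairs_to_ignore={(0, 1), (0, 2), (0, 3), (0, 4)},
        program_path_pairs=[
            ([r"^/var/adm/wtmp$", r"^/dev/tty$"],
             [r"^/usr/lbin/rlogind$", r"^/usr/bin/login$", r"^/usr/lbin/telnetd$",
              r"^/usr/lbin/ftpd$", r"^/usr/bin/tset$"]),
            ([r"^/var/adm/sulog$", r"^/dev/log$", r"^/dev/tty$"], [r"^/usr/bin/su$"]),
        ],
    )

def evaluate(template, events):
    """Run every event through the template and collect the alerts it would raise."""
    return [a for a in (template.check(ev) for ev in events) if a is not None]

# Constructed sample events; uids, paths and programs are chosen for the example.
# wtmp is given owner uid 5 so that the Type II pair, not the (0,4) default, is what silences it.
SAMPLE_EVENTS = [
    FileEvent(1001, "/usr/bin/vi", "/home/carol/.profile", 1002, "open_write"),     # alert, severity 3
    FileEvent(1001, "/usr/bin/rm", "/home/carol/notes", 1002, "unlink"),             # alert, severity 2
    FileEvent(1001, "/usr/bin/vi", "/home/alice/.profile", 1001, "open_write"),      # owner: silent
    FileEvent(0, "/usr/bin/chmod", "/usr/bin/cat", 2, "chmod"),                      # pair (0,2): silent
    FileEvent(0, "/usr/bin/login", "/var/adm/wtmp", 5, "open_append"),              # Type II pair: silent
    FileEvent(0, "/usr/bin/vi", "/var/adm/wtmp", 5, "open_truncate"),               # alert, severity 2
    FileEvent(1001, "/usr/bin/sh", "/dev/null", 0, "open_write"),                   # ^/dev/: silent
    FileEvent(1003, "/usr/sbin/httpd", "/var/www/index.html", 1002, "open_write"),  # compromised daemon: alert, severity 3
]

if __name__ == "__main__":
    for alert in evaluate(default_template(), SAMPLE_EVENTS):
        print(alert["severity"], alert["action"], alert["program"], alert["target"]["file"])
```

Note that the login/wtmp event is silenced only because both halves of the Type II pair match; the same file truncated by an editor still alerts, which is the behaviour the pairs are meant to preserve.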
Alerts generated by this template

Non-Owned File Being Modified
Table A-18 lists the alert properties the Modification of Another User's File template generates and forwards to a response program when a file is modified by someone other than its owner.

Table A-18 Non-Owned File Being Modified Alert Properties

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[1] | Template code | Integer | 6 | Unique code assigned to the template |
| argv[2] | Version | Integer | 3 | Template version |
| argv[3] | Severity | Integer | 2 if the file is truncated, potentially truncated, deleted, or renamed; 3 if the file's mode or ownership is modified, or the file is opened for writing or appending | Alert severity |
| argv[4] | UTC time | Integer | <secs> | UTC time, in seconds since the epoch, at which the file was modified by a non-owner |
| argv[5] | Attacker | String | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>. | The user ID, group ID, process ID, and parent process ID of the process that modified the file |
| argv[6] | Target of Attack | String | file=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>, inode=<inode>, device=<device>. | The full path name of the file and the file's type, mode, uid, gid, inode, and device number |
| argv[7] | Summary | String | Non-owned file being modified | Alert summary |
| argv[8] | Details | String | User with uid <uid> <performed action on the file> <full pathname> (type=<type>, inode=<inode>, device=<device>) when executing <program> (type=<type>, inode=<inode>, device=<device>), invoked as follows: <argv[0]> <argv[1]>..., as process with pid <pid> and ppid <ppid> and running with effective uid=<euid> and with effective gid=<egid>. Here <performed action on the file> is one of: opened for modification/truncation; created the named file (and overwrote any existing file); performed system call <number> on the file | Detailed alert description |
| argv[9] | Event | String | Following are the possible values: File opened for modification | The event that triggered the alert |

NOTE: See Table B-1 in Appendix B for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without parsing the string alert fields.
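As an added example (not part of the original page or the product), the following Python response program decodes argv[1] through argv[9] exactly as Table A-18 lays them out: it checks the template code and severity, splits the Attacker and Target strings into fields, and produces a one-line record for forwarding. The response program path, the uids, inode and device numbers and the literal type token in SAMPLE_ARGV are constructed for the example; the real values the product emits for <type> are not shown on this page.

```python
import sys

# Positional meaning of argv[1]..argv[9] as laid out in Table A-18.
FIELD_NAMES = ("template_code", "version", "severity", "utc_time",
               "attacker", "target", "summary", "details", "event")
# Keys in the Attacker/Target strings that are numbers; mode is kept as a string
# so a leading zero (octal) survives.
NUMERIC_KEYS = {"uid", "gid", "pid", "ppid", "inode", "device"}

def parse_kv(text):
    """Parse a 'key=value, key=value.' string (the argv[5]/argv[6] format) into a dict."""
    text = text.strip()
    if text.endswith("."):
        text = text[:-1]                      # trailing period that closes the field
    out = {}
    for item in text.split(", "):
        key, sep, val = item.partition("=")
        if not sep:
            raise ValueError("malformed field: %r" % item)
        out[key] = int(val) if key in NUMERIC_KEYS else val
    return out

def parse_alert(argv):
    """Decode a Non-Owned File Being Modified alert from the response program's argv."""
    if len(argv) < 10:
        raise ValueError("expected 9 alert arguments, got %d" % (len(argv) - 1))
    alert = dict(zip(FIELD_NAMES, argv[1:10]))
    for key in ("template_code", "version", "severity", "utc_time"):
        alert[key] = int(alert[key])
    if alert["template_code"] != 6:
        raise ValueError("not a Modification of Another User's File alert (code %d)"
                         % alert["template_code"])
    if alert["severity"] not in (2, 3):
        raise ValueError("unexpected severity %d" % alert["severity"])
    alert["attacker"] = parse_kv(alert["attacker"])
    alert["target"] = parse_kv(alert["target"])
    # Table A-18: 2 = truncated/deleted/renamed, 3 = mode/owner change or open for write/append.
    alert["destructive"] = alert["severity"] == 2
    return alert

def format_line(alert):
    """One-line record suitable for forwarding to syslog or a SIEM."""
    a, t = alert["attacker"], alert["target"]
    return ("notowned sev=%d t=%d euid=%d pid=%d ppid=%d file=%s owner=%d event=%r"
            % (alert["severity"], alert["utc_time"], a["uid"], a["pid"], a["ppid"],
               t["file"], t["uid"], alert["event"]))

# Constructed argv as the product would pass it; argv[0] is the response program
# itself (assumed path). All ids, times and the 'regular' type token are made up.
SAMPLE_ARGV = [
    "/opt/ids/response/notify.py",
    "6", "3", "3", "1056321000",
    "uid=1001, gid=20, pid=4321, ppid=4300.",
    "file=/home/carol/.profile, type=regular, mode=0644, uid=1002, gid=20, inode=18342, device=64.",
    "Non-owned file being modified",
    "User with uid 1001 opened for modification/truncation /home/carol/.profile "
    "(type=regular, inode=18342, device=64) when executing /usr/bin/vi "
    "(type=regular, inode=2201, device=64), invoked as follows: vi /home/carol/.profile, "
    "as process with pid 4321 and ppid 4300 and running with effective uid=1001 "
    "and with effective gid=20.",
    "File opened for modification",
]

if __name__ == "__main__":
    # Use the real arguments when invoked by the IDS, the constructed ones otherwise.
    argv = sys.argv if len(sys.argv) >= 10 else SAMPLE_ARGV
    print(format_line(parse_alert(argv)))
```

The NOTE above is the reason parse_kv is kept deliberately simple: where the extra arguments of Table B-1 are available, read pid and ppid from them rather than from the string fields.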
Limitations

The Modification of Another User's File template has no limitations.