Appendix A: Templates and Alerts

Modification of Files/Directories Template
The vulnerability

Many of the files on an ... software packages are generally not installed or modified during normal system operation. However, when attackers break into a system, they frequently create back doors to let themselves in later. They might also use a "root kit" to modify the system binaries so that they do not report the changes that were made.

A system whose critical files have been modified is left vulnerable to subsequent attacks. An attacker often modifies system files to plant back doors. For example, if /etc/passwd is modified to set root's password to empty, an attacker can subsequently log in as root and completely compromise the system, or use it to launch further attacks against other systems on the network. Modification or corruption of security-critical files can also lead to Denial of Service attacks.
How this template addresses the vulnerability

This template, also known as the Read Only (RO) template, monitors files that are not expected to be modified, where a file can be a regular file, a directory, a symbolic link, or a special file (block file, character file, named pipe). Specifically, the template monitors the following modifications or potential modifications to files specified by the user:
• Successful attempts to open a file to write or append, to delete the file, to create the file, to rename the file, or to truncate the file.
• Successful attempts to add or delete files in the directory, to delete the directory, to create the directory, or to rename the directory.
• Changes to file ownership and file permissions.
This template does not determine that a file's contents were actually changed, only that a change might have been made: it does not watch the content of the files, only that a file was opened with write permission. Instead of monitoring the write(2) calls that modify files, it monitors successful opens to write to or truncate the file, which gives early detection of processes that might modify critical files.
How this template is configured

This template supports the following properties:
Table: Template Properties

| Name | Type | Default Value |
|---|---|---|
| pathnames_to_watch | I | ^/stand/vmunix$ ^/stand/kernrel$ ^/stand/bootconf$ ^/etc/passwd$ ^/etc/shadow$ ^/etc/group$ ^/\.rhosts$ ^/\.shosts$ ^/etc/hosts\.equiv$ ^/etc/hosts\.allow$ ^/etc/hosts\.deny$ ^/etc/inetd\.conf$ ^/etc/ ^/bin/ ^/sbin/ ^/stand/ ^/lib/ ^/usr/bin/ ^/opt/ |
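The following is an added illustration, not code from the HP-UX HIDS product, of how the RO template's rules combine with the default pathnames_to_watch patterns: it matches the patterns as anchored regular expressions against a constructed stream of audit events and reports only successful modifying operations (open for write/append, truncate, create, delete, rename, ownership and permission changes), ignoring reads and failed attempts. The event record format and operation names are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Default pathnames_to_watch patterns from the template table above (regular expressions).
DEFAULT_PATHNAMES_TO_WATCH = [
    r"^/stand/vmunix$", r"^/stand/kernrel$", r"^/stand/bootconf$",
    r"^/etc/passwd$", r"^/etc/shadow$", r"^/etc/group$",
    r"^/\.rhosts$", r"^/\.shosts$", r"^/etc/hosts\.equiv$",
    r"^/etc/hosts\.allow$", r"^/etc/hosts\.deny$", r"^/etc/inetd\.conf$",
    r"^/etc/", r"^/bin/", r"^/sbin/", r"^/stand/", r"^/lib/", r"^/usr/bin/", r"^/opt/",
]

# Operations the RO template treats as (potential) modifications; reads are not among them.
MODIFYING_OPS = {"open_write", "open_append", "truncate", "create",
                 "delete", "rename", "chmod", "chown"}

@dataclass
class AuditEvent:            # assumed event shape, not the HIDS audit record format
    op: str
    path: str                # for rename: the old name
    success: bool
    new_path: str = ""       # for rename: the new name

def parent_dir(path):
    return path.rsplit("/", 1)[0] + "/"

def alert_for(ev, watchlist):
    """Return an alert string if the RO template would report this event, else None."""
    if not ev.success or ev.op not in MODIFYING_OPS:
        return None          # failed attempts and reads are not reported
    candidates = [ev.path]
    if ev.op in {"create", "delete", "rename"}:
        candidates.append(parent_dir(ev.path))   # entry added to/removed from a watched directory
    if ev.op == "rename":
        candidates += [ev.new_path, parent_dir(ev.new_path)]
    if any(rx.search(p) for p in candidates for rx in watchlist):
        return f"RO: {ev.op} {ev.path}" + (f" -> {ev.new_path}" if ev.new_path else "")
    return None

def scan(events, patterns=DEFAULT_PATHNAMES_TO_WATCH):
    watchlist = [re.compile(p) for p in patterns]
    return [a for a in (alert_for(e, watchlist) for e in events) if a]

SAMPLE_EVENTS = [            # constructed sample events, not real audit data
    AuditEvent("open_write", "/etc/passwd", True),
    AuditEvent("open_read", "/etc/passwd", True),              # read: no alert
    AuditEvent("open_write", "/etc/shadow", False),            # failed: no alert
    AuditEvent("create", "/etc/hosts.equiv", True),
    AuditEvent("rename", "/tmp/inetd.conf", True, new_path="/etc/inetd.conf"),
    AuditEvent("chmod", "/usr/bin/su", True),
    AuditEvent("open_write", "/home/alice/notes.txt", True),   # not watched
    AuditEvent("truncate", "/var/adm/wtmp", True),             # not watched
]
```

Running scan(SAMPLE_EVENTS) yields four alerts: the open of /etc/passwd for writing, the creation of /etc/hosts.equiv, the rename into /etc/inetd.conf and the chmod of /usr/bin/su.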
Appendix A, page 146