Templates and Alerts
Changes to Log File Template
The vulnerability: There are certain files that record system activity, such as the login, process accounting and syslog records listed in the default watch list below. The files that store this system information should only be appended to, never overwritten. An attacker will often modify or delete these files to remove the evidence of their intrusion.
How this template addresses the vulnerability: The template, also known as the Append Only (AO) template, monitors a list of files for attempts to modify them in any way other than appending to them. Specifically, the template monitors a user-specified set of regular files for successful attempts to open a file with write or truncate permission, to delete the file, to rename the file, or to truncate the file.
This template does not monitor changes in ownership or permissions of the file, and it does not monitor the creation of a new file. Lastly, the template does not determine that a file's contents were actually changed, only that a change might have been made: it does not watch the content of the files, only whether a file was opened with permission other than append. Rather than monitoring the write(2) calls that modify a file, it watches for successful opens for writing, which gives early warning of a process that might modify a critical file in some way other than appending to it. Because only successful calls are reported, a failed attempt (for example, an open refused by the file's permissions) produces no alert from this template.
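The decision rules above, as an added example that is not part of the manual or of the IDS/9000 product: the Python below applies the AO template's logic (a successful open for write without append, an open with O_TRUNC, unlink, rename or truncate of a watched file raises an alert; file creation, chmod and chown are ignored; failed calls are ignored) to a constructed trace of audited system calls, using the default pathnames_to_watch list from the property table and honouring a pathnames_to_not_watch exclusion. The Event record layout, the program names and the sample trace are assumptions made for the example, not an IDS/9000 audit format.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Default value of pathnames_to_watch from the AO template's property table.
# Each entry is an anchored regular expression matched against the full path
# of the file a monitored system call acted on. The "." in mail.log and
# syslog.log is unescaped, exactly as the manual lists it, so it matches any
# single character.
PATHNAMES_TO_WATCH = [
    r"^/var/adm/btmp$",
    r"^/var/adm/wtmp$",
    r"^/var/adm/messages$",
    r"^/var/adm/syslog/mail.log$",
    r"^/var/adm/syslog/syslog.log$",
    r"^/var/adm/pacct$",
    r"^/var/adm/sulog$",
]


@dataclass
class Event:
    """One audited system call. This record layout is constructed for the
    example and is not the IDS/9000 audit format."""
    syscall: str          # "open", "unlink", "rename", "truncate", "chmod", "chown"
    path: str             # file the call acted on (old name for rename)
    program: str = ""     # process that made the call
    success: bool = True  # False if the kernel refused the call
    flags: int = 0        # open(2) flags, os.O_* values; only used for "open"
    existed: bool = True  # for "open": False means O_CREAT made a brand-new file


@dataclass
class Alert:
    path: str
    reason: str
    program: str


def _matches(path: str, patterns: Sequence[str]) -> bool:
    return any(re.search(p, path) for p in patterns)


def open_violation(flags: int) -> Optional[str]:
    """Return why an open(2) with these flags can modify the file other than by
    appending, or None if the open is read-only or append-only."""
    if flags & os.O_TRUNC:
        # O_TRUNC empties the file at open time even when O_APPEND is also set.
        return "open with O_TRUNC"
    writable = (flags & os.O_ACCMODE) in (os.O_WRONLY, os.O_RDWR)
    if writable and not (flags & os.O_APPEND):
        return "open for write without O_APPEND"
    return None


def evaluate(events, watch=PATHNAMES_TO_WATCH, not_watch=()):
    """Apply the AO template rules to a sequence of events; return the alerts."""
    alerts: List[Alert] = []
    for ev in events:
        if not ev.success:
            continue                  # only successful calls are reported
        if not _matches(ev.path, watch) or _matches(ev.path, not_watch):
            continue                  # not a watched file, or explicitly excluded
        if ev.syscall == "open":
            if not ev.existed:
                continue              # creation of a new file is not monitored
            reason = open_violation(ev.flags)
            if reason is not None:
                alerts.append(Alert(ev.path, reason, ev.program))
        elif ev.syscall in ("unlink", "rename", "truncate"):
            alerts.append(Alert(ev.path, ev.syscall, ev.program))
        # chmod, chown and anything else: outside this template's scope
    return alerts


# Constructed sample trace: the first four calls are normal activity; the
# rest are what log tampering looks like at the system-call level.
SAMPLE_EVENTS = [
    Event("open", "/var/adm/syslog/syslog.log", "syslogd",
          flags=os.O_WRONLY | os.O_APPEND | os.O_CREAT),      # append: fine
    Event("open", "/var/adm/wtmp", "last", flags=os.O_RDONLY),  # read: fine
    Event("chmod", "/var/adm/btmp", "root"),                    # not monitored
    Event("open", "/var/adm/pacct", "accton",                   # new file: not monitored
          flags=os.O_WRONLY | os.O_CREAT, existed=False),
    Event("open", "/var/adm/wtmp", "cp", flags=os.O_WRONLY | os.O_TRUNC),
    Event("unlink", "/var/adm/sulog", "rm"),
    Event("open", "/var/adm/messages", "vi", flags=os.O_RDWR),
    Event("open", "/var/adm/pacct", "sh", flags=os.O_WRONLY, success=False),
    Event("rename", "/var/adm/wtmp.old", "mv"),                 # anchors: not watched
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {a.path}: {a.reason} by {a.program}")
```

Running the block prints three alerts (the truncating copy over wtmp, the removal of sulog, and the editor opening messages for read/write); the failed open of pacct, the chmod, the new-file creation and the unrelated wtmp.old rename produce nothing, which is exactly the set of blind spots the paragraph above lists.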
How this template is configured: This template supports the following properties:
Table: Template Properties

| Name                   | Type | Default Value                |
|------------------------|------|------------------------------|
| pathnames_to_watch     | I    | ^/var/adm/btmp$              |
|                        |      | ^/var/adm/wtmp$              |
|                        |      | ^/var/adm/messages$          |
|                        |      | ^/var/adm/syslog/mail.log$   |
|                        |      | ^/var/adm/syslog/syslog.log$ |
|                        |      | ^/var/adm/pacct$             |
|                        |      | ^/var/adm/sulog$             |
| pathnames_to_not_watch | I    | <empty>                      |
| pathnames_X            | II   | <empty>                      |
| programs_X             | II   | <empty>                      |
Properties
• Property: pathnames_to_watch
  Pathnames of files to be monitored for modification other than appending.
• Property: pathnames_to_not_watch
  Pathnames of files that can be safely ignored for modification, regardless of which program modifies them.
• Properties: pathnames_X, programs_X
152 | Appendix A |