HP Host Intrusion Detection System (HIDS) manual Changes to Log File Template, 152

Templates and Alerts

Changes to Log File Template

Changes to Log File Template

The vulnerability There are certain HP-UX system files that are used to store logs of system activities, addressed by this such as login attempts, commands executed, and miscellaneous system log messages.

templateThe files that store this system information should only be appended to, not overwritten. An attacker will often either modify or delete these files to remove information about their intrusion.

How this template The template, also known as the Append Only (AO) template, monitors a user-defined

addresses the list of files for attempts to modify them in any way other than appending to them.

vulnerability Specifically, the template monitors a user specified set of regular files for successful attempts to open a file with write or truncate permission, to delete the file, to rename the file, or to truncate the file.

This template does not monitor changes in ownership or permissions of the file. The template also does not monitor for the creation of a new file. Lastly, this template does not determine that a file’s contents were changed, only that a change might have been made (i.e., it does not watch the content of the files, only that a file was opened with permission other than append). Instead of monitoring write(2) calls that modify files, successful opens to write to the file are monitored to provide early detection of processes that might potentially modify critical files other than appending.

How this template This template supports the following properties: is configured

•Property: pathnames_to_not_watch

Pathnames of files that can be safely ignored for modification, regardless of which program modifies them.

•Properties: pathnames_X, programs_X