Templates and Alerts

Changes to Log File Template


The vulnerability addressed by this template

There are certain HP-UX system files that are used to store logs of system activities, such as login attempts, commands executed, and miscellaneous system log messages. The files that store this system information should only be appended to, not overwritten. An attacker will often either modify or delete these files to remove information about their intrusion.

How this template addresses the vulnerability

The template, also known as the Append Only (AO) template, monitors a user-defined list of files for attempts to modify them in any way other than appending to them. Specifically, the template monitors a user-specified set of regular files for successful attempts to open a file with write or truncate permission, to delete the file, to rename the file, or to truncate the file.

This template does not monitor changes in ownership or permissions of the file. The template also does not monitor for the creation of a new file. Lastly, this template does not determine that a file’s contents were changed, only that a change might have been made (i.e., it does not watch the content of the files, only that a file was opened with permission other than append). Instead of monitoring write(2) calls that modify files, successful opens to write to the file are monitored to provide early detection of processes that might potentially modify critical files other than appending.
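The decision rule described above, written out as an added example (this is illustrative code, not part of the HIDS product or its manual): a small classifier that takes the Table A-11 property lists, applies the exclusion list before the watch list, and reports only successful opens with write or truncate intent, deletes, renames and truncates of a watched file, while ignoring append-only opens, read-only opens, failed attempts, permission changes and new-file creation. The `Event` record, the `exists` field, the `/var/adm/syslog/OLDsyslog.log` exclusion and the sample event list are all constructed for the example; the watch patterns are the defaults from Table A-11.

```python
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional

# O_ACCMODE masks the read/write access bits out of open(2) flags; fall back
# to the POSIX value if this platform's os module does not expose it.
O_ACCMODE = getattr(os, "O_ACCMODE", 3)


@dataclass
class AOTemplate:
    """Append Only template settings, using the property names from Table A-11."""
    pathnames_to_watch: List[str]
    pathnames_to_not_watch: List[str] = field(default_factory=list)

    @staticmethod
    def _matches(patterns: List[str], path: str) -> bool:
        return any(re.search(p, path) for p in patterns)

    def is_watched(self, path: str) -> bool:
        # An exclusion wins over a watch pattern, regardless of which program acts.
        if self._matches(self.pathnames_to_not_watch, path):
            return False
        return self._matches(self.pathnames_to_watch, path)


@dataclass
class Event:
    """A constructed system-call record (this is not the HIDS audit format)."""
    syscall: str            # "open", "unlink", "rename", "truncate", "chmod", ...
    path: str
    flags: int = 0          # open(2) flags, only meaningful for syscall == "open"
    new_path: str = ""      # rename destination
    success: bool = True    # only successful calls are reported
    exists: bool = True     # False when open(2) created the file (creation is not monitored)


def evaluate(template: AOTemplate, ev: Event) -> Optional[str]:
    """Return an alert string for a non-append modification of a watched file, else None."""
    if not ev.success or not template.is_watched(ev.path):
        return None
    if ev.syscall == "open":
        if not ev.exists:
            return None                      # new-file creation is out of scope
        if ev.flags & os.O_TRUNC:
            return f"{ev.path}: opened with truncate"
        if (ev.flags & O_ACCMODE) == os.O_RDONLY:
            return None                      # a read-only open cannot modify the file
        if ev.flags & os.O_APPEND:
            return None                      # append-only write is the permitted case
        return f"{ev.path}: opened for write without O_APPEND"
    if ev.syscall == "unlink":
        return f"{ev.path}: deleted"
    if ev.syscall == "truncate":
        return f"{ev.path}: truncated"
    if ev.syscall == "rename":
        return f"{ev.path}: renamed to {ev.new_path}"
    # chmod/chown and write(2) itself are not covered by this template.
    return None


# Default watch list from Table A-11; the exclusion entry is constructed for the example.
DEFAULT_TEMPLATE = AOTemplate(
    pathnames_to_watch=[
        r"^/var/adm/btmp$", r"^/var/adm/wtmp$", r"^/var/adm/messages$",
        r"^/var/adm/syslog/mail.log$", r"^/var/adm/syslog/syslog.log$",
        r"^/var/adm/pacct$", r"^/var/adm/sulog$",
    ],
    pathnames_to_not_watch=[r"^/var/adm/syslog/OLDsyslog.log$"],
)

# Constructed sample events exercising each branch of the rule.
SAMPLE_EVENTS = [
    Event("open", "/var/adm/wtmp", os.O_WRONLY | os.O_APPEND),       # login appending a record
    Event("open", "/var/adm/wtmp", os.O_WRONLY | os.O_TRUNC),        # zeroing the file
    Event("open", "/var/adm/sulog", os.O_RDWR),                       # writable, not append-only
    Event("open", "/var/adm/wtmp", os.O_RDONLY),                      # a reader such as last(1)
    Event("unlink", "/var/adm/btmp"),
    Event("rename", "/var/adm/messages", new_path="/tmp/messages"),
    Event("truncate", "/var/adm/pacct"),
    Event("unlink", "/var/adm/sulog", success=False),                 # failed attempt: not reported
    Event("chmod", "/var/adm/wtmp"),                                  # ownership/permission change
    Event("open", "/var/adm/syslog/OLDsyslog.log", os.O_WRONLY | os.O_TRUNC),   # excluded path
    Event("open", "/var/adm/pacct", os.O_WRONLY | os.O_CREAT, exists=False),    # file creation
]


def alerts(template: AOTemplate = DEFAULT_TEMPLATE, events: List[Event] = SAMPLE_EVENTS) -> List[str]:
    """Run every event through the rule and return the alert strings in order."""
    return [a for a in (evaluate(template, e) for e in events) if a is not None]


if __name__ == "__main__":
    for line in alerts():
        print("ALERT", line)
```

Of the eleven sample events only five produce an alert: the truncating open of wtmp, the read/write open of sulog, and the delete, rename and truncate calls. Note the early-detection trade-off the manual describes: the sulog open is reported at open time even though no write(2) has happened yet, so the alert means "could have modified", not "did modify".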

How this template is configured

This template supports the following properties:

Table A-11  Template Properties

Name                    Type   Default Value
pathnames_to_watch      I      ^/var/adm/btmp$
                               ^/var/adm/wtmp$
                               ^/var/adm/messages$
                               ^/var/adm/syslog/mail.log$
                               ^/var/adm/syslog/syslog.log$
                               ^/var/adm/pacct$
                               ^/var/adm/sulog$
pathnames_to_not_watch  I      <empty>
pathnames_X             II     <empty>
programs_X              II     <empty>

Properties

Property: pathnames_to_watch

Pathnames of files to be monitored for modification other than appending.

Property: pathnames_to_not_watch

Pathnames of files that can be safely ignored for modification, regardless of which program modifies them.

Properties: pathnames_X, programs_X

152

Appendix A

HP Host Intrusion Detection System (HIDS) manual Changes to Log File Template, Table A-11 Template Properties, 152