HP Host Intrusion Detection System (HIDS) Manual


Templates and Alerts

Creation of Setuid File Template

The vulnerability addressed by this template

A setuid file is one that, if executed, will operate with the permissions of the owner of the file, not of the person executing the file. One of the frequent back doors that an intruder will install on a system is the creation of a copy of the /bin/sh program that is setuid root. Such a file allows any command to be executed as the superuser.

How this template addresses the vulnerability

The Setuid (SUID) template detects the creation of files with setuid privileges owned by privileged users by monitoring for the following:

• Modification of the file permissions to enable the setuid bit on a file owned by a privileged user.

• Changing the owner of a setuid file to be owned by a privileged user.

• Creation of a file that has the setuid bit set and owned by a privileged user.

By detecting the creation of a setuid file as soon as it occurs, the template can provide a timely security report to an administrator regarding a potential security intrusion. There are no known mechanisms in existence for the HP-UX operating system that can provide a near real-time report of the creation of setuid files.

How this template is configured

This template supports the following properties:

Table A-13   Template Properties

Name            Type   Default Value
priv_uid_list   III    0 1 2 3 4 5 9 11
pathnames_X     II     <empty>
programs_X      II     <empty>

Properties

Property: priv_uid_list

A list of system-level user IDs.

This list should contain those users that are considered to have elevated access to the system. Removing any of these means that the creation of a setuid file owned by one of those users will not be detected by this template.

Properties: pathnames_X, programs_X

These properties can be used to filter out alerts generated when a particular program creates or enables a particular privileged setuid file. See “Type II: Pathnames/Programs Pairs” on page 130 for a detailed description of these property pairs.
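The following is an added example, not code from the HP HIDS product or its manual. It models the three monitoring rules listed above (setuid bit enabled by chmod, setuid file re-owned to a privileged user, file created with the setuid bit set) and the two filtering properties: priv_uid_list, with the default list from Table A-13, and the pathnames_X/programs_X pairs. The FileEvent record, the glob-based encoding of the pathname/program pairs, and all sample paths and program names are constructed assumptions; HP-UX HIDS does not expose this interface.

```python
"""Added example, not code from the HP HIDS manual: a model of the Setuid
File template's three detection rules, run over constructed file-system
events, with the priv_uid_list and pathnames_X/programs_X filters applied.
The FileEvent record and the exclusion-pair encoding are assumptions."""
from dataclasses import dataclass, field
import fnmatch
import stat

# Default priv_uid_list, as given in Table A-13 of the manual.
DEFAULT_PRIV_UIDS = frozenset({0, 1, 2, 3, 4, 5, 9, 11})


@dataclass
class FileEvent:
    """Constructed stand-in for an audit record of one file operation.
    op is 'create', 'chmod' or 'chown'; new_mode/new_uid describe the file
    after the operation, old_mode/old_uid before it (unused for 'create')."""
    op: str
    path: str
    program: str        # program that performed the operation
    new_mode: int
    new_uid: int
    old_mode: int = 0
    old_uid: int = -1


@dataclass
class SetuidTemplate:
    priv_uid_list: frozenset = DEFAULT_PRIV_UIDS
    # Hypothetical encoding of the pathnames_X/programs_X pairs: each pair
    # (pathname glob, program glob) suppresses alerts that match both.
    exclusions: list = field(default_factory=list)

    def excluded(self, ev: FileEvent) -> bool:
        return any(fnmatch.fnmatch(ev.path, p) and fnmatch.fnmatch(ev.program, g)
                   for p, g in self.exclusions)

    def evaluate(self, ev: FileEvent):
        """Return an alert dict if ev matches one of the three rules, else None."""
        setuid_now = bool(ev.new_mode & stat.S_ISUID)
        setuid_before = bool(ev.old_mode & stat.S_ISUID)
        owner_priv = ev.new_uid in self.priv_uid_list
        reason = None
        if ev.op == "chmod" and owner_priv and setuid_now and not setuid_before:
            reason = "setuid bit enabled on file owned by privileged uid"
        elif ev.op == "chown" and owner_priv and setuid_now and ev.old_uid != ev.new_uid:
            reason = "setuid file re-owned to privileged uid"
        elif ev.op == "create" and owner_priv and setuid_now:
            reason = "setuid file created owned by privileged uid"
        if reason is None or self.excluded(ev):
            return None
        return {"alert": "Setuid File Created", "reason": reason,
                "path": ev.path, "uid": ev.new_uid, "program": ev.program}


def run_template(template: SetuidTemplate, events):
    """Apply the template to a sequence of events; return the alerts raised."""
    return [a for a in map(template.evaluate, events) if a is not None]


# Constructed sample events (paths and program names are made up).
SAMPLE_EVENTS = [
    # the back door from the manual: a copy of /bin/sh that is setuid root
    FileEvent("create", "/tmp/.sh", "/usr/bin/cp", 0o4755, 0),
    # chmod u+s on a root-owned file
    FileEvent("chmod", "/usr/local/bin/tool", "/usr/bin/chmod", 0o4755, 0,
              old_mode=0o755, old_uid=0),
    # chown of an already-setuid file from uid 500 to root
    FileEvent("chown", "/home/user/helper", "/usr/bin/chown", 0o4755, 0,
              old_mode=0o4755, old_uid=500),
    # ordinary root-owned file without the setuid bit: no alert
    FileEvent("create", "/etc/motd", "/usr/bin/vi", 0o644, 0),
    # setuid bit on a file owned by an unprivileged uid: no alert
    FileEvent("chmod", "/home/user/game", "/usr/bin/chmod", 0o4755, 500,
              old_mode=0o755, old_uid=500),
    # setuid root file written by a trusted installer: suppressed by a pair
    FileEvent("create", "/opt/pkg/bin/su_helper", "/opt/pkg/sbin/installer", 0o4755, 0),
]

# Assumed pathnames_X/programs_X pair for the constructed installer.
SAMPLE_TEMPLATE = SetuidTemplate(
    exclusions=[("/opt/pkg/bin/*", "/opt/pkg/sbin/installer")])

if __name__ == "__main__":
    for alert in run_template(SAMPLE_TEMPLATE, SAMPLE_EVENTS):
        print(alert)
```

Running the block reports three alerts (the /tmp/.sh copy, the chmod, and the chown) and stays silent on the other three events. Dropping uid 0 from priv_uid_list makes the first event disappear from the report, which is the effect the priv_uid_list description above warns about, and removing the exclusion pair makes the installer event alert again.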

Alerts generated by this template

• “Setuid File Created” on page 156

Appendix A    155