Templates and Alerts

Creation of Setuid File Template

Creation of Setuid File Template

The vulnerability A setuid file is one that, if executed, will operate with the permissions of the owner of the addressed by this file, not of the person executing the file. One of the frequent back doors that an intruder

templatewill install on a system is the creation of a copy of the /bin/sh program that is setuid root. Such a file allows any command to be executed as the superuser.

How this template The Setuid (SUID) template detects the creation of files with setuid privileges owned by

addresses the privileged users by monitoring for the following: vulnerability

Modification of the file permissions to enable the setuid bit on a file owned by a privileged user.

Changing the owner of a setuid file to be owned by a privileged user.

Creation of a file that has the setuid bit set and owned by a privileged user.

By detecting the creation of a setuid file as soon as it occurs, the template can provide a timely security report to an administrator regarding a potential security intrusion. There are no known mechanisms in existence for the HP-UX operating system that can provide a near real-time report of the creation of setuid files.

How this template This template supports the following properties: is configured

Table A-13

Template Properties

 

 

 

 

 

 

 

Name

Type

Default Value

 

 

 

 

 

priv_uid_list

III

0 1 2 3 4 5 9 11

 

 

 

 

 

pathnames_X

II

<empty>

 

 

 

 

 

programs_X

II

<empty>

 

 

 

 

Properties

Property: priv_uid_list

 

 

A list of system-level user IDs.

 

This list should contain those users that are considered to have elevated access to the system. Removing any of these means that the creation of a setuid file owned by one of those users will not be detected by this template.

Properties: pathnames_X, programs_X

These properties can be used to filter out alerts generated when a particular program creates or enables a particular privileged setuid file. See “Type II: Pathnames/Programs Pairs” on page 130 for a detailed description of these property pairs.

Alerts generated

• “Setuid File Created” on page 156

by this template

 

Appendix A

155

Page 167
Image 167
HP Host Intrusion Detection System (HIDS) manual Creation of Setuid File Template, Table A-13 Template Properties