HP Host Intrusion Detection System (HIDS) manual Modification of Another User’s File Template

Models: Host Intrusion Detection System (HIDS)

Page 175

Templates and Alerts

Modification of Another User’s File Template

The vulnerability addressed by this template

In many environments, users are expected to be working with their own files. An attacker attempting to compromise the security of a system might cause a system program to modify various files owned by other system users. Because many daemons run as a particular user, this template may generate an alert when a compromised daemon causes such an attack.

How this template addresses the vulnerability

The template, also known as the Not Owned (NO) template, monitors files that are deleted, renamed, modified or open to be modified by users that do not own the files, where a file can be a regular file, a directory, a symbolic link or a special file. Specifically, the template monitors the following modifications or potential modifications of "non-owned" files.

Monitors for successful attempts to open a regular or special file to write or append, or to truncate the file, by users who do not own the file, even when the file's group permissions grant write permission. Also monitors for successful attempts to delete or rename regular files, directories, symbolic links, or special files.

Monitors for changes in ownership or file permissions of files by users who do not own the file.

This template does not determine that a file’s contents were changed, only that a change might have been made (i.e., it does not watch the content of the files, only that a file was opened with write permission). Instead of monitoring write(2) calls that modify files, successful opens to write to or truncate the file by non-owners are monitored to provide early detection of processes that might modify files.
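To make the monitoring rules above concrete, here is an added example (not HP's code and not the HIDS audit record format) that applies the Not Owned template logic to constructed audit events: successful write-intent opens, deletes, renames and ownership or permission changes by a non-owner raise an alert, while pathnames_to_not_watch, uids_to_ignore and uid_pairs_to_ignore suppress it. The Event shape, the reading of a uid pair as (acting uid, owner uid) and the use of Python's os open-flag constants are assumptions.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed defaults taken from Table A-17 (a subset of pathnames_to_not_watch).
PATHNAMES_TO_NOT_WATCH = [r"^/dev/null$", r"^/dev/tty$", r"^/dev/pts/",
                          r"^/var/spool/sockets/pwgr/"]
UIDS_TO_IGNORE = set()
# Assumption: a pair is (acting uid, file owner uid); 0,1 .. 0,4 = root acting on daemon/bin/sys/adm files.
UID_PAIRS_TO_IGNORE = {(0, 1), (0, 2), (0, 3), (0, 4)}

# Any of these open(2) flags means the file may be modified (O_RDONLY is 0, so it never matches).
WRITE_INTENT = os.O_WRONLY | os.O_RDWR | os.O_APPEND | os.O_TRUNC
ACTIONS = {"unlink": "deleted", "rename": "renamed",
           "chown": "changed ownership of", "chmod": "changed permissions of"}

@dataclass
class Event:
    """One audited system call (constructed record shape, not the HIDS audit format)."""
    syscall: str      # "open", "unlink", "rename", "chown" or "chmod"
    uid: int          # uid of the calling process
    path: str         # target file, directory, symlink or special file
    owner_uid: int    # uid that owns the target
    flags: int = 0    # open(2) flags, only used when syscall == "open"
    success: bool = True

def check_not_owned(ev: Event, ignore_paths=PATHNAMES_TO_NOT_WATCH,
                    ignore_uids=UIDS_TO_IGNORE, ignore_pairs=UID_PAIRS_TO_IGNORE) -> Optional[str]:
    """Return an alert line if ev is a non-owner modification the NO template watches, else None."""
    if not ev.success or ev.uid == ev.owner_uid:          # only successful, non-owner calls count
        return None
    if ev.uid in ignore_uids or (ev.uid, ev.owner_uid) in ignore_pairs:
        return None
    if any(re.search(p, ev.path) for p in ignore_paths):  # pathnames_to_not_watch
        return None
    if ev.syscall == "open":
        if not ev.flags & WRITE_INTENT:                   # read-only opens are not reported
            return None
        action = "opened for write/append/truncate"
    elif ev.syscall in ACTIONS:
        action = ACTIONS[ev.syscall]
    else:
        return None
    return f"NO: uid {ev.uid} {action} {ev.path} owned by uid {ev.owner_uid}"

def run(events: List[Event]) -> List[str]:
    """Apply the template to a batch of events and return the alerts raised."""
    return [a for a in (check_not_owned(e) for e in events) if a]

if __name__ == "__main__":
    sample = [Event("open", 1001, "/home/bob/.profile", 1002, os.O_WRONLY | os.O_TRUNC),
              Event("open", 1001, "/home/bob/.profile", 1002, os.O_RDONLY),
              Event("unlink", 0, "/var/adm/wtmp.old", 3),       # root on a sys-owned file: ignored pair
              Event("open", 1001, "/dev/tty", 0, os.O_RDWR)]     # matches pathnames_to_not_watch
    print("\n".join(run(sample)))
```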

How this template is configured

This template supports the following properties:

Table A-17 Template Properties

Name                    Type  Default Value
pathnames_to_not_watch  I     ^/dev/null$ ^/etc/rc.log$ ^/dev/tty$
                              ^/var/opt/OV/tmp/OpC/ ^/var/spool/sockets/pwgr/
                              ^/dev/pts/
uids_to_ignore          III   <empty>
uid_pairs_to_ignore     IV    0,1 0,2 0,3 0,4
pathnames_1             II    ^/var/adm/wtmp$ & ^/dev/tty$
                              ^/var/adm/sulog$ & ^/dev/log$ & ^/dev/tty$
programs_1              II    ^/usr/lbin/rlogind$ & ^/usr/bin/login$ &
                              ^/usr/lbin/telnetd$ & ^/usr/lbin/ftpd$ &
                              ^/usr/bin/tset$ ^/usr/bin/su$
pathnames_X             II    <empty>
programs_X              II    <empty>

Appendix A

163
