McAfee® Host Intrusion Prevention 6.1 Product Guide | Writing Custom Signatures |
| Solaris Custom Signatures |
Note 1
Relevant (X) directives per section:
directive | file | source | file permission | new permission |
|
|
|
|
|
symlink | X | X | - | X |
|
|
|
|
|
read | X | - | - | - |
|
|
|
|
|
write | X | - | - | - |
|
|
|
|
|
unlink | X | - | - | - |
|
|
|
|
|
rename | X | X | - | - |
|
|
|
|
|
chmod | X | - | X | X |
|
|
|
|
|
chown | X | - | - | - |
|
|
|
|
|
create | X | - | X | X |
|
|
|
|
|
mkdir | X | - | - | - |
|
|
|
|
|
rmdir | X | - | - | - |
|
|
|
|
|
chdir | X | - | - | - |
|
|
|
|
|
Note 2
The value of the sections file permissions and new permissions corresponds to the
Access Control List (acl). These can have values of “SUID” or “SGID” only.
Note 3
The directive Unixfile:link has a different meaning when combined with section files and section source:
Combined with section files, it means that creating a link to the file in the section files is monitored.
Combined with section source, it means that no link can be created with the name as specified in the section source.
Note 4
The directive Unixfile:rename has a different meaning when combined with section files and section source:
Combined with section files, it means that renaming of the file in the section files is monitored.
Combined with section source, it means that no file can be renamed to the file in the section source.
A
182