Operating System - HP-UX

Re: Alert 29 in IDS-9000 on file /dev/diag/diag2

Richard Falt
Occasional Advisor

Alert 29 in IDS-9000 on file /dev/diag/diag2

I have just recently installed IDS-9000 on my L1 9000 server running HP-UX 11.00.

I get an enormous amount of alerts (code 29) for a file /dev/diag/diag2.

Is it safe to exclude this file in the template?

Sincerely,

Richard Falt
Theresa Patrie
Regular Advisor

Re: Alert 29 in IDS-9000 on file /dev/diag/diag2

Richard,
I am now seeing the same thing having just installed IDS. What did you find out about this?
Thanks,
Theresa
This is my easy job!
Richard Falt
Occasional Advisor

Re: Alert 29 in IDS-9000 on file /dev/diag/diag2

Theresa,
I never received a "good" answer but I went ahead and excluded this file.

Richard
Steve Steel
Honored Contributor
Solution

Re: Alert 29 in IDS-9000 on file /dev/diag/diag2

Hi

See
http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x4d817d4cf554d611abdb0090277a778c,00.html

It points you to the good documentation.


The following list maps the Code values to the name of the detection
template that generates them.

Code  Detection Template
  5   Buffer overflow attacks
  6   Race condition attacks
  9   Creation of SetUID files
 13   Creation of world-writable files
 15   Repeated failed su commands
 16   Repeated failed logins
 27   Modification of files/directories
 28   Changes to log files
 29   Modification of another user's files
 30   Monitor start of interactive sessions
 31   Monitor logins/logouts


As you can see, an alert 29 comes when this file is accessed by a non-owner, so excluding it is best.

Steve Steel
If you want truly to understand something, try to change it. (Kurt Lewin)
Pierre Pasturel_1
Occasional Advisor

Re: Alert 29 in IDS-9000 on file /dev/diag/diag2

Does your alert detail for these alerts specify which program modified a non-owned file?

Can you post the entire alert detail for one of these alerts?

Pierre


Pierre Pasturel_1
Occasional Advisor

Re: Alert 29 in IDS-9000 on file /dev/diag/diag2

I believe you are seeing alerts for memlogd (running as root) opening /dev/diag/diag2 (owned by bin) for read/write. Although memlogd is not actually modifying the file (it is making an ioctl call to get info about the system), we do flag *potential* modification by non-owner users, which includes opening files with write permission.

Instead of excluding /dev/diag/diag2 by putting it in the "Ignore changes to these files" property of the "Modification of another user's files" template, it would be better to add /dev/diag/diag2 to one of the "Files modified by Program X" templates and add the full pathname of memlogd in the corresponding "Program List X," where X can equal 1, 2, or 3.

We will be updating the default template property values to reduce some of these alerts in our upcoming V2.2 available in late Spring/early Summer.

Pierre
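To make the difference between the two tuning options concrete, here is an added Python model of the alert 29 rule as Pierre describes it (non-owner opens a file with write permission) with the two suppression strategies side by side. This is illustrative code written for this page, not IDS-9000's own logic; the memlogd pathname, the uids and the events are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class OpenEvent:
    """One file-open event as a host IDS would see it (constructed sample)."""
    program: str    # full pathname of the opening process
    uid: int        # effective uid of the process
    path: str       # file being opened
    owner_uid: int  # uid owning the file
    write: bool     # opened with write permission (O_WRONLY / O_RDWR)

ROOT, BIN = 0, 2  # assumed uids for root and bin in this example

def is_potential_modification(ev: OpenEvent) -> bool:
    """Alert 29 rule from the thread: a non-owner opening for write counts,
    even if nothing is ever written (memlogd only issues an ioctl)."""
    return ev.write and ev.uid != ev.owner_uid

def alert29_ignore_files(ev: OpenEvent, ignored: set) -> bool:
    """Blanket exclusion ('Ignore changes to these files'): silences every
    non-owner writer of the path, legitimate or not."""
    return ev.path not in ignored and is_potential_modification(ev)

def alert29_program_list(ev: OpenEvent, templates: list) -> bool:
    """Narrower exclusion ('Files modified by Program X' + 'Program List X'):
    only the listed programs may open the listed files silently."""
    if not is_potential_modification(ev):
        return False
    for programs, files in templates:
        if ev.program in programs and ev.path in files:
            return False
    return True

# Constructed events; "/PLACEHOLDER/memlogd" stands in for the real pathname.
MEMLOGD = OpenEvent("/PLACEHOLDER/memlogd", ROOT, "/dev/diag/diag2", BIN, True)
UNKNOWN = OpenEvent("/tmp/unknown_tool", ROOT, "/dev/diag/diag2", BIN, True)
READER = OpenEvent("/usr/bin/cat", 105, "/dev/diag/diag2", BIN, False)

IGNORED = {"/dev/diag/diag2"}
TEMPLATES = [({"/PLACEHOLDER/memlogd"}, {"/dev/diag/diag2"})]  # Program List 1

if __name__ == "__main__":
    for ev in (MEMLOGD, UNKNOWN, READER):
        print(ev.program, "ignore-files:", alert29_ignore_files(ev, IGNORED),
              "program-list:", alert29_program_list(ev, TEMPLATES))
```

With the blanket exclusion, an unexpected root process opening the device for write is silenced just like memlogd; with the program list, only memlogd is, and the unexpected writer still raises alert 29.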