Week of OSSEC Day 1: Detecting World-Writable Files

Home > Intrusion Detection, Log Analysis > Week of OSSEC Day 1: Detecting World-Writable Files

Week of OSSEC Day 1: Detecting World-Writable Files

October 25th, 2009 Michael Starks Leave a comment Go to comments

The rootcheck component of OSSEC does a good job at detecting files owned by root and which are world-writable. This is a dangerous situation since it can lead to a non-privileged user obtaining root.

Although root owned files are potentially the most dangerous, it’s not only world-writable files owned by root which can lead to bad things. Any time a file is created with o+w permissions, there is potential for harm. Just think about what a local, non-privileged user could do to your web site if they had that access.

Fortunately, OSSEC can detect any changes to this dangerous set of permissions as long as syscheck is monitoring the location (at least for ‘nix). Just add these two rules to your local_rules.xml file (be sure to check for a conflicting rule ID):

<rule id=”100018″ level=”7″>

<if_group>syscheck,</if_group>

<regex>Permissions changed from ‘\D+’ to ‘\D\D\D\D\D\D\Dw\D’</regex>

<description>World-writable File</description>

</rule>

<rule id=”100019″ level=”0″>

<if_sid>100018</if_sid>

<regex>Permissions changed from ‘\D\D\D\D\D\D\Dw\D’ to ‘\D+’</regex>

<description>World-writable File</description>

</rule>

<rule id=”100018″ level=”7″>

<if_group>syscheck,</if_group>

<regex>Permissions changed from ‘\D+’ to ‘\D\D\D\D\D\D\Dw\D’</regex>

<description>World-writable File</description>

</rule>

<rule id=”100019″ level=”0″>

<if_sid>100018</if_sid>

<regex>Permissions changed from ‘\D\D\D\D\D\D\Dw\D’ to ‘\D+’</regex>

<description>World-writable File</description>

</rule>

Perhaps you’re thinking, “why two rules? Wouldn’t one suffice?” Well, one rule will tell you that the permissions changed on a file which could have already been world-writable, so you’ll get alerts for a condition that already existed. The second rule (level 0) basically says, “if the file was already world-writable, don’t bother logging it or alerting me.”

With the i-notify based real time alerting, these rules will allow you to keep tight tabs on your system users. You’ll know right away when someone is creating a potentially unsafe situation.