Week of OSSEC Day 1: Detecting World-Writable Files

The rootcheck component of OSSEC does a good job of detecting files that are owned by root and world-writable. This is a dangerous situation, since it can let a non-privileged user obtain root.

Although root-owned files are potentially the most dangerous, it's not only world-writable files owned by root that can lead to bad things. Any time a file is created with o+w permissions, there is potential for harm. Just think about what a local, non-privileged user could do to your web site if they had that access.

Fortunately, OSSEC can detect any change to this dangerous set of permissions as long as syscheck is monitoring the location (at least on *nix). Just add these two rules to your local_rules.xml file (be sure to check for a conflicting rule ID):

<rule id="100018" level="7">
<if_group>syscheck,</if_group>
<regex>Permissions changed from '\D+' to '\D\D\D\D\D\D\Dw\D'</regex>
<description>World-writable File</description>
</rule>
<rule id="100019" level="0">
<if_sid>100018</if_sid>
<regex>Permissions changed from '\D\D\D\D\D\D\Dw\D' to '\D+'</regex>
<description>World-writable File</description>
</rule>


Perhaps you're thinking, "why two rules? Wouldn't one suffice?" Well, one rule on its own fires whenever the permissions change on a file whose new mode is world-writable, including a file that was already world-writable before the change, so you'd get alerts for a condition that already existed. The second rule (level 0), which matches only when the old mode was already world-writable, basically says, "if the file was already world-writable, don't bother logging it or alerting me."
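To see how the two rules interact, here is the same matching logic written in Python and run over a few constructed syscheck messages. This is an added example, not code from the post or from OSSEC itself: the regexes are the post's two rules translated from OSSEC's dialect (where \D means "any non-digit") into Python, and the function names and sample messages are my own.

```python
import re

# OSSEC's \D ("any character that is not a digit") becomes [^0-9] in Python.
# A syscheck permission string is nine characters (rwxrwxrwx); the 8th
# character is the "other" write bit, so a 'w' there means world-writable.
WORLD_WRITABLE = r"[^0-9]{7}w[^0-9]"

# Rule 100018 from the post: the NEW mode is world-writable.
RULE_100018 = re.compile(
    r"Permissions changed from '[^0-9]+' to '" + WORLD_WRITABLE + r"'")

# Rule 100019 from the post (child of 100018, level 0): the OLD mode was
# already world-writable, so the condition is not new.
RULE_100019 = re.compile(
    r"Permissions changed from '" + WORLD_WRITABLE + r"' to '[^0-9]+'")


def evaluate(message):
    """Return the alert level the two-rule chain produces for one syscheck
    message: 7 when a file has just become world-writable, 0 when it was
    already world-writable (the child rule silences the parent), and None
    when rule 100018 does not match at all."""
    if not RULE_100018.search(message):
        return None
    if RULE_100019.search(message):
        return 0          # already o+w before the change: no alert
    return 7              # transition into o+w: alert


def world_writable_alerts(messages):
    """Return only the messages that would actually alert (level 7)."""
    return [m for m in messages if evaluate(m) == 7]


# Constructed sample messages in the syscheck wording the rules key on
# (not captured from a real OSSEC install).
SAMPLE_MESSAGES = [
    "Permissions changed from 'rw-r--r--' to 'rw-r--rw-'",   # became o+w -> 7
    "Permissions changed from 'rw-rw-rw-' to 'rwxrwxrwx'",   # was already o+w -> 0
    "Permissions changed from 'rw-r--r--' to 'rwxr-xr-x'",   # never o+w -> None
    "Permissions changed from 'rw-r--rw-' to 'rw-r--r--'",   # o+w removed -> None
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(evaluate(msg), msg)
    print("alerts:", world_writable_alerts(SAMPLE_MESSAGES))
```

Running it shows that only the first message alerts: the second is silenced by rule 100019, and the last two never match rule 100018 because the new mode is not world-writable. One caveat worth keeping in mind is that this pair only catches the transition into o+w, so a file that was already world-writable before syscheck started watching its directory will never trigger it; baseline those separately (rootcheck covers the root-owned ones).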

With inotify-based real-time alerting, these rules let you keep tight tabs on your system's users. You'll know right away when someone creates a potentially unsafe situation.

Posted in Intrusion Detection, Log Analysis
One comment on "Week of OSSEC Day 1: Detecting World-Writable Files"
  1. ddpbsd says:

    Awesome rules. Didn’t know I could even do that!

3 Pings/Trackbacks for "Week of OSSEC Day 1: Detecting World-Writable Files"
  1. […] I posted a tip on how OSSEC could alert you to world-writable files. That’s important to know since those files often lead to exploitable […]

  2. […] This post was mentioned on Twitter by Daniel Cid, George K.. George K. said: RT @danielcid Week of OSSEC part 1,2,3: http://bit.ly/3wUXKz http://bit.ly/3Y1ct4 http://bit.ly/32InXX […]

  3. […] year I spoke at a conference on OSSEC and, in celebration, decided to create an entire week of blog posts about OSSEC. It was received pretty well. A few people were even […]
