The rootcheck component of OSSEC does a good job at detecting files owned by root and which are world-writable. This is a dangerous situation since it can lead to a non-privileged user obtaining root.
Although root owned files are potentially the most dangerous, it’s not only world-writable files owned by root which can lead to bad things. Any time a file is created with o+w permissions, there is potential for harm. Just think about what a local, non-privileged user could do to your web site if they had that access.
Fortunately, OSSEC can detect any changes to this dangerous set of permissions as long as syscheck is monitoring the location (at least for ‘nix). Just add these two rules to your local_rules.xml file (be sure to check for a conflicting rule ID):
<rule id=”100018″ level=”7″>
<regex>Permissions changed from ‘\D+’ to ‘\D\D\D\D\D\D\Dw\D'</regex>
<rule id=”100019″ level=”0″>
<regex>Permissions changed from ‘\D\D\D\D\D\D\Dw\D’ to ‘\D+'</regex>
Perhaps you’re thinking, “why two rules? Wouldn’t one suffice?” Well, one rule will tell you that the permissions changed on a file which could have already been world-writable, so you’ll get alerts for a condition that already existed. The second rule (level 0) basically says, “if the file was already world-writable, don’t bother logging it or alerting me.”
With the i-notify based real time alerting, these rules will allow you to keep tight tabs on your system users. You’ll know right away when someone is creating a potentially unsafe situation.