Information on the Disk and Memory Access check of the Object Integrity module on Unix
Article: TECH138886 | Created: 2010-09-01 | Updated: 2012-01-24 | Article URL: http://www.symantec.com/docs/TECH138886
Problem
You want to know what devices get checked by this feature.
Solution
In the current object module, ESM identifies disk and memory device files by their major number. You can use the “Name To Major” template to define additional disk or memory device major numbers beyond the well-known disk and memory device files. In this case, /dev/full is treated as a disk or memory device file because of its major number.
Whether a world-writable device file such as /dev/full on HP-UX is a risk depends on the purpose of the device file. Excluding /dev/full from this check shouldn't be a problem: its purpose is to generate an out-of-space error whenever it is written to, for testing error conditions.
For example, /dev/null and /dev/zero are also fine to leave world-writable, but /dev/kmem is not.
Therefore, you can use the name list in the “Exclude devices” check to exclude device files such as /dev/full from the “Disk and memory access” check. ESM already excludes /dev/dtremote, /dev/null, and /dev/zero from the “Disk and memory access” check.
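The following Python sketch is an added example, not ESM code: it mimics the logic described above (classify device files by major number, report the world-writable ones, skip names on an exclude list) to show why /dev/full is reported unless it is excluded. The major-number map and the sample entries are constructed for illustration; the function names are hypothetical.

```python
import os
import stat

# Assumed "Name To Major"-style map (major number -> device class).
# Constructed values; real major numbers are platform-specific.
NAME_TO_MAJOR = {1: "memory", 8: "disk"}

# Names the article says ESM already excludes, plus /dev/full as a site exclusion.
EXCLUDE_DEVICES = {"/dev/dtremote", "/dev/null", "/dev/zero", "/dev/full"}


def classify(path, mode, rdev, majors, exclude):
    """Return a finding for a world-writable disk/memory device, else None."""
    if not (stat.S_ISCHR(mode) or stat.S_ISBLK(mode)):
        return None                      # not a device file
    kind = majors.get(os.major(rdev))
    if kind is None:
        return None                      # major not registered as disk/memory
    if not mode & stat.S_IWOTH or path in exclude:
        return None                      # not world-writable, or excluded by name
    return {"path": path, "class": kind, "major": os.major(rdev),
            "mode": oct(stat.S_IMODE(mode))}


def scan(entries, majors=NAME_TO_MAJOR, exclude=EXCLUDE_DEVICES):
    """entries: iterable of (path, st_mode, st_rdev) tuples."""
    found = (classify(p, m, r, majors, exclude) for p, m, r in entries)
    return [f for f in found if f]


def dev_entries(root="/dev"):
    """Collect (path, st_mode, st_rdev) for the top level of a live /dev."""
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        st = os.lstat(path)              # lstat: do not follow symlinks
        yield path, st.st_mode, st.st_rdev


# Constructed sample: /dev/full and /dev/null share a major with /dev/kmem.
SAMPLE = [
    ("/dev/kmem", stat.S_IFCHR | 0o666, os.makedev(1, 2)),
    ("/dev/null", stat.S_IFCHR | 0o666, os.makedev(1, 3)),
    ("/dev/full", stat.S_IFCHR | 0o666, os.makedev(1, 7)),
    ("/dev/tty",  stat.S_IFCHR | 0o666, os.makedev(5, 0)),
    ("/dev/sda",  stat.S_IFBLK | 0o660, os.makedev(8, 0)),
    ("/dev/sdb",  stat.S_IFBLK | 0o666, os.makedev(8, 16)),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

To audit a live host with the same logic, call `scan(dev_entries())` after replacing the constructed major-number map with the values for that platform.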