HIPS/3/FILEESCALATION

Message

HIPS/3/FILEESCALATION: The file privilege has been escalated. (eventCategory=[event-category], eventType=[event-type], level=[level], occurTime=[occur-time], result=[result], path=[path], method=[method], slot=[slot], card=[card], cpu=[cpu], barcode=[barcode])

In VS mode, this log is supported only by the admin VS.

Description

A file privilege escalation event has occurred on the device. After compromising a device, an attacker modifies the SUID/SGID bit of an executable file to make the elevated privilege persistent. As a result, the attacker can run high-risk commands even when logged in to the device as a common user.

Parameters

Parameter Name Parameter Meaning

event-category

Event classification:

1016: NE intrusion alarm

event-type

Event type. The options are as follows:

  • File privilege escalation
  • Unauthorized root user
  • Rootkit attack
  • Key file tampering
  • Shell file tampering

level

Event severity.

occur-time

Event date.

result

Operation result.

path

File path.

method

Privilege escalation mode:

  • SUID
  • SGID
  • Improper Permissions

slot

Slot ID.

card

Subcard ID.

cpu

CPU ID.

barcode

Barcode that uniquely identifies a board.
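
Added example (not Huawei's code): a Python parser that a log collector could use to split this message into the documented fields and group the affected paths per board and method. The sample lines and all their field values are constructed, and ignoring any text between the mnemonic and the first colon is an assumption.

```python
import re

# Field names, in the order the message format lists them.
FIELDS = ["eventCategory", "eventType", "level", "occurTime", "result",
          "path", "method", "slot", "card", "cpu", "barcode"]
METHODS = {"SUID", "SGID", "Improper Permissions"}  # documented method values

# Each value ends where the next documented key begins, so a comma or "="
# inside the path value cannot shift the fields that follow it.
_BODY = ", ".join(f"{k}=(?P<{k}>.*?)" for k in FIELDS)
# Assumption: any text between the mnemonic and the first colon is ignored.
_LINE = re.compile(
    r"HIPS/3/FILEESCALATION[^:]*:\s*The file privilege has been escalated\.\s*"
    r"\(" + _BODY + r"\)\s*$")


def parse_fileescalation(line):
    """Return the fields of one FILEESCALATION record, or None if no match."""
    m = _LINE.search(line)
    if m is None:
        return None
    rec = {k: v.strip() for k, v in m.groupdict().items()}
    # Flag undocumented values instead of silently dropping the record.
    rec["known_method"] = rec["method"] in METHODS
    rec["known_category"] = rec["eventCategory"] == "1016"
    return rec


def summarize(lines):
    """Group affected file paths by (barcode, method) for triage."""
    hits = {}
    for line in lines:
        rec = parse_fileescalation(line)
        if rec:
            hits.setdefault((rec["barcode"], rec["method"]), []).append(rec["path"])
    return hits


# Constructed sample input; all field values are illustrative.
_HEAD = "HIPS/3/FILEESCALATION: The file privilege has been escalated. "
SAMPLE = [
    _HEAD + "(eventCategory=1016, eventType=File privilege escalation, level=3, "
    "occurTime=2024-01-01 10:00:00, result=success, path=/tmp/a, b=c, "
    "method=SUID, slot=1, card=0, cpu=0, barcode=EXAMPLE0001)",
    _HEAD + "(eventCategory=1016, eventType=File privilege escalation, level=3, "
    "occurTime=2024-01-01 10:05:00, result=success, path=/usr/local/bin/tool, "
    "method=SGID, slot=1, card=0, cpu=0, barcode=EXAMPLE0001)",
    "OTHER/4/EVENT: An unrelated constructed line.",
]
```
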

Possible Causes

The SUID/SGID bit of an executable file in the system is modified.

Procedure

Isolate the device from the network immediately and submit the log information to Huawei engineers for analysis.

Copyright © Huawei Technologies Co., Ltd.