HIPS/3/KEYFILETAMPERING

Message

HIPS/3/KEYFILETAMPERING: The file has been created or modified. (eventCategory=[event-category], eventType=[event-type], level=[level], occurTime=[occur-time], result=[result], user=[user], loginTime=[login-time], visitorIp=[visitor-ip], path=[file-path], operationType=[operation-type], processPath=[process-path], type=[attribute-type], from=[old-attribute], to=[new-attribute], slot=[slot], card=[card], cpu=[cpu], barcode=[barcode])

In VS mode, this log is supported only by the admin VS.

Description

A key file has been tampered with. After a successful intrusion, attackers may modify key files (such as /etc/passwd, startup script files, crontab files, and key programs) or leave malicious files behind to threaten devices.

Parameters

Parameter Name Parameter Meaning

event-category

Event classification:

1016: NE intrusion alarm

event-type

Event type. The options are as follows:

  • File privilege escalation
  • Unauthorized root user
  • Rootkit attack
  • Key file tampering
  • Shell file tampering

level

Event severity.

occur-time

Event date.

result

Operation result.

user

Operator.

login-time

Login time.

visitor-ip

Login IP.

file-path

Path of the file to be operated.

operation-type

Operation type.

process-path

Path of the process that operates the file.

attribute-type

Attribute change type.

old-attribute

Old attribute.

new-attribute

New attribute.

slot

Slot ID.

card

Subcard ID.

cpu

CPU ID.

barcode

Barcode that uniquely identifies a board.
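
The following added example (not part of the Huawei documentation) parses the message format above into its named fields and groups the touched files by login session, which is the information to collect before handing the log over for analysis. The sample lines and all value formats in them are constructed assumptions; only the field names come from this page.

```python
import re
from collections import defaultdict

# Field names exactly as the message format lists them.
FIELDS = ["eventCategory", "eventType", "level", "occurTime", "result", "user",
          "loginTime", "visitorIp", "path", "operationType", "processPath",
          "type", "from", "to", "slot", "card", "cpu", "barcode"]
_BODY = re.compile(r"HIPS/3/KEYFILETAMPERING: [^(]*\((.*)\)\s*$")
# Split only where a known field name follows ", " so that commas inside a
# value (a file path, for instance) stay part of that value.
_KEY = re.compile(r"(?:^|, )(" + "|".join(FIELDS) + r")=")

def parse_event(line):
    """Return the fields of one KEYFILETAMPERING line as a dict, else None."""
    m = _BODY.search(line)
    if not m:
        return None
    body = m.group(1)
    marks = list(_KEY.finditer(body))
    event = {}
    for i, k in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(body)
        event[k.group(1)] = body[k.end():end]
    return event

def sessions(lines):
    """Group touched files by login session (user, visitorIp, loginTime)."""
    grouped = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev:
            who = (ev.get("user"), ev.get("visitorIp"), ev.get("loginTime"))
            grouped[who].append((ev.get("path"), ev.get("processPath")))
    return dict(grouped)

# Constructed sample lines: every value and value format below is an assumption.
_T = ("HIPS/3/KEYFILETAMPERING: The file has been created or modified. "
      "(eventCategory=1016, eventType=Key file tampering, level=3, "
      "occurTime=2024-05-01 10:00:00, result=success, user=root, "
      "loginTime=2024-05-01 09:55:00, visitorIp=192.0.2.10, path={p}, "
      "operationType=modify, processPath={pp}, type=content, from=-, to=-, "
      "slot=1, card=0, cpu=0, barcode=CONSTRUCTED0001)")
SAMPLE = [_T.format(p="/etc/passwd", pp="/usr/bin/vi"),
          _T.format(p="/etc/cron.d/job, v2", pp="/bin/sh"),
          "OTHER/6/EXAMPLE: unrelated constructed line (a=b)"]

if __name__ == "__main__":
    for who, files in sessions(SAMPLE).items():
        print(who, files)
```
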

Possible Causes

Key files are tampered with.

Procedure

Isolate the device from the network immediately and submit the log information to Huawei engineers for analysis.

Copyright © Huawei Technologies Co., Ltd.