Administrator's Guide
Templates and Alerts
Race Condition Template
Appendix A
142
Properties
• Property: priv_uid_list
A list of system-level user IDs.
This list should contain those users that are considered to have elevated access to
the system. Removing any of these means that an attack against one of those users
will not be detected by this template.
• Property: pathnames_to_not_watch
Pathnames of programs that can be safely ignored.
Any race condition alert for a file whose pathname is matched by a regular
expression in the pathnames_to_not_watch property will be filtered out and not
reported. This property can be used to filter alerts generated when a privileged
setuid script is executed; the full pathname of the script needs to be specified.
• Properties: pathnames_X, programs_X
These properties can be used to filter out race condition alerts generated when a
particular program modifies the file reference of a privileged program for a
particular file. See “Type II: Pathnames/Programs Pairs” on page 130 for a detailed
description of these property pairs.
Alerts generated by this template
• “File Reference Modification” on page 142
• “Privileged Setuid Script Executed” on page 144
File Reference Modification
This template generates and forwards the following alert to a response program when
the file reference in a privileged program is modified unexpectedly:
Table A-7 File Reference Modification Alert Properties

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[1] | Template code | Integer | 1 | Unique code assigned to template |
| argv[2] | Version | Integer | 2 | Version of the template |
| argv[3] | Severity | Integer | 1 | Critical severity |
| argv[4] | UTC Time | Integer | <secs> | UTC time in number of seconds since epoch when an unexpected file reference is detected. |
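
As an added example (not code from this guide or the product), a response program could validate and decode the four arguments listed above as follows. It assumes a Python interpreter is available on the monitored host; the function names, the log-line format and the 10-digit cap are hypothetical, and any arguments after argv[4] are kept uninterpreted.

```python
#!/usr/bin/env python3
"""Added example: response program reading argv[1]..argv[4] of a
File Reference Modification alert. Only the four fields listed in
Table A-7 above are interpreted; further arguments are kept raw."""
import sys
from datetime import datetime, timezone

# Field order as documented in Table A-7 (argv[1]..argv[4]).
FIELDS = ("template_code", "version", "severity", "utc_time")
# Only severity 1 (critical) is documented on this page.
SEVERITY_NAMES = {1: "critical"}


def parse_alert(argv):
    """Validate and decode the alert arguments; raise ValueError on bad input."""
    if len(argv) < len(FIELDS) + 1:
        raise ValueError("expected at least %d alert arguments" % len(FIELDS))
    alert = {}
    for name, raw in zip(FIELDS, argv[1:]):
        # All four fields are typed Integer. Reject anything else so that
        # unvalidated text never reaches the log (hypothetical 10-digit cap).
        if not (raw.isascii() and raw.isdigit() and len(raw) <= 10):
            raise ValueError("%s is not a valid integer: %r" % (name, raw))
        alert[name] = int(raw)
    alert["severity_name"] = SEVERITY_NAMES.get(alert["severity"], "unknown")
    alert["detected_at"] = datetime.fromtimestamp(
        alert["utc_time"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    alert["extra"] = list(argv[len(FIELDS) + 1:])  # not interpreted here
    return alert


def format_log_line(alert):
    """One line per alert, suitable for appending to a local log."""
    return ("ids-alert template=%(template_code)d version=%(version)d "
            "severity=%(severity_name)s detected_at=%(detected_at)s" % alert)


if __name__ == "__main__":
    try:
        print(format_log_line(parse_alert(sys.argv)))
    except ValueError as err:
        sys.stderr.write("malformed alert: %s\n" % err)
        sys.exit(2)
```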