Administrator's Guide

Templates and Alerts
Race Condition Template
Appendix A
143
NOTE Refer to Table B-1 in Appendix B for the definition of argv[10] through argv[32] and to Table B-2 for the definition of argv[33] through argv[41], which can be used to access specific alert information (i.e., pid, ppid) without having to parse the string alert fields above.
Table A-7 File Reference Modification Alert Properties (Continued)

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[5] | Attacker | String | "uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>" | The user ID, group ID, process ID, and parent process ID of the process, if known, that modified a privileged program's file reference. All values set to -1 if attacker is not known. |
| argv[6] | Target of Attack | String | "file=<full pathname>, mode=<mode>,uid=<uid>,gid=<gid>, inode=<inode>,device=<device>" | The full pathname of the file whose reference was modified, and the file's mode, uid, gid, inode, and device number. |
| argv[7] | Summary | String | "File reference change" | Alert summary |
| argv[8] | Details | String | "File reference for file <full pathname>(type=<type>, inode=<inode>, device=<device>), has changed unexpectedly for process with pid <pid> and ppid <ppid> when executing <program>(type=<type>, inode=<inode>, device=<device>). Attacker is process <pid> when executing <program>(type=<type>, inode=<inode>, device=<device>)." | Detailed alert description |
| argv[9] | Local Time | Integer | <secs> | Local time in number of seconds since epoch when an unexpected file reference is detected. |
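As an added illustration (not code from the guide or from the product), the following Python response program parses the argv[5] and argv[6] string fields exactly as Table A-7 formats them and builds one log record per alert. It assumes only the argv layout shown in the table (argv[5] attacker, argv[6] target, argv[7] summary, argv[8] details, argv[9] local time); the meaning of argv[1] through argv[4] is documented on the preceding page and is left as placeholders here, and the sample argument list is constructed for the example. The two points a practitioner needs to get right are the inconsistent comma separators in the formats and the all -1 convention for an unknown attacker.

```python
"""Response program skeleton for the File Reference Modification alert.

Parses the string fields of Table A-7 (argv[5], argv[6]) and writes a single
log record. Added example; not part of the Administrator's Guide.
"""
import sys

UNKNOWN = -1  # Table A-7: all attacker values are -1 when the attacker is not known


def parse_kv_field(field):
    """Split a 'key=value, key=value' alert string into a dict.

    Table A-7 separates elements with ',' both with and without a following
    space, so split on ',' and strip whitespace around each piece.
    Caveat (assumption): a full pathname containing a comma would be split
    here; callers treat a missing 'file' key as a parse failure.
    """
    result = {}
    for piece in field.split(","):
        piece = piece.strip()
        if not piece:
            continue
        key, sep, value = piece.partition("=")
        if not sep:
            raise ValueError("malformed alert field element: %r" % piece)
        result[key.strip()] = value.strip()
    return result


def parse_attacker(field):
    """argv[5]: 'uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>' -> ints plus a 'known' flag."""
    kv = parse_kv_field(field)
    attacker = {k: int(kv[k]) for k in ("uid", "gid", "pid", "ppid")}
    # Attacker is unknown only when every value is -1, as the table states.
    attacker["known"] = not all(v == UNKNOWN for v in attacker.values())
    return attacker


def parse_target(field):
    """argv[6]: 'file=<path>, mode=<mode>,uid=<uid>,gid=<gid>, inode=<inode>,device=<device>'."""
    kv = parse_kv_field(field)
    if "file" not in kv:
        raise ValueError("target field has no 'file' element: %r" % field)
    target = {"file": kv["file"]}
    # The guide does not define the textual format of mode/device, so keep the
    # raw strings rather than guessing a numeric base.
    for k in ("mode", "uid", "gid", "inode", "device"):
        target[k] = kv.get(k)
    return target


def summarize_alert(argv):
    """Build a one-line record from an argv list laid out as in Table A-7."""
    if len(argv) < 10:
        raise ValueError("expected at least 10 arguments, got %d" % len(argv))
    attacker = parse_attacker(argv[5])
    target = parse_target(argv[6])
    secs = int(argv[9])  # argv[9]: local time, seconds since epoch
    if attacker["known"]:
        who = "pid %d (ppid %d, uid %d)" % (attacker["pid"], attacker["ppid"], attacker["uid"])
    else:
        who = "unknown process"
    return "t=%d %s: %s modified reference to %s (inode %s, device %s)" % (
        secs, argv[7], who, target["file"], target["inode"], target["device"])


if __name__ == "__main__":
    # Constructed sample invocation; argv[1]..argv[4] are placeholders for the
    # fields documented on the preceding page of Table A-7.
    sample_argv = [
        "respond.py", "<argv1>", "<argv2>", "<argv3>", "<argv4>",
        "uid=0, gid=3, pid=4321, ppid=4300",
        "file=/tmp/foo.conf, mode=0644,uid=0,gid=0, inode=12345,device=64",
        "File reference change",
        "File reference for file /tmp/foo.conf ... has changed unexpectedly",
        "1000000000",
    ]
    argv = sys.argv if len(sys.argv) >= 10 else sample_argv
    print(summarize_alert(argv))
```

When the product invokes the script with the real argument list, `sys.argv` is used directly; with fewer than ten arguments the constructed sample is parsed instead so the script can be exercised offline. A record whose attacker is "unknown process" is worth routing differently from one with a resolved pid, since the table says the -1 values mean the modifying process could not be identified.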