Administrator's Guide
Templates and Alerts
Changes to Log File Template
Appendix A
153
These properties filter out the alerts that would otherwise be generated when a particular
program modifies a particular file in some way other than appending to it. See “Type II:
Pathnames/Programs Pairs” on page 130 for a detailed description of these property
pairs.
Alerts generated by this template:
• “Append-Only File Being Modified” on page 153
Append-Only File Being Modified
This template generates the following alert and forwards it to a response program whenever a
file is modified in any way other than being appended to:
Table A-12 Append-Only File Being Modified Alert Properties

Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[1] | Template code | Integer | 3 | Unique code assigned to the template
argv[2] | Version | Integer | 2 | Version of the template
argv[3] | Severity | Integer | 2 | Severity
argv[4] | UTC Time | Integer | <secs> | UTC time, in seconds since the epoch, at which the file was modified
argv[5] | Attacker | String | “uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>” | The user ID, group ID, process ID, and parent process ID of the process that modified the file
argv[6] | Target of Attack | String | “file=<full pathname>,mode=<mode>,uid=<uid>,gid=<gid>,inode=<inode>,device=<device>” | The full pathname of the file that was modified, and the file’s mode, uid, gid, inode, and device number
argv[7] | Summary | String | “Append-only file modified or potentially modified” | Alert summary
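The following is an added example of a response program that consumes the seven arguments laid out in Table A-12; it is not code shipped with the product or taken from this guide. Everything beyond the documented argv layout is an assumption: the function and field names, the acceptance of optional whitespace after the commas in argv[5] and argv[6], and the decision to reject alerts whose template code or version do not match the table. The one point worth taking from it is that argv[6] must not be split naively on commas, because the full pathname comes first and may itself contain commas, spaces or “=”; the parser below anchors on the five fixed trailing fields instead.

```python
"""Response program for the Append-Only File Being Modified alert (Table A-12).

Added example, not product code. Only the argv layout comes from the table;
names, whitespace tolerance and the strict code/version check are assumptions.
"""
import re
import sys
from dataclasses import dataclass, asdict

# Fixed values from Table A-12: template code 3, template version 2.
TEMPLATE_CODE = 3
TEMPLATE_VERSION = 2

# argv[5]: "uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>"
# (assumption: whitespace after each comma is optional)
ATTACKER_RE = re.compile(r"uid=(\d+),\s*gid=(\d+),\s*pid=(\d+),\s*ppid=(\d+)")

# argv[6]: "file=<full pathname>,mode=<mode>,uid=<uid>,gid=<gid>,inode=<inode>,device=<device>"
# The pathname is matched greedily and the five trailing fields are anchored at
# the end, so a pathname that contains commas, spaces or '=' is recovered intact.
TARGET_RE = re.compile(
    r"file=(.*),\s*mode=([^,\s]+),\s*uid=(\d+),\s*gid=(\d+),\s*inode=(\d+),\s*device=([^,\s]+)"
)


@dataclass(frozen=True)
class AppendOnlyAlert:
    template_code: int
    version: int
    severity: int
    utc_time: int          # seconds since the epoch (argv[4])
    attacker_uid: int
    attacker_gid: int
    attacker_pid: int
    attacker_ppid: int
    file: str
    mode: str              # kept as text; the table does not fix its notation
    file_uid: int
    file_gid: int
    inode: int
    device: str            # kept as text for the same reason
    summary: str


def parse_attacker(field):
    """Split argv[5] into (uid, gid, pid, ppid) as integers."""
    m = ATTACKER_RE.fullmatch(field.strip())
    if not m:
        raise ValueError(f"malformed Attacker field: {field!r}")
    return tuple(int(x) for x in m.groups())


def parse_target(field):
    """Split argv[6] into (file, mode, uid, gid, inode, device)."""
    m = TARGET_RE.fullmatch(field.strip())
    if not m:
        raise ValueError(f"malformed Target of Attack field: {field!r}")
    file, mode, uid, gid, inode, device = m.groups()
    return file, mode, int(uid), int(gid), int(inode), device


def parse_alert(argv):
    """argv is the full vector the response program receives: argv[0] is the
    program itself, argv[1]..argv[7] are the fields of Table A-12."""
    if len(argv) < 8:
        raise ValueError(f"expected 7 alert arguments, got {len(argv) - 1}")
    code, version = int(argv[1]), int(argv[2])
    if code != TEMPLATE_CODE:
        raise ValueError(f"template code {code} is not the append-only template ({TEMPLATE_CODE})")
    if version != TEMPLATE_VERSION:
        raise ValueError(f"unsupported template version {version}")
    a_uid, a_gid, a_pid, a_ppid = parse_attacker(argv[5])
    file, mode, f_uid, f_gid, inode, device = parse_target(argv[6])
    return AppendOnlyAlert(code, version, int(argv[3]), int(argv[4]),
                           a_uid, a_gid, a_pid, a_ppid,
                           file, mode, f_uid, f_gid, inode, device, argv[7])


def format_record(alert):
    """One key=value line per alert for an audit log. String values are
    emitted with repr(), so a pathname containing spaces, commas or quotes
    stays a single unambiguous field."""
    return " ".join(f"{k}={v!r}" for k, v in asdict(alert).items())


if __name__ == "__main__":
    try:
        alert = parse_alert(sys.argv)
    except ValueError as exc:
        print(f"response program: {exc}", file=sys.stderr)
        sys.exit(2)
    print(format_record(alert))
```

Run as the configured response program, the script exits 2 on any argument it cannot interpret rather than logging a half-parsed record; whether to alert on that failure itself is a local policy choice.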