Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP Host Intrusion Detection System (HIDS)

161

162

163

164

165

166

167

168

169

170

Templates and Alerts

Changes to Log File Template

Appendix A

154

NOTE Refer to Table B-1 in Appendix B for the deﬁnition of argv[10] through argv[32] that can

be used to access speciﬁc alert information (i.e., pid, ppid) without having to parse the

string alert ﬁelds above.

Limitations • The template cannot distinguish between whether a ﬁle is created or truncated

when creat(2) is invoked.

argv[8] Details String “User with uid <uid> <performed

action on the ﬁle> <full

pathname>(type=<type>,inode=<inod

e>, device<device>) when executing

<program>(type=<type>,inode=<inod

e>,device=<device>), invoked as

follows: <argv[0]> <argv[1]>..., as

process with pid <pid> and ppid

<ppid> and running with effective

uid=<euid> and with effective

gid=<egid>.

where <performed action on the ﬁle>

is set to one of the following:

"opened for modiﬁcation/truncation"

"deleted the ﬁle"

"deleted the directory"

"performed system call <value> on

the ﬁle"

"renamed the ﬁle"

"truncated the ﬁle"

"created the ﬁle (and overwrote any

existing ﬁle) named"

Detailed alert

description

argv[9] Local Time Integer <secs> Local time in

number of seconds

since epoch when

ﬁle is modiﬁed

Table A-12 Append-Only File Being Modiﬁed Alert Properties (Continued)

Response

Program

Argument

Alert

Field

Alert Field

Type

Alert Value/Format Description