Host Intrusion Detection System Administrator's Guide Release 3.0

Templates and Alerts
Modification of Files/Directories Template
Appendix A
150
Table A-10 File Being Modified Alert Properties (Continued)

Columns: Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description

Response Program Argument: argv[8]
Alert Field: Details
Alert Field Type: String
Alert Value/Format:
    "User with uid<uid> <performed action on the file> <full pathname> (type=<type>, inode=<inode>, device=<device>) when executing <program>(type=<type>,inode=<inode>,device=<device>), invoked as follows: <argv[0]><argv[1]>..., as process with pid <pid> and ppid <ppid> and running with effective uid=<euid> and with effective gid=<egid>."
    where <performed action on the file> is set to one of the following:
        "changed the owner of"
        "changed the permission of"
        "opened for modification/truncation"
        "renamed the file"
        "created the file (and overwrote any existing file) named"
        "truncated the file"
        "created as a hard link"
        "created as a symbolic link"
        "created the directory"
        "created the file"
        "created the character special file"
        "created the block special file"
        "created the pipe (fifo) file"
        "deleted the file"
        "deleted the directory"
        "performed system call <#> on the file"
Description: Detailed alert description

Response Program Argument: argv[9]
Alert Field: Local Time
Alert Field Type: Integer
Alert Value/Format: <secs>
Description: Local time in number of seconds since epoch when the file is modified.
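As an added example that is not part of this guide, the following Python helper parses the argv[8] Details string into its fields using the layout and action phrases listed above, the way a response program would before deciding how to react. The sample Details string, including its type, inode and device values, is constructed for illustration; a response program receiving a real alert reads the string from its own argv[8].

```python
import re
import sys

# Action phrases listed for argv[8] in Table A-10, longest first so the regex
# alternation prefers "created the file (and overwrote ...) named" over "created the file".
ACTIONS = sorted([
    "changed the owner of", "changed the permission of", "opened for modification/truncation",
    "renamed the file", "created the file (and overwrote any existing file) named",
    "truncated the file", "created as a hard link", "created as a symbolic link",
    "created the directory", "created the file", "created the character special file",
    "created the block special file", "created the pipe (fifo) file",
    "deleted the file", "deleted the directory",
], key=len, reverse=True)
_ACTION_ALT = "|".join([re.escape(a) for a in ACTIONS]
                       + [r"performed system call \d+ on the file"])  # <#> = syscall number

DETAILS_RE = re.compile(
    r"^User with uid(?P<uid>\d+) (?P<action>" + _ACTION_ALT + r") (?P<path>.+?) "
    r"\(type=(?P<ftype>[^,]+), inode=(?P<inode>\d+), device=(?P<device>[^)]+)\) "
    r"when executing (?P<program>.+?)"
    r"\(type=(?P<ptype>[^,]+),inode=(?P<pinode>\d+),device=(?P<pdevice>[^)]+)\), "
    r"invoked as follows: (?P<argv>.*?), as process with pid (?P<pid>\d+) and ppid (?P<ppid>\d+) "
    r"and running with effective uid=(?P<euid>\d+) and with effective gid=(?P<egid>\d+)\.$"
)

def parse_details(details):
    """Split an argv[8] Details string into its fields; None if it does not
    follow the documented layout. Numeric fields are converted to int."""
    m = DETAILS_RE.match(details)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("uid", "inode", "pinode", "pid", "ppid", "euid", "egid"):
        fields[key] = int(fields[key])
    return fields

# Constructed sample (not a real alert); type/inode/device values are made up.
SAMPLE = (
    "User with uid0 created the file (and overwrote any existing file) named /etc/passwd "
    "(type=file, inode=131202, device=2049) when executing "
    "/usr/bin/cp(type=file,inode=9153,device=2049), invoked as follows: "
    "/usr/bin/cp /tmp/passwd /etc/passwd, as process with pid 4242 and ppid 4100 "
    "and running with effective uid=0 and with effective gid=0."
)

if __name__ == "__main__":
    # When run as a HIDS response program, the Details string arrives as argv[8].
    print(parse_details(sys.argv[8] if len(sys.argv) > 8 else SAMPLE))
```

A parse result of None means the string did not follow the documented layout and should be logged as-is rather than acted on.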