Host Intrusion Detection System Administrator's Guide Release 3.0

Templates and Alerts
Modification of Files/Directories Template
Appendix A
151
NOTE Refer to Table B-1 in Appendix B for the definitions of argv[10] through argv[32], which
can be used to access specific alert information (e.g., pid, ppid) without having to parse the
string alert fields above.
Limitations The template cannot distinguish between a new file being created and an existing
file being opened read-only when open(2) is invoked with the O_CREAT and
O_RDONLY flags: the same flags are passed in both cases, but only the first
modifies the file system. Likewise, the template cannot distinguish between a new file
being created and an existing file being truncated when creat(2) is invoked. This
limitation matters less for creat(2), because creat(2) either creates
a new file or truncates an existing one, and both are conditions that warrant an alert.
The template cannot detect a change in the ownership of a symbolic link made with
lchown(2), which acts on the link itself rather than on the file it points to.
The template cannot detect that a process gains append mode on a file it already has
open by invoking fcntl(2) with the F_SETFL command and the O_APPEND flag, since no
new open(2) call is made.
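The four call patterns listed above, exercised by a short C program so the behavior each limitation describes can be observed directly. This is an added example, not code from the HIDS product or from this guide; it assumes a writable /tmp and an ordinary unprivileged user (lchown is applied with the caller's own group so that it does not require root). Each function creates its own scratch file, performs the call in question, and returns what happened to the file.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Creates an empty scratch file under /tmp (assumption: /tmp is writable) and
 * copies its path into `path` (at least 32 bytes). Returns 0 on success. */
static int make_tmp(char *path) {
    strcpy(path, "/tmp/hids-demo-XXXXXX");   /* hypothetical name, constructed here */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Overwrites `path` with `data`. Returns 0 on success. */
static int put(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    size_t n = strlen(data);
    int ok = write(fd, data, n) == (ssize_t)n;
    close(fd);
    return ok ? 0 : -1;
}

/* Reads up to len-1 bytes of `path` into buf (NUL-terminated). Returns bytes read or -1. */
static ssize_t get(const char *path, char *buf, size_t len) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Limitation 1: open(2) with O_CREAT|O_RDONLY on a file that already exists.
 * The flags look like a creation, but nothing is created or written.
 * Returns 1 if the existing contents survived the call untouched. */
int open_creat_rdonly_leaves_file_intact(void) {
    char path[32], buf[16];
    if (make_tmp(path) < 0 || put(path, "original") < 0) return -1;
    int fd = open(path, O_RDONLY | O_CREAT, 0600);
    if (fd < 0) { unlink(path); return -1; }
    close(fd);
    ssize_t n = get(path, buf, sizeof buf);
    unlink(path);
    return n == 8 && strcmp(buf, "original") == 0;
}

/* Limitation 2: creat(2) on an existing file truncates it. Returns the size
 * after the call: whether creat(2) created or truncated, the file was modified. */
long creat_on_existing_file_truncates(void) {
    char path[32];
    struct stat st;
    if (make_tmp(path) < 0 || put(path, "original") < 0) return -1;
    int fd = creat(path, 0600);
    if (fd < 0) { unlink(path); return -1; }
    close(fd);
    int rc = stat(path, &st);
    unlink(path);
    return rc == 0 ? (long)st.st_size : -1;
}

/* Limitation 3: lchown(2) changes the ownership of the symbolic link itself and
 * never touches the target. Returns 1 if the link's group was set to the
 * caller's effective gid while the target's group stayed as it was. */
int lchown_affects_link_not_target(void) {
    char target[32], lnkpath[40];
    struct stat before, lnk, after;
    if (make_tmp(target) < 0) return -1;
    snprintf(lnkpath, sizeof lnkpath, "%s.lnk", target);
    if (symlink(target, lnkpath) < 0 || stat(target, &before) < 0) { unlink(target); return -1; }
    int ok = lchown(lnkpath, (uid_t)-1, getegid()) == 0
             && lstat(lnkpath, &lnk) == 0 && stat(target, &after) == 0
             && lnk.st_gid == getegid() && after.st_gid == before.st_gid;
    unlink(lnkpath);
    unlink(target);
    return ok;
}

/* Limitation 4: a descriptor opened WITHOUT O_APPEND gains append mode through
 * fcntl(F_SETFL, O_APPEND); no new open(2) occurs. The second write lands at the
 * end even though the offset was rewound to 0. Returns 1 if the file reads "AAAABB". */
int fcntl_grants_append_mode(void) {
    char path[32], buf[16];
    if (make_tmp(path) < 0 || put(path, "AAAA") < 0) return -1;
    int fd = open(path, O_WRONLY);
    if (fd < 0) { unlink(path); return -1; }
    int flags = fcntl(fd, F_GETFL);
    if (flags < 0 || fcntl(fd, F_SETFL, flags | O_APPEND) < 0) { close(fd); unlink(path); return -1; }
    lseek(fd, 0, SEEK_SET);             /* without O_APPEND this write would overwrite "AA" */
    int wrote = write(fd, "BB", 2) == 2;
    close(fd);
    ssize_t n = wrote ? get(path, buf, sizeof buf) : -1;
    unlink(path);
    return n == 6 && strcmp(buf, "AAAABB") == 0;
}

int main(void) {
    printf("open(O_CREAT|O_RDONLY) left existing file intact: %d\n", open_creat_rdonly_leaves_file_intact());
    printf("size after creat(2) on existing file:            %ld\n", creat_on_existing_file_truncates());
    printf("lchown(2) changed link, not target:              %d\n", lchown_affects_link_not_target());
    printf("fcntl(F_SETFL, O_APPEND) appended:               %d\n", fcntl_grants_append_mode());
    return 0;
}
```

Compile with `cc -o hids-demo hids-demo.c` and run it as a normal user. The first case is the one that matters for tuning: a monitor that alerts on O_CREAT will fire on the read-only open of an existing file, which is a false positive, while the creat(2) case is a true modification either way. The last two cases show file-system changes that produce no open(2) of the affected file at all, which is why the template has nothing to match on.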