Host Intrusion Detection System Administrator's Guide Release 3.0
Templates and Alerts
Creation of Setuid File Template
Appendix A
157
Table A-14 Setuid File Created Alert Properties (Continued)

Columns: Response Program Argument; Alert Field; Alert Field Type; Alert Value/Format; Description

argv[8]
  Alert Field: Details
  Alert Field Type: String
  Alert Value/Format:
    "User with uid <uid> <performed action on> the file <full pathname>(type=<type>,inode=<inode>,device=<device>) when executing <program>(type=<type>,inode=<inode>,device=<device>), invoked as follows: <argv[0]> <argv[1]>..., as process with pid <pid> and ppid <ppid> and running with effective uid=<euid> and with effective gid=<egid>."
    where <performed action on> is set to one of the following:
      "created the setuid file"
      "changed the owner of the setuid file"
      "enabled the setuid bit on file"
      "performed system call <number> on the file"
  Description: Detailed alert description

argv[9]
  Alert Field: Local Time
  Alert Field Type: Integer
  Alert Value/Format: <secs>
  Description: Local time in number of seconds since epoch when a privileged setuid file is created.

NOTE: Refer to Table B-1 in Appendix B for the definition of argv[10] through argv[32], which can be used to access specific alert information (e.g., pid, ppid) without having to parse the string alert fields above.

Limitations
  • The template cannot distinguish between whether a file is created or truncated when creat(2) is invoked.
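As an added example (not code from the guide or from HIDS itself), the following Python splits an argv[8] Details string laid out as in Table A-14 into named fields and applies a small, illustrative triage policy of the kind a response program might use; the sample alert text is constructed, and the `triage` rules are assumptions, not anything the guide prescribes. The guide's note that argv[10] through argv[32] carry pid, ppid and similar values directly still stands; this only shows how the Details string is composed.

```python
import re

# Regex for the argv[8] Details layout in Table A-14. The four <performed action on>
# phrases are matched literally (the system call number is captured for the last one).
# The optional " the file" accepts both the literal template wording
# ("<action> the file <path>") and the shorter "created the setuid file <path>" form.
DETAILS_RE = re.compile(
    r"User with uid (?P<uid>\d+) "
    r"(?P<action>created the setuid file|changed the owner of the setuid file"
    r"|enabled the setuid bit on file|performed system call (?P<syscall>\d+) on the file)"
    r"(?: the file)? (?P<path>.+?)"
    r"\(type=(?P<ftype>[^,]*),inode=(?P<inode>\d+),\s*device=(?P<device>[^)]*)\) when executing "
    r"(?P<program>.+?)\(type=(?P<ptype>[^,]*),inode=(?P<pinode>\d+),device=(?P<pdevice>[^)]*)\),"
    r"\s*invoked as follows: (?P<cmdline>.*?), as process with pid (?P<pid>\d+) "
    r"and ppid (?P<ppid>\d+) and running with effective uid=(?P<euid>\d+) "
    r"and with effective gid=(?P<egid>\d+)\.$"
)

INT_FIELDS = ("uid", "syscall", "inode", "device", "pinode", "pdevice",
              "pid", "ppid", "euid", "egid")

def parse_details(details):
    """Return the Details string as a dict; numeric fields become ints."""
    m = DETAILS_RE.match(details.strip())
    if not m:
        raise ValueError("Details string does not match the Table A-14 layout")
    fields = m.groupdict()
    for name in INT_FIELDS:
        if fields.get(name) is not None and fields[name].isdigit():
            fields[name] = int(fields[name])
    return fields

def triage(fields):
    """Illustrative policy (an assumption, not from the guide): reasons the alert
    deserves a closer look. An empty list means none of the rules fired."""
    reasons = []
    if fields["action"] == "created the setuid file":
        reasons.append("new setuid file: " + fields["path"])
    if fields["euid"] == 0 and fields["uid"] != 0:
        reasons.append("uid %d acting with effective uid 0" % fields["uid"])
    if fields["path"].startswith("/tmp/"):
        reasons.append("setuid file placed under /tmp")
    return reasons

# Constructed sample in the documented format (not a real HIDS alert).
SAMPLE_DETAILS = (
    "User with uid 501 created the setuid file /tmp/.x(type=file,inode=8811,device=64000) "
    "when executing /usr/bin/cp(type=file,inode=2048,device=64000),invoked as follows: "
    "cp -p x /tmp/.x, as process with pid 4242 and ppid 4100 and running with "
    "effective uid=0 and with effective gid=3."
)
```

Calling `triage(parse_details(SAMPLE_DETAILS))` returns three reasons for the constructed sample; a string that does not follow the documented layout raises ValueError rather than yielding partial fields.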