Host Intrusion Detection System Administrator's Guide Release 3.0

Templates and Alerts
Modification of Another User’s File Template
Appendix A
164
Properties

These fields need to be configured based on the individual machine configuration and
usage.
Property: pathnames_to_not_watch
Pathnames of files that can be safely ignored if they are modified by non-owners.
Property: uids_to_ignore
User ids in this list will allow those users to modify files they do not own without
generating an alert. It is recommended that this property is left blank unless
specifically needed.
Property: uid_pairs_to_ignore
A list of user id pairs for which an alert is not generated if the effective uid of the
process modifying the file matches the first member of a pair and the owner of the
file being modified matches the corresponding second member of the pair. For
example, the pair [0,1] causes all alerts where user root (uid 0) modifies files owned
by user bin (uid 1) to be filtered. The pair is ordered: [0,1] does not filter alerts
where user bin modifies files owned by root.
Properties: pathnames_X, programs_X
These properties can be used to filter out alerts generated when a particular
program modifies a particular file owned by another user. See “Type II:
Pathnames/Programs Pairs” on page 130 for a detailed description of these property
pairs.
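The filter semantics of the four property groups above, together with the severity values
given in Table A-18 on this page, can be modeled in a few lines. The following is an added
example written for this guide page; it is not HP-UX HIDS code and it does not read the
product's template files. The event record, the operation names, the flattening of each
pathnames_X/programs_X pair into a single (pathname, program) tuple, and the function names
are all assumptions made for the illustration.

```python
# Added example: a model of the alert filter for the "Modification of Another
# User's File" template. Not HP-UX HIDS code; the event format and the
# operation names below are constructed for the illustration.
from dataclasses import dataclass

# Severity per Table A-18: 2 for truncate / potential truncate / delete / rename,
# 3 for mode or ownership change, or open for writing / appending.
SEVERITY_BY_OPERATION = {
    "truncate": 2,
    "potential_truncate": 2,
    "delete": 2,
    "rename": 2,
    "chmod": 3,
    "chown": 3,
    "open_write": 3,
    "open_append": 3,
}

TEMPLATE_CODE = 6   # argv[1] per Table A-18
TEMPLATE_VERSION = 2  # argv[2] per Table A-18


@dataclass(frozen=True)
class FileEvent:
    """One observed modification (constructed record, not the product's format)."""
    pathname: str
    operation: str   # a key of SEVERITY_BY_OPERATION
    euid: int        # effective uid of the modifying process
    owner_uid: int   # uid that owns the file
    program: str     # pathname of the program performing the modification


@dataclass(frozen=True)
class TemplateProperties:
    """The template's filter properties, using the guide's property names."""
    pathnames_to_not_watch: tuple = ()
    uids_to_ignore: tuple = ()
    uid_pairs_to_ignore: tuple = ()        # ordered (euid, owner_uid) pairs
    pathname_program_pairs: tuple = ()     # assumption: flattened pathnames_X/programs_X


def evaluate(event, props):
    """Return (suppressing_property, severity).

    suppressing_property is None when an alert is generated (and severity is set);
    otherwise it names the property that filtered the event and severity is None.
    Any single matching filter suppresses the alert, so the check order does not
    change the outcome, only which reason is reported.
    """
    if event.euid == event.owner_uid:
        return ("owner", None)            # owner modifying own file: not in scope
    if event.pathname in props.pathnames_to_not_watch:
        return ("pathnames_to_not_watch", None)
    if event.euid in props.uids_to_ignore:
        return ("uids_to_ignore", None)
    # The pair is ordered: first member is the modifier, second is the file owner.
    if (event.euid, event.owner_uid) in props.uid_pairs_to_ignore:
        return ("uid_pairs_to_ignore", None)
    if (event.pathname, event.program) in props.pathname_program_pairs:
        return ("pathnames_X/programs_X", None)
    return (None, SEVERITY_BY_OPERATION[event.operation])


def response_argv(event):
    """argv[1..3] handed to the response program per Table A-18.

    Only the first three arguments are shown in the table excerpt on this page,
    so nothing beyond argv[3] is modeled here.
    """
    return [str(TEMPLATE_CODE), str(TEMPLATE_VERSION),
            str(SEVERITY_BY_OPERATION[event.operation])]


if __name__ == "__main__":
    # Constructed sample configuration and events.
    props = TemplateProperties(
        pathnames_to_not_watch=("/tmp/scratch",),
        uid_pairs_to_ignore=((0, 1),),                     # root -> bin, as in the guide
        pathname_program_pairs=(("/etc/motd", "/usr/bin/vi"),),
    )
    for ev in (
        FileEvent("/etc/passwd", "open_write", 0, 1, "/usr/bin/vi"),   # filtered by the pair
        FileEvent("/etc/passwd", "open_write", 1, 0, "/usr/bin/vi"),   # reverse direction alerts
        FileEvent("/home/a/x", "delete", 101, 100, "/usr/bin/rm"),
    ):
        print(ev.pathname, ev.operation, evaluate(ev, props))
```

Running the block prints one line per constructed event; the first is suppressed by
uid_pairs_to_ignore, the second alerts at severity 3 because the [0,1] pair does not cover
bin modifying a root-owned file, and the third alerts at severity 2.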
Alerts generated by this template: “Non-owned File Being Modified” on page 164
Non-owned File Being Modified

This template generates and forwards the following alerts to a response program when a
file is modified by someone other than the owner:
Table A-18 Non-owned File Being Modified Alert Properties

Response Program Argument | Alert Field   | Alert Field Type | Alert Value/Format                                  | Description
argv[1]                   | Template code | Integer          | 6                                                   | Unique code assigned to template
argv[2]                   | Version       | Integer          | 2                                                   | Version of the template
argv[3]                   | Severity      | Integer          | 2 if the file is truncated, potentially truncated,  | Severity
                          |               |                  | deleted, or renamed.                                |
                          |               |                  | 3 if the file’s mode or ownership is modified, or   |
                          |               |                  | the file is opened for writing or appending.        |