Host Intrusion Detection System Administrator's Guide Release 3.0

Templates and Alerts

Modiﬁcation of Another User’s File Template

Appendix A

165

argv[4] UTC Time Integer <secs> UTC time in

number of seconds

since epoch when

a ﬁle is modiﬁed

by a non-owner

argv[5] Attacker String “uid=<uid>, gid=<gid>, pid=<pid>,

ppid=<ppid>”

Theuser ID, group

ID, process ID,

and parent

process ID of the

process that

modiﬁed the ﬁle

argv[6] Target of

Attack

String “ﬁle=<full pathname>,

mode=<mode>,uid=<uid>,gid=<gid>,

inode=<inode>,device=<device>”

The full pathname

of the ﬁle and the

ﬁle’s mode, uid,

gid, inode, and

device number

argv[7] Summary String “Non-owned ﬁle being modiﬁed” Alert summary

Table A-18 Non-owned File Being Modiﬁed Alert Properties (Continued)

Response

Program

Argument

Alert

Field

Alert

Field Type

Alert Value/Format Description