Host Intrusion Detection System Administrator's Guide Release 3.0

ManualsBrandsHP ManualsSoftwareHP-UX Host Intrusion Detection System Software

171

172

173

174

175

176

177

178

179

180

Templates and Alerts

Modiﬁcation of Another User’s File Template

Appendix A

166

NOTE Refer to Table B-1 in Appendix B for the deﬁnition of argv[10] through argv[32] that can

be used to access speciﬁc alert information (ie., pid, ppid) without having to parse the

string alert ﬁelds above.

Limitations None

argv[8] Details String “User with uid <uid> <performed action

on the ﬁle> <full

pathname>(type=<type>,inode=<inode

>, device<device) when executing

<program>(type=<type>,inode=<inode>

,device=<device>), invoked as follows:

<argv[0]> <argv[1]>..., as process with

pid <pid> and ppid <ppid> and running

with effective uid=<euid> and with

effective gid=<egid>.

where <performed action on the ﬁle> is

set to one of the following:

"changed the owner of"

"changed the permission of"

"opened for modiﬁcation/truncation"

"renamed the ﬁle"

"created the ﬁle (and overwrote any

existing ﬁle) named"

"truncated the ﬁle"

"deleted the ﬁle"

"deleted the directory"

"performed system call <number> on

the ﬁle”

Detailed alert

description

argv[9] Local Time Integer <secs> Local time in

number of seconds

since epoch when

a world writable

ﬁle is created

Table A-18 Non-owned File Being Modiﬁed Alert Properties (Continued)

Response

Program

Argument

Alert

Field

Alert

Field Type

Alert Value/Format Description