Host Intrusion Detection System Administrator's Guide Release 3.1

Templates and Alerts
Race Condition Template
Appendix A
Properties

The properties of this template are described below:
Property: priv_uid_list
A list of system-level user IDs.
This list should contain those users who are considered to have elevated access to
the system. Removing any of these means that an attack against one of those users
will not be detected by this template. Only programs that run with an effective user
ID equal to one of the listed uids will be monitored, and only the execution of
setuid scripts owned by a user listed in this property will generate an alert.
Property: pathnames_to_not_watch
Pathnames of programs that can be safely ignored.
Any race condition alert for a file whose pathname is matched by a regular
expression in the pathnames_to_not_watch property is filtered out and not
reported. You can use this property to filter alerts generated when a privileged
setuid script is executed. You must specify the full path name of the script.
Properties: pathnames_X, programs_X
You can use these properties to filter out race condition alerts generated when a
particular program modifies the file reference of a privileged program for a
particular file. See “Type II: Path Names/Programs Pairs” on page 132 for a detailed
description of these property pairs.
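As an added illustration (not code from the HIDS product or from this guide), the following Python models the filtering rules the three properties above describe: an event is reported only if the program's effective uid is in priv_uid_list, the file's pathname matches no pathnames_to_not_watch regular expression, and no pathnames_X/programs_X pair matches both the file and the modifying program. The config and event classes, their field names, and the use of full-pathname regex matching are assumptions of this model, not the template's actual implementation.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

@dataclass
class RaceConditionTemplateConfig:
    # Constructed stand-in for the template's properties (assumption: field
    # names mirror the property names in the guide, not the product's format).
    priv_uid_list: set[int] = field(default_factory=set)
    pathnames_to_not_watch: list[str] = field(default_factory=list)
    # Type II pairs: (pathnames_X regex, programs_X regex); the alert is
    # dropped only when both halves of a pair match.
    pathname_program_pairs: list[tuple[str, str]] = field(default_factory=list)

@dataclass
class RaceConditionEvent:
    euid: int                # effective uid of the privileged program
    pathname: str            # full path the modified file reference points at
    modifying_program: str   # full path of the program that changed the reference

def should_report(cfg: RaceConditionTemplateConfig,
                  ev: RaceConditionEvent) -> tuple[bool, str]:
    """Apply the three filters in order; return (report?, reason)."""
    # 1. Only programs running with a listed effective uid are monitored at
    #    all, so removing a uid from the list silently blinds the template.
    if ev.euid not in cfg.priv_uid_list:
        return False, "euid %d not in priv_uid_list; program not monitored" % ev.euid
    # 2. Whole-pathname match against the ignore list (assumption: anchored
    #    match, since the guide requires the full path name).
    for pattern in cfg.pathnames_to_not_watch:
        if re.fullmatch(pattern, ev.pathname):
            return False, "pathname matched pathnames_to_not_watch: " + pattern
    # 3. Pathname/program pairs: suppress only when the specific program
    #    modified the specific file.
    for path_re, prog_re in cfg.pathname_program_pairs:
        if re.fullmatch(path_re, ev.pathname) and re.fullmatch(prog_re, ev.modifying_program):
            return False, "matched pair (%s, %s)" % (path_re, prog_re)
    return True, "unexpected file reference modification in a privileged program"

if __name__ == "__main__":
    cfg = RaceConditionTemplateConfig(
        priv_uid_list={0},
        pathnames_to_not_watch=[r"/usr/local/bin/nightly_backup\.sh"],   # constructed
        pathname_program_pairs=[(r"/etc/passwd", r"/usr/sbin/vipw")],    # constructed
    )
    ev = RaceConditionEvent(0, "/tmp/work.dat", "/usr/bin/ln")           # constructed
    print(should_report(cfg, ev))
```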
Alerts generated by this template:
“File Reference Modification” on page 144
“Privileged setuid Script Executed” on page 146
File Reference Modification
Table A-7 lists the alerts that this template generates and forwards to a response
program when the file reference in a privileged program is modified unexpectedly.
Table A-7 File Reference Modification Alert Properties

Response Program Argument | Alert Field   | Alert Field Type | Alert Value/Format | Description
argv[1]                   | Template code | Integer          | 1                  | Unique code assigned to template.
argv[2]                   | Version       | Integer          | 2                  | Version of the template.
argv[3]                   | Severity      | Integer          | 1                  | Alert severity.
argv[4]                   | UTC Time      | Integer          | <secs>             | UTC time in number of seconds since epoch when an unexpected file reference was detected.