Host Intrusion Detection System Administrator's Guide Release 3.1
Templates and Alerts
Race Condition Template
Appendix A
NOTE See Table B-1 and Table B-2 in Appendix B for the definition of additional arguments
that can be used to access specific alert information (for example, pid and ppid) without
having to parse the string alert fields.
Table A-7 File Reference Modification Alert Properties (Continued)

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[5] | Attacker | String | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid> | The user ID, group ID, process ID, and parent process ID of the process, if known, that modified a privileged program's file reference. All values are set to -1 if the attacker is not known. |
| argv[6] | Target of Attack | String | file=<full pathname>,type=<type>,mode=<mode>,uid=<uid>,gid=<gid>,inode=<inode>,device=<device> | The full pathname of the file whose reference was modified, and the file's type, mode, uid, gid, inode, and device number. |
| argv[7] | Summary | String | File reference change | Alert summary. |
| argv[8] | Details | String | File reference for file <full pathname>(type=<type>, inode=<inode>, device=<device>), has changed unexpectedly for process with pid <pid> and ppid <ppid> when executing <program>(type=<type>, inode=<inode>, device=<device>). Attacker is process <pid> when executing <program>(type=<type>, inode=<inode>, device=<device>). | Detailed alert description. |
| argv[9] | Local Time | Integer | <secs> | Local time in number of seconds since the epoch when an unexpected file reference was detected. |
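A response program that consumes these arguments has to split the Attacker and Target of Attack strings back into fields. The following Python is an added example, not code from the guide or the product: it maps argv[5] to argv[9] as laid out in Table A-7, anchors the pathname on the literal ",type=" key that follows it so a path containing commas still parses, and treats an all -1 attacker as unknown. The sample argv, and the placeholder values for argv[0] to argv[4], are constructed.

```python
import re
import sys

ATTACKER_KEYS = ("uid", "gid", "pid", "ppid")
TARGET_KEYS = ("file", "type", "mode", "uid", "gid", "inode", "device")

def parse_attacker(s):
    """argv[5]: 'uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>' -> dict of ints,
    or None when every value is -1 (attacker not known)."""
    m = re.fullmatch(r"uid=(-?\d+),\s*gid=(-?\d+),\s*pid=(-?\d+),\s*ppid=(-?\d+)", s.strip())
    if not m:
        raise ValueError("malformed attacker field: %r" % s)
    vals = dict(zip(ATTACKER_KEYS, (int(g) for g in m.groups())))
    return None if all(v == -1 for v in vals.values()) else vals

def parse_target(s):
    """argv[6]: file=<path>,type=...,device=<device>. The pathname is matched
    lazily and anchored on the literal ',type=' that follows it, so a path
    containing ',' or '=' still parses; a naive split(',') would not."""
    m = re.fullmatch(r"file=(.*?),type=([^,]*),mode=([^,]*),uid=(-?\d+),"
                     r"gid=(-?\d+),inode=(\d+),device=([^,]+)", s.strip())
    if not m:
        raise ValueError("malformed target field: %r" % s)
    t = dict(zip(TARGET_KEYS, m.groups()))
    for k in ("uid", "gid", "inode"):
        t[k] = int(t[k])           # mode and device are kept as strings
    return t

def parse_alert(argv):
    """Map argv[5]..argv[9] of a response program invocation to a dict."""
    if len(argv) < 10:
        raise ValueError("expected argv[0]..argv[9], got %d arguments" % len(argv))
    return {"attacker": parse_attacker(argv[5]), "target": parse_target(argv[6]),
            "summary": argv[7], "details": argv[8], "time": int(argv[9])}

# Constructed sample invocation; argv[1]..argv[4] are placeholders for the
# arguments documented before argv[5], which this table does not cover.
SAMPLE_ARGV = ["respond.py", "arg1", "arg2", "arg3", "arg4",
               "uid=1001, gid=100, pid=4242, ppid=4100",
               "file=/usr/local/bin/report,v2,type=regular,mode=0755,"
               "uid=0,gid=0,inode=12345,device=2049",
               "File reference change",
               "File reference for file /usr/local/bin/report,v2(...) has changed "
               "unexpectedly for process with pid 4242 and ppid 4100 ...",
               "1700000000"]

if __name__ == "__main__":
    alert = parse_alert(sys.argv if len(sys.argv) >= 10 else SAMPLE_ARGV)
    who = alert["attacker"] or "unknown (all ids -1)"
    print("%s: %s modified by %s at %d" % (alert["summary"], alert["target"]["file"],
                                             who, alert["time"]))
```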