Host Intrusion Detection System Administrator's Guide Release 3.1
Templates and Alerts
Modification of files/directories Template
Appendix A
153
Table A-10 File Being Modified Alert Properties (Continued)

Columns: Response Program Argument; Alert Field; Alert Field Type; Alert Value/Format; Description

argv[8]   Details   String
    Alert Value/Format:
        User with uid <uid> <performed action on the file> <full pathname>
        (type=<type>, inode=<inode>, device=<device>) when executing
        <program> (type=<type>, inode=<inode>, device=<device>), invoked as
        follows: <argv[0]> <argv[1]> ..., as process with pid <pid> and
        ppid <ppid> and running with effective uid=<euid> and with
        effective gid=<egid>.
        where <performed action on the file> is set to one of the following:
            changed the owner of
            changed the permission of
            opened for modification/truncation
            renamed the file
            created the file (and overwrote any existing file) named
            truncated the file
            created as a hard link
            created as a symbolic link
            created the directory
            created the file
            created the character special file
            created the block special file
            created the pipe (fifo) file
            deleted the file
            deleted the directory
            performed system call <number> on the file
    Description: Detailed alert description

argv[9]   Local Time   Integer
    Alert Value/Format: <secs>
    Description: Local time in number of seconds since epoch when the file
        was modified.
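Added example, not part of the guide or the HIDS product: a Python parser that a response program or log collector could apply to the argv[8] Details string and the argv[9] epoch value laid out in Table A-10. It assumes one space between "uid" and the number and space-separated argv words; the sample alert values are constructed.

```python
import re
from datetime import datetime, timezone

# <performed action on the file> alternatives from Table A-10. The overwrite form is
# listed before the plain "created the file" so the alternation does not stop at the
# shorter prefix; the syscall form is appended separately so its number is captured.
ACTIONS = [
    "changed the owner of", "changed the permission of",
    "opened for modification/truncation", "renamed the file",
    "created the file (and overwrote any existing file) named", "truncated the file",
    "created as a hard link", "created as a symbolic link", "created the directory",
    "created the file", "created the character special file",
    "created the block special file", "created the pipe (fifo) file",
    "deleted the file", "deleted the directory",
]
ACTION_RE = "|".join(map(re.escape, ACTIONS)) + r"|performed system call (?P<syscall>\d+) on the file"
# "(type=<type>, inode=<inode>, device=<device>)" for the file (p="") and the program (p="prog_").
OBJ = r"\(type=(?P<{p}type>[^,]+), inode=(?P<{p}inode>\d+), device=(?P<{p}device>[^)]+)\)"
# Assumed layout: one space between "uid" and the number; argv words separated by spaces.
DETAILS_RE = re.compile(
    r"^User with uid (?P<uid>\d+) (?P<action>" + ACTION_RE + r") (?P<path>.+?) "
    + OBJ.format(p="") + r" when executing (?P<program>.+?) ?" + OBJ.format(p="prog_")
    + r", invoked as follows: (?P<argv>.*?), as process with pid (?P<pid>\d+) and ppid "
    r"(?P<ppid>\d+) and running with effective uid=(?P<euid>\d+) and with effective gid=(?P<egid>\d+)\.$"
)

def parse_details(details: str) -> "dict | None":
    """Parse argv[8] into typed fields; None if it does not match the template."""
    m = DETAILS_RE.match(details)
    if not m:
        return None  # let the caller refuse to act on an unrecognised string
    d = m.groupdict()
    for k in ("uid", "inode", "prog_inode", "pid", "ppid", "euid", "egid"):
        d[k] = int(d[k])
    d["syscall"] = int(d["syscall"]) if d["syscall"] else None
    d["argv"] = d["argv"].split()
    return d

def modified_at(secs: str) -> datetime:
    """argv[9] is seconds since the epoch; return it as an aware UTC datetime."""
    return datetime.fromtimestamp(int(secs), tz=timezone.utc)

# Constructed sample argv[8] and argv[9] values in the Table A-10 layout (not real HIDS output).
SAMPLE_DETAILS = (
    "User with uid 1001 changed the permission of /etc/passwd (type=file, inode=12345, "
    "device=64768) when executing /usr/bin/chmod (type=file, inode=9876, device=64768), "
    "invoked as follows: chmod 666 /etc/passwd, as process with pid 4242 and ppid 4000 "
    "and running with effective uid=1001 and with effective gid=20."
)
SAMPLE_SECS = "1700000000"
```

Call parse_details(SAMPLE_DETAILS) and modified_at(SAMPLE_SECS) to obtain the structured fields and the timestamp.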