Host Intrusion Detection System Administrator's Guide Release 3.1
Appendix A: Templates and Alerts
Modification of files/directories Template
NOTE: See Table B-1 in Appendix B for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without having to parse the string alert fields above.
Limitations
This template has the following limitations:
• The template cannot distinguish between a new file being created and an existing file being opened read-only when open(2) is invoked with the O_CREAT and O_RDONLY flags. Likewise, the template cannot distinguish between a new file being created and an existing file being truncated when creat(2) is invoked. This limitation is less of an issue for creat(2) invocations because creat(2) either creates a new file or truncates an existing file, both of which are conditions for alerts.
• The template cannot detect the change in ownership of a symbolic link using lchown(2).
• The template cannot detect that a process gains append permission by invoking fcntl(2) with the F_SETFL and O_APPEND flags.
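The first and third limitations above both come from the fact that the template classifies an event from the arguments of a single system call. The following C program is an added example written for this guide's readers; it is not HIDS code and not part of the original document. It assumes a POSIX/Linux host with a writable /tmp and uses a scratch path chosen only for the demonstration. It shows that open(2) with O_CREAT|O_RDONLY looks identical whether the file is created or merely opened, that a compensating check (was the path present immediately before the call?) can tell the two cases apart, and that a descriptor opened without O_APPEND can acquire append mode afterwards through fcntl(2) F_SETFL, which a monitor keyed only on open(2) flags would not see.

```c
#define _XOPEN_SOURCE 700
/* Added example, not part of the HP-UX HIDS guide.  Demonstrates two of the
 * template limitations described above and one compensating check for each.
 * Function names and the scratch path are assumptions made for this demo. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum open_outcome { OUTCOME_ERROR = -1, OUTCOME_OPENED_EXISTING = 0, OUTCOME_CREATED = 1 };

/* Open `path` with exactly the flag pair the guide calls out (O_CREAT|O_RDONLY).
 * The syscall arguments are the same in both cases; the outcome is recovered
 * from a stat(2) taken immediately before the open, which is information the
 * template does not have when it sees only the open(2) arguments. */
int open_creat_rdonly(const char *path, int *fd_out)
{
    struct stat st;
    int existed_before = (stat(path, &st) == 0);
    if (!existed_before && errno != ENOENT)
        return OUTCOME_ERROR;

    int fd = open(path, O_CREAT | O_RDONLY, 0600);
    if (fd < 0)
        return OUTCOME_ERROR;
    *fd_out = fd;
    return existed_before ? OUTCOME_OPENED_EXISTING : OUTCOME_CREATED;
}

/* Open `path` write-only WITHOUT O_APPEND, then turn O_APPEND on with
 * fcntl(2) F_SETFL.  Returns 1 if the descriptor now reports O_APPEND,
 * i.e. append permission was gained after the open(2) that a flag-based
 * template would have classified.  Auditing the fcntl(2) call itself is
 * the compensating check. */
int append_via_fcntl(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    int before = fcntl(fd, F_GETFL);
    if (before < 0 || (before & O_APPEND)) { close(fd); return -1; }
    if (fcntl(fd, F_SETFL, before | O_APPEND) < 0) { close(fd); return -1; }
    int after = fcntl(fd, F_GETFL);
    close(fd);
    return (after >= 0 && (after & O_APPEND)) ? 1 : 0;
}

/* Create a private scratch directory under /tmp; returns 0 on success. */
int make_scratch_dir(char *buf, size_t len)
{
    char tmpl[] = "/tmp/hids-demo-XXXXXX";   /* constructed scratch path */
    if (mkdtemp(tmpl) == NULL || strlen(tmpl) + 1 > len)
        return -1;
    memcpy(buf, tmpl, strlen(tmpl) + 1);
    return 0;
}

/* Run both demonstrations inside `dir` and clean up.  Returns 0 when the
 * observed outcomes match what the text describes. */
int run_demo(const char *dir)
{
    char path[4096];
    int fd;
    snprintf(path, sizeof path, "%s/target", dir);

    int first = open_creat_rdonly(path, &fd);    /* path absent: file is created */
    if (first >= 0) close(fd);
    int second = open_creat_rdonly(path, &fd);   /* path present: read-only open, no truncation */
    if (second >= 0) close(fd);
    int appended = append_via_fcntl(path);       /* append mode gained after open(2) */

    printf("first=%d second=%d append_via_fcntl=%d\n", first, second, appended);
    unlink(path);
    rmdir(dir);
    return (first == OUTCOME_CREATED && second == OUTCOME_OPENED_EXISTING && appended == 1) ? 0 : 1;
}

int main(void)
{
    char dir[64];
    if (make_scratch_dir(dir, sizeof dir) != 0)
        return 1;
    return run_demo(dir);
}
```

The stat-before-open check is inherently racy on a live system and is shown only to make the ambiguity concrete; in a monitoring deployment the practical mitigations are to alert on creat(2) and on open(2) with O_CREAT regardless of access mode (accepting some noise), and to include fcntl(2) F_SETFL in the audited call set rather than relying on open(2) flags alone.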