Host Intrusion Detection System Administrator's Guide Release 3.1

ManualsBrandsHP ManualsSoftwareHP-UX Host Intrusion Detection System Software

171

172

173

174

175

176

177

178

179

180

Templates and Alerts

Changes to Log File Template

Appendix A

157

NOTE See Table B-1 in Appendix B for the deﬁnition of argv[10] through argv[32] which you

use to access speciﬁc alert information (for example, pid and ppid) without having to

parse the string alert ﬁelds above.

Limitations The template cannot distinguish between whether a ﬁle is created or truncated when

creat(2) is invoked.

argv[8] Details String User with uid <uid> <performed

action on the ﬁle> <full

pathname>(type=<type>,inode=<inod

e>, device<device>) when executing

<program>(type=<type>,inode=<inod

e>,device=<device>), invoked as

follows: <argv[0]> <argv[1]>..., as

process with pid <pid> and ppid

<ppid> and running with effective

uid=<euid> and with effective

gid=<egid>.

where <performed action on the ﬁle>

is set to one of the following:

opened for modiﬁcation/truncation

deleted the ﬁle

deleted the directory

performed system call <number> on

the ﬁle

renamed the ﬁle

truncated the ﬁle

created the ﬁle (and overwrote any

existing ﬁle) named

Detailed alert

description

argv[9] Local Time Integer <secs> Local time in

number of seconds

since epoch when

ﬁle was modiﬁed

Table A-12 Append-Only File Being Modiﬁed Alert Properties (Continued)

Response

Program

Argument

Alert

Field

Alert Field

Type

Alert Value/Format Description