Host Intrusion Detection System Administrator's Guide Release 3.1
Templates and Alerts
Creation and Modification of Setuid File Template
Appendix A
Setuid File Created or Modified
Table A-14 lists the alerts that this template generates and forwards to a
response program when a setuid file owned by a privileged user is created or
modified.
Table A-14 Setuid File Created / Modified Alert Properties
| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[1] | Template code | Integer | 4 | Unique code assigned to template |
| argv[2] | Version | Integer | 2 | Version of the template |
| argv[3] | Severity | Integer | 1 | Alert Severity |
| argv[4] | UTC Time | Integer | <secs> | UTC time in number of seconds since epoch when a privileged setuid file was created or modified |
| argv[5] | Attacker | String | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid> | The user ID, group ID, process ID, and parent process ID of the process that created or modified the privileged setuid file |
| argv[6] | Target of Attack | String | file=<full pathname>, type=<type>,mode=<mode>,uid=<uid>,gid=<gid>,inode=<inode>,device=<device> | The full pathname of the privileged setuid file and the file's type, mode, uid, gid, inode, and device number |
| argv[7] | Summary | String | setuid file created or setuid file potentially modified or setuid file truncated or operation on setuid file | Alert summary |
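
The following is an added example, not code from this guide: a response program that maps argv[1] through argv[7] onto the Table A-14 fields and emits one JSON record per alert. The program name, the sample argument values and the exact value formats (for example `type=regular`) are constructed assumptions; the check on the template code assumes the value 4 shown in the Alert Value/Format column.

```python
import json
import re
import sys
from datetime import datetime, timezone

SETUID_TEMPLATE_CODE = 4  # argv[1] value taken from Table A-14

ATTACKER_RE = re.compile(
    r"uid=(?P<uid>[^,]*),\s*gid=(?P<gid>[^,]*),"
    r"\s*pid=(?P<pid>[^,]*),\s*ppid=(?P<ppid>[^,]*)$")
# Greedy file= with the trailing fields anchored to the end of the string:
# a pathname containing ',' or '=' cannot overwrite the fields after it.
TARGET_RE = re.compile(
    r"file=(?P<file>.*),\s*type=(?P<type>[^,]*),\s*mode=(?P<mode>[^,]*),"
    r"\s*uid=(?P<uid>[^,]*),\s*gid=(?P<gid>[^,]*),\s*inode=(?P<inode>[^,]*),"
    r"\s*device=(?P<device>[^,]*)$", re.DOTALL)

def parse_alert(argv):
    """Map argv[1]..argv[7] of a response program onto the Table A-14 fields."""
    if len(argv) < 8:
        raise ValueError("expected argv[1]..argv[7], got %d" % (len(argv) - 1))
    code, version, severity, secs = (int(a) for a in argv[1:5])
    if code != SETUID_TEMPLATE_CODE:
        raise ValueError("template code %d is not the setuid template" % code)
    attacker = ATTACKER_RE.match(argv[5].strip())
    target = TARGET_RE.match(argv[6].strip())
    if attacker is None or target is None:
        raise ValueError("attacker or target string does not match Table A-14")
    return {
        "template_code": code, "version": version, "severity": severity,
        "time_utc": datetime.fromtimestamp(secs, tz=timezone.utc).isoformat(),
        "attacker": attacker.groupdict(),   # values kept as strings
        "target": target.groupdict(),
        "summary": argv[7],
    }

# Constructed sample arguments; the pathname deliberately contains ',' and '='.
SAMPLE_ARGV = [
    "setuid_response", "4", "2", "1", "1100000000",
    "uid=1001, gid=20, pid=4242, ppid=4100",
    "file=/tmp/a,mode=0,b/sh, type=regular,mode=104755,uid=0,gid=3,"
    "inode=8812,device=1073741827",
    "setuid file created",
]

if __name__ == "__main__":
    args = sys.argv if len(sys.argv) > 1 else SAMPLE_ARGV
    print(json.dumps(parse_alert(args), sort_keys=True))
```

Anchoring the target pattern on its trailing fields matters because the pathname is chosen by whoever created the file, while the fields after it are supplied by the detection system.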