Host Intrusion Detection System Administrator's Guide Release 3.1

Templates and Alerts
Creation and Modification of Setuid File Template
Appendix A
160
Table A-14 Setuid File Created / Modified Alert Properties (Continued)

Columns: Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description

argv[8]
    Alert Field: Details
    Alert Field Type: String
    Alert Value/Format:
        User with uid <uid> <performed action on> the file <full pathname>
        (type=<type>,inode=<inode>,device=<device>) when executing <program>
        (type=<type>,inode=<inode>,device=<device>), invoked as follows:
        <argv[0]> <argv[1]>..., as process with pid <pid> and ppid <ppid> and
        running with effective uid=<euid> and with effective gid=<egid>.
        where <performed action on> is set to one of the following:
            created the setuid file
            changed the owner of the setuid file
            enabled the setuid bit on file
            performed system call <number> on the file
            opened for modification
            truncated the setuid file
    Description: Detailed alert description

argv[9]
    Alert Field: Local Time
    Alert Field Type: Integer
    Alert Value/Format: <secs>
    Description: Local time in number of seconds since epoch when a privileged
        setuid file was created or modified.

NOTE  See Table B-1 in Appendix B for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without having to parse the string alert fields.

Limitations
This template has the following limitations:

The template cannot always distinguish between when a setuid file is created and when an existing setuid file is opened for modification with the create flag. The template can therefore generate an alert that a setuid file was created instead of
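As an added example (not code from the guide or from the HIDS product), the following Python parser breaks the argv[8] Details string described in Table A-14 into its fields. The guide's NOTE recommends the Table B-1 arguments over string parsing, so this is only for cases where just the text alert is available (for example, an alert forwarded to a log collector). The sample alert, the file type value "regular", the paths and all numbers in it are constructed for the example.

```python
import re
from typing import Optional

# Fixed <performed action on> phrases from Table A-14; the system-call variant
# carries a number and is matched by its own pattern.
_ACTIONS = [
    "created the setuid file",
    "changed the owner of the setuid file",
    "enabled the setuid bit on file",
    "opened for modification",
    "truncated the setuid file",
]
_ACTION_RE = "|".join(re.escape(a) for a in _ACTIONS) + r"|performed system call \d+ on the file"

# One regex over the whole Details string. A pathname containing "(" or the literal
# text ", as process" would defeat it, which is why the guide prefers Table B-1 arguments.
_DETAILS_RE = re.compile(
    r"^User with uid (?P<uid>\d+) (?P<action>" + _ACTION_RE + r")"
    + r"(?: the file)? (?P<path>[^(]+)"
    + r"\(type=(?P<ftype>[^,]+),inode=(?P<inode>\d+),\s*device=(?P<device>[^)]+)\)"
    + r" when executing (?P<program>[^(]+)"
    + r"\(type=(?P<ptype>[^,]+),inode=(?P<pinode>\d+),\s*device=(?P<pdevice>[^)]+)\)"
    + r", invoked as follows: (?P<argv>.+?)"
    + r", as process with pid (?P<pid>\d+) and ppid (?P<ppid>\d+)"
    + r" and running with effective uid=(?P<euid>\d+) and with effective gid=(?P<egid>\d+)\.$"
)


def parse_details(details: str) -> Optional[dict]:
    """Return the alert fields as a dict, or None if the string does not match the template."""
    m = _DETAILS_RE.match(details.strip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("uid", "inode", "pinode", "pid", "ppid", "euid", "egid"):
        fields[key] = int(fields[key])
    fields["argv"] = fields["argv"].split()  # <argv[0]> <argv[1]>... as a list
    syscall = re.fullmatch(r"performed system call (\d+) on the file", fields["action"])
    fields["syscall"] = int(syscall.group(1)) if syscall else None
    return fields


# Constructed sample laid out like the Table A-14 format (not a real HIDS alert).
SAMPLE = ("User with uid 1001 created the setuid file /usr/local/bin/helper"
          "(type=regular,inode=12345, device=0x40000003) when executing /usr/bin/cp"
          "(type=regular,inode=678,device=0x40000002), invoked as follows: cp -p helper /usr/local/bin/helper"
          ", as process with pid 4242 and ppid 4100 and running with effective uid=0 and with effective gid=0.")

if __name__ == "__main__":
    print(parse_details(SAMPLE))
```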