Host Intrusion Detection System Administrator's Guide Release 3.1

Templates and Alerts
Creation of World-Writable File Template
Appendix A
NOTE See Table B-1 in Appendix B for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without having to parse the string alert fields.
Table A-16 World-Writable File Created Alert Properties (Continued)

Response Program Argument: argv[8]
Alert Field: Details
Alert Field Type: String
Alert Value/Format:
  User with uid <uid> <performed action on the file> <full pathname>(type=<type>,inode=<inode>,device=<device>) when executing <program>(type=<type>,inode=<inode>,device=<device>), invoked as follows: <argv[0]> <argv[1]>..., as process with pid <pid> and ppid <ppid> and running with effective uid=<euid> and with effective gid=<egid>.

  where <performed action on the file> is set to one of the following:
    created the world-writable file
    created the world-writable directory
    created the world-writable character special file
    created the world-writable block special file
    created the world-writable pipe (fifo) file
    renamed the world-writable file
    changed the owner of the world-writable file
    enabled the world-writable permission on file
    performed system call <number> on the file
Description: Detailed alert description

Response Program Argument: argv[9]
Alert Field: Local Time
Alert Field Type: Integer
Alert Value/Format: <secs>
Description: Local time in number of seconds since epoch when a world-writable file was created
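
The following is an added example, not code from this guide or from the product: one way a response program could parse the argv[8] Details string when the dedicated arguments mentioned in the NOTE are not used. The function name parse_details, the returned field names and the sample alert are assumptions made for illustration. Because the file name and command line inside the string come from the audited process, the parser anchors the fixed head and tail and marks the middle as ambiguous when its separators repeat.

```python
import re

# Action phrases listed in Table A-16; the last carries a system call number.
ACTIONS = [re.escape(a) for a in (
    "created the world-writable file",
    "created the world-writable directory",
    "created the world-writable character special file",
    "created the world-writable block special file",
    "created the world-writable pipe (fifo) file",
    "renamed the world-writable file",
    "changed the owner of the world-writable file",
    "enabled the world-writable permission on file",
)] + [r"performed system call \d+ on the file"]
# Head and tail are anchored to the ends of the string, so text embedded in a
# file name or command line cannot displace them.
HEAD = re.compile(r"^User with uid (?P<uid>\d+) (?P<action>%s) " % "|".join(ACTIONS))
TAIL = re.compile(r", as process with pid (?P<pid>\d+) and ppid (?P<ppid>\d+) and "
                  r"running with effective uid=(?P<euid>\d+) and with effective "
                  r"gid=(?P<egid>\d+)\.$")
# Lenient by choice: optional space after the comma, optional "=" after device.
OBJ = (r"\(type=(?P<{0}_type>[^,()]*),inode=(?P<{0}_inode>[^,()]*),"
       r"\s*device=?(?P<{0}_device>[^()]*)\)")
MIDDLE = re.compile(r"^(?P<path>.+)" + OBJ.format("file") + r" when executing "
                    r"(?P<program>.+)" + OBJ.format("prog") +
                    r", invoked as follows: (?P<argv>.*)$", re.S)

def parse_details(details):
    """Parse argv[8]; return None if it is not in this alert's format."""
    head, tail = HEAD.search(details), TAIL.search(details)
    if not head or not tail or head.end() > tail.start():
        return None
    out = {**head.groupdict(), **tail.groupdict()}
    middle = details[head.end():tail.start()]
    # The middle holds the file name and command line, which the audited
    # process controls: split it only if each separator occurs exactly once.
    unique = all(middle.count(s) == 1 for s in (" when executing ", ", invoked as follows: "))
    m = MIDDLE.match(middle) if unique else None
    if m:
        out.update(m.groupdict(), ambiguous=False)
    else:
        out.update(raw_middle=middle, ambiguous=True)
    return out

# Constructed sample alert (not taken from the guide).
SAMPLE = ("User with uid 102 created the world-writable file /tmp/report.txt"
          "(type=regular,inode=4711,device=64/3) when executing /usr/bin/touch"
          "(type=regular,inode=220,device=64/1), invoked as follows: touch "
          "/tmp/report.txt, as process with pid 3120 and ppid 3001 and running "
          "with effective uid=102 and with effective gid=20.")
```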