Host Intrusion Detection System Administrator's Guide Release 3.1
Templates and Alerts
Modification of Another User’s File Template
Appendix A
168
Properties
Configure the following properties based on the individual machine configuration and usage.
• Property: pathnames_to_not_watch
Pathnames of files that can be safely ignored if they are modified by non-owners.
• Property: uids_to_ignore
Users running with an effective uid equal to a user ID in this list can modify files
they do not own without generating an alert. It is recommended that this property is
left blank unless specifically needed.
• Property: uid_pairs_to_ignore
A list of user ID pairs in which an alert is not generated if the effective uid of the
process modifying this file matches the first member of a pair, and the owner of the
file being modified matches the corresponding second member of the pair. For
example, the pair [0,1] causes all alerts where a process with effective uid 0 (root)
modifies files owned by user bin (uid 1) to be filtered.
• Properties: pathnames_X, programs_X
These properties can be used to filter out alerts generated when a particular
program modifies a particular file owned by another user. See “Type II: Path
Names/Programs Pairs” on page 132 for a detailed description of these property
pairs.
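The filtering rules above, modeled as an added Python example (not code from the guide or the product): it shows that a uid_pairs_to_ignore entry is directional and suppresses far less than the same uid placed in uids_to_ignore. Exact-string pathname matching, comparing the effective uid with the file owner, the order of the checks, and all sample events are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class TemplateProperties:
    # Property names are the guide's; the Python types are an assumption.
    pathnames_to_not_watch: set = field(default_factory=set)
    uids_to_ignore: set = field(default_factory=set)
    uid_pairs_to_ignore: set = field(default_factory=set)  # {(euid, owner_uid)}

def alert_decision(props, euid, owner_uid, path):
    """Return (alert_raised, reason) for one file modification event."""
    if euid == owner_uid:
        return False, "modified by owner"        # template only covers non-owners
    if path in props.pathnames_to_not_watch:     # assumption: exact string match
        return False, "pathnames_to_not_watch"
    if euid in props.uids_to_ignore:             # suppresses every file this uid touches
        return False, "uids_to_ignore"
    if (euid, owner_uid) in props.uid_pairs_to_ignore:  # directional pair
        return False, "uid_pairs_to_ignore"
    return True, "non-owned file modified"

# Constructed sample events: (effective uid, file owner uid, path)
EVENTS = [
    (0, 1, "/usr/bin/ls"),              # root modifies a file owned by bin
    (1, 0, "/etc/passwd"),              # bin modifies a file owned by root
    (0, 101, "/home/a/notes"),          # root modifies an ordinary user's file
    (101, 101, "/home/a/notes"),        # owner modifies own file
    (102, 101, "/var/tmp/shared.log"),  # non-owner, but path is excluded
]

def evaluate(props, events=EVENTS):
    """Apply the decision to each event, preserving order."""
    return [alert_decision(props, *event) for event in events]

def alerts_raised(props, events=EVENTS):
    """Count events that would still reach the response program."""
    return sum(1 for raised, _ in evaluate(props, events) if raised)

if __name__ == "__main__":
    narrow = TemplateProperties(pathnames_to_not_watch={"/var/tmp/shared.log"},
                                uid_pairs_to_ignore={(0, 1)})
    broad = TemplateProperties(pathnames_to_not_watch={"/var/tmp/shared.log"},
                               uids_to_ignore={0})
    for event, (raised, reason) in zip(EVENTS, evaluate(narrow)):
        print(event, "ALERT" if raised else "filtered", "-", reason)
    print("alerts with pair [0,1]:", alerts_raised(narrow))
    print("alerts with uids_to_ignore [0]:", alerts_raised(broad))
```

With the pair [0,1], root writing to another user's file still alerts; with uid 0 in uids_to_ignore, every write by root is silent.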
Alerts generated by this template
See “Non-Owned File Being Modified” on page 168 for more information about the alerts
generated by this template.
Non-Owned File Being Modified
Table A-18 lists the alerts that this template generates and forwards to a response
program when a file is modified by someone other than the owner.
Table A-17 Modification of Another User’s File Template Properties (Continued)

| Name | Type | Default Value |
|---|---|---|
| programs_X | II | <empty> |
Table A-18 Non-Owned File Being Modified Alert Properties

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[1] | Template code | Integer | 6 | Unique code assigned to template |
| argv[2] | Version | Integer | 2 | Version of the template |