Host Intrusion Detection System Administrator's Guide Release 3.1

ManualsBrandsHP ManualsSoftwareHP-UX Host Intrusion Detection System Software

181

182

183

184

185

186

187

188

189

190

Templates and Alerts

Modiﬁcation of Another User’s File Template

Appendix A

170

NOTE See Table B-1 in Appendix B for the deﬁnition of argv[10] through argv[32] which you

can use to access speciﬁc alert information (for example, pid and ppid) without having

to parse the string alert ﬁelds.

Limitations None

argv[8] Details String User with uid <uid> <performed

action on the ﬁle> <full

pathname>(type=<type>,inode=<i

node>, device<device) when

executing

<program>(type=<type>,inode=<i

node>,device=<device>), invoked

as follows: <argv[0]>

<argv[1]>..., as process with pid

<pid> and ppid <ppid> and running

with effective uid=<euid> and with

effective gid=<egid>.

where <performed action on the ﬁle> is

set to one of the following:

changed the owner of

changed the permission of

opened for modiﬁcation/truncation

renamed the ﬁle

created the ﬁle (and overwrote any

existing ﬁle) named

truncated the ﬁle

deleted the ﬁle

deleted the directory

performed system call <number> on the

ﬁle

Detailed alert

description

argv[9] Local Time Integer <secs> Local time in

number of seconds

since epoch when

a world-writable

ﬁle was created

Table A-18 Non-Owned File Being Modiﬁed Alert Properties (Continued)

Response

Program

Argument

Alert

Field

Alert

Field Type

Alert Value/Format Description