HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

Table A-7 File Reference Modification Alert Properties (continued)

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[8] | Details | String | File reference for file <fullpathname>(type=<type>, inode=<inode>, device=<device>), has changed unexpectedly for process with pid <pid> and ppid <ppid> when executing <program>>(type=<type>, inode=<inode>, device=<device>). Attacker is process <pid> when executing <program>>(type=<type>, inode=<inode>, device=<device>). | Detailed alert description |
| argv[9] | Event | String | null | The event that triggered the alert. |

NOTE: See Table B-1 (page 194) and Table B-3 (page 197) in Appendix B for the definition
of additional arguments that can be used to access specific alert information (for
example, pid and ppid) without parsing the string alert fields.

Privileged setuid Script Executed
This template generates and forwards alerts to a response program when a privileged
setuid script is executed (either directly or through a symbolic link) and the kernel
has honored the setuid bit. Table A-8 lists the alert properties the Privileged setuid
Script Executed template supports.

Table A-8 setuid Script Executed Alert Properties

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[1] | Template code | Integer | 1 | Unique code assigned to template |
| argv[2] | Version | Integer | 3 | Template version |
| argv[3] | Severity | Integer | 1 if executed via symbolic link; otherwise 2 | Severity alert |
| argv[4] | UTC time | Integer | <secs> | UTC time in number of seconds since the epoch when a privileged setuid script was executed |
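
A response program should validate these positional arguments before acting on them. The following C program is an added example, not code from this guide: `format_setuid_alert`, the log line layout, and the restriction to argv[1] through argv[4] (the rows listed above) are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define SETUID_TEMPLATE_CODE 1L /* "Template code" value from Table A-8 */

/* Accept digits only (no sign, whitespace or trailing text); 0 on success. */
static int parse_long(const char *s, long *out)
{
    if (s == NULL || *s == '\0' || strspn(s, "0123456789") != strlen(s))
        return -1;
    errno = 0;
    *out = strtol(s, NULL, 10);
    return errno != 0 ? -1 : 0;
}

/* Hypothetical helper (not an HP API): validate argv[1]..argv[4] against
 * Table A-8 and write a one-line log record. Returns 0 on success, else -1. */
int format_setuid_alert(int argc, char *argv[], char *buf, size_t len)
{
    long code, version, severity, secs;
    char stamp[32];
    time_t t;
    struct tm *utc;
    int n;

    if (argc < 5 ||
        parse_long(argv[1], &code) || parse_long(argv[2], &version) ||
        parse_long(argv[3], &severity) || parse_long(argv[4], &secs))
        return -1;
    if (code != SETUID_TEMPLATE_CODE || (severity != 1 && severity != 2))
        return -1;  /* wrong template, or a severity Table A-8 does not list */
    t = (time_t)secs;
    utc = gmtime(&t);
    if (utc == NULL || strftime(stamp, sizeof stamp, "%Y-%m-%dT%H:%M:%SZ", utc) == 0)
        return -1;
    n = snprintf(buf, len, "%s setuid-script severity=%ld via=%s template_version=%ld",
                 stamp, severity, severity == 1 ? "symlink" : "direct", version);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(int argc, char *argv[])
{
    char line[128];
    if (format_setuid_alert(argc, argv, line, sizeof line) != 0)
        return 1;  /* not a well-formed alert: log nothing */
    return puts(line) == EOF;
}
```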