HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

Table A-8 setuid Script Executed Alert Properties (continued)
| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[5] | Attacker | String | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid> | The user ID, group ID, process ID, and parent process ID of the process that executed a privileged setuid script |
| argv[6] | Target of Attack | String | file=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>, inode=<inode>, device=<device> | The full path name of the privileged setuid script and the script's type, mode, uid, gid, inode, and device number |
| argv[7] | Summary | String | Race condition attack if script is executed from a symbolic link. Otherwise, set to potential race condition attack. | Alert summary |
| argv[8] | Details | String | User with <uid> running as process with pid <pid> and with parent pid <ppid> is executing the privileged setuid script <full pathname>(type=<type>, inode=<inode>, device=<device>), invoked as follows: <argv[0] argv[1]..., [*perhaps*] from a symbolic link. Privileged setuid script owned by a user with uid <uid>. A privileged setuid script is vulnerable to a race condition attack. | Detailed alert description |
| argv[9] | Event | String | null | The event that triggered the alert. |
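
A response program receives the fields above as positional arguments, so the Attacker and Target of Attack strings must be split and validated before they are logged or acted on. The POSIX shell below is an added example, not code from the HIDS guide; the function names, the `hids-response` logger tag, the sample values used to exercise it, and the assumption that each field arrives as one line of comma-separated key=value pairs are not from the guide.

```shell
#!/bin/sh
# Added example, not from the HIDS guide: parse the setuid-script alert fields
# that Table A-8 lists as argv[5]..argv[7] of a response program.
# Assumption: each field is a single line of comma-separated key=value pairs.

# kv_get KEY STRING: print KEY's value; anchored so "pid" never matches "ppid".
kv_get() {
    printf '%s\n' "$2" | tr ',' '\n' |
        sed -n "s/^[[:space:]]*$1=\(.*\)\$/\1/p" | head -n 1
}

# target_file STRING: the path runs from "file=" to the last ", type=", so a
# comma (or a fake "type=") inside the path cannot split it.
target_file() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*file=\(.*\),[[:space:]]*type=.*$/\1/p'
}

# target_meta STRING: everything after the path, safe to hand to kv_get.
target_meta() {
    printf '%s\n' "$1" | sed 's/^.*,[[:space:]]*type=/type=/'
}

# is_number VALUE: succeed only for a non-empty string of digits.
is_number() {
    case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# via_symlink SUMMARY: per the table, the summary reads "potential ..." unless
# the script was executed from a symbolic link (capitalisation is assumed).
via_symlink() {
    case "$1" in *[Pp]otential*) return 1 ;; *) return 0 ;; esac
}

# format_alert ATTACKER TARGET SUMMARY: emit one log line. Non-numeric ids are
# rejected; control characters are stripped from the path because whoever
# created the script or link chose that name.
format_alert() {
    uid=$(kv_get uid "$1"); pid=$(kv_get pid "$1"); ppid=$(kv_get ppid "$1")
    owner=$(kv_get uid "$(target_meta "$2")")
    path=$(target_file "$2" | tr -d '[:cntrl:]')
    for n in "$uid" "$pid" "$ppid" "$owner"; do
        is_number "$n" || { echo "malformed alert" >&2; return 1; }
    done
    if via_symlink "$3"; then link=yes; else link=no; fi
    printf 'setuid-script uid=%s pid=%s ppid=%s owner=%s symlink=%s file="%s"\n' \
        "$uid" "$pid" "$ppid" "$owner" "$link" "$path"
}

# Entry point: shell $5..$7 correspond to argv[5]..argv[7] in the table.
if [ "$#" -ge 7 ]; then format_alert "$5" "$6" "$7" | logger -t hids-response -p auth.alert; fi
```

The path is never passed to `eval` or used unquoted, and the owner uid is read only from the text after the path, so a file name containing `, uid=0` cannot alter the logged owner.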