HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
Table A-10 File Being Modified Alert Properties (continued)

Columns: Alert Field | Alert Field Type (Alert Value/Format) | Description | Response Program Argument

(Description column, continued from the previous row)
  • created the file
  • created the character special file
  • created the directory
  • created the block special file
  • created the pipe (fifo) file
  • deleted the file
  • deleted the directory
  • performed system call <number> on the file

Alert Field: Event
Alert Field Type: String
Description: The event that triggered the alert. Following are the possible values:
  • File ownership modified
  • File permission modified
  • File opened for modification
  • File created
  • File truncated
  • File renamed
  • File modified
  • Hard link created
  • Symbolic link created
  • Directory created
  • Special file created
  • File deleted
  • Directory deleted
  • Miscellaneous event
Response Program Argument: argv[9]
NOTE: See Table B-1 (page 194) in Appendix B for the definition of additional
arguments that can be used to access specific alert information (for example, pid and
ppid) without having to parse the string alert fields above.
Limitations
The Modification of files/directories template has the following limitation:
• The template cannot distinguish between a new file being created and an existing
file being opened read-only when open(2) is invoked with the O_CREAT and
O_RDONLY flags. Likewise, the template cannot distinguish between a new file
being created and an existing file being truncated when creat(2) is invoked. This
limitation is less of an issue for creat(2) invocations because creat(2) either
162 Templates and Alerts
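The limitation above is easiest to see by running the two calls it names against a file that already exists and against a path that does not. The script below is an added illustration, not HP-UX HIDS code or part of the guide: it uses Python's os.open (a thin wrapper over open(2)) in a temporary directory, records whether the file existed before the call, and reads the contents afterwards. A watcher that sees only the system call and its flags gets the same open(2) with O_CREAT|O_RDONLY in both rows, which is exactly what the template cannot tell apart; the pre-existence check here is information the template does not have.

```python
"""Show why open(2) with O_CREAT|O_RDONLY is ambiguous to a file-modification
watcher, and how it differs from creat(2). Added illustration; assumes a
writable temporary directory and a POSIX-like platform."""
import os
import tempfile

# The two flag sets discussed in the guide's limitation.
OPEN_CREAT_RDONLY = os.O_CREAT | os.O_RDONLY              # open(2) with O_CREAT|O_RDONLY
CREAT_EQUIVALENT = os.O_CREAT | os.O_WRONLY | os.O_TRUNC  # what creat(2) performs


def probe(path, flags, mode=0o644):
    """Open `path` with `flags` and report the two things a watcher that only
    observes the system call cannot see: whether the file existed beforehand
    and whether its contents survived the call."""
    existed_before = os.path.exists(path)
    fd = os.open(path, flags, mode)
    os.close(fd)
    with open(path, "rb") as f:
        content_after = f.read()
    return {"existed_before": existed_before, "content_after": content_after}


def run_cases():
    """Run each flag set against a pre-existing file (constructed sample
    content) and against a missing path; return results keyed by
    (flag set name, 'existing' | 'missing')."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, flags in (("open_creat_rdonly", OPEN_CREAT_RDONLY),
                            ("creat", CREAT_EQUIVALENT)):
            existing = os.path.join(d, name + "_existing")
            with open(existing, "wb") as f:
                f.write(b"original data")          # constructed sample content
            missing = os.path.join(d, name + "_new")
            results[(name, "existing")] = probe(existing, flags)
            results[(name, "missing")] = probe(missing, flags)
    return results


if __name__ == "__main__":
    for (name, case), r in run_cases().items():
        print(f"{name:18s} {case:9s} existed_before={r['existed_before']!s:5s} "
              f"content_after={r['content_after']!r}")
```

For O_CREAT|O_RDONLY the existing file keeps its contents and the missing one is created empty, so the same call yields a harmless read-only open in one case and a new file in the other. For the creat(2) flag set both rows end with an empty file, which is the sense in which the guide says that case matters less.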