HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
the absolute minimum necessary. For more information, see “Writing Privileged
Response Programs” (page 202).
5. When a response program is started, the agent process provides it with the set of
environment variables listed in Table B-7 and passes the alert information as the
program arguments listed in Table B-1. See Tables B-1 to B-6 for the alert information
passed as arguments 0 through 9 for each template.
Table B-1 Additional Arguments Passed to Response Programs for Kernel Template Alerts

Response Program Argument | Alert Field                  | Alert Field Type | Alert Value/Format | Description
--------------------------|------------------------------|------------------|--------------------|------------------------------------------------------------
argv[10]                  | System Call #                | Integer          | <syscall#>         | System call number that triggered the alert. Corresponds to a number defined in scall_define.h.
argv[11]                  | Attacker Process ID          | Integer          | <pid>              | Process ID (pid) of the attacker.
argv[12]                  | Attacker Parent Process ID   | Integer          | <ppid>             | Parent process ID (ppid) of the attacker.
argv[13]                  | Attacker User ID             | Integer          | <uid>              | User ID (uid) of the attacker.
argv[14]                  | Attacker Group ID            | Integer          | <gid>              | Group ID (gid) of the attacker.
argv[15]                  | Attacker Effective User ID   | Integer          | <euid>             | Effective user ID (euid) of the attacker.
argv[16]                  | Attacker Effective Group ID  | Integer          | <egid>             | Effective group ID (egid) of the attacker.
argv[17]                  | Pathname of Target File      | String           | <full pathname>    | Full pathname of the file under attack.
argv[18]                  | Target File Type             | Integer          | <type>             | File type of the file under attack. Corresponds to an enum vtype value defined in vnode.h.
argv[19]                  | Target File Mode             | Integer          | <mode> (decimal)   | Mode of the file under attack.
argv[20]                  | Target File Owner            | Integer          | <uid>              | Owner (uid) of the file under attack.
argv[21]                  | Target File Group            | Integer          | <gid>              | Group (gid) of the file under attack.
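As an added example, not taken from the guide, the following POSIX sh fragment shows how a response program reads the Kernel template fields of Table B-1 from its own argument list, validates the Integer fields before acting on them, and prints one log-style line; the function names and the sample values used to exercise it are constructed. Note that argv[N] in the table is ${N} in a shell script.

```shell
#!/bin/sh
# Added example, not from the HP-UX HIDS guide: a response-program fragment that
# reads the Kernel template fields of Table B-1 from its own argument list.
# The agent passes argv[0..9] (common fields) followed by argv[10..21]; in a
# shell script argv[N] from the table is ${N}. Function names are hypothetical.

# Succeed only if $1 is a non-negative decimal integer (the Integer fields).
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Print argv[10..21] of a Kernel template alert as one key=value line.
# Call as: format_kernel_alert "$@"   (the response program's full argument list)
# Returns 1 if fewer than 21 arguments were passed, 2 if an Integer field is
# malformed, so a caller can log the problem instead of acting on bad input.
format_kernel_alert() {
    [ $# -ge 21 ] || return 1
    shift 9                                  # now $1 is argv[10]
    syscall=$1 pid=$2 ppid=$3 uid=$4 gid=$5 euid=$6 egid=$7
    path=$8 ftype=$9 mode=${10} fowner=${11} fgroup=${12}
    for v in "$syscall" "$pid" "$ppid" "$uid" "$gid" "$euid" "$egid" \
             "$ftype" "$mode" "$fowner" "$fgroup"; do
        is_uint "$v" || return 2
    done
    # Table B-1 gives the mode in decimal; report it in the octal form
    # administrators are used to from ls(1) and chmod(1).
    mode_oct=$(printf '%o' "$mode")
    # Flag alerts where the attacker's effective ids differ from the real ones,
    # i.e. the triggering process was running with set-uid/set-gid privileges.
    privchange=no
    if [ "$euid" != "$uid" ] || [ "$egid" != "$gid" ]; then privchange=yes; fi
    printf 'syscall=%s pid=%s ppid=%s uid=%s gid=%s euid=%s egid=%s ' \
        "$syscall" "$pid" "$ppid" "$uid" "$gid" "$euid" "$egid"
    printf 'path=%s ftype=%s mode=%s owner=%s group=%s privchange=%s\n' \
        "$path" "$ftype" "$mode_oct" "$fowner" "$fgroup" "$privchange"
}

# Entry point when run as the response program itself; skipped without arguments.
if [ $# -ge 21 ]; then
    format_kernel_alert "$@" || exit $?
fi
```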
194 Automated Response for Alerts