HP-UX Host Intrusion Detection System Version 4.2 Administration Guide

Table A-13 Append-Only File Being Modified Alert Properties (continued)

Columns: Description | Alert Value/Format | Alert Field Type | Alert Field | Response Program Argument

Description: The user ID, group ID, process ID, and parent process ID of the process that modified the file.
Alert Value/Format: uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>
Alert Field Type: String
Alert Field: Attacker
Response Program Argument: argv[5]

Description: The full path name of the file that was modified and the file's type, mode, uid, gid, inode, and device number.
Alert Value/Format: file=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>, inode=<inode>, device=<device>
Alert Field Type: String
Alert Field: Target of attack
Response Program Argument: argv[6]

Description: Alert summary
Alert Value/Format: Append-only file modified or potentially modified
Alert Field Type: String
Alert Field: Summary
Response Program Argument: argv[7]

Description: Detailed alert description
Alert Value/Format: User with uid <uid> <performed action on the file> <full pathname> (type=<type>, inode=<inode>, device=<device>) when executing <program> (type=<type>, inode=<inode>, device=<device>), invoked as follows: <argv[0]> <argv[1]>..., as process with pid <pid> and ppid <ppid> and running with effective uid=<euid> and with effective gid=<egid>.
    where <performed action on the file> is set to one of the following:
        opened for modification/truncation
        deleted the file
        deleted the directory
        performed system call number on the file
        renamed the file
        truncated the file
        created the file (and overwrote any existing file) named
Alert Field Type: String
Alert Field: Details
Response Program Argument: argv[8]

Description: The event that triggered the alert. Following are the possible values:
        File opened for modification
        File renamed
        File created
        File modified
        File truncated
        Hard link created
        File deleted
        Directory deleted
        Miscellaneous event
Alert Field Type: String
Alert Field: Event
Response Program Argument: argv[9]
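As an added example (not code from the HP-UX HIDS guide or product), the following Python response program parses the argv[5] through argv[9] fields laid out in Table A-13 into a structure a responder can act on. The argv[1]..argv[4] placeholders, the sample field values, and the assumption that key=value pairs are separated by commas are all constructed for illustration.

```python
"""Parse argv[5]..argv[9] of an HP-UX HIDS append-only-file alert (Table A-13 layout)."""
import sys

# Event strings Table A-13 lists as possible values of argv[9]
KNOWN_EVENTS = {
    "File opened for modification", "File renamed", "File created",
    "File modified", "File truncated", "Hard link created",
    "File deleted", "Directory deleted", "Miscellaneous event",
}

def parse_kv_field(field):
    """Turn 'uid=0, gid=3, pid=4242, ppid=1' into {'uid': '0', 'gid': '3', ...}.
    Assumes items are comma separated and each is key=value; a path that itself
    contains a comma would be split, so only the first '=' of each item is used."""
    result = {}
    for item in field.split(","):
        item = item.strip()
        if "=" not in item:
            continue  # skip malformed items instead of aborting the response program
        key, value = item.split("=", 1)
        result[key.strip()] = value.strip()
    return result

def parse_alert_argv(argv):
    """Return the alert properties carried in argv[5]..argv[9] as a dict."""
    if len(argv) < 10:
        raise ValueError("expected argv[0]..argv[9], got %d arguments" % len(argv))
    event = argv[9]
    return {
        "attacker": parse_kv_field(argv[5]),   # uid, gid, pid, ppid of the modifying process
        "target": parse_kv_field(argv[6]),     # file, type, mode, uid, gid, inode, device
        "summary": argv[7],
        "details": argv[8],
        "event": event,
        "event_known": event in KNOWN_EVENTS,  # flag values outside the documented set
    }

# Constructed sample invocation; argv[1]..argv[4] are placeholders for fields not shown here
SAMPLE_ARGV = [
    "/opt/hids/bin/respond.py", "<argv1>", "<argv2>", "<argv3>", "<argv4>",
    "uid=0, gid=3, pid=4242, ppid=1",
    "file=/var/adm/syslog/syslog.log, type=regular, mode=0644, uid=0, gid=3, inode=1234, device=64",
    "Append-only file modified or potentially modified",
    "User with uid 0 truncated the file /var/adm/syslog/syslog.log ...",
    "File truncated",
]

if __name__ == "__main__":
    print(parse_alert_argv(sys.argv if len(sys.argv) >= 10 else SAMPLE_ARGV))
```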
Failed Attempt to Modify Append-Only Files
Table A-14 “Failed Attempt to Modify Append-Only File Alert Properties” lists the alert properties this template generates and forwards to a response program when files monitored by the Changes to Log File template are unsuccessfully modified in a way other than being appended to. All other alert properties for failed attempts are listed in Table A-13 (page 135).
136 Templates and Alerts