HP-UX Host Intrusion Detection System Version 4.2 Administration Guide

ManualsBrandsHP ManualsSoftwareHP-UX Host Intrusion Detection System Software

131

132

133

134

135

136

137

138

139

140

Table A-16 Setuid File Created / Modified Alert Properties (continued)

DescriptionAlert Value/FormatAlert Field

Type

Alert FieldResponse

Program

Argument

Detailed alert descriptionUser with uid <uid> <performed

action on>

the file ><full

pathname>(type=<type>,

inode=<inode>, device<device)

when executing <program>

(type=<type>, inode=<inode>,

device=<device>), invoked as

follows: <argv[0]> <argv[1]>..., as

process with pid <pid> and ppid

<ppid> and running with effective

uid=<euid> and with effective

gid=<egid>.where <performed

action on> is set to one of the

following:

• created the setuid or setgid

file

• changed the owner of the

setuid file, or changed the

group of the setgid file.

• enabled the setuid or

setgid bit on file

• performed system call

<number> on the file

• opened for modification

• truncated the setuid or

setgid file

StringDetailsargv[8]

The event that triggered the

alert.

Following are the possible values:

• File truncated

• File created

• File modified

• Miscellaneous event

StringEventargv[9]

NOTE: See Table B-1 (page 161) for the definition of additional arguments that can be used to

access specific alert information (for example, pid and ppid) without parsing the string alert

fields.

Limitations

The setuid/setgid file template has the following limitations:

• The template cannot always distinguish whether a setuid (or setgid) file is created and

whether an existing setuid (or setgid) file is opened for modification with the create flag.

The template can generate an alert that a setuid (or setgid) file was created rather than

generating an alert that a setuid (or setgid) file was opened for modification. The template

can also generate a false alert that a setuid (or setgid) file is created even though the file

already exists, and is opened with the create flag rather than for modification.

• The template cannot always distinguish whether a setuid (or setgid) file is created, and

whether an existing setuid (or setgid) file is truncated. The template can generate an

alert that a setuid (or setgid) file is created, instead of generating an alert that a setuid

(or setgid) file is truncated.

140 Templates and Alerts