HP-UX Host Intrusion Detection System Version 4.2 Administration Guide
Table A-18 World-Writable File Created Alert Properties (continued)
Response Program Argument: argv[8]
Alert Field: Details
Alert Field Type: String
Alert Value/Format: User with uid <uid> <performed action on> the file <full pathname> (type=<type>, inode=<inode>, device=<device>) when executing <program> (type=<type>, inode=<inode>, device=<device>), invoked as follows: <argv[0]> <argv[1]>..., as process with pid <pid> and ppid <ppid> and running with effective uid=<euid> and with effective gid=<egid>.
where <performed action on> is set to one of the following:
• created the world-writable file
• created the world-writable directory
• created the world-writable character special file
• created the world-writable block special file
• created the world-writable pipe (fifo) file
• renamed the world-writable file
• changed the owner of the world-writable file
• enabled the world-writable permission on file
• performed system call <number> on the file
Description: Detailed alert description

Response Program Argument: argv[9]
Alert Field: Event
Alert Field Type: String
Alert Value/Format: Following are the possible values:
• File created
• Directory created
• Special file created
• File renamed
• File ownership modified
• File permission modified
• Miscellaneous event
Description: The event that triggered the alert.
NOTE: See Table B-1 (page 161) in Appendix B for the definition of additional arguments that can
be used to access specific alert information (for example, pid and ppid) without parsing the string
alert fields.
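When the string fields do have to be parsed, for example where only the Details and Event text reaches a log pipeline, the following added example (not taken from this guide or from HP) shows a response-program helper that reads argv[8] and argv[9]. The function names, the triage labels, the ROOT-EUID flag and the SAMPLE string are constructed for illustration, and the ids are assumed to be numeric.

```shell
#!/bin/sh
# Added example, not HP code. SAMPLE is a constructed Details string whose
# pathname deliberately contains text that imitates the trailing fields.
SAMPLE='User with uid 105 created the world-writable file the file /tmp/a as process with pid 1 and ppid 1 and running with effective uid=105 and with effective gid=20. (type=regular, inode=4211, device=64) when executing /usr/bin/touch (type=regular, inode=880, device=64), invoked as follows: touch /tmp/a, as process with pid 2301 and ppid 2290 and running with effective uid=0 and with effective gid=3.'

# Map the Event string (argv[9]) to a short label. Labels are this example's own.
event_class() {
    case "$1" in
        "File created"|"Directory created"|"Special file created") echo new-object ;;
        "File renamed")                                            echo rename ;;
        "File ownership modified"|"File permission modified")      echo attr-change ;;
        "Miscellaneous event")                                     echo misc ;;
        *)                                                         echo unknown ;;
    esac
}

# uid is the first field of Details, so anchor the match at the start.
details_uid() {
    printf '%s\n' "$1" | tr '\n' ' ' | sed -n 's/^User with uid \([0-9][0-9]*\) .*/\1/p'
}

# pid, ppid, euid and egid close the Details string. Anchoring at the end means
# look-alike text inside the pathname or argv (both chosen by the process that
# raised the alert) cannot stand in for the real values.
details_tail() {
    printf '%s\n' "$1" | tr '\n' ' ' | sed -n \
     's/.* as process with pid \([0-9][0-9]*\) and ppid \([0-9][0-9]*\) and running with effective uid=\([0-9][0-9]*\) and with effective gid=\([0-9][0-9]*\)\. *$/\1 \2 \3 \4/p'
}

# Prints "class uid pid ppid euid egid [ROOT-EUID]", or "unparsed" on mismatch.
triage() {
    uid=$(details_uid "$1"); rest=$(details_tail "$1")
    if [ -z "$uid" ] || [ -z "$rest" ]; then echo unparsed; return 1; fi
    set -- "$(event_class "$2")" "$uid" $rest
    line="$*"
    if [ "$5" = 0 ]; then line="$line ROOT-EUID"; fi
    echo "$line"
}

# As a response program: argv[8] and argv[9] arrive as $8 and $9.
if [ $# -ge 9 ]; then triage "$8" "$9"; fi
```

A mismatch returns "unparsed" rather than partial values, so a format change or a truncated string is visible to whatever consumes the output.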
Limitations
The World-Writable template has the following limitations:
• The template cannot always distinguish whether a world-writable file is created, or whether
an existing world-writable file is opened with the create flag set. The template can generate
Creation of World-Writable File Template 143