HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
Table 20 File Being Modified Alert Properties

Columns: Description | Alert Value/Format | Alert Field Type | Alert Field | Response Program Argument

Unique code assigned to template | 2 | Integer | Template code | argv[1]

Template version | <version> | Integer | Version | argv[2]

Alert severity | 2 if file is truncated, potentially truncated, deleted, or renamed; 3 if file's mode or ownership is modified, if file is created, or if file is opened for writing or appending | Integer | Severity | argv[3]

UTC time in number of seconds since the epoch when file was modified | <secs> | Integer | UTC time | argv[4]

The user ID, group ID, process ID, and parent process ID of the process that modified the file | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid> | String | Attacker | argv[5]

The full path name of the file that was modified and the file's type, mode, uid, gid, inode, and device number | file=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>, inode=<inode>, device=<device> | String | Target of attack | argv[6]

Alert summary | File system modification or potential modification. | String | Summary | argv[7]

Detailed alert description | (format given below) | String | Details | argv[8]

The Details value (argv[8]) has the form:

  User with uid <uid> <performed action on the file> <full pathname> (type=<type>, inode=<inode>, device=<device>) when executing <program> (type=<type>, inode=<inode>, device=<device>), invoked as follows: <argv[0]> <argv[1]> ..., as process with pid <pid> and ppid <ppid> and running with effective uid=<euid> and with effective gid=<egid>.

where <performed action on the file> is set to one of the following:

• changed the owner of
• changed the permission of
• opened for modification/truncation
• renamed the file
• created the file (and overwrote any existing file) named
• truncated the file
• created as a hard link
• created as a symbolic link
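The following response program is an added example, not code shipped with HP-UX HIDS or taken from this guide. It assumes only the argv[1] through argv[8] layout that Table 20 documents, parses the Attacker and Target key=value strings, recognises which of the eight documented action phrases the Details field carries, and escalates severity 2 alerts and writes to a caller-chosen list of critical paths. The sample alert embedded in it is constructed; the guide does not state the exact spelling of the <type> and <mode> values, so the values used for them here (regular, 0644) are assumptions, and the critical_paths set is the example's own idea, not something HIDS supplies.

```python
"""Illustrative HIDS response program for the File Being Modified alert
(template code 2).  Added example, not code from HP-UX HIDS; it assumes only
the argv[1]..argv[8] layout in Table 20.  SAMPLE_ARGV is constructed."""
import re
import sys
import time

# Severity values Table 20 documents for this template.
SEVERITY_DESTRUCTIVE = 2   # truncated, potentially truncated, deleted, renamed
SEVERITY_MODIFIED = 3      # mode/owner change, created, opened for write/append

# The <performed action on the file> phrases the Details field can carry.
KNOWN_ACTIONS = (
    "changed the owner of",
    "changed the permission of",
    "opened for modification/truncation",
    "renamed the file",
    "created the file (and overwrote any existing file) named",
    "truncated the file",
    "created as a hard link",
    "created as a symbolic link",
)

# 'key=value, key=value' pairs.  A value runs until the next ', key=' or the
# end of the string, so a pathname containing ', ' does not break the split.
_KV_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")


def parse_kv(field):
    """Parse the Attacker (argv[5]) or Target (argv[6]) field into a dict."""
    return dict(_KV_RE.findall(field))


def extract_action(details):
    """Return the documented action phrase found in Details, else None."""
    for action in KNOWN_ACTIONS:
        if action in details:
            return action
    return None


def parse_alert(argv):
    """Turn the response program's argv (argv[0] is the program name) into a
    dict.  Raises ValueError for anything that is not a template 2 alert."""
    if len(argv) < 9:
        raise ValueError("expected 8 alert arguments, got %d" % (len(argv) - 1))
    template, version, severity, utc = (int(a) for a in argv[1:5])
    if template != 2:
        raise ValueError("not a File Being Modified alert: template %d" % template)
    if severity not in (SEVERITY_DESTRUCTIVE, SEVERITY_MODIFIED):
        raise ValueError("undocumented severity %d" % severity)
    return {"template": template, "version": version, "severity": severity,
            "utc": utc, "attacker": parse_kv(argv[5]),
            "target": parse_kv(argv[6]), "summary": argv[7],
            "details": argv[8], "action": extract_action(argv[8])}


def triage(alert, critical_paths):
    """Severity 2 (data loss or rename) and any write to a critical path are
    escalated; everything else is logged.  critical_paths is the caller's
    own list (an assumption of this example), not a HIDS field."""
    if alert["severity"] == SEVERITY_DESTRUCTIVE:
        return "escalate"
    if alert["target"].get("file") in critical_paths:
        return "escalate"
    return "log"


def format_record(alert, decision):
    """One syslog-style line for the response log; %r quotes the untrusted
    action text so a crafted pathname cannot forge extra fields."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(alert["utc"]))
    return "%s hids-t2 sev=%d decision=%s uid=%s pid=%s action=%r file=%r" % (
        stamp, alert["severity"], decision, alert["attacker"].get("uid"),
        alert["attacker"].get("pid"), alert["action"],
        alert["target"].get("file"))


# Constructed sample in the Table 20 formats (not a captured HIDS event);
# the type=regular and mode=0644 spellings are assumptions.
SAMPLE_ARGV = [
    "respond.py", "2", "1", "3", "1302000000",
    "uid=0, gid=3, pid=4242, ppid=1",
    "file=/etc/passwd, type=regular, mode=0644, uid=0, gid=3, "
    "inode=1234, device=64000",
    "File system modification or potential modification.",
    "User with uid 0 opened for modification/truncation /etc/passwd "
    "(type=regular, inode=1234, device=64000) when executing /usr/bin/vi "
    "(type=regular, inode=555, device=64000), invoked as follows: vi "
    "/etc/passwd, as process with pid 4242 and ppid 1 and running with "
    "effective uid=0 and with effective gid=3.",
]

if __name__ == "__main__":
    # HIDS passes the eight fields as command-line arguments; with none
    # given, fall back to the constructed sample so the script still runs.
    argv = sys.argv if len(sys.argv) >= 9 else SAMPLE_ARGV
    alert = parse_alert(argv)
    print(format_record(alert, triage(alert, {"/etc/passwd", "/etc/inetd.conf"})))
```

Treat every one of these arguments as attacker-influenced: the pathname in argv[6] and the command line quoted in argv[8] are chosen by whoever touched the file, so a response script that interpolates them unquoted into a shell command (for example to mail or grep them) turns a file-modification alert into a command-injection path against the responder itself. Parse them as data, as above, and pass them to other programs as discrete arguments rather than through a shell string.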
Modification of files/directories Template 123