HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)

ManualsBrandsHP ManualsSoftwareHP-UX Host Intrusion Detection System Software

131

132

133

134

135

136

137

138

139

140

pathnames_to_not_watch Path names of files that can be safely ignored if they are

modified by non-owners.

users_to_ignore Users running with an effective uid that equals to one of the

listed user IDs or corresponds to one of the listed user names

can modify files they do not own without generating an alert.

It is recommended that this property is left blank unless

specifically needed.

user_pairs_to_ignore A list of user ID or user name pairs in which an alert is not

generated if the effective user ID of the process modifying this

file matches the first member of a pair, and the owner of the

file being modified matches the corresponding second

member of the pair.

For example, pairs [0,1], [root, 1], [0, bin], and [root,bin]

are all equivalent and any of them can be used to filter all

alerts where a process with effective uid 0 (root) modifies files

owned by user bin (uid 1).

pathnames_X, programs_X These properties can be used to filter out alerts generated

when a particular program modifies a specified file owned

by another user. See “Type II: Path Names/Programs Pairs”

(page 108) for a detailed description of these property pairs.

Alerts generated by this template

Non-Owned File Being Modified

Table A-20 lists the alert properties the Modification of Another User’s File template generates and

forwards to a response program when a file is modified by someone other than the owner.

Table 30 Non-Owned File Being Modified Alert Properties

DescriptionAlert Value/FormatAlert Field

Type

Alert FieldResponse

Program

Argument

Unique code assigned to

template

6IntegerTemplate codeargv[1]

Template version<version>IntegerVersionargv[2]

Alert severity2 if the file is truncated, potentially

truncated, deleted, or renamed3 if

the file’s mode or ownership is

modified, or the file is opened for

writing or appending

IntegerSeverityargv[3]

UTC time in number of

seconds since the epoch

when a file was modified

by a non-owner

<secs>IntegerUTC timeargv[4]

The user ID, group ID,

process ID, and parent

process ID of the process

that modified the file

uid=<uid>, gid=<gid>, pid=<pid>,

ppid=<ppid>.

StringAttackerargv[5]

The full path name of the

file and the file’s type,

mode, uid, gid, inode, and

device number

file=<full pathname>, type=<type>,

mode=<mode>, uid=<uid>,

gid=<gid>, inode=<inode>,

device=<device>.

StringTarget of Attackargv[6]

Alert summaryNon-owned file being modifiedStringSummaryargv[7]

Modification of Another User’s File Template 137