HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)
Table 20 File Being Modified Alert Properties (continued)
Columns: Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description

argv[5]
  Alert Field: Attacker
  Alert Field Type: String
  Alert Value/Format: uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>
  Description: The user ID, group ID, process ID, and parent process ID of the process that modified the file

argv[6]
  Alert Field: Target of attack
  Alert Field Type: String
  Alert Value/Format: file=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>, inode=<inode>, device=<device>
  Description: The full path name of the file that was modified and the file’s type, mode, uid, gid, inode, and device number

argv[7]
  Alert Field: Summary
  Alert Field Type: String
  Alert Value/Format: File system modification or potential modification.
  Description: Alert summary

argv[8]
  Alert Field: Details
  Alert Field Type: String
  Alert Value/Format: User with uid<uid> <performed action on the file> <full pathname> (type=<type>, inode=<inode>, device=<device>) when executing <program> (type=<type>, inode=<inode>, device=<device>), invoked as follows: <argv[0]><argv[1]>..., as process with pid <pid> and ppid <ppid> and running with effective uid=<euid> and with effective gid=<egid>.
  where <performed action on the file> is set to one of the following:
  • changed the owner of
  • changed the permission of
  • opened for modification/truncation
  • renamed the file
  • created the file (and overwrote any existing file) named
  • truncated the file
  • created as a hard link
  • created as a symbolic link
  • created the file
  • created the character special file
  • created the directory
  • created the block special file
  • created the pipe (fifo) file
  • deleted the file
  • deleted the directory
  • performed system call <number> on the file
  Description: Detailed alert description

argv[9]
  Alert Field: Event
  Alert Field Type: String
  Alert Value/Format: Following are the possible values:
  • File ownership modified
  • File permission modified
  • File opened for modification
  • File created
  • File truncated
  Description: The event that triggered the alert.
Modification of files/directories Template 121
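Added example, not part of the HP guide: a response script can split the argv[5] and argv[6] strings from Table 20 as shown below, treating the pathname in argv[6] as untrusted data that may itself contain ", key=value" text. The function names, the sample values, and the assumption that fields are separated by ", " exactly as the table shows are illustrative.

```shell
#!/bin/sh
# Added example (not from the HP guide): parse the argv[5] and argv[6]
# strings of Table 20 inside a response script.
# Assumption: fields are separated by ", " exactly as the table shows.

# kv_get STRING KEY: print the value of KEY from "k=v, k=v, ...".
# A leading ", " is prepended so that "pid" cannot match inside "ppid".
kv_get() {
    _s=", $1"
    case $_s in
        *", $2="*) ;;
        *) return 1 ;;          # key not present
    esac
    _s=${_s##*", $2="}          # text after the last ", KEY="
    printf '%s\n' "${_s%%, *}"  # cut at the next separator
}

# target_file ARGV6: print the pathname. The pathname is chosen by whoever
# created the file and may itself contain ", key=value" text, so cut at the
# LAST ", type=" instead of splitting on every separator.
target_file() {
    _t=${1#file=}
    printf '%s\n' "${_t%", type="*}"
}

# target_meta ARGV6 KEY: read KEY only from the trailing metadata fields.
target_meta() {
    kv_get "type=${1##*", type="}" "$2"
}

# is_uint VALUE: succeed only for a non-empty string of digits.
is_uint() {
    case $1 in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# Constructed sample values; in a real response script use "$5" and "$6".
SAMPLE_ATTACKER='uid=1001, gid=20, pid=4321, ppid=4300'
SAMPLE_TARGET='file=/tmp/a, uid=0, b, type=regular, mode=0644, uid=1001, gid=20, inode=777, device=64'

a_pid=$(kv_get "$SAMPLE_ATTACKER" pid)
t_uid=$(target_meta "$SAMPLE_TARGET" uid)
if is_uint "$a_pid" && is_uint "$t_uid"; then
    printf 'pid=%s modified "%s" (owner uid=%s)\n' \
        "$a_pid" "$(target_file "$SAMPLE_TARGET")" "$t_uid"
fi
```

Splitting argv[6] on every ", " would read uid=0 from the constructed file name instead of the real owner uid=1001, which is why the metadata is taken only from the text after the last ", type=".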