HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

Table 22 Template Properties (continued)

Name                                      | Type | Default Value
(default value continued from previous page) |      | ^/var/adm/syslog/syslog.log$ | ^/var/adm/pacct$ | ^/var/adm/sulog$
pathnames_to_not_watch                    | I    | <empty>
pathnames_X                               | II   | <empty>
programs_X                                | II   | <empty>
Properties
The configurable properties are described briefly below:

pathnames_to_watch       Path names of files to be monitored for modification other than appending.

pathnames_to_not_watch   Path names of files whose modification can be safely ignored, regardless of which program modifies them.

pathnames_X, programs_X  Use these property pairs to filter out the alerts generated when a particular program modifies a particular file other than by appending. See “Type II: Path Names/Programs Pairs” (page 107) for a detailed description of these property pairs.
Alerts generated by this template
Append-Only File Being Modified
Table 23 lists the alert properties this template generates and forwards to a response program when a file is modified in a way other than being appended to.
Table 23 Append-Only File Being Modified Alert Properties

Response Program Argument | Alert Field      | Alert Field Type | Alert Value/Format                                                                                          | Description
argv[1]                   | Template code    | Integer          | 3                                                                                                           | Unique code assigned to the template
argv[2]                   | Version          | Integer          | <version>                                                                                                   | Template version
argv[3]                   | Severity         | Integer          | 2                                                                                                           | Alert severity
argv[4]                   | UTC time         | Integer          | <secs>                                                                                                      | UTC time in seconds since the epoch when the file was modified
argv[5]                   | Attacker         | String           | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>                                                                | The user ID, group ID, process ID, and parent process ID of the process that modified the file
argv[6]                   | Target of attack | String           | file=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>, inode=<inode>, device=<device>        | The full path name of the file that was modified and the file's type, mode, uid, gid, inode, and device number
argv[7]                   | Summary          | String           | Append-only file modified or potentially modified                                                           | Alert summary
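A response program receives the seven fields of Table 23 as argv[1] through argv[7] in that order. The POSIX shell script below is an added example of such a program; it is not part of this guide or of the HP-UX HIDS distribution, and it assumes only the argument order and value formats stated in Table 23. The script name, the key=value output line, and the sample values used in the comments are constructed for this example. Note that argv[6] is a comma-separated list whose first element is a path name, and a path name may itself contain commas, so the file= value is cut at the ", type=" that always follows it rather than split on commas.

```shell
#!/bin/sh
# Added example (not HP's code): a response program for the Changes to Log File
# template. HIDS is assumed to invoke it with the seven arguments of Table 23:
#   logfile_respond.sh <template code> <version> <severity> <secs> <attacker> <target> <summary>
# The script name and the output format are constructed for this example.

TEMPLATE_CODE_LOGFILE=3   # "Unique code assigned to the template" (Table 23, argv[1])

# kv_get LIST KEY: value of KEY in a "k1=v1, k2=v2, ..." list (first match only).
# Anchoring at the start of each element keeps "pid=" from matching inside "ppid=".
kv_get() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# target_file TARGET: the file=<full pathname> value of argv[6]. A path may itself
# contain commas, so it is cut at the ", type=" that follows it instead of being
# split on commas like the other fields.
target_file() {
    printf '%s\n' "$1" | sed -n 's/^file=\(.*\), type=.*$/\1/p'
}

# format_alert CODE VERSION SEVERITY SECS ATTACKER TARGET SUMMARY
# Prints one key=value line suitable for a log collector. Returns 1 when the alert
# is not from template 3, so a response program shared by several templates can
# ignore alerts it was not written for.
format_alert() {
    code=$1 version=$2 severity=$3 secs=$4 attacker=$5 target=$6 summary=$7
    [ "$code" = "$TEMPLATE_CODE_LOGFILE" ] || return 1

    # argv[5]: the process that modified the file
    uid=$(kv_get "$attacker" uid)
    gid=$(kv_get "$attacker" gid)
    pid=$(kv_get "$attacker" pid)
    ppid=$(kv_get "$attacker" ppid)

    # argv[6]: the file that was modified (its own uid/gid are the owner, not the attacker)
    file=$(target_file "$target")
    ftype=$(kv_get "$target" type)
    mode=$(kv_get "$target" mode)
    inode=$(kv_get "$target" inode)
    device=$(kv_get "$target" device)

    printf 'hids_template=%s version=%s severity=%s utc=%s file=%s type=%s mode=%s inode=%s device=%s uid=%s gid=%s pid=%s ppid=%s summary="%s"\n' \
        "$code" "$version" "$severity" "$secs" "$file" "$ftype" "$mode" "$inode" "$device" \
        "$uid" "$gid" "$pid" "$ppid" "$summary"
}

# When HIDS runs the script it passes all seven arguments; with fewer arguments
# (for example when the file is sourced for testing) nothing is done.
if [ "$#" -ge 7 ]; then
    format_alert "$@"
fi
```

The inode and device number in the output line are worth keeping: if an attacker replaces /var/adm/sulog with a fresh file of the same name, the path in the alert stays the same but the inode changes, which a later correlation step can notice.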
Changes to Log File Template 125