HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)
Table 23 Append-Only File Being Modified Alert Properties (continued)
Columns: Response Program Argument, Alert Field, Alert Field Type, Alert Value/Format, Description

Response Program Argument: argv[8]
Alert Field: Details
Alert Field Type: String
Alert Value/Format:
User with uid <uid> <performed action on the file> <full pathname> (type=<type>, inode=<inode>, device<device>) when executing <program> (type=<type>,inode=<inode>,device=<device>), invoked as follows: <argv[0]> <argv[1]>..., as process with pid <pid> and ppid <ppid> and running with effective uid=<euid> and with effective gid=<egid>.
where <performed action on the file> is set to one of the following:
• opened for modification/truncation
• deleted the file
• deleted the directory
• performed system call number on the file
• renamed the file
• truncated the file
• created the file (and overwrote any existing file) named
Description: Detailed alert description

Response Program Argument: argv[9]
Alert Field: Event
Alert Field Type: String
Alert Value/Format:
Following are the possible values:
• File opened for modification
• File renamed
• File created
• File modified
• File truncated
• Hard link created
• File deleted
• Directory deleted
• Miscellaneous event
Description: The event that triggered the alert.
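
An added example (not from the HP guide): a POSIX shell response program that pulls the numeric fields out of the Details string (argv[8]) and checks the Event value (argv[9]) against the values listed above. It assumes Details arrives as a single line shaped like the template; the sample string, the function names and the euid_differs flag are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the HP guide. Assumes Details arrives as one line.

# Print the number that follows label $2 in Details string $1 (empty if absent).
details_num() {
    printf '%s\n' "$1" | sed -n "s/.*$2\([0-9][0-9]*\).*/\1/p"
}

# Return 0 if $1 is one of the Event values listed in Table 23.
known_event() {
    case "$1" in
        "File opened for modification"|"File renamed"|"File created"|\
        "File modified"|"File truncated"|"Hard link created"|\
        "File deleted"|"Directory deleted"|"Miscellaneous event") return 0 ;;
        *) return 1 ;;
    esac
}

# Build one key=value summary line from Details ($1) and Event ($2).
summarize_alert() {
    details=$1 event=$2
    # "with uid " and "with pid " avoid matching "effective uid=" and "ppid ".
    uid=$(details_num "$details" "with uid ")
    pid=$(details_num "$details" "with pid ")
    ppid=$(details_num "$details" "ppid ")
    euid=$(details_num "$details" "effective uid=")
    egid=$(details_num "$details" "effective gid=")
    known_event "$event" || event="UNKNOWN"
    # A uid/euid mismatch means the process ran with a changed effective uid
    # (for example through a setuid program); flag it for the analyst.
    flag=same_uid
    [ -n "$uid" ] && [ -n "$euid" ] && [ "$uid" != "$euid" ] && flag=euid_differs
    printf 'event="%s" uid=%s euid=%s egid=%s pid=%s ppid=%s %s\n' \
        "$event" "$uid" "$euid" "$egid" "$pid" "$ppid" "$flag"
}

# Constructed sample following the Details template in Table 23.
SAMPLE_DETAILS='User with uid 1001 truncated the file /var/adm/syslog/syslog.log (type=regular, inode=5120, device=64,3) when executing /usr/bin/sh (type=regular,inode=812,device=64,3), invoked as follows: sh -c ..., as process with pid 4321 and ppid 4300 and running with effective uid=0 and with effective gid=3.'

# When run as a response program, argv[8] and argv[9] are $8 and $9.
if [ $# -ge 9 ]; then
    summarize_alert "$8" "$9"
fi
```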
Failed Attempt to Modify Append-Only Files
Table 24 (page 127) lists the alert properties this template generates and forwards to a response
program when files monitored by the Changes to Log File template are unsuccessfully
modified in a way other than being appended to. All other alert properties for failed attempts are
listed in Table 23 (page 125).