HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)
Table 26 Setuid File Created / Modified Alert Properties (continued)

Alert Field: Details
Response Program Argument: argv[8]
Description: Detailed alert description
Alert Value/Format:
  User with uid <uid> <performed action on> the file <full pathname> (type=<type>, inode=<inode>, device=<device>) when executing <program> (type=<type>, inode=<inode>, device=<device>), invoked as follows: <argv[0]> <argv[1]>..., as process with pid <pid> and ppid <ppid> and running with effective uid=<euid> and with effective gid=<egid>.
  where <performed action on> is set to one of the following:
  • created the setuid or setgid file
  • changed the owner of the setuid file, or changed the group of the setgid file
  • enabled the setuid or setgid bit on file
  • performed system call <number> on the file
  • opened for modification
  • truncated the setuid or setgid file
Alert Field Type: String

Alert Field: Event
Response Program Argument: argv[9]
Description: The event that triggered the alert.
Alert Value/Format: Following are the possible values:
  • File truncated
  • File created
  • File modified
  • Miscellaneous event
Alert Field Type: String
NOTE: See Table 41 (page 150) for the definition of additional arguments that can be used to
access specific alert information (for example, pid and ppid) without parsing the string alert fields.
Limitations
The setuid/setgid file template has the following limitations:
• The template cannot always distinguish between the creation of a setuid (or setgid) file and the opening of an existing setuid (or setgid) file for modification with the create flag. As a result, the template can report that a setuid (or setgid) file was created when it was in fact opened for modification, and it can raise a false alert that a setuid (or setgid) file was created even though the file already existed and was merely opened with the create flag rather than for modification.
• The template cannot always distinguish between the creation of a setuid (or setgid) file and the truncation of an existing setuid (or setgid) file. As a result, the template can report that a setuid (or setgid) file was created instead of reporting that a setuid (or setgid) file was truncated.
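The following is an added example, not code from the HP-UX HIDS guide: a response-program fragment that consumes the Details (argv[8]) and Event (argv[9]) fields laid out in Table 26 and folds in the Limitations above by giving the three file events one severity. The sample alert fields, the sed patterns and the field positions other than 8 and 9 are assumptions made here, not values taken from the guide.

```shell
#!/bin/sh
# Added example (not code from the HP-UX HIDS guide): a response-program
# fragment that consumes the Details (argv[8]) and Event (argv[9]) fields
# of a setuid/setgid alert as described in Table 26. Argument positions
# other than 8 and 9 are not covered on this page, so they are ignored here.

# Map the Event field to a severity. Because the template cannot always
# tell creation from modification or truncation of an existing setuid
# file (see Limitations), the three file events get the same severity.
classify_event() {
    case "$1" in
        "File created"|"File modified"|"File truncated") echo "high" ;;
        "Miscellaneous event") echo "medium" ;;
        *) echo "unknown" ;;
    esac
}

# Pull one value out of the Details string by matching the fixed wording
# of the alert format: uid, path, pid, ppid or euid.
extract_field() {
    details=$1
    case "$2" in
        uid)  printf '%s\n' "$details" | sed -n 's/^User with uid \([0-9]*\) .*/\1/p' ;;
        path) printf '%s\n' "$details" | sed -n 's/.* the file \([^ ]*\) (type=.*/\1/p' ;;
        pid)  printf '%s\n' "$details" | sed -n 's/.* pid \([0-9]*\) and ppid .*/\1/p' ;;
        ppid) printf '%s\n' "$details" | sed -n 's/.* ppid \([0-9]*\) and running .*/\1/p' ;;
        euid) printf '%s\n' "$details" | sed -n 's/.*effective uid=\([0-9]*\) .*/\1/p' ;;
    esac
}

# Build one structured log line from the two fields so downstream tooling
# does not have to parse the free-text Details string again.
summarize_alert() {
    details=$1; event=$2
    printf 'severity=%s event="%s" uid=%s euid=%s pid=%s ppid=%s path=%s\n' \
        "$(classify_event "$event")" "$event" \
        "$(extract_field "$details" uid)" "$(extract_field "$details" euid)" \
        "$(extract_field "$details" pid)" "$(extract_field "$details" ppid)" \
        "$(extract_field "$details" path)"
}

# Constructed sample alert fields in the Table 26 format (not real HIDS output).
SAMPLE_DETAILS='User with uid 1001 opened for modification the file /usr/local/bin/tool (type=regular, inode=12345, device=64768) when executing /usr/bin/vi (type=regular, inode=2201, device=64768), invoked as follows: /usr/bin/vi /usr/local/bin/tool, as process with pid 4321 and ppid 4000 and running with effective uid=0 and with effective gid=0.'
SAMPLE_EVENT='File modified'

# When invoked by HIDS, the fields arrive as positional arguments $8 and $9.
if [ "$#" -ge 9 ]; then summarize_alert "$8" "$9"; fi
```

The NOTE above points to Table 41 for arguments that carry pid and ppid directly; the sed extraction is only a fallback for deployments that keep the free-text field.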
130 Templates and Alerts