HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

Properties
The configurable properties are listed as follows:
priv_user_list
    A list of system-level user IDs or user names. This list contains users that have elevated access to the system. Removing any of these users means that this template does not detect the creation of a world-writable file owned by that user.

pathnames_to_not_watch
    Path names of files that can be safely ignored if they are made world writable.

pathnames_X, programs_X
    Filter out alerts generated when a specified program creates a specified world-writable file. See “Type II: Path Names/Programs Pairs” (page 107) for a detailed description of these property pairs.
Alerts generated by this template
World-Writable File Created
Table A-18 lists the configurable properties that this template supports.
Table 28 World-Writable File Created Alert Properties

Description | Alert Value/Format | Alert Field Type | Alert Field | Response Program Argument
Unique code assigned to template | 5 | Integer | Template code | argv[1]
Template Version | <version> | Integer | Version | argv[2]
Alert Severity | 3 | Integer | Severity | argv[3]
UTC time in number of seconds since the epoch when a world-writable file was created | <secs> | Integer | UTC time | argv[4]
The user ID, group ID, process ID, and parent process ID of the process that created the world-writable file | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid> | String | Attacker | argv[5]
The full path name of the world-writable file and the file’s type, mode, uid, gid, inode, and device number | file=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>, inode=<inode>, device=<device> | String | Target of Attack | argv[6]
Alert summary | world-writable file created | String | Summary | argv[7]
Detailed alert description | User with uid <uid> <performed action on> the file <full pathname> (type=<type>, inode=<inode>, device=<device>) when executing <program> (type=<type>, inode=<inode>, device=<device>), invoked as follows: <argv[0]> <argv[1]>..., as process with pid <pid> and ppid <ppid> and running with effective uid=<euid> and with effective gid=<egid>. where | String | Details | argv[8]
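The property list above and Table 28 together describe what a response program receives for this alert: the eight argv fields, with argv[5] and argv[6] packed as comma-separated key=value pairs. The script below is an added example, not part of the HP-UX HIDS guide or of any response program HP ships. It decodes argv[5] and argv[6], checks that the target's mode really has the other-write bit set, and decides whether the alert should be ignored, escalated or merely logged. PRIV_UIDS and IGNORE_PATHS are constructed stand-ins for the template's priv_user_list and pathnames_to_not_watch properties, and the exact-string path match is an assumption of this example, not the template's own matching rule.

```shell
#!/bin/sh
# Added example response program for the World-Writable File Created alert
# (template code 5). Not part of the HP-UX HIDS guide or its shipped scripts.
# HIDS passes the Table 28 fields as argv[1]..argv[8]; this script reads
# argv[5] (attacker) and argv[6] (target) and classifies the alert.

PRIV_UIDS="0 1 2"                                 # constructed stand-in for priv_user_list
IGNORE_PATHS="/var/tmp/app.sock /tmp/.X11-unix"   # constructed stand-in for pathnames_to_not_watch

# field STRING KEY: print the value of KEY from a "k=v, k=v, ..." string.
# Pairs are split on commas, so this assumes the path name contains none.
field() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^ *$2=//p" | head -n 1
}

# world_writable MODE: succeed if the octal mode has the other-write bit set,
# i.e. its last octal digit is 2, 3, 6 or 7.
world_writable() {
    case "$1" in
        *[2367]) return 0 ;;
        *)       return 1 ;;
    esac
}

# classify ARGV1 ... ARGV8: print one of
#   malformed - not an eight-field template-5 alert, or mode not world-writable
#   ignore    - target path is on the pathnames_to_not_watch stand-in list
#   escalate  - file was created by a uid on the priv_user_list stand-in list
#   notify    - any other world-writable file creation
classify() {
    if [ "$#" -ne 8 ] || [ "$1" != 5 ]; then
        echo malformed
        return 0
    fi
    uid=$(field "$5" uid)
    path=$(field "$6" file)
    mode=$(field "$6" mode)
    if [ -z "$uid" ] || [ -z "$path" ] || ! world_writable "$mode"; then
        echo malformed
        return 0
    fi
    for p in $IGNORE_PATHS; do
        if [ "$path" = "$p" ]; then
            echo ignore
            return 0
        fi
    done
    for u in $PRIV_UIDS; do
        if [ "$uid" = "$u" ]; then
            echo escalate
            return 0
        fi
    done
    echo notify
}

# When invoked by HIDS with the eight alert fields, record the decision with
# the facts an analyst needs first. A production script would hand this to
# syslog or a pager; echo keeps the example self-contained.
if [ "$#" -eq 8 ]; then
    echo "$(classify "$@"): uid=$(field "$5" uid) pid=$(field "$5" pid) file=$(field "$6" file)"
fi
```

Because the fields are split on commas, a path name containing a comma would be truncated by field(); a response program that must handle arbitrary names should parse argv[6] from its known trailing keys (device, inode, gid, uid, mode, type) backwards instead. The mode check guards against acting on an alert whose target field does not describe a world-writable file, which is cheaper than re-examining the file on disk and does not race with a process that may already have changed it again.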
132 Templates and Alerts