HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

file being modified matches the corresponding second
member of the pair.
For example, pairs [0,1], [root, 1], [0, bin], and [root,bin]
are all equivalent and any of them can be used to filter all
alerts where a process with effective uid 0 (root) modifies files
owned by user bin (uid 1).
pathnames_X, programs_X: These properties can be used to filter out alerts generated
when a particular program modifies a specified file owned
by another user. See “Type II: Path Names/Programs Pairs”
(page 107) for a detailed description of these property pairs.
Alerts generated by this template
Non-Owned File Being Modified
Table A-20 lists the alert properties the Modification of Another User’s File template generates and
forwards to a response program when a file is modified by someone other than the owner.
Table 30 Non-Owned File Being Modified Alert Properties

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[1] | Template code | Integer | 6 | Unique code assigned to template |
| argv[2] | Version | Integer | <version> | Template version |
| argv[3] | Severity | Integer | 2 if the file is truncated, potentially truncated, deleted, or renamed; 3 if the file’s mode or ownership is modified, or the file is opened for writing or appending | Alert severity |
| argv[4] | UTC time | Integer | <secs> | UTC time in number of seconds since the epoch when a file was modified by a non-owner |
| argv[5] | Attacker | String | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>. | The user ID, group ID, process ID, and parent process ID of the process that modified the file |
| argv[6] | Target of Attack | String | file=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>, inode=<inode>, device=<device>. | The full path name of the file and the file’s type, mode, uid, gid, inode, and device number |
| argv[7] | Summary | String | Non-owned file being modified | Alert summary |
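A response program receives these seven properties as argv[1] through argv[7]. The script below is an added example, not code from the HP guide: it parses the Attacker and Target of Attack strings, cutting the path at the last ", type=" so that a file name containing ", uid=" cannot be mistaken for a field. It assumes the strings use exactly the ", " separators and trailing period printed in the table; the function names and sample values are hypothetical.

```shell
#!/bin/sh
# Added example (not from the HP guide): response-program sketch for the
# Non-Owned File Being Modified alert (template code 6). Function names are
# hypothetical; the field layout is assumed to match the alert table exactly.

# kv KEY STRING: print KEY's value from a "k=v, k=v." string, or return 1.
kv() {
    s=", ${2%.}"                       # add leading separator, drop final period
    rest=${s#*", $1="}                 # text after the first ", KEY="
    [ "$rest" != "$s" ] || return 1    # KEY not present
    printf '%s\n' "${rest%%, *}"       # value ends at the next ", "
}

# target_file STRING: path from argv[6]. The path is chosen by whoever touched
# the file and may itself contain ", ", so cut at the LAST ", type=".
target_file() {
    t=${1#file=}
    printf '%s\n' "${t%, type=*}"
}

# target_attrs STRING: the fixed fields that follow the path (type= ... device=).
target_attrs() { printf 'type=%s\n' "${1##*, type=}"; }

# handle_alert ARGV1..ARGV7: print one log line, or return 1 if not code 6.
handle_alert() {
    [ "$#" -eq 7 ] && [ "$1" = 6 ] || return 1
    case $3 in
        2) what="truncated, deleted, or renamed" ;;
        3) what="mode/ownership changed or opened for writing" ;;
        *) what="unexpected severity $3" ;;
    esac
    attrs=$(target_attrs "$6")
    printf 'time=%s sev=%s (%s) by_uid=%s pid=%s ppid=%s file="%s" owner_uid=%s\n' \
        "$4" "$3" "$what" "$(kv uid "$5")" "$(kv pid "$5")" "$(kv ppid "$5")" \
        "$(target_file "$6")" "$(kv uid "$attrs")"
}

# Installed as the response program, the alert arrives as "$@"; with any other
# argument count, run on a constructed sample (all values made up).
if [ "$#" -eq 7 ]; then handle_alert "$@"
else handle_alert 6 1 3 1394000000 'uid=0, gid=3, pid=4242, ppid=4100.' \
    'file=/tmp/a, uid=0, type=x, type=regular, mode=0644, uid=1, gid=1, inode=77, device=5.' \
    'Non-owned file being modified'
fi
```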