Templates and Alerts

Creation of Setuid File Template

Setuid File Created

This template generates and forwards the following alerts to a response program when a setuid file owned by a privileged user is created:

Table A-14 Setuid File Created Alert Properties

| Response Program Argument | Alert Field | Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[1] | Template | Integer | 4 | Unique code assigned to template |
| argv[2] | Version | Integer | 2 | Version of the template |
| argv[3] | Severity | Integer | 1 | Severity |
| argv[4] | UTC Time | Integer | <secs> | UTC time in number of seconds since epoch when a privileged setuid file is created |
| argv[5] | Attacker | String | "uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>" | The user ID, group ID, process ID, and parent process ID of the process that created the privileged setuid file |
| argv[6] | Target of Attack | String | "file=<full pathname>, mode=<mode>,uid=<uid>,gid=<gid>, inode=<inode>,device=<device>" | The full pathname of the privileged setuid file and the file's mode, uid, gid, inode, and device number |
| argv[7] | Summary | String | "Setuid file created" | Alert Summary |
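As an added illustration (not code from the HP HIDS manual or product), the following Python response program parses the seven arguments laid out in Table A-14 exactly as HIDS would pass them in argv[1]..argv[7], turns them into a structured record, and lists the points a responder would want highlighted. The key=value layouts of argv[5] and argv[6] follow the table; everything else is an assumption made here: that <mode> is reported in octal, that a pathname containing commas is not escaped by the sender (so the target field is split from the right), that surrounding quote characters may or may not be present, and the triage heuristics themselves.

```python
"""Response program for the "Setuid File Created" alert (template 4, version 2).
Added example, not HP HIDS's own code; see the lead-in for what is assumed."""
import sys
import time

EXPECTED_TEMPLATE = 4   # unique code of this template (argv[1])
EXPECTED_VERSION = 2    # template version this parser understands (argv[2])
ATTACKER_KEYS = ("uid", "gid", "pid", "ppid")
TARGET_KEYS = ("file", "mode", "uid", "gid", "inode", "device")
QUOTES = '"\u201c\u201d'  # stripped in case the sender wraps the value in quotes (assumption)


def _split_item(item, expected_key):
    """'key=value' -> value, refusing items whose key is not the one expected."""
    name, sep, value = item.strip().partition("=")
    if not sep or name != expected_key:
        raise ValueError("expected %s=<value>, got %r" % (expected_key, item))
    return value


def parse_attacker(text):
    """'uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>' -> dict of ints."""
    items = text.strip().strip(QUOTES).split(",")
    if len(items) != len(ATTACKER_KEYS):
        raise ValueError("malformed attacker field: %r" % text)
    return {key: int(_split_item(item, key)) for key, item in zip(ATTACKER_KEYS, items)}


def parse_target(text):
    """'file=<path>,mode=<mode>,uid=<uid>,gid=<gid>,inode=<inode>,device=<device>' -> dict.
    The pathname comes first and may itself contain commas (assumption: the sender
    does not escape them), so the five trailing fields are split off from the right
    and whatever is left is the pathname."""
    items = text.strip().strip(QUOTES).rsplit(",", len(TARGET_KEYS) - 1)
    if len(items) != len(TARGET_KEYS):
        raise ValueError("malformed target field: %r" % text)
    return {key: _split_item(item, key) for key, item in zip(TARGET_KEYS, items)}


def parse_alert(argv):
    """argv is sys.argv-shaped: argv[0] is the program, argv[1..7] the alert fields."""
    if len(argv) < 8:
        raise ValueError("expected 7 alert arguments, got %d" % (len(argv) - 1))
    template, version, severity, utc_secs = (int(a) for a in argv[1:5])
    if template != EXPECTED_TEMPLATE:
        raise ValueError("template %d is not Setuid File Created (%d)" % (template, EXPECTED_TEMPLATE))
    if version != EXPECTED_VERSION:
        # A different version may lay the fields out differently; refuse rather than misparse.
        raise ValueError("unsupported template version %d" % version)
    return {
        "template": template, "version": version, "severity": severity,
        "utc_time": utc_secs,
        "attacker": parse_attacker(argv[5]),
        "target": parse_target(argv[6]),
        "summary": argv[7],
    }


def triage(alert):
    """Indicators worth highlighting for the responder (assumed heuristics)."""
    mode = int(alert["target"]["mode"], 8)   # assumption: mode is reported in octal
    notes = []
    if not mode & 0o6000:
        notes.append("mode %o has neither setuid nor setgid bit; verify alert source" % mode)
    if mode & 0o022:
        notes.append("setuid file is group- or world-writable")
    if alert["attacker"]["uid"] != 0:
        notes.append("created by process running as unprivileged uid %d" % alert["attacker"]["uid"])
    if alert["target"]["file"].startswith(("/tmp/", "/var/tmp/")):
        notes.append("setuid file placed in a temporary directory")
    return notes


def format_record(alert):
    """One-line record for syslog or a ticket: ISO time, file, mode, owner, creator."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(alert["utc_time"]))
    t, a = alert["target"], alert["attacker"]
    return ("%s sev=%d %s file=%s mode=%s owner=%s:%s inode=%s dev=%s by uid=%d pid=%d ppid=%d"
            % (stamp, alert["severity"], alert["summary"], t["file"], t["mode"], t["uid"],
               t["gid"], t["inode"], t["device"], a["uid"], a["pid"], a["ppid"]))


# Constructed sample invocation, shaped like the argv HIDS hands to a response program.
SAMPLE_ARGV = [
    "respond_setuid.py", "4", "2", "1", "1000000000",
    "uid=1001, gid=20, pid=4242, ppid=4200",
    "file=/tmp/.x,mode=4755,uid=0,gid=0,inode=12345,device=64768",
    "Setuid file created",
]

if __name__ == "__main__":
    argv = sys.argv if len(sys.argv) > 1 else SAMPLE_ARGV
    parsed = parse_alert(argv)
    print(format_record(parsed))
    for note in triage(parsed):
        print("  NOTE:", note)
```

Run without arguments it processes the constructed sample; installed as the response program it receives the real argv. Refusing an unexpected template or version up front matters because several templates share the same argv positions with different field layouts, and a parser that guesses will log wrong values quietly.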

 

 

 

 

 

 

156 Appendix A (HP Host Intrusion Detection System (HIDS) manual)