Templates and Alerts
Creation of Setuid File Template
Setuid File Created
This template generates and forwards the following alerts to a response program when a setuid file owned by a privileged user is created:
Table: Setuid File Created Alert Properties

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[1] | Template code | Integer | 4 | Unique code assigned to template |
| argv[2] | Version | Integer | 2 | Version of the template |
| argv[3] | Severity | Integer | 1 | Severity |
| argv[4] | UTC Time | Integer | <secs> | UTC time in number of seconds since epoch when a privileged setuid file is created |
| argv[5] | Attacker | String | “uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>” | The user ID, group ID, process ID, and parent process ID of the process that created the privileged setuid file |
| argv[6] | Target of Attack | String | “file=<full pathname>, mode=<mode>,uid=<uid>,gid=<gid>, inode=<inode>,device=<device>” | The full pathname of the privileged setuid file and the file’s mode, uid, gid, inode, and device number |
| argv[7] | Summary | String | “Setuid file created” | Alert Summary |
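As an added illustration that is not part of the manual, the following Python response program consumes the seven argv fields listed above and emits one structured record for a log pipeline. The regular expressions are inferred from the Alert Value/Format column; tolerating optional whitespace after commas and treating the surrounding quotes as typographic are assumptions.

```python
"""Response program for the "Setuid File Created" alert (template 4, version 2).

Parses argv[1]..argv[7] as described in the alert properties table and returns
a dict suitable for forwarding to a SIEM. Field patterns are assumptions
derived from the Alert Value/Format column, not a published grammar.
"""
import json
import re
import sys

TEMPLATE_CODE = 4      # "Unique code assigned to template"
TEMPLATE_VERSION = 2   # "Version of the template"

# The table shows both ", " and "," between keys, so whitespace is optional (assumption).
ATTACKER_RE = re.compile(r"uid=(\d+),\s*gid=(\d+),\s*pid=(\d+),\s*ppid=(\d+)")
# The pathname is matched lazily and the whole string is anchored with fullmatch,
# so a path that itself contains ", " or "=" still parses correctly.
TARGET_RE = re.compile(
    r"file=(.*?),\s*mode=([^,]+),\s*uid=(\d+),\s*gid=(\d+),\s*inode=(\d+),\s*device=(\S+)"
)


def parse_setuid_alert(argv):
    """argv: the seven response-program arguments argv[1]..argv[7], in order."""
    if len(argv) != 7:
        raise ValueError("expected 7 alert fields, got %d" % len(argv))
    template, version, severity, utc, attacker, target, summary = argv
    if int(template) != TEMPLATE_CODE or int(version) != TEMPLATE_VERSION:
        raise ValueError("not a Setuid File Created v2 alert: %s/%s" % (template, version))
    # Quotes in the table are assumed to be typographic, so strip them if present.
    a = ATTACKER_RE.fullmatch(attacker.strip().strip('"'))
    t = TARGET_RE.fullmatch(target.strip().strip('"'))
    if not a or not t:
        raise ValueError("malformed Attacker or Target of Attack field")
    rec = {
        "template": TEMPLATE_CODE,
        "severity": int(severity),
        "utc_time": int(utc),
        "attacker": dict(zip(("uid", "gid", "pid", "ppid"), map(int, a.groups()))),
        "target": {"file": t.group(1), "mode": t.group(2), "uid": int(t.group(3)),
                   "gid": int(t.group(4)), "inode": int(t.group(5)), "device": t.group(6)},
        "summary": summary,
    }
    # A setuid file owned by root is the case that warrants the fastest triage.
    rec["owner_is_root"] = rec["target"]["uid"] == 0
    return rec


if __name__ == "__main__":
    # The IDS invokes the response program with the alert fields as its arguments.
    print(json.dumps(parse_setuid_alert(sys.argv[1:]), sort_keys=True))
```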
156 | Appendix A |