Buffer overflow detected | A process attempted to execute on its stack, perhaps as part of a stack buffer overflow attack. | 1 | Buffer Overflow Template |
Potential buffer overflow detected | Potential buffer overflow of a privileged program using an unusually long program argument, or using an argument that contains a non-printable character. | 1 | Buffer Overflow Template |
File reference change | A file reference for a privileged program was modified. | 1 | Race Condition Template |
| Race condition attack | A privileged setuid script was executed using a symbolic link. | 1 | Race Condition Template |
| Potential race condition attack | A privileged setuid script was executed, but not necessarily using a symbolic link. | 2 | Race Condition Template |
File system modification or potential modification | A read-only file was truncated, deleted, or renamed. | 2 | Modification of files/directories Template |
| File system modification or potential modification | A read-only file’s mode or ownership was modified, the file was created, or the file was opened for writing or appending. | 3 | Modification of files/directories Template |
File system modification or potential modification | An append-only or read-only file was modified using one of the hard links of the file. | 3 | Modification of files/directories Template |
A setuid or setgid file is created | A privileged setuid file was created, potentially created, or the setuid bit was turned on a regular file owned by a privileged user, or the owner of a setuid file was changed from a non privileged user to a privileged user. A privileged setgid file was created, potentially created, or the setgid bit was turned on by a privileged group or the group that owns a setgid file was changed from a non privileged group to a privileged group.
| 1 | Creation and Modification of setuid/setgid File Template |
A setuid or setgid file is modified | A privileged setuid or setgid file was truncated or potentially modified. | 1 | Creation and Modification of setuid/setgid File Template |
Append-only file modified or potentially modified | An append-only file was truncated, potentially truncated, deleted, renamed, or opened with write permission in non-append mode. | 2 | Changes to Log File Template |
World-writable file created | A file with world-writable permission was created by a privileged user, the world-writable bit was set on an existing file owned by a privileged user, the owner of a world-writable file was changed to a privileged user from a non- privileged user, or a world-writable file owned by a privileged user was renamed from a location that is not being monitored to a location that is being monitored. | 3 | Creation of World-Writable File Template |
| Non-owned file being modified | A file was truncated, deleted, or renamed by a user other than the owner of the file. | 2 | Modification of Another User’s File Template |
| Non-owned file being modified | A file’s mode or ownership was modified by a user other than the owner, or a file was opened for modification by a user other than the owner of the file. | 3 | Modification of Another User’s File Template |
Start of a successful login session | A successful login as a user specified as privileged | 2a | Login/Logout Template |
Start of a successful login session | A successful login as a user not specified as privileged | 3a | Login/Logout Template |
End of a login session | Logout of a user specified as privileged | 2 | Login/Logout Template |
| End of a login session | Logout of a user not specified as privileged | 3 | Login/Logout Template |
| Successful su session | A successful switch to a user specified as privileged | 2 | Login/Logout Template |
| Successful su session | A successful switch to a user not specified as privileged | 3 | Login/Logout Template |
Failed login attempts | Repeated attempts to log in as a user specified as privileged | 3 | Repeated Failed Logins Template |
| Failed login attempts | Repeated attempts to log in as a user not specified as privileged | 3 | Repeated Failed Logins Template |
| Failed su attempts | Repeated attempts to switch to a user specified as privileged | 2 | Repeated Failed su Commands Template |
| Failed su attempts | Repeated attempts to switch to a user not specified as privileged | 3 | Repeated Failed su Commands Template |
Printable version
