Host Intrusion Detection System Administrator's Guide Release 3.0
Templates and Alerts
Appendix A
Limitations
This section describes the general limitations of all the templates. Template-specific
limitations are included in the respective template sections:
• None of the templates perform alert aggregation or filter out identical alerts that
repeat over a given time period.
• None of the kernel file monitoring templates can filter alerts based on whether a file
is local or remote (NFS).
• Kernel file monitoring templates, by design, do not detect that the contents of a file
were modified.
• Templates do not filter alerts for files specified with relative pathnames. Files must
be specified with resolved, full pathnames.
• A template that has the pathnames_to_watch property does not monitor changes to
a file via a hard link unless the full pathname of the hard link itself is specified in
the property. Likewise, for the pathnames_to_not_watch property, modifications to
a file via a hard link are not ignored unless the full pathname of the hard link is
specified in the property.
• Kernel file monitoring templates do not monitor changes to files via symbolic links.
Therefore, full pathnames of symbolic links should not be specified in the
pathnames_to_watch and pathnames_to_not_watch properties unless the
modification of the symbolic link itself should be monitored (or, for
pathnames_to_not_watch, ignored).
• Alerts that specify an UNKNOWN program will occur under the following
conditions:
— The program is started before the HIDS surveillance schedule is started.
— The offending process terminates right after it has performed some action to
cause an alert.
— HIDS generates the alert after the offending process has already been
terminated.
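A small checker for the pathname limitations above, added here as an example that is not part of the guide or of the HIDS product itself: it flags watch-list entries that are not resolved full pathnames, entries that are symbolic links (writes through them are not seen), and files whose other hard-link pathnames are missing from the list. The classification constants and the constructed temporary file tree are assumptions made for the example.

```python
import os
import tempfile

# Constructed classifications for the pathname limitations listed above.
RELATIVE = "relative"            # not a resolved full pathname: never matched
SYMLINK = "symlink"              # symbolic link: writes through it are not seen
OTHER_HARD_LINKS = "other-hard-links"  # inode has link paths not in the list
OK = "ok"


def classify_watch_entry(path, watch_list):
    """Classify one pathnames_to_watch entry against the template limitations.

    watch_list is the whole property value: a multiply-linked file counts as
    covered only when every one of its hard-link pathnames is itself listed.
    """
    if not os.path.isabs(path) or os.path.normpath(path) != path:
        return RELATIVE
    if os.path.islink(path):
        return SYMLINK
    st = os.lstat(path)
    if st.st_nlink > 1:
        same_inode = 0
        for p in watch_list:
            try:
                s = os.lstat(p)
            except OSError:
                continue  # relative or missing entry: cannot cover this inode
            if (s.st_ino, s.st_dev) == (st.st_ino, st.st_dev):
                same_inode += 1
        if same_inode < st.st_nlink:
            return OTHER_HARD_LINKS
    return OK


def demo():
    """Constructed tree: a file, a hard link to it and a symlink to it."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "passwd")
    hard = os.path.join(root, "passwd.hard")
    sym = os.path.join(root, "passwd.sym")
    with open(target, "w") as f:
        f.write("root:x:0:0:::\n")  # constructed sample content
    os.link(target, hard)
    os.symlink(target, sym)
    incomplete = [target, sym, "etc/passwd"]   # hard link path is missing
    complete = [target, hard]                  # every hard link is listed
    return ([classify_watch_entry(p, incomplete) for p in incomplete],
            [classify_watch_entry(p, complete) for p in complete])


if __name__ == "__main__":
    print(demo())
```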