Host Intrusion Detection System Administrator's Guide Release 3.0

Templates and Alerts
Template Property Types
Appendix A
pathnames_1 | f1 & f2
programs_1 | p1
pathnames_2 | f1 & f2
programs_2 | p2
pathnames_3 | f1 & f2
programs_3 | p3
However, it is not equal to the following:
4.
pathnames_1 | f1
programs_1 | p1 & p2 & p3
pathnames_2 | f2
programs_2 | p1 & p3
The rationale is to give users finer granularity when specifying which programs may modify which monitored files. In (4), f2 is paired only with p1 and p3, so a modification of f2 triggered by p2 generates an alert; under any of (1), (2) or (3), where f2 is also paired with p2, the same event does not.
Type III: UIDs
The values for this property consist of lists of UIDs that the template is to explicitly take into account (type IIIa) or explicitly ignore (type IIIb) when determining whether or not an alarm is to be issued. Members of the list are separated by a vertical bar. The following template property specifies three UIDs that will be explicitly taken into account when generating an alert:
priv_uid_list | 22|1|43
The following template property specifies three UIDs that will be explicitly ignored, so that no alerts concerning them are generated; the events to which the ignore list applies depend on the template type:
uids_to_ignore | 21|3|53
Type IV: UID Pairs
In this case the values consist of lists of pairs of UIDs. Pairs are separated by a vertical bar, and the two members of a pair are separated by a comma. When an event is received for a file that is being monitored, the following criteria are applied to every pair in the list:
The effective UID of the process modifying the file is the same as the first member of the pair.
The owner of the file has the same UID as the second member of the pair.
If both conditions are true for the same pair, no alert is issued.
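The two rules this appendix states precisely, the pathnames_N/programs_N pairing behind examples (3) and (4) above and the Type III and Type IV UID list formats, can be made concrete with a small evaluator. The following Python is an added example, not code from the HIDS product or this guide. It reproduces the page's property lines as constructed input, parses the vertical-bar, ampersand and comma separators, and applies the page's rules. The event fields (modifying program, effective UID, file owner UID), the function names, and the treatment of a file absent from every pathnames_N as unmonitored are assumptions of the example; the Type III lists are only parsed, because which events a template checks against them depends on the template type.

```python
# Toy evaluator for the template property formats described in this appendix.
# Added illustration, not HIDS product code: property names and the
# 'name | value' layout come from the page; event fields and the evaluation
# rules are this example's reading of the page's text.
from typing import Dict, List, Set, Tuple

# The page's examples (3) and (4), reproduced as constructed template text.
TEMPLATE_3 = """
pathnames_1 | f1 & f2
programs_1 | p1
pathnames_2 | f1 & f2
programs_2 | p2
pathnames_3 | f1 & f2
programs_3 | p3
"""

TEMPLATE_4 = """
pathnames_1 | f1
programs_1 | p1 & p2 & p3
pathnames_2 | f2
programs_2 | p1 & p3
"""

# The page's Type III and Type IV examples.
UID_PROPERTIES = """
priv_uid_list | 22|1|43
uids_to_ignore | 21|3|53
uid_pairs_to_ignore | 2, 16 | 4, 3
"""


def parse_properties(text: str) -> Dict[str, List[str]]:
    """Split each 'name | v1 | v2 ...' line into its name and its
    '|'-separated values; whitespace around every field is insignificant."""
    props: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, *values = (field.strip() for field in line.split("|"))
        props[name] = values
    return props


def split_members(values: List[str]) -> List[str]:
    """A pathnames_N / programs_N value holds '&'-joined members ('f1 & f2')."""
    return [m.strip() for v in values for m in v.split("&") if m.strip()]


def allowed_programs(props: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Map each file named in some pathnames_N to the programs paired with it
    through the matching programs_N; groups are numbered 1, 2, 3, ..."""
    table: Dict[str, Set[str]] = {}
    n = 1
    while f"pathnames_{n}" in props:
        programs = split_members(props.get(f"programs_{n}", []))
        for path in split_members(props[f"pathnames_{n}"]):
            table.setdefault(path, set()).update(programs)
        n += 1
    return table


def file_alert(props: Dict[str, List[str]], path: str, program: str) -> bool:
    """Alert when a monitored file is modified by a program not paired with it.
    This is the reading the page implies: under (4), f2 is paired only with
    p1 and p3, so p2 modifying f2 alerts.  A file absent from every
    pathnames_N is treated as not monitored (assumption of this example)."""
    table = allowed_programs(props)
    if path not in table:
        return False
    return program not in table[path]


def parse_uid_list(values: List[str]) -> List[int]:
    """Type III: UIDs separated by '|', e.g. '22|1|43' -> [22, 1, 43]."""
    return [int(v) for v in values]


def parse_uid_pairs(values: List[str]) -> List[Tuple[int, int]]:
    """Type IV: '|'-separated pairs with comma-separated members,
    e.g. '2, 16 | 4, 3' -> [(2, 16), (4, 3)]."""
    pairs: List[Tuple[int, int]] = []
    for value in values:
        first, second = (int(m) for m in value.split(","))
        pairs.append((first, second))
    return pairs


def uid_pair_suppresses(pairs: List[Tuple[int, int]], euid: int, owner: int) -> bool:
    """Page rule for uid_pairs_to_ignore: suppress the alert when, for one
    pair, the modifying process's effective UID equals the first member AND
    the file owner's UID equals the second.  Both must match within the same
    pair, so (2, 3) is not covered by '2, 16 | 4, 3'."""
    return any(euid == first and owner == second for first, second in pairs)


if __name__ == "__main__":
    t3, t4 = parse_properties(TEMPLATE_3), parse_properties(TEMPLATE_4)
    for path in ("f1", "f2"):
        for program in ("p1", "p2", "p3"):
            print(f"{program} modifies {path}: (3) alerts={file_alert(t3, path, program)}"
                  f"  (4) alerts={file_alert(t4, path, program)}")
    pairs = parse_uid_pairs(parse_properties(UID_PROPERTIES)["uid_pairs_to_ignore"])
    for euid, owner in ((2, 16), (4, 3), (2, 3), (16, 2)):
        print(f"euid={euid} owner={owner}: suppressed={uid_pair_suppresses(pairs, euid, owner)}")
```

Run as a script, the first table shows that (3) and (4) evaluate identically for every file/program combination except p2 modifying f2, which alerts only under (4). The UID checks show the two edge cases that matter in practice: members taken from different pairs (euid 2, owner 3) and a reversed pair (euid 16, owner 2) do not suppress the alert.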
In the following template property:
uid_pairs_to_ignore | 2, 16 | 4, 3