Host Intrusion Detection System Administrator's Guide Release 3.0

Templates and Alerts
Login/Logout Template
Appendix A
168
NOTE uids_to_monitor takes precedence over uids_to_ignore when both lists are set. If
uids_to_monitor is not empty, the values in uids_to_ignore are ignored.
Property: uids_to_ignore
Users whose ids are in this list can log in, log out, and su without generating
an alert.
Property: uids_to_monitor
Alerts are generated when a user whose id is in this list logs in, logs out, or runs su,
provided the corresponding monitor_*_flag is set to 1.
Property: monitor_su_flag
When set to 1, the template will monitor successful su attempts by users specified in
uids_to_monitor or, if uids_to_monitor is empty, by users not listed in
uids_to_ignore.
Property: monitor_login_flag
When set to 1, the template will monitor successful logins by users specified in
uids_to_monitor or, if uids_to_monitor is empty, by users not listed in
uids_to_ignore.
Property: monitor_logout_flag
When set to 1, the template will monitor successful logouts by users specified in
uids_to_monitor or, if uids_to_monitor is empty, by users not listed in
uids_to_ignore.
Property: ip_filters
Contains a list of triplets {ip_address, mask, severity}.
This property filters login alerts and determines each alert's severity based on the
remote host or network from which the login was made. If a login's remote host IP address
matches a triplet's ip_address qualified by that triplet's network mask, the alert
severity is set to that triplet's severity. A severity of 0 means that login events with a
matching remote IP address are filtered (no alert is generated), except for the users
root and ids. If a login event's remote host IP address does not match any triplet, a
severe (severity=2) alert is generated for the root and ids users and a moderate
(severity=3) alert for all other users. The mask must be set to 255.255.255.255 if
ip_address is a host address; otherwise, the mask must be set to the network mask that
qualifies the value in ip_address as a network address.
Host address filtering is only applied to those login events that are not already filtered
out by the uids_to_ignore and uids_to_monitor template properties.
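The evaluation order described for this template (uid list precedence first, then ip_filters,
then the default severities) can be modelled as a small decision function. The following is an
added worked example written for this guide, not code from the HIDS product; the property values
are constructed sample settings, and the handling of root and ids under a severity-0 filter
(they fall back to the default severity) is an assumption the guide does not state:

```python
import ipaddress

# Constructed sample values that mirror the guide's property names; these are
# illustration assumptions, not settings from the guide or from the HIDS product.
UIDS_TO_IGNORE = {"backup"}
UIDS_TO_MONITOR = set()          # empty, so uids_to_ignore is consulted
MONITOR_LOGIN_FLAG = 1
IP_FILTERS = [
    # (ip_address, mask, severity)
    ("10.1.2.3", "255.255.255.255", 0),  # single host: filter its logins
    ("192.168.0.0", "255.255.0.0", 4),   # whole network: lower severity
]
PRIVILEGED_USERS = {"root", "ids"}      # never filtered by severity 0


def user_selected(uid, uids_to_monitor, uids_to_ignore):
    """uids_to_monitor takes precedence when non-empty; otherwise uids_to_ignore applies."""
    if uids_to_monitor:
        return uid in uids_to_monitor
    return uid not in uids_to_ignore


def ip_matches(remote_ip, ip_address, mask):
    """True when remote_ip lies in ip_address qualified by mask
    (a mask of 255.255.255.255 denotes a single host address)."""
    network = ipaddress.IPv4Network((ip_address, mask), strict=False)
    return ipaddress.IPv4Address(remote_ip) in network


def login_alert_severity(uid, remote_ip, uids_to_monitor=UIDS_TO_MONITOR,
                         uids_to_ignore=UIDS_TO_IGNORE,
                         monitor_login_flag=MONITOR_LOGIN_FLAG,
                         ip_filters=IP_FILTERS):
    """Severity of the alert raised for a successful login, or None when no alert."""
    if not monitor_login_flag:
        return None
    # uid list filtering is applied first; ip_filters only see events that survive it
    if not user_selected(uid, uids_to_monitor, uids_to_ignore):
        return None
    default = 2 if uid in PRIVILEGED_USERS else 3
    for ip_address, mask, severity in ip_filters:
        if ip_matches(remote_ip, ip_address, mask):
            if severity == 0:
                # severity 0 filters the alert except for root and ids; the guide
                # does not state their severity here, so the default is assumed
                return default if uid in PRIVILEGED_USERS else None
            return severity
    return default


if __name__ == "__main__":
    for uid, ip in [("alice", "10.1.2.3"), ("root", "10.1.2.3"),
                    ("alice", "192.168.5.7"), ("bob", "203.0.113.9"),
                    ("backup", "203.0.113.9")]:
        print(uid, ip, "->", login_alert_severity(uid, ip))
```

Running the block shows the ordinary user from the filtered host producing no alert, root from the
same host still producing a severe alert, a login from the internal network taking the triplet's
severity, and unmatched remote addresses falling back to severity 2 for root/ids and 3 for others.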
Alerts generated by this template
“Login/Logout” on page 169
“Successful su Detected” on page 170