Host Intrusion Detection System Administrator's Guide Release 3.1

Templates and Alerts
Limitations
Appendix A
This section describes the general limitations of all the templates. Template-specific
limitations are included in the respective template sections:
None of the templates perform aggregation of related alerts, and only the Repeated Failed Logins template has a property (called warning_interval) to filter out identical alerts that repeat over a given time period.

None of the file monitoring templates can filter alerts based on whether a file is local or remote (NFS).

File monitoring templates, by design, do not detect that the contents of a file were modified.

File related templates can generate alerts with file relative pathnames instead of file full pathnames. Specifying relative pathnames in template properties to filter these alerts is not safe because a relative pathname can correspond to more than one file.

A template that has the pathnames_to_watch property does not monitor changes to a file via a hard link unless the full path name of the hard link itself is specified in the property. Likewise, for the pathnames_to_not_watch property, modifications to a file via a hard link are not ignored unless the full path name of the hard link is specified in the property.

File monitoring templates do not monitor changes to files via symbolic links. Therefore, do not specify full path names of symbolic links in the pathnames_to_watch and pathnames_to_not_watch properties unless the modification of the symbolic link itself should be monitored.
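As an added example that is not part of the guide, the following Python script audits a pathnames_to_watch list against the pathname limitations above: relative entries, entries that are symbolic links, and regular files that have other hard links the list does not cover. The function names, warning codes and the scratch file tree it builds are this example's own assumptions; only the property name comes from the guide.

```python
import os
import stat
import tempfile
# Added example, not from the HIDS guide: flag pathnames_to_watch entries that
# the guide's limitations make unsafe or incomplete. Function names and the
# scratch fixture are this example's own.

def audit_watch_list(pathnames):
    """Return {pathname: [warning codes]} for each entry of a watch list."""
    report = {}
    for p in pathnames:
        warnings = []
        if not os.path.isabs(p):
            # A relative pathname can match more than one file: not a safe filter.
            warnings.append("relative")
        elif not os.path.lexists(p):
            warnings.append("missing")
        elif os.path.islink(p):
            # Only changes to the symlink itself are seen, never changes via it.
            warnings.append("symlink")
        else:
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                # Another hard link to this inode exists; changes made through it
                # are not detected unless that link's full path is also listed.
                warnings.append("hardlinked")
        report[p] = warnings
    return report

def build_fixture(root):
    """Create a constructed tree: a file, a hard link to it and a symlink."""
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    regular = os.path.join(etc, "passwd")
    with open(regular, "w") as f:
        f.write("root:x:0:0::/:/bin/sh\n")  # constructed sample content
    hardlink = os.path.join(etc, "passwd.bak")
    os.link(regular, hardlink)
    symlink = os.path.join(etc, "passwd.lnk")
    os.symlink(regular, symlink)
    return {"regular": regular, "hardlink": hardlink, "symlink": symlink}

def demo():
    """Audit a constructed watch list; returns (fixture paths, report)."""
    root = tempfile.mkdtemp(prefix="hids_audit_")
    paths = build_fixture(root)
    watch = [paths["regular"], paths["hardlink"], paths["symlink"],
             "etc/passwd", os.path.join(root, "absent")]
    return paths, audit_watch_list(watch)
```

Running demo() reports the regular file and its hard link as "hardlinked", the symlink as "symlink", the relative entry as "relative" and the nonexistent entry as "missing"; an entry with no warnings is safe to list as a full pathname.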
Alerts that specify an unknown program occur when the following three conditions are met:

1. The program is started before the HIDS surveillance schedule is started.
2. The offending process terminates right after it has performed some action to cause an alert.
3. HIDS generates the alert after the offending process has already terminated.

Alerts that specify an unknown program occur when the following two conditions are met:

1. The IDDS_MODE_NONBLOCK flag is set in IDDS_MODE in the ids.cf configuration file (that is, IDDS_MODE set to 3, the default value).
2. IDDS is dropping audit records due to a heavy system load.