Host Intrusion Detection System Administrator's Guide Release 3.1
Templates and Alerts
Template Property Types
Appendix A
A template property has one of the following types:
• Type I: Path Names to [Not] Monitor
• Type II: Path Names/Programs Pairs
• Type III: UIDs
• Type IV: UID Pairs
• Type V: Network Triplets
• Type VI: Time Strings
• Type VII: Flags
• Type VIII: Scalars
See “Template Configuration Syntax” on page 182 for a description of the syntax to use
to specify values of the various template types.
Type I: Path Names to [Not] Monitor
The template properties pathnames_to_watch and pathnames_to_not_watch are of
this type. This type is a list of n (with n>0) regular expressions that are separated by the
pipe (|) character. A file or directory is [not] monitored if its full path name matches a
regular expression in the pathnames_to_[not]_watch template property. If a file’s or
directory’s path name matches a regular expression in both the pathnames_to_watch
and pathnames_to_not_watch properties, then the file or directory is not monitored.
The following line in the template configuration file defines a property called
pathnames_to_not_watch such that the /var/log/cron and /etc/passwd files are not
monitored for alerts:
pathnames_to_not_watch | ^/var/log/cron$ | ^/etc/passwd$
NOTE When entering the template property value in the Schedule Manager window, enter only the
template property value ^/var/log/cron$ | ^/etc/passwd$ (do not enter the
property name and the first pipe character).
Note the use of the regular expression anchor characters ^ and $ to denote an exact file
path name.
The following line defines a property named pathnames_to_watch that specifies that all
files or directories with path names that contain the /var/t substring or that start
with the /opt string are monitored:
pathnames_to_watch | /var/t.* | ^/opt
See “UNIX Regular Expressions” on page 128 for a discussion and examples of regular
expressions.
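The following added example (not code from the guide or from the HIDS product) parses Type I property lines in the pipe-separated form shown above and applies the stated precedence rule: a path that matches both properties is not monitored. It assumes that Python's re module is an adequate stand-in for the UNIX regular expressions the guide references, and the sample template text is constructed, extending the guide's two lines with an additional ^/opt/tmp/ exclusion so that the precedence case can be exercised.

```python
import re

# Constructed sample in the template configuration file format described
# above: property name, then n pipe-separated regular expressions.
# The third not-watch expression is added here to show precedence.
SAMPLE_TEMPLATE = """\
pathnames_to_watch | /var/t.* | ^/opt
pathnames_to_not_watch | ^/var/log/cron$ | ^/etc/passwd$ | ^/opt/tmp/
"""

TYPE_I_PROPERTIES = ("pathnames_to_watch", "pathnames_to_not_watch")


def parse_path_properties(text):
    """Return {property_name: [compiled regex, ...]} for Type I properties.

    Assumption: Python's re syntax stands in for UNIX regular expressions;
    the anchors ^ and $ behave the same for the patterns used here.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split("|")]
        name, patterns = fields[0], [f for f in fields[1:] if f]
        if name not in TYPE_I_PROPERTIES:
            continue  # other property types are out of scope for this example
        if not patterns:
            raise ValueError(f"{name}: at least one regular expression is required (n > 0)")
        props[name] = [re.compile(p) for p in patterns]
    return props


def is_monitored(path, props):
    """Apply the guide's rule: monitored if any pathnames_to_watch expression
    matches, unless a pathnames_to_not_watch expression also matches, in which
    case the path is not monitored. Unanchored expressions may match anywhere
    in the full path name, hence re.search rather than re.match."""
    watch = props.get("pathnames_to_watch", [])
    not_watch = props.get("pathnames_to_not_watch", [])
    if any(r.search(path) for r in not_watch):
        return False
    return any(r.search(path) for r in watch)
```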