Host Intrusion Detection System Administrator's Guide Release 3.1

Templates and Alerts
Template Property Types
Appendix A
Type II: Path Names/Programs Pairs
These property types enable users to specify combinations of file path names and
program path names, such that alerts normally generated for files (regular files,
directories, and so on) specified in the Pathnames to be monitored property are
suppressed when the files are modified by selected programs.
Path names and programs are specified as regular expressions just as
pathnames_to_[not]_watch properties are specified. See the default property settings
for the kernel templates for examples of path names and program pair specifications.
Path name and program properties come in pairs; a configuration file can contain n > 0 such
pairs. For each member of a pair, the property value consists of a set of m > 0 lists separated
by vertical bars (|), and both members of a pair must have the same number m of lists. For the
path name member of a pair, each list consists of p > 0 regular expressions separated by
ampersand (&) characters. For the corresponding program member of a pair, each list consists of
q > 0 regular expressions, also separated by ampersands. In general, p need not equal q. The
ith list of the path name member is paired with the ith list of the program member. An
example of a valid property pair follows:
pathnames_1 | f1 & f2 | f3 & f4 & f5 | f6
programs_1 | p1 & p2 & p3 | p3 & p4 | p5
With these two lines, no alert is generated for file f1 if the event was triggered by
any of the programs p1, p2, or p3; likewise, f2 is not monitored if the event was triggered
by any of p1, p2, or p3. Analogously, an alert is suppressed for f3, f4, and f5 if the alert
is triggered by program p3 or p4, and for f6 if it is triggered by p5. A program in one list
does not suppress alerts for files in another list: a modification of f6 by p1, for example,
still generates an alert.
NOTE The pair pathnames_0/programs_0 is a special case: alerts for files specified in
pathnames_0 are not generated when the alert is triggered by one of the programs in programs_0
or by any child process or grandchild process of such a program. For all other pairs, only the
program that triggered the event itself is compared against the program regular expressions. For
example, for the Modification of Files/Directories template, if pathnames_0 contains
^/opt/ to specify the /opt directory and programs_0 contains /usr/sbin/swinstall,
then alerts normally generated for modifications to files under /opt are suppressed
when the files are modified by swinstall, by any of its child processes (such as
control scripts), or by any of its grandchild processes (such as commands invoked from a control
script).
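The following Python model is an added illustration and is not code from the HIDS product or from this guide. It parses pathnames_i/programs_i property lines in the format shown above (lists separated by |, regular expressions within a list separated by &), pairs the ith list of one member with the ith list of the other, and applies the pair-0 rule that children and grandchildren of a listed program also count. The sample property text, the anchored regular expressions, and the process ancestry lists are constructed for the example; the actual HIDS matching engine is not shown here and may differ in details such as regular-expression dialect.

```python
import re
from typing import Dict, Iterator, List, Sequence, Tuple

# Constructed sample (not a shipped HIDS template): the pairs from this appendix.
# Regexes are anchored here so that, for instance, "p1" cannot match "p10".
SAMPLE_PROPERTIES = """
pathnames_0 | ^/opt/
programs_0 | ^/usr/sbin/swinstall$
pathnames_1 | ^f1$ & ^f2$ | ^f3$ & ^f4$ & ^f5$ | ^f6$
programs_1 | ^p1$ & ^p2$ & ^p3$ | ^p3$ & ^p4$ | ^p5$
"""

RegexLists = List[List[re.Pattern]]


def parse_properties(text: str) -> Dict[str, RegexLists]:
    """Parse 'name | list | list ...' lines into {name: [[regex, ...], ...]}.

    '|' separates the m lists of a property value; '&' separates the regexes
    inside one list. Blank lines and '#' comments are skipped; an empty list
    violates the p > 0 / q > 0 requirement and is rejected.
    """
    props: Dict[str, RegexLists] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("|")
        lists: RegexLists = []
        for group in value.split("|"):
            regexes = [re.compile(r.strip()) for r in group.split("&") if r.strip()]
            if not regexes:
                raise ValueError(f"{name.strip()}: empty list (p and q must be > 0)")
            lists.append(regexes)
        props[name.strip()] = lists
    return props


def pairs(props: Dict[str, RegexLists]) -> Iterator[Tuple[int, RegexLists, RegexLists]]:
    """Yield (i, pathname lists, program lists) for each pathnames_i/programs_i
    pair, lowest index first, checking that both members have m lists each."""
    indexed = sorted((int(n[len("pathnames_"):]), n)
                     for n in props if n.startswith("pathnames_"))
    for idx, name in indexed:
        path_lists = props[name]
        prog_lists = props.get(f"programs_{idx}")
        if prog_lists is None:
            raise ValueError(f"{name} has no matching programs_{idx}")
        if len(prog_lists) != len(path_lists):
            raise ValueError(f"pair {idx}: {len(path_lists)} pathname lists "
                             f"but {len(prog_lists)} program lists")
        yield idx, path_lists, prog_lists


def alert_suppressed(props: Dict[str, RegexLists], path: str,
                     ancestry: Sequence[str]) -> bool:
    """Return True if a file alert for `path` is suppressed by the pairs in `props`.

    `ancestry[0]` is the program that triggered the event, `ancestry[1]` its
    parent and `ancestry[2]` its grandparent; anything further up is ignored.
    For pairs 1..n only the triggering program is compared against the program
    regexes. For the special pair 0 the parent and grandparent are compared too,
    so a command run from a swinstall control script is still covered.
    """
    for idx, path_lists, prog_lists in pairs(props):
        candidates = ancestry[:3] if idx == 0 else ancestry[:1]
        for path_regexes, prog_regexes in zip(path_lists, prog_lists):
            if not any(r.search(path) for r in path_regexes):
                continue
            if any(r.search(prog) for prog in candidates for r in prog_regexes):
                return True
    return False


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print(alert_suppressed(props, "f1", ["p2"]))     # True: list 1 of pair 1
    print(alert_suppressed(props, "f4", ["p1"]))     # False: p1 is not in list 2
    print(alert_suppressed(props, "/opt/x/bin/tool",
                           ["/usr/bin/cp", "/bin/sh", "/usr/sbin/swinstall"]))  # True: grandchild, pair 0
```

Note that the same file path can appear in several pairs; the alert is suppressed as soon as any pair's ith pathname list and ith program list both match, so pairs only ever add suppression, never remove it.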
The following set of two lines:
1.
pathnames_1 | f1 & f2
programs_1 | p1 & p2 & p3
is equivalent to the following set of four lines:
2.
pathnames_1 | f1
programs_1 | p1 & p2 & p3
pathnames_2 | f2
programs_2 | p1 & p2 & p3
or to the following set of six lines:
3.