Host Intrusion Detection System Administrator's Guide Release 3.1
Templates and Alerts
Login/Logout Template
Appendix A
172
Brief descriptions of the configurable properties are listed below:
• Property: uids_to_ignore
Users whose IDs are in this list can log in, log out and use the su command
without generating an alert.
• Property: uids_to_monitor
Alerts are generated when users whose IDs are in this list log in, log out or use the su
command, provided the corresponding monitor_*_flag is set to 1.
• Property: monitor_su_flag
When set to 1, the template monitors successful su attempts to users specified in
uids_to_monitor or, if uids_to_monitor is empty, by users not listed in
uids_to_ignore.
• Property: monitor_login_flag
When set to 1, the template monitors successful logins by users specified in
uids_to_monitor or, if uids_to_monitor is empty, by users not listed in
uids_to_ignore.
• Property: monitor_logout_flag
When set to 1, the template monitors successful logouts by users specified in
uids_to_monitor or, if uids_to_monitor is empty, by users not listed in
uids_to_ignore.
• Property: ip_filters
Contains a list of triplets {ip_address, mask, severity}.
This property filters login alerts and determines each alert’s severity based on the
remote host or network from which the login was made. If a login’s remote host IP address
matches one of the triplets’ IP addresses, qualified by that triplet’s network mask,
then the alert severity is set to that triplet’s severity. A severity level of
0 means that a login event with a matching remote IP address is filtered (no alert is
generated), except for the users root and ids. If a login event’s remote host IP address does
not match any triplet, then a severe (severity=2) alert is generated for the root and ids
users and a moderate (severity=3) alert is generated for all other users. The
mask must be set to 255.255.255.255 if ip_address is a host address;
otherwise, the mask must be set to the network mask that qualifies the value in
ip_address as a network address. Host address filtering is applied only to those login
events that are not already filtered out by the uids_to_ignore and uids_to_monitor
template properties.
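The following is an added example, not part of the HIDS guide or product code: a small model of how the user filters, monitor_*_flags and ip_filters triplets described above combine to decide whether a login, logout or su event produces an alert and at which severity. The class, method names and the sample configuration are constructed for illustration; the page does not state which severity root and ids receive when they match a severity-0 triplet, so the default severity is assumed for them here.

```python
import ipaddress
from dataclasses import dataclass, field

# Users the page says are alerted on even when a severity-0 filter matches.
PRIVILEGED_USERS = {"root", "ids"}


@dataclass
class LoginLogoutTemplate:
    """Hypothetical model of the Login/Logout template's properties."""
    uids_to_ignore: set = field(default_factory=set)
    uids_to_monitor: set = field(default_factory=set)
    monitor_su_flag: int = 1
    monitor_login_flag: int = 1
    monitor_logout_flag: int = 1
    ip_filters: list = field(default_factory=list)  # (ip_address, mask, severity)

    def user_selected(self, uid):
        # A non-empty uids_to_monitor takes precedence; otherwise every
        # user not listed in uids_to_ignore is monitored.
        if self.uids_to_monitor:
            return uid in self.uids_to_monitor
        return uid not in self.uids_to_ignore

    def evaluate(self, event, uid, remote_ip=None):
        """Return the alert severity, or None when no alert is generated."""
        flag = {"login": self.monitor_login_flag,
                "logout": self.monitor_logout_flag,
                "su": self.monitor_su_flag}[event]
        if flag != 1 or not self.user_selected(uid):
            return None
        default = 2 if uid in PRIVILEGED_USERS else 3   # severe vs. moderate
        if event != "login" or remote_ip is None:
            return default   # ip_filters apply to login events only (assumption for local logins)
        addr = ipaddress.ip_address(remote_ip)
        for ip, mask, severity in self.ip_filters:
            if addr in ipaddress.ip_network(f"{ip}/{mask}", strict=False):
                if severity == 0:
                    # Filtered for everyone except root and ids (default assumed for them).
                    return default if uid in PRIVILEGED_USERS else None
                return severity
        return default


# Constructed sample configuration: a trusted LAN that is filtered and a
# single host (mask 255.255.255.255) whose logins are always severe.
SAMPLE = LoginLogoutTemplate(
    uids_to_ignore={"backup"},
    ip_filters=[("10.1.2.0", "255.255.255.0", 0),
                ("192.0.2.7", "255.255.255.255", 2)],
)
```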
Alerts generated by this template
See “Login/Logout” on page 173 and “Successful su Detected” on page 174 for more
information about the alerts generated by these templates.