HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
• The regular expression /\.rhosts$ matches any .rhosts file on the system,
such as /.rhosts and /home/<user>/.rhosts. Using the backslash character
escapes the special dot (.) character.
• The regular expression ^/\.rhosts$ exactly matches the .rhosts file in the
root directory.
• The regular expression ^/home/[^/]*/\.rhosts$ matches all the /.rhosts
files in the home directories.
NOTE: The special pattern-matching scheme in previous versions of HIDS is no longer
supported.
When you attempt to match the pipe (|), ampersand (&), or comma (,) characters in a
regular expression, you must escape those special characters using a backslash (\)
character. These three characters also have special meaning: they are used as
delimiters by the parser of the template property syntax. For example, a path name of
a\|b has the backslash removed by the template property parser before being passed
as a regular expression to the regular expression parser (for example, as a|b). To match
a path name that contains one of these three characters, you must escape both the
backslash and the special character itself. For example, a\\\|b passes to the regular
expression parser as a\|b.
Limitations
This section describes the general limitations of the templates. Template-specific
limitations are discussed in the respective template sections.
Following are some general limitations:
• No file monitoring templates can filter alerts based on whether a file is local or
remote (NFS).
• File monitoring templates, by design, do not detect whether the contents of a file
were modified.
• File-related templates can generate alerts with file relative path names, instead of
file full path names. Specifying relative path names in template properties to filter
these alerts is not safe, because a relative path name can correspond to more than
one file.
• A template that has the pathnames_to_watch property does not monitor changes
to a file from a hard link, unless the full path name of the hard link is specified in
the property. However, the creation of hard links to files is monitored. Similarly,
for the pathnames_to_not_watch property, modifications to a file from a hard
link are not ignored unless the full path name of the hard link is specified in the
property.
• File monitoring templates do not monitor changes to files through symbolic links.
Hence, you must not specify full path names of symbolic links in the
pathnames_to_watch and pathnames_to_not_watch properties, unless the
modification of the symbolic link itself must be monitored.
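The hard link and symbolic link limitations above mean that a watch list covers only the exact path names it contains. The following Python script is an added example, not part of the HP guide or of HIDS: it audits a list of full path names intended for pathnames_to_watch, reporting entries that are symbolic links and finding other hard-link names for listed files. The function names and the sample directory tree are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_watch_list(watch_paths, search_roots):
    """Audit full path names meant for pathnames_to_watch.
    Returns (symlinks, extra): symlinks maps a listed symbolic link to its
    target; extra maps a listed file to other hard-link names found."""
    symlinks, wanted = {}, {}
    for path in watch_paths:
        st = os.lstat(path)                       # lstat: do not follow links
        if stat.S_ISLNK(st.st_mode):
            symlinks[path] = os.path.realpath(path)
        elif stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
            wanted[(st.st_dev, st.st_ino)] = path  # file has more than one name
    listed = {os.path.abspath(p) for p in watch_paths}
    extra = {p: [] for p in wanted.values()}
    for root in (search_roots if wanted else []):
        for dirpath, _dirs, files in os.walk(root):  # symlinked dirs not followed
            for name in files:
                cand = os.path.join(dirpath, name)
                try:
                    st = os.lstat(cand)
                except OSError:                   # vanished or unreadable entry
                    continue
                owner = wanted.get((st.st_dev, st.st_ino))
                if owner and os.path.abspath(cand) not in listed:
                    extra[owner].append(cand)     # same inode, name not listed
    return symlinks, {p: sorted(v) for p, v in extra.items()}

def build_sample_tree(base):
    """Constructed sample: one file, a hard link to it, and a symlink to it."""
    os.makedirs(os.path.join(base, "etc"))
    os.makedirs(os.path.join(base, "tmp"))
    target = os.path.join(base, "etc", "passwd")
    with open(target, "w") as fh:
        fh.write("root:x:0:0::/:/sbin/sh\n")
    hard = os.path.join(base, "tmp", "pw_alias")
    soft = os.path.join(base, "etc", "passwd.lnk")
    os.link(target, hard)
    os.symlink(target, soft)
    return target, hard, soft

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        target, hard, soft = build_sample_tree(base)
        print(audit_watch_list([target, soft], [base]))
```

The search roots should cover the whole file system that holds each watched file, because hard links cannot cross file systems.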