HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
• Alerts that specify an unknown program occur when the following three conditions are met:
— The program is started before the HIDS surveillance schedule is started.
— The process terminates immediately after it performs an action that causes an alert.
— HIDS generates the alert after the process terminates.
• Alerts that specify an unknown program occur when the following two conditions are met:
— The IDDS_MODE_NONBLOCK flag is set in IDDS_MODE in the ids.cf configuration file (that is, IDDS_MODE is set to 3, the default value).
— IDDS is dropping audit records because of a heavy system load.
Template Property Types
A template property has one of the following types:
• Type I: Path Names to [Not] Monitor
• Type II: Path Names/Programs Pairs
• Type III: User Names/UIDs
• Type IV: User Name/UID Pairs
• Type V: Network Triplets
• Type VI: Time Strings
• Type VII: Flags
• Type VIII: Scalars
• Type IX: Path Names / Integer Pairs
For a description of the syntax used to specify values for the various template types, see “Template Property Syntax” (page 253).
Type I: Path Names to [Not] Monitor
The pathnames_to_watch and pathnames_to_not_watch template properties are of Type I. A Type I value is a list of n (n > 0) regular expressions separated by the pipe (|) character. A file or directory is monitored (or not monitored) if its full path name matches a regular expression in the pathnames_to_watch (or pathnames_to_not_watch) template property.
NOTE: If a file or directory path name matches a regular expression in both the pathnames_to_watch and pathnames_to_not_watch properties, then the file or directory is not monitored.
The following line in the template configuration file defines a property called pathnames_to_not_watch, so that the /var/log/cron and /etc/passwd files are not monitored for alerts:
pathnames_to_not_watch | ^/var/log/cron$ | ^/etc/passwd$
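The following Python example is added here to illustrate the Type I rules described above; it is not HIDS code and does not reproduce how HIDS itself reads its template file. It parses pipe-separated Type I property lines laid out like the pathnames_to_not_watch example, then decides whether a given full path name is monitored, giving pathnames_to_not_watch precedence as the NOTE requires. The sample template lines, the function names, and the layout of the non-example pathnames_to_watch line are constructed assumptions.

```python
import re

# Constructed sample template lines (not from a real ids.cf/template file).
# Layout assumed: property name, then one regular expression per pipe-separated field.
SAMPLE_TEMPLATE_LINES = """
pathnames_to_watch | ^/etc/.*$ | ^/var/log/.*$
pathnames_to_not_watch | ^/var/log/cron$ | ^/etc/passwd$
"""

TYPE_I_PROPERTIES = ("pathnames_to_watch", "pathnames_to_not_watch")


def parse_type_i_line(line):
    """Parse 'name | regex | regex ...' into (name, [compiled regexes]).

    Returns None for blank lines and for lines that are not Type I properties.
    Because the pipe is the field separator in this format, a '|' alternation
    inside one regular expression would be split into two fields; use separate
    fields instead of alternation when writing these properties.
    """
    fields = [f.strip() for f in line.split("|")]
    if not fields or fields[0] not in TYPE_I_PROPERTIES:
        return None
    patterns = [f for f in fields[1:] if f]
    if not patterns:
        # Type I requires n > 0 regular expressions.
        raise ValueError(f"{fields[0]}: at least one regular expression is required")
    return fields[0], [re.compile(p) for p in patterns]


def load_type_i(text):
    """Collect the Type I properties found in a block of template lines."""
    props = {name: [] for name in TYPE_I_PROPERTIES}
    for raw in text.splitlines():
        parsed = parse_type_i_line(raw)
        if parsed:
            name, regexes = parsed
            props[name].extend(regexes)
    return props


def is_monitored(path, props):
    """Apply the Type I rules to one full path name.

    A path matching any pathnames_to_not_watch expression is not monitored,
    even if it also matches pathnames_to_watch; otherwise it is monitored
    only if it matches a pathnames_to_watch expression. re.search is used so
    that the ^ and $ anchors in the expressions behave as written in the manual.
    """
    if any(r.search(path) for r in props["pathnames_to_not_watch"]):
        return False
    return any(r.search(path) for r in props["pathnames_to_watch"])


if __name__ == "__main__":
    props = load_type_i(SAMPLE_TEMPLATE_LINES)
    for candidate in ("/etc/hosts", "/etc/passwd", "/var/log/cron", "/var/log/syslog", "/home/user/notes"):
        print(f"{candidate}: {'monitored' if is_monitored(candidate, props) else 'not monitored'}")
```

Running the block prints one line per sample path: /etc/hosts and /var/log/syslog are monitored, /etc/passwd and /var/log/cron are excluded by pathnames_to_not_watch even though they also match pathnames_to_watch, and /home/user/notes matches neither list.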
140 Templates and Alerts