HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

NOTE: When specifying the template property value in the Schedule Manager
window, enter only the template property value, for example
^/var/log/cron$ | ^/etc/passwd$. Do not enter the property name and the first
pipe character.
When specifying values for this property, be aware of path names that contain symbolic
links. For example, to monitor the csh executable, specify the complete path name
/usr/bin/csh, assuming that /bin is a symbolic link to /usr/bin. HIDS attempts
to match using fully resolved path names.
Use the regular expression anchor characters ^ and $ to denote the start and end of the
file path name.
The following line defines a property named pathnames_to_watch that specifies
monitoring all files or directories whose path name contains the /var/t substring,
or whose path name starts with the /opt string:
pathnames_to_watch | /var/t.* | ^/opt
For examples of regular expressions, see “UNIX Regular Expressions” (page 138).
Type II: Path Names/Programs Pairs
These property types enable users to specify combinations of file path names and
program path names. As a result, alerts that are normally generated for files specified
in the pathnames-to-be-monitored property are suppressed when the files are
modified by specified programs.
Path names and programs are specified as regular expressions the same as
pathnames_to_[not]_watch properties are specified. See the default property
settings for the kernel templates for examples of path names and program pair
specifications.
Path names and program properties come in pairs. There can be n > 0 pairs in a
configuration file. For each member of a pair, its property values consist of a set of
m > 0 lists. For the path name member of a pair, each property value consists of a list
of p > 0 regular expressions separated by ampersand (&) characters. For the
corresponding program member of a pair, each property value is a list of q > 0 regular
expressions as its value. In general, p is not equal to q. Following is an example of a
valid property pair:
pathnames_1 | f1 & f2 | f3 & f4 & f5 | f6
programs_1 | p1 & p2 & p3 | p3 & p4 | p5
With these two lines, an alert is not generated for file f1 if the event was triggered by
any of the p1, p2, or p3 programs. Similarly, f2 is not monitored if the event was
triggered by p1, p2, or p3. Analogously, an alert is suppressed for f3, f4, and f5 if
the alert is triggered by program p3 or p4.
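The following is an added example (not from the HP-UX HIDS guide or product) that parses Type I and Type II template properties in the pipe-and-ampersand format described above and applies the matching rules: unanchored regular-expression search, and position-by-position pairing of path name lists with program lists for alert suppression. The pathnames_1/programs_1 values are hypothetical, not HP-UX default template settings, and the caller is assumed to pass fully resolved path names.

```python
import re

# Constructed sample template in the page's 'name | value | value' format.
# pathnames_to_watch is the page's own example; the pathnames_1/programs_1
# pair uses hypothetical regular expressions, not HP-UX default template values.
SAMPLE_TEMPLATE = """
pathnames_to_watch | /var/t.* | ^/opt
pathnames_1 | ^/etc/passwd$ & ^/etc/shadow$ | ^/var/log/.*
programs_1 | ^/usr/bin/passwd$ & ^/usr/sbin/useradd$ | ^/usr/sbin/syslogd$
"""

def parse_property(line):
    """Split 'name | v1 | v2' into (name, [[regex, ...], ...]).
    The pipe separates values; '&' separates regexes inside one value."""
    name, *values = [part.strip() for part in line.split("|")]
    return name, [[rx.strip() for rx in v.split("&")] for v in values]

def parse_template(text):
    """Map property name -> list of regex lists, skipping blank lines."""
    return dict(parse_property(l) for l in text.splitlines() if l.strip())

def _any_match(regexes, path):
    # Unanchored search: only ^ and $ in the pattern pin the path ends,
    # so '/var/t.*' matches anywhere while '^/opt' must start the path.
    return any(re.search(rx, path) for rx in regexes)

def is_watched(props, path):
    """Type I check: does any pathnames_to_watch value match the path?"""
    return any(_any_match(v, path) for v in props["pathnames_to_watch"])

def pair_suppresses(props, path_key, prog_key, path, program):
    """Type II check: the alert is suppressed when the file path and the
    program path match the same position in the two members of the pair.
    Both arguments are assumed already resolved (os.path.realpath), since
    HIDS matches on fully resolved path names."""
    pairs = zip(props[path_key], props[prog_key])  # m lists on each side
    return any(_any_match(fs, path) and _any_match(ps, program) for fs, ps in pairs)
```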
Template Property Types 141