HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
NOTE: The pathnames_0/programs_0 pair is a special case in which alerts for files specified in pathnames_0 are not generated when the corresponding programs in programs_0, or any of those programs' child processes or grandchild processes, trigger the alert. For example, for the Modification of Files/Directories template, if pathnames_0 contains ^/opt/ to specify the /opt directory and programs_0 contains /usr/sbin/swinstall, then alerts normally generated for modifications to files under /opt are suppressed when the files are modified by swinstall, any of its child processes (such as control scripts), or any of its grandchild processes (such as commands invoked in a control script).
• The following set of two lines:
pathnames_1 | f1 & f2
programs_1 | p1 & p2 & p3
is equivalent to the following set of four lines:
pathnames_1 | f1
programs_1 | p1 & p2 & p3
pathnames_2 | f2
programs_2 | p1 & p2 & p3
or to the following set of six lines:
pathnames_1 | f1 & f2
programs_1 | p1
pathnames_2 | f1 & f2
programs_2 | p2
pathnames_3 | f1 & f2
programs_3 | p3
• However, it is not equal to the following lines:
pathnames_1 | f1
programs_1 | p1 & p2 & p3
pathnames_2 | f2
programs_2 | p1 & p3
This provides granularity for specifying file-monitoring dependencies. That is, in the last example an alert for f2 is generated when the event is triggered by p2, whereas with any of the three previous examples that alert is suppressed.
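The following is an added example, not HP-UX HIDS code, that models the pathnames_N/programs_N suppression semantics described above and checks the equivalences just stated. It assumes file patterns are regexes matched against the path, that values are split on &, and that only pair 0 extends to child and grandchild processes (the page states the descendant rule only for that pair).

```python
import re
from itertools import product

# Constructed model of pathnames_N/programs_N exemption rules (not HIDS code).

def parse_rules(text):
    """Return {N: (file_regexes, programs)} from 'pathnames_N | ...' and
    'programs_N | ...' lines; values are '&'-separated."""
    rules = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("|")
        kind, _, idx = key.strip().rpartition("_")
        items = [v.strip() for v in value.split("&") if v.strip()]
        files, progs = rules.setdefault(int(idx), ([], []))
        (files if kind == "pathnames" else progs).extend(items)
    return rules

def suppressed(rules, path, ancestry):
    """ancestry = [triggering program, its parent, its grandparent].
    Pair 0 also exempts children and grandchildren of its programs (the
    special case in the NOTE); for N > 0 only the triggering program is
    matched (assumption: the page states the descendant rule only for 0)."""
    for idx, (files, progs) in rules.items():
        if not any(re.search(f, path) for f in files):
            continue
        generations = ancestry[:3] if idx == 0 else ancestry[:1]
        if any(p in progs for p in generations):
            return True
    return False

def exemptions(rules, paths=("f1", "f2"), programs=("p1", "p2", "p3")):
    """Set of (path, program) events the rules suppress; equal sets mean
    the rule texts are equivalent in the sense used above."""
    return {(f, p) for f, p in product(paths, programs)
            if suppressed(rules, f, [p])}

TWO_LINES = "pathnames_1 | f1 & f2\nprograms_1 | p1 & p2 & p3"
FOUR_LINES = ("pathnames_1 | f1\nprograms_1 | p1 & p2 & p3\n"
              "pathnames_2 | f2\nprograms_2 | p1 & p2 & p3")
SIX_LINES = "\n".join(f"pathnames_{i} | f1 & f2\nprograms_{i} | p{i}"
                      for i in (1, 2, 3))
NOT_EQUAL = ("pathnames_1 | f1\nprograms_1 | p1 & p2 & p3\n"
             "pathnames_2 | f2\nprograms_2 | p1 & p3")

if __name__ == "__main__":
    base = exemptions(parse_rules(TWO_LINES))
    print(base == exemptions(parse_rules(FOUR_LINES)) == exemptions(parse_rules(SIX_LINES)))
    print(("f2", "p2") in exemptions(parse_rules(NOT_EQUAL)))  # f2 changed by p2 still alerts
```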