HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
users_to_ignore | root | bin | daemon
Type IV: User Name/UID Pairs
Type IV property values include pairs of user names or user IDs. This property type
is currently used only in the Modification of Another User’s File Template. The two
members of each pair are separated by a comma. When an event is received for a file
that is being monitored, the following criteria are applied for every pair in the list:
• The effective user ID of the process modifying the file corresponds to the first
member of the pair.
• The owner of the file corresponds to the second member of the pair.
If both of these conditions are met for any pair in the list, no alert is issued.
Following is an example of this type of property value:
user_pairs_to_ignore | root, daemon | 0, bin | root, 3 | 0, 4
In this example, an alert is not triggered if any of the following conditions are met:
• The file owner’s name is root and the effective user ID of the modifying process
corresponds to the user name daemon.
• The file owner’s user ID is 0 and the effective user ID of the modifying process
corresponds to the user name bin.
• The file owner’s user ID corresponds to the user name root and the effective user
ID of the modifying process is 3.
• The file owner’s user ID is 0 and the effective user ID of the modifying process is 4.
Type V: Network Triplets
Type V property values include network information triplets. The members of a triplet
are as follows:
• IP Address: An IP address. For IPv4, the address must be in standard dot notation;
for IPv6, in colon notation.
• Network Mask: The network mask value qualifies the value in the IP address field
to an individual host address or a network address. A value of 255.255.255.255
means the value in the IP address field is an individual host address; otherwise,
it is a network address. The network mask follows the notational requirements
for IP addresses.
• Severity Code: An integer representing a severity level (0 = no alert, 1 = critical,
2 = severe, 3 = moderate). A severity level of 0 specifies that no alert is
generated for a matching {IP address, Network Mask, 0} triplet.
The following template configuration illustrates a Type V property value:
ip_filters | 192.168.0.2, 255.255.255.0, 0 |
where:
192.168.0.2 is the network address
255.255.255.0 is the network mask for a network address
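As an added illustration (not part of the guide or of the HIDS product code), the following Python parses a property line in the "name | member, member | ..." form used by Type IV and Type V values and applies the Type V matching rule: an event source matches a triplet when its address, masked by the network mask, equals the masked IP address field, so a 255.255.255.255 mask selects a single host and a shorter mask a whole network. The sample line is constructed; the second triplet is added to show a single-host entry.

```python
import ipaddress

# Constructed sample property line (not from a real HIDS template file); the
# first triplet is the guide's example, the second is a single-host entry.
SAMPLE_IP_FILTERS = (
    "ip_filters | 192.168.0.2, 255.255.255.0, 0 | 10.1.2.3, 255.255.255.255, 1 |"
)

def parse_property(line):
    """Split 'name | a, b | c, d |' into ('name', [['a', 'b'], ['c', 'd']]).

    Works for Type IV pairs and Type V triplets alike; the trailing '|' seen in
    the guide's examples produces an empty field, which is dropped.
    """
    fields = [f.strip() for f in line.split("|")]
    members = [[m.strip() for m in f.split(",")] for f in fields[1:] if f]
    return fields[0], members

def parse_ip_filters(line):
    """Return [(ip, mask, severity)] with ip and mask as ipaddress objects.

    Both IPv4 (dotted) and IPv6 (colon) notation are accepted for the address
    and the mask, as the guide requires; the two must be the same family.
    """
    name, triplets = parse_property(line)
    if name != "ip_filters":
        raise ValueError(f"expected ip_filters, got {name}")
    out = []
    for addr, mask, sev in triplets:
        ip, netmask = ipaddress.ip_address(addr), ipaddress.ip_address(mask)
        if ip.version != netmask.version:
            raise ValueError(f"mask {mask} is not the same family as {addr}")
        out.append((ip, netmask, int(sev)))
    return out

def severity_for(source, filters):
    """Severity code of the first triplet whose address and mask cover source.

    Masking both sides means an all-ones mask (255.255.255.255) matches one
    host and a shorter mask matches the whole network. Returns None when no
    triplet matches, which is distinct from severity 0: 0 means the source is
    listed and deliberately silenced.
    """
    src = ipaddress.ip_address(source)
    for ip, netmask, sev in filters:
        if src.version != ip.version:
            continue
        if int(src) & int(netmask) == int(ip) & int(netmask):
            return sev
    return None
```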
144 Templates and Alerts