HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

Table A-19 Login/Logout Template Properties
Property              Type   Default Value
users_to_ignore       III    <empty>
users_to_monitor      III    <empty>
monitor_su_flag       VII    1
monitor_login_flag    VII    1
monitor_logout_flag   VII    1
ip_filters            V      <empty>
priv_user_list        III    root | ids
NOTE: The users_to_monitor property takes precedence over users_to_ignore
when both lists are set. If users_to_monitor is not empty, values in
users_to_ignore are ignored.
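The precedence rule in the note, combined with the monitor_*_flag and ip_filters properties from Table A-19, can be written out as a decision function. This is an added example, not code from HP-UX HIDS: the function names, the Python representation of the lists, the first-match rule for ip_filters and the sample values are assumptions.

```python
import ipaddress

# Defaults from Table A-19. The Python lists are a stand-in for the
# template's own property syntax, which this sketch does not reproduce.
DEFAULTS = {
    "users_to_ignore": [], "users_to_monitor": [],
    "monitor_su_flag": 1, "monitor_login_flag": 1, "monitor_logout_flag": 1,
    "ip_filters": [],  # triplets (ip_address, mask, severity)
}

def is_monitored(cfg, kind, name, uid):
    """Return True if a successful `kind` event (login, logout, su) alerts."""
    if cfg[f"monitor_{kind}_flag"] != 1:
        return False
    # A user matches a list by user name or user ID (assumed for both lists).
    ids = {name, str(uid)}
    monitor = set(map(str, cfg["users_to_monitor"]))
    if monitor:
        # Non-empty users_to_monitor: users_to_ignore is not consulted.
        return bool(ids & monitor)
    return not (ids & set(map(str, cfg["users_to_ignore"])))

def filter_severity(cfg, remote_ip):
    """Severity of the ip_filters triplet matching remote_ip, else None.
    Assumption: the first matching triplet wins."""
    addr = ipaddress.ip_address(remote_ip)
    for ip, mask, severity in cfg["ip_filters"]:
        # strict=False masks the address down to its network.
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if addr in net:
            return severity
    return None

if __name__ == "__main__":
    # Constructed sample configuration: root appears in both lists.
    cfg = dict(DEFAULTS, users_to_ignore=["backup", "root"],
               users_to_monitor=["root"], monitor_logout_flag=0,
               ip_filters=[("10.1.0.0", "255.255.0.0", 3)])
    for kind, name, uid in [("login", "root", 0), ("login", "alice", 101),
                            ("logout", "root", 0)]:
        print(kind, name, is_monitored(cfg, kind, name, uid))
    print(filter_severity(cfg, "10.1.7.9"), filter_severity(cfg, "192.0.2.5"))
```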
The configurable properties are listed as follows:
users_to_ignore
Users in this list can log in, log out and use su
without generating an alert.
users_to_monitor
Alerts are generated when users with a user ID or user
name in this list log in, log out or use the su command
if the corresponding monitor_*_flag is set to 1.
monitor_su_flag
When set to 1, the template monitors successful su
attempts to users specified in users_to_monitor or,
if users_to_monitor is empty, by users not listed in
users_to_ignore.
monitor_login_flag
When set to 1, the template monitors successful logins
to users specified in users_to_monitor or, if
users_to_monitor is empty, by users not listed in
users_to_ignore.
monitor_logout_flag
When set to 1, the template monitors successful logouts
by users specified in users_to_monitor or, if
users_to_monitor is empty, by users not listed in
users_to_ignore.
ip_filters
Contains a list of triplets {ip_address, mask, severity}.
Filters login alerts and determines
the alert’s severity based on which remote host or
network the login was made from. If a login’s remote
host IP address matches one of the triplet’s IP addresses
qualified by the triplet’s network mask, then the alert
severity is set to the corresponding triplet’s severity. A
severity level of 0 indicates that an alert for a login event