HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

with a matching remote IP address is filtered except for
root and ids users. If a login event’s remote host IP
address does not match any triplet, then a severe alert
(severity=2) is generated for root and ids users and a
moderate alert (severity=3) is generated for all other
users. The value of the mask must be set to
255.255.255.255 if the ip_address is a host address;
otherwise, the mask must be set to the network mask to
qualify the value in ip_address as a network address.
Host address filtering is only applied to those login
events that are not filtered out by the
users_to_ignore and users_to_monitor template
properties.
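The host address filtering and mask rules described above, as an added example that is not part of the guide (only the ip_address and mask fields of each filter triplet are modelled; the users_to_ignore/users_to_monitor pass that runs first is not, and the severity of a matching root/ids login, which the text does not state, is reported as None):

```python
import ipaddress

# Constructed sample filter entries (ip_address, mask): one host entry with the
# all-ones mask and one network entry with its network mask.
FILTER_ENTRIES = [
    ("10.1.2.3", "255.255.255.255"),
    ("192.168.10.0", "255.255.255.0"),
]

# Users exempt from host address filtering, per the text.
PRIVILEGED_USERS = {"root", "ids"}


def check_entry(ip_address, mask):
    """Validate one entry against the mask rule.

    A host address must carry mask 255.255.255.255; a network address must
    carry its network mask and must not have host bits set under that mask.
    Returns True when the entry is well formed.
    """
    try:
        ipaddress.IPv4Network((ip_address, mask), strict=True)
    except ValueError:
        return False
    return True


def matches_entry(remote_ip, ip_address, mask):
    """True when remote_ip falls inside ip_address as qualified by mask."""
    net = ipaddress.IPv4Network((ip_address, mask), strict=False)
    return ipaddress.IPv4Address(remote_ip) in net


def evaluate_login(user, remote_ip, entries=FILTER_ENTRIES):
    """Return (filtered, severity) for a login event.

    filtered is True when the event is suppressed by a matching entry.
    A non-matching remote address yields severity 2 for root/ids and 3 for
    everyone else. A matching root/ids login is not filtered, but the guide
    gives no severity for that case, so None is returned (assumption).
    """
    matched = any(matches_entry(remote_ip, a, m) for a, m in entries)
    if matched:
        if user in PRIVILEGED_USERS:
            return (False, None)
        return (True, None)
    return (False, 2 if user in PRIVILEGED_USERS else 3)
```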
priv_user_list
A high severity alert is generated when a user with a
user ID or user name in this list logs in or logs out.
Alerts generated by this template
See “Login/Logout” (page 181) and “Successful su Detected” (page 183) for more
information about the alerts generated by the Login/Logout template.
Login/Logout
Table A-20 lists the alert properties the Login/Logout template generates and forwards
to a response program when a successful login or logout occurs.
Table A-20 Login/Logout Alert Properties
Alert Field | Alert Field Type | Alert Value/Format | Description | Response Program Argument
Template code | Integer | 7 | Unique code assigned to template | argv[1]
Version | Integer | 3 | Template version | argv[2]
Severity | Integer | 2 for users listed in the priv_user_list property, and 1 if specified by an ip filter property | Alert severity | argv[3]
UTC Time | Integer | <secs> | UTC time in number of seconds since the epoch when a successful login, logout, or su event occurred | argv[4]
Login/Logout Template 181