HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
The syntax for the tune command when invoked from the idsadmin command line
is as follows:
idsadmin [-v[vvv]] -t [OPTIONS]
The tune command can also be invoked from the interactive command-line interface
as follows:
idsadmin> tune [-v[vvv]] -t [OPTIONS]
Table C-1 describes the various tuning options that you can use with the tune command.
Table C-1 The tune Command Options
Option: -a, --agent-hosts <host 1, host 2... | all | managed>
Description: A comma-separated list of agents (host names) to tune. Specify
all to tune all the schedules running on the hosts listed in the
sentinal.hosts file. Specify managed to tune all the schedules running on
the hosts that are marked as managed. If this option is not specified, only
the schedules running on the hosts marked as managed by the GUI are tuned.
For more information on managed hosts, see “Managing Hosts” (page 99).

Option: --start-date YYYYMMDD [HHMMSS]
Description: The time of the oldest alert to tune. If this option is not
specified, the tune command starts analyzing alerts whose timestamp is one
second after the most recent instance of tuning. If this is the first time
that the agent is being tuned, then the tune command analyzes all the alerts
in the alert.log file. Specify the start date using the YYYYMMDD [HHMMSS]
format. If YYYYMMDD is specified but not HHMMSS, then HHMMSS defaults to
000000 (12:00:00 AM).

Option: -e, --editor
Description: Specifies the full pathname of the editor to use to display the
Tune Report and the text schedule. If you do not specify this option,
/usr/bin/vi is used as the default editor. If you do not specify the full
path of your preferred editor, you must ensure that the path is set in the
PATH environment variable.

Option: --tune-no-review
Description: Do not prompt for reviewing tuning reports and tuned schedules.
This option automatically updates the on-disk copy of the schedule(s) and
deploys them to the agent(s) running these schedules. This option is useful
for doing periodic, scheduled, non-interactive tunes such as from a cron job.
For more information and examples about using the tune command, see “Using the
tune Command” (page 224).
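The following wrapper is an added example, not part of the HP guide: it shows one way to run the non-interactive tune described for --tune-no-review from cron, validating the host list and the --start-date value before anything is deployed unreviewed. The script name tune-cron.sh and the function names are hypothetical, idsadmin is assumed to be on PATH, and the date and time are assumed to be passed as two separate arguments, as the synopsis suggests.

```shell
#!/bin/sh
# Added example, not from the HP guide: cron wrapper for a non-interactive tune.
# Assumptions: idsadmin is on PATH, and the date and time are passed as two
# arguments, following the synopsis "--start-date YYYYMMDD [HHMMSS]".

# Print "YYYYMMDD HHMMSS" (HHMMSS defaults to 000000); return 1 if malformed.
# Field ranges are checked, month lengths are not.
normalize_start_date() {
    d=$1
    t=${2:-000000}
    case $d in [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;; *) return 1 ;; esac
    case $t in [0-9][0-9][0-9][0-9][0-9][0-9]) ;; *) return 1 ;; esac
    mm=${d#????}; mm=${mm%??}; dd=${d#??????}
    hh=${t%????}; mi=${t#??}; mi=${mi%??}; ss=${t#????}
    case $mm in 0[1-9]|1[0-2]) ;; *) return 1 ;; esac
    case $dd in 0[1-9]|[12][0-9]|3[01]) ;; *) return 1 ;; esac
    case $hh in [01][0-9]|2[0-3]) ;; *) return 1 ;; esac
    case $mi$ss in [0-5][0-9][0-5][0-9]) ;; *) return 1 ;; esac
    printf '%s %s\n' "$d" "$t"
}

# Print the idsadmin command line for: <hosts|all|managed> [YYYYMMDD [HHMMSS]].
# The host list is restricted to host-name characters so that a value from a
# crontab or config file cannot add options or shell metacharacters.
tune_cmdline() {
    hosts=${1:-}
    case $hosts in ''|-*|*[!A-Za-z0-9.,_-]*) return 1 ;; esac
    if [ -n "${2:-}" ]; then
        sd=$(normalize_start_date "$2" "${3:-}") || return 1
        printf 'idsadmin -t --agent-hosts %s --start-date %s --tune-no-review\n' \
            "$hosts" "$sd"
    else
        # No start date: tune resumes one second after the previous tuning run.
        printf 'idsadmin -t --agent-hosts %s --tune-no-review\n' "$hosts"
    fi
}

# Run only when called with arguments, e.g. from cron: tune-cron.sh managed
if [ "$#" -gt 0 ]; then
    cmd=$(tune_cmdline "$@") || { echo "tune-cron: invalid arguments" >&2; exit 2; }
    echo "tune-cron: running: $cmd" >&2   # record what is deployed unreviewed
    exec $cmd                             # safe to split: fields were validated
fi
```

Redirecting the wrapper's standard error to a log file from the crontab entry keeps a record of each unreviewed deployment.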
After the alerts are analyzed, these results are compiled in a Tune Command Report.
This report contains a summary of the alerts generated and the suggested filters, if
applicable. The first section of this report contains a summary specifying the number
of unique alerts, duplicate alerts, and the names of the agents running the corresponding
schedule.
222 Tuning Schedules and Generating Alert Reports