HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

NOTE: If you have specified the --tune-no-review option with the tune command,
this report is not displayed. The tune command automatically modifies and deploys
the schedule without prompting for reviews.
The Tune Command Report contains the following additional sections:
Section Related to File Related Alerts
Section Related to Aggregated Alerts
Section Related to System Alerts
Section Related to File Related Alerts
The summary for file related alerts contains the following fields:
<Attacking Program> <Filter Type> <Attacked File> <Action> <User> <Severity> <Date> <Count> [[File Filter]] [[Program Filter]] [[Filter Comment]] <Template Code>
Where:
<Attacking Program> is the name of the program that generated the alert
<Filter Type> is set for one of the following:
X for exact match. This means that the filter is a regular expression that
matches one and only one file pathname.
R for regular expression match. This means that regular expression wildcard
characters are used to match one or more file pathnames.
“” (empty string) for no filter. This means that no filter will be generated for this
alert.
<Attacked File> is the absolute name of the file under attack.
<Action> is the action (event) for which the alert was generated.
<User> is the euid:egid:ruid:rgid of the user who generated the alert.
<Severity> is the severity level of the alert. It can be 1 (critical), 2 (severe), or 3
(moderate).
<Date> is the date when the <Action> triggered the alert.
<Count> is the number of duplicate alerts of this type.
[File Filter] is an optional filter generated for the pathname_X template property.
[Program Filter] is an optional filter generated for the program_X template property.
[Filter Comment] can be set to a comment explaining the choice of filter. If there
is no filter, it explains the reason for not having a filter.
<Template Code> is for internal use and must not be modified.
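The <Filter Type> column above records whether a generated file filter matches one pathname (X) or several (R). The following Python script is an added example, not part of this guide or of HP-UX HIDS; it assumes the filters are regular expressions with Python re semantics and uses a constructed list of attacked-file pathnames. It shows how to check a proposed file filter against the pathnames seen in the report before deploying it, so that an over-broad regular expression does not silently suppress alerts on files it was never meant to cover.

```python
import re

# Constructed sample of <Attacked File> values from file-related alerts.
# These are illustrative pathnames, not taken from a real tune report.
ATTACKED_FILES = [
    "/etc/passwd",
    "/var/adm/syslog/syslog.log",
    "/var/adm/syslog/mail.log",
    "/var/adm/wtmp",
]


def exact_filter(pathname):
    """Build an 'X' style filter: a regular expression that matches one and
    only one pathname.  Escaping and anchoring are this example's choice;
    the guide only states the one-pathname property."""
    return "^" + re.escape(pathname) + "$"


def filter_type(pattern, pathnames):
    """Classify a filter the way the report's <Filter Type> column does:
    'X' if it matches exactly one observed pathname, 'R' if it matches
    more than one (wildcards in use), '' if it matches none."""
    matched = [p for p in pathnames if re.fullmatch(pattern, p)]
    if len(matched) == 1:
        return "X"
    if len(matched) > 1:
        return "R"
    return ""


def review_filter(pattern, pathnames, intended):
    """Return the observed pathnames a filter covers beyond the ones it was
    intended for.  A non-empty result means the filter would suppress
    alerts on files the administrator did not mean to exclude."""
    matched = {p for p in pathnames if re.fullmatch(pattern, p)}
    return sorted(matched - set(intended))


if __name__ == "__main__":
    candidates = [
        exact_filter("/etc/passwd"),       # X: one file only
        r"/var/adm/syslog/.*\.log",        # R: the two log files
        r"/var/adm/.*",                    # R, but also covers wtmp
    ]
    log_files = ["/var/adm/syslog/syslog.log", "/var/adm/syslog/mail.log"]
    for pat in candidates:
        print(pat, filter_type(pat, ATTACKED_FILES),
              "unintended:", review_filter(pat, ATTACKED_FILES, log_files))
```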
Section Related to Aggregated Alerts
The summary for aggregated alerts contains the following fields:
<Ancestor> <Number of alerts> <user> <highest severity> <date> <count>
Tuning Schedules Using the idsadmin Command 223