HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

Start with a single template and then see how many alerts are generated. Determine
if any of these are security events, and if not, modify the template properties to
filter the spurious alerts.
You may find software that is behaving incorrectly, such as writing to /opt
(considered a read-only file system), creating world-writable lock files (a security
issue), or saving temporary data in /etc (which should hold only configuration data).
Contact the software vendor about these programs.
Setting Surveillance Schedule Timetables
Once you have defined a surveillance schedule with its complement of surveillance
groups and detection templates, you need to specify the days and times that the groups
will be active when the schedule is activated on an agent host. Use this procedure to
establish and change the times a schedule runs.
NOTE: You cannot reset the timetable of a surveillance group if it is in a surveillance
schedule that is currently scheduled or running on an agent host. For more information,
see “Using the System Manager Screen” (page 57).
IMPORTANT: If one or more groups end and one or more groups start in adjacent
time slots, there will be an interval of several seconds between the end of the former
groups and the start of the latter groups in which none of the groups will be running.
If a group is scheduled across adjacent time slots, it is not interrupted.
IMPORTANT: While a schedule may contain more than 10 groups, it may have no
more than 10 groups active in any one-hour time slot.
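
The two IMPORTANT constraints above can be checked on a planned timetable before the schedule is activated. The following Python is an added example, not part of HP-UX HIDS or of this guide; the timetable representation (group name mapped to a set of hour-of-week slots), the function names and the sample group names are assumptions made for illustration.

```python
from collections import defaultdict

MAX_ACTIVE_PER_SLOT = 10    # limit stated in the guide
SLOTS_PER_WEEK = 7 * 24     # assumption: one-hour slots, slot 0 = first day 00:00

def slot(day, hour):
    """Map (day 0-6, hour 0-23) to an hour-of-week slot index."""
    return day * 24 + hour

def active_by_slot(timetable):
    """Invert {group: set of slots} into {slot: set of groups}."""
    active = defaultdict(set)
    for group, slots in timetable.items():
        for s in slots:
            if not 0 <= s < SLOTS_PER_WEEK:
                raise ValueError(f"{group}: slot {s} is outside the week")
            active[s].add(group)
    return active

def overloaded_slots(timetable, limit=MAX_ACTIVE_PER_SLOT):
    """Return [(slot, count)] for every slot with more than `limit` groups."""
    active = active_by_slot(timetable)
    return sorted((s, len(g)) for s, g in active.items() if len(g) > limit)

def handoffs(timetable):
    """Return [(slot, ended, started, continuing)] for each boundary between
    slot and slot+1 where some groups end and others start. Week wrap-around
    (last slot to slot 0) is not examined."""
    active = active_by_slot(timetable)
    found = []
    for s in range(SLOTS_PER_WEEK - 1):
        now, nxt = active.get(s, set()), active.get(s + 1, set())
        ended, started = now - nxt, nxt - now
        if ended and started:
            found.append((s, sorted(ended), sorted(started), sorted(now & nxt)))
    return found

# Constructed sample timetable (hypothetical group names), day 0 only.
TIMETABLE = {
    "business_hours": set(range(slot(0, 8), slot(0, 18))),
    "after_hours": set(range(slot(0, 18), slot(0, 24))),
    "always_on": set(range(slot(0, 0), slot(0, 24))),
}
TIMETABLE.update({f"burst_{i}": {slot(0, 12)} for i in range(10)})

if __name__ == "__main__":
    print("over limit:", overloaded_slots(TIMETABLE))
    print("handoffs:", handoffs(TIMETABLE))
```

A boundary reported with an empty `continuing` list is one where no group spans the two slots, so nothing is running during the interval between the ending and starting groups.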