HP-UX Host Intrusion Detection System Version 4.2 Administration Guide

Limitations
This section describes the general limitations of the templates. Template-specific limitations are discussed in the respective template sections.

Following are some general limitations:

• No file monitoring template can filter alerts based on whether a file is local or remote (NFS).

• File monitoring templates, by design, do not detect whether the contents of a file were modified.

• File-related templates can generate alerts with file relative path names instead of file full path names. Specifying relative path names in template properties to filter these alerts is not safe, because a relative path name can correspond to more than one file.

• A template that has the pathnames_to_watch property does not monitor changes made to a file through a hard link, unless the full path name of the hard link is specified in the property. However, the creation of hard links to files is monitored. Similarly, for the pathnames_to_not_watch property, modifications made to a file through a hard link are not ignored unless the full path name of the hard link is specified in the property.

• File monitoring templates do not monitor changes made to files through symbolic links. Hence, you must not specify full path names of symbolic links in the pathnames_to_watch and pathnames_to_not_watch properties, unless the modification of the symbolic link itself must be monitored.

• Alerts that specify an unknown program occur when the following three conditions are met:
  — The program is started before the HIDS surveillance schedule is started.
  — The process terminates immediately after it performs an action that causes an alert.
  — HIDS generates the alert after the process terminates.

• Alerts that specify an unknown program also occur when the following two conditions are met:
  — The IDDS_MODE_NONBLOCK flag is set in IDDS_MODE in the ids.cf configuration file (that is, IDDS_MODE is set to 3, the default value).
  — IDDS is dropping audit records because of a heavy system load.
Template Property Types
A template property has one of the following types:
Type I: Path Names to [Not] Monitor
Type II: Path Names/Programs Pairs
Type III: User Names/UIDs
Type IV: User Name/UID Pairs
Type V: Network Triplets
Type VI: Time Strings
Type VII: Flags
Type VIII: Scalars
Type IX: Path Names / Integer Pairs
Type X: String Patterns
Type XI: String
Type I: Path Names to [Not] Monitor
The pathnames_to_watch and pathnames_to_not_watch template properties are of Type I. Type I is a list of regular expressions that are separated by the pipe (|) character. A file or directory is [not] monitored if its full path name matches a regular expression in the pathnames_to_[not]_watch template property.
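The following added example (not HP's code) lints a Type I property value against the general limitations above and evaluates whether a given full path name would be monitored. It assumes Python re syntax with whole-path matching (the HIDS regex dialect may differ) and that pathnames_to_not_watch takes precedence over pathnames_to_watch.

```python
import os
import re

# Assumption: patterns use Python `re` syntax and must match the whole
# full path name; the HIDS regex dialect may differ from this.


def parse_type1(value):
    """Split a pipe-separated Type I property value into its patterns."""
    return [pattern for pattern in value.split("|") if pattern]


def lint_type1(value, check_fs=False):
    """Return (pattern, problem) pairs for patterns the guide warns against."""
    problems = []
    for pattern in parse_type1(value):
        try:
            re.compile(pattern)
        except re.error as exc:
            problems.append((pattern, f"invalid regular expression: {exc}"))
            continue
        if not pattern.startswith("/"):
            # A relative path name can correspond to more than one file.
            problems.append((pattern, "relative path name; use a full path name"))
        elif check_fs and os.path.islink(pattern):
            # Changes made through a symbolic link are not monitored.
            problems.append((pattern, "full path name is a symbolic link"))
    return problems


def is_monitored(full_path, watch, not_watch=""):
    """True if full_path matches a watch pattern and no not_watch pattern.

    Assumption: pathnames_to_not_watch takes precedence over pathnames_to_watch.
    """
    if not full_path.startswith("/"):
        raise ValueError("matching is done on full path names, not relative ones")

    def hit(value):
        return any(re.fullmatch(p, full_path) for p in parse_type1(value))

    return hit(watch) and not hit(not_watch)


if __name__ == "__main__":
    watch = r"/etc/passwd|/etc/.*\.conf|passwd"  # constructed sample value
    not_watch = "/etc/motd"                      # constructed sample value
    for pattern, why in lint_type1(watch):
        print(f"{pattern}: {why}")
    print(is_monitored("/etc/resolv.conf", watch, not_watch))
```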