HP-UX Host Intrusion Detection System Version 4.2 Administration Guide

ManualsBrandsHP ManualsSoftwareHP-UX Host Intrusion Detection System Software

181

182

183

184

185

186

187

188

189

190

The syntax for the tune command when invoked from the idsadmin command line is as follows:

idsadmin [-v[vvv]] -t [OPTIONS]

The tune command can also be invoked from the interactive command-line interface as follows:

idsadmin> tune [-v[vvv]] -t [OPTIONS]

Table C-1 describes the various tuning options that you can use with the tune command.

Table C-1 The tune Command Options

DescriptionOption

A comma separated list of agents (host names) to tune. Specify all to tune

all the schedules running on the hosts listed in the sentinal.hosts file.

Specify managed to tune all the schedules running on the hosts that are

marked as managed. If this option is not specified, only the schedules running

on the hosts marked as managed by the GUI are tuned. For more information

on managed hosts, see “Managing Hosts” (page 83)

-a, --agent-hosts <host 1,

host 2... | all | managed>

The time of the oldest alert to tune. If this option is not specified, the tune

command starts analyzing alerts whose timestamp is one second after the

most recent instance of tuning. If this is the first time that the agent is being

tuned, then the tune command analyzes all the alerts in the alert.log file.

Specify the start date using the YYYYMMDD [HHMMSS] format. If YYYYMMDD

is specified but not HHMMSS, then HHMMSS defaults to 000000 (12:00:00 AM).

--start-date YYYYMMDD

[HHMMSS]

Specifies the full pathname of the editor to use to display the Tune Report

and the text schedule. If you do not specify this option, /usr/bin/vi is used

as the default editor. If you do not specify the full path of your preferred

editor, you must ensure that the path is set in the PATH environment variable.

-e, --editor

Do not prompt for reviewing tuning reports and tuned schedules. This option

automatically updates the in-disk copy of the schedule(s) and deploys them

to the agent(s) running these schedules. This option is useful for doing

periodic, scheduled, non-interactive tunes such as from a cron job.

--tune-no-review

For more information and examples about using the tune command, see “Using the tune

Command” (page 183).

After the alerts are analyzed, these results are compiled in a Tune Command Report. This report

contains a summary of the alerts generated and the suggested filters, if applicable. The first

section of this report contains a summary specifying the number of unique alerts, duplicate alerts,

and the names of the agents running the corresponding schedule.

NOTE: If you have specified the --tune-no-review option with the tune command, this

report is not displayed. The tune command automatically modifies and deploys the schedule

without prompting for reviews.

The Tune Command Report contains the following additional sections:

• “Section Related to File Related Alerts.”

• “Section Related to Aggregated Alerts.”

• “Section Related to System Alerts.”

Section Related to File Related Alerts

The summary for file related alerts contains the following fields:

<Action> <User> <Severity> <Date> <Count> [[File

Filter]] [[Program Filter]] [[Filter Comment]]

Where:

• <Attacking Program> is the name of the program that generated the alert

• <Filter Type> is set for one of the following:

Tuning Schedules Using the idsadmin Command 181