HP-UX Host Intrusion Detection System Version 4.2 Administration Guide
NOTE: No filters are generated for system alerts, and they cannot be filtered using the idsadmin
tune command.
NOTE: Duplicate failed login and su attempts can be suppressed using the
max_failed_[login,su], warning_interval, and fail_interval template properties.
Using the tune Command
The following examples show different ways of using the tune command to tune your schedules:
Example C-1 To tune schedules for two agents without any user interaction
% idsadmin -t -a abc.hp.com,xyz.hp.com --tune-no-review
This command (invoked from a shell command line) analyzes alerts for the two agents
(abc.hp.com and xyz.hp.com) generated since the timestamp of the last alert to be tuned. The
agent list is a single comma-separated argument with no spaces, because the shell splits on
whitespace. The tune command analyzes the alerts, and automatically updates and deploys the
updated schedule on these agents. No user interaction is required.
Example C-2 To tune schedules for two agents after a given date, with options to review and modify the Tune Command Report and the schedule
% idsadmin -t -a abc.hp.com,xyz.hp.com --start-date 20070101120000
This command (invoked from a shell command line) analyzes alerts for the two agents (abc.hp.com
and xyz.hp.com) starting from 1 January 2007 at 12:00:00 (noon); the timestamp argument is in
YYYYMMDDhhmmss form with a 24-hour clock. These alerts are then displayed in a report format
using the default editor, vi. You can review and modify the report, and save the changes. The
text schedule is displayed, and can be modified if needed and then deployed for these two agents.
Example C-3 To tune schedules for all agents in the sentinal.hosts file, and to review and modify the Tune Command Report and the schedule
idsadmin> tune -a all
This command (invoked from the idsadmin interactive command prompt) analyzes alerts for
all agents listed in the sentinal.hosts file that were generated since the timestamp of the last
alert to be tuned. These alerts are then displayed in a report format using the default editor, vi.
Administrators can review and modify the report, and save the changes. The text schedule is
displayed, and administrators can modify the schedule if needed and then deploy the schedule
for all of these agents.
Step 2: Modifying the Filters in the Tune Command Report
Administrators can review the alerts in the Tune Command Report and modify the filters so that
only those alerts deemed safe to ignore are filtered. When modifying or setting filters, mark
an alert with an 'X' (when the filter is a single exact file pathname) or an 'R' (when the filter
is a regular expression containing wildcard characters, to match one or more file pathnames).
A regular-expression filter suppresses every future alert whose pathname it matches, so keep
'R' patterns as narrow as possible. Save the file when done.
NOTE: To prevent accidental modifications, the Tune Command Report is created with read-only
permissions. To modify the Tune Command Report, you must change the permissions of the
report file.
To unmark an alert, you can delete the ‘X’ or ‘R’, or replace the ‘X’ or ‘R’ with a blank space.
The marked alerts are filtered by updating the corresponding schedules, using the appropriate
filters.
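The following script is an added example, not code from the HP-UX HIDS guide or the idsadmin tool, showing the check an administrator would want to run on a marked-up Tune Command Report before the schedule is deployed. The report layout it parses (one alert per line, a mark character in column 1 followed by the pathname), the rule that an 'R' pattern must match the whole pathname, the sample report contents and the function names are all assumptions made for illustration; the real report format is not reproduced here.

```python
"""Audit the 'X' / 'R' marks in a Tune Command Report before deploying a schedule.

Added example, not code from the HP-UX HIDS guide or the idsadmin tool.
ASSUMED report layout (for illustration only): one alert per line, a single
mark character in column 1 ('X', 'R' or blank), then the file pathname.
ASSUMED matching rule: an 'R' pattern must match the whole pathname.
"""
import os
import re
import stat
from typing import Dict, List, Tuple

# Constructed sample report, not real HIDS output. The admin has marked four
# alerts and left /etc/passwd and /etc/shadow unmarked on purpose.
SAMPLE_REPORT = """\
X /var/adm/syslog/syslog.log
R /var/spool/cron/tmp/crout.*
R /etc/.*
  /etc/passwd
  /etc/shadow
X /home/ops/*.log
R [unclosed
"""

# Characters that only make sense in an 'R' (regex) filter. '.' is deliberately
# absent because it is legitimate in an exact pathname such as syslog.log.
REGEX_ONLY_CHARS = set("*?+[](){}|^$\\")


def parse_report(text: str) -> List[Tuple[str, str]]:
    """Return (mark, pathname) pairs; mark is 'X', 'R' or '' for an unmarked alert."""
    entries: List[Tuple[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mark = line[0] if line[0] in ("X", "R") else ""
        entries.append((mark, line[1:].strip()))
    return entries


def check_filters(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return findings keyed by the marked pathname/pattern; an empty dict means
    nothing looked unsafe to deploy."""
    findings: Dict[str, List[str]] = {}
    unmarked = [p for m, p in entries if m == ""]
    for mark, path in entries:
        problems: List[str] = []
        if mark == "X" and REGEX_ONLY_CHARS & set(path):
            problems.append("'X' filter contains regex metacharacters; an 'X' filter "
                            "matches exactly one pathname, use 'R' for a pattern")
        elif mark == "R":
            try:
                pattern = re.compile(path)
            except re.error as exc:
                problems.append(f"'R' filter is not a valid regular expression: {exc}")
            else:
                # An over-broad pattern silently suppresses alerts the admin chose to keep.
                collisions = [p for p in unmarked if pattern.fullmatch(p)]
                if collisions:
                    problems.append("'R' filter also suppresses alerts left unmarked: "
                                    + ", ".join(collisions))
        if problems:
            findings[path] = problems
    return findings


def make_report_writable(report_path: str) -> None:
    """Add owner write permission: the report is created read-only by the tune command."""
    mode = stat.S_IMODE(os.stat(report_path).st_mode)
    os.chmod(report_path, mode | stat.S_IWUSR)


if __name__ == "__main__":
    for path, problems in check_filters(parse_report(SAMPLE_REPORT)).items():
        for problem in problems:
            print(f"{path}: {problem}")
```

Run against the constructed sample, the script flags `/etc/.*` because it would also filter the `/etc/passwd` and `/etc/shadow` alerts that were deliberately left unmarked, flags `/home/ops/*.log` because a wildcard was marked 'X' instead of 'R', and rejects `[unclosed` as an invalid expression; the two well-formed filters pass. Fix the marks in the editor, save, and only then let the tune command update and deploy the schedule.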
Tuning Schedules Using the idsadmin Command 183