HP-UX Host Intrusion Detection System Version 4.2 Administration Guide
Table C-2 Reporting Options Supported by idsadmin (continued)
Option: --alert-fields
Description: Comma-separated list of alert fields to print in a report, where:
  • hostname — The hostname of the agent that generated the alert.
  • ipaddr — The host IP address of the agent that generated the alert.
  • template — The template that generated the alert.
  • localdate — The local date and time of the event that triggered the alert.
  • utcdate — The UTC date and time of the event that triggered the alert.
  • utcsecs — The UTC time of the event that triggered the alert.
  • severity — The alert severity.
  • count — Number of times this alert was generated. For aggregated alerts, this field contains the number of alerts that were aggregated into a single alert.
  • attacker — For file-related alerts, the program that triggered the attack. For login/logout or su alerts, the user that triggered the attack. For aggregated alerts, the program that triggered the alerts and/or whose forked programs triggered the alerts.
  • target — For file-related alerts, the pathname of the targeted file. For login/logout or su alerts, the targeted user account. For aggregated alerts, set to {multiple targets}.
  • event — The event that triggered the alert. For aggregated alerts, this field is set to {multiple targets}.
  • user — The user (ruid:rgid:euid:egid) that triggered the alert.
  • summary — Alert summary.
  • details — Alert details.
  By default, all fields except the template field are displayed.

Option: --alert-severities critical | severe | moderate | all
Description: Specifies that only alerts with the specified severity levels are reported. If this option is not specified, alerts of all severity levels are included in the report.

Option: --email-to EMAIL_ADDRESS1,EMAIL_ADDRESS2,...
Description: Comma-separated list of email addresses to which alert reports are sent.

Option: --email-message TEXT
Description: Used with the --email-to reporting option. Text of an email message containing a report. The text must be enclosed in double quotes if it contains whitespace. This option can be specified only from the command line, not from the interactive menu prompt.

Option: --email-subject TEXT
Description: Used with the --email-to reporting option. Subject line of an email message containing a report. The text must be enclosed in double quotes if it contains whitespace. This option can be specified only from the command line, not from the interactive menu prompt.

Option: --end-date YYYYMMDD[HHMMSS]
Description: Specifies that only alerts generated on or before the specified date are reported. The date/time is interpreted as local time on the host on which idsadmin is run, not as local time on the agent host(s). The default is the current time. If YYYYMMDD is specified but not HHMMSS, then HHMMSS defaults to 235959 (11:59:59 PM).

Option: --report-delimiter CHAR
Description: Used with the --report-format raw reporting option. Specifies the delimiter character used when printing alert reports in raw format. The default is the pipe (|) character.

Option: --report-format html | txt | raw
Description: Specifies the format of the generated report. The default is html.
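The following POSIX shell script is an added example, not code from the HP-UX HIDS guide: it applies the documented --end-date default rule, prints the idsadmin command line for a raw report built from the options in Table C-2, and sums alert counts per host from a raw-format report. The field order in FIELDS and the lines in SAMPLE_REPORT are assumptions constructed for the example, not real idsadmin output.

```shell
#!/bin/sh
# Added example, not code from the HP-UX HIDS guide. Assumptions: FIELDS is
# the order given to --alert-fields, and SAMPLE_REPORT is constructed data.

FIELDS="hostname,ipaddr,localdate,severity,count,attacker,target"

# Documented --end-date rule: YYYYMMDD alone gets HHMMSS=235959;
# anything that is not 8 or 14 digits is rejected.
normalize_end_date() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) printf '%s235959\n' "$1" ;;
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) printf '%s\n' "$1" ;;
        *) return 1 ;;
    esac
}

# Print (do not run) the idsadmin invocation for a raw report of critical
# and severe alerts up to the end date given in $1.
idsadmin_report_cmd() {
    end=$(normalize_end_date "$1") || return 1
    printf "idsadmin --report-format raw --report-delimiter '|' --alert-fields %s --alert-severities critical,severe --end-date %s\n" "$FIELDS" "$end"
}

# Constructed sample of a raw report: pipe-delimited, fields in FIELDS order.
SAMPLE_REPORT='host1|10.0.0.1|2004-05-01 10:00:00|critical|3|/usr/bin/passwd|/etc/passwd
host2|10.0.0.2|2004-05-01 10:05:00|severe|1|login|root
host1|10.0.0.1|2004-05-01 11:00:00|moderate|1|/bin/sh|/etc/shadow
host3|10.0.0.3|2004-05-01 12:00:00|critical|5|su|root'

# Sum the count field per host for alerts at or above severity $2, reading a
# raw report with delimiter $1 from stdin. Summing count instead of counting
# lines weighs aggregated alerts correctly. Output: host=total, sorted by host.
alerts_per_host() {
    awk -F"$1" -v min="$2" '
        BEGIN { rank["critical"] = 3; rank["severe"] = 2; rank["moderate"] = 1 }
        NF >= 7 && rank[$4] >= rank[min] { total[$1] += $5 }
        END { for (h in total) printf "%s=%d\n", h, total[h] }' | sort
}

# Usage:
#   idsadmin_report_cmd 20040501
#   printf '%s\n' "$SAMPLE_REPORT" | alerts_per_host '|' severe
```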
186 Tuning Schedules and Generating Alert Reports