HP-UX Host Intrusion Detection System Version 4.2 Administration Guide

NOTE: All schedule files must be located in /etc/opt/ids/schedules.
Surveillance Schedule Text File
The surveillance schedule text file has two main sections:
Surveillance Schedule Section: A section that defines global properties of a schedule that
are not specific to any Surveillance Group or Template. There can only be one Surveillance
Schedule section in a surveillance schedule text file.
Surveillance Group Section: A subsection of the Surveillance Schedule section that defines
properties for a Surveillance Group. There can be one or more Surveillance Group sections
in a Surveillance Schedule section.
NOTE: Template information for the various groups is located in the group files in
/etc/opt/ids/schedules/groups.
WARNING! Schedule text files found on agent hosts in /var/opt/ids/schedule should
not be copied in /etc/opt/ids/schedules on the admin host because the schedule file
in /var/opt/ids/schedule is expanded to contain the template properties, while the
schedule files on the admin host in /etc/opt/ids/schedules are not. The idsadmin
command and GUI will not be able to parse a schedule that is in expanded form.
Surveillance Schedule Section
This section contains the following keywords and syntax:
SCHEDULE <schedule name>
GLOBALS <Schedule Global Properties>
ENDGLOBALS
NAME <Surveillance Group Subsection>
NAME <Surveillance Group Subsection>...
ENDSCHEDULE
This section is surrounded by the SCHEDULE and ENDSCHEDULE keywords, which mark the
beginning and end of an HIDS text schedule. The name following the SCHEDULE keyword is the
name of the schedule that is reported by the agent to the System Manager when it is running.
The name of the schedule must consist of an alphanumeric character followed by one or more
characters that are each alphanumeric, an underscore (_), or a hyphen (-). This section contains
a global properties subsection and one or more Surveillance Group subsections. The global
properties subsection is bracketed by the GLOBALS and ENDGLOBALS keywords.
The following global properties are defined within the GLOBALS and ENDGLOBALS keywords:
aggregation: The aggregation property is an alert aggregation flag that is used to either
enable or disable alert aggregation. The property value is specified using the syntax described
in “Type VII: Flags” (page 120) and is equivalent to the Schedule Manager Alert Aggregation
option box described in “Configuring Alert Aggregation” (page 72). The property set to “1”
is equivalent to the Alert Aggregation option box that is selected in the GUI Schedule
Manager. The property set to “0” is equivalent to the Alert Aggregation option box that is
not selected.
rt_alerts: The rt_alerts property is an alert aggregation flag that is used to enable or
disable the generation of real time alerts when alert aggregation is enabled. The property
value is specified using the syntax described in “Type VII: Flags” (page 120) and is equivalent
to the Schedule Manager Real Time Alerts option box described in “Configuring Alert
Aggregation” (page 72). The property set to “1” is equivalent to the Real Time Alerts option
box being checked. The property set to “0” is equivalent to the Real Time Alerts option box
not being checked.
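As an added example (not code from the HP-UX HIDS guide or product), the following Python checker enforces the structure described above on a schedule text file before it is copied into /etc/opt/ids/schedules on the admin host: one SCHEDULE ... ENDSCHEDULE wrapper, exactly one GLOBALS ... ENDGLOBALS block, at least one NAME group, the schedule-name character rule, and a value of 0 or 1 for the aggregation and rt_alerts flags. The one-property-per-line "keyword value" form inside GLOBALS and the sample file are assumptions, since the guide does not show the property line syntax here.

```python
import re

# Name rule from this section: one alphanumeric, then one or more of [alnum _ -].
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]+$")
FLAG_PROPERTIES = ("aggregation", "rt_alerts")  # Type VII flag values: "0" or "1"

# Constructed sample in non-expanded form ('keyword value' lines are an assumption).
SAMPLE = """SCHEDULE nightly_watch
GLOBALS
aggregation 1
rt_alerts 0
ENDGLOBALS
NAME login_group
NAME filesys_group
ENDSCHEDULE
"""

def parse_schedule(text):
    # Returns {'name', 'globals', 'groups'}; raises ValueError on a structural error.
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    head = lines[0].split() if lines else []
    if len(head) != 2 or head[0] != "SCHEDULE" or lines[-1] != "ENDSCHEDULE":
        raise ValueError("file must be 'SCHEDULE <name>' ... 'ENDSCHEDULE'")
    if not NAME_RE.match(head[1]):
        raise ValueError("invalid schedule name: %r" % head[1])
    sched = {"name": head[1], "globals": {}, "groups": []}
    in_globals = seen_globals = False
    for ln in lines[1:-1]:
        word = ln.split()
        if word[0] == "GLOBALS":
            if seen_globals:
                raise ValueError("only one GLOBALS section is allowed")
            in_globals = seen_globals = True
        elif word[0] == "ENDGLOBALS":
            if not in_globals:
                raise ValueError("ENDGLOBALS without GLOBALS")
            in_globals = False
        elif in_globals:
            if len(word) != 2 or (word[0] in FLAG_PROPERTIES and word[1] not in ("0", "1")):
                raise ValueError("bad global property line (flags must be 0 or 1): %r" % ln)
            sched["globals"][word[0]] = word[1]
        elif word[0] == "NAME" and len(word) == 2:
            sched["groups"].append({"name": word[1], "lines": []})
        elif sched["groups"]:
            sched["groups"][-1]["lines"].append(ln)  # opaque group subsection body
        else:
            raise ValueError("unexpected line outside any section: %r" % ln)
    if in_globals or not seen_globals or not sched["groups"]:
        raise ValueError("need one GLOBALS...ENDGLOBALS block and at least one NAME group")
    return sched

if __name__ == "__main__":
    print(parse_schedule(SAMPLE))
```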
aggr_tuples: The aggr_tuples property is a set of alert aggregation tuples that can be
configured to aggregate alerts triggered by a process running a specified program with alerts
triggered by the process’ descendent processes. The property tuple values are specified
198 The Surveillance Schedule Text File