HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)

Limitations
This section describes the general limitations of the templates. Template-specific limitations are discussed in the respective template sections.
Following are some general limitations:
• No file monitoring template can filter alerts based on whether a file is local or remote (NFS).
• File monitoring templates, by design, do not detect whether the contents of a file were modified.
• File-related templates can generate alerts with file relative path names instead of file full path names. Specifying relative path names in template properties to filter these alerts is not safe, because a relative path name can correspond to more than one file.
• A template that has the pathnames_to_watch property does not monitor changes to a file from a hard link, unless the full path name of the hard link is specified in the property. However, the creation of hard links to files is monitored. Similarly, for the pathnames_to_not_watch property, modifications to a file from a hard link are not ignored unless the full path name of the hard link is specified in the property.
• File monitoring templates do not monitor changes to files through symbolic links. Hence, you must not specify full path names of symbolic links in the pathnames_to_watch and pathnames_to_not_watch properties, unless the modification of the symbolic link itself must be monitored.
• Alerts that specify an unknown program occur when the following three conditions are met:
  - The program is started before the HIDS surveillance schedule is started.
  - The process terminates immediately after it performs an action that causes an alert.
  - HIDS generates the alert after the process terminates.
• Alerts that specify an unknown program occur when the following two conditions are met:
  - The IDDS_MODE_NONBLOCK flag is set in IDDS_MODE in the ids.cf configuration file (that is, IDDS_MODE is set to 3, the default value).
  - IDDS is dropping audit records because of a heavy system load.
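Because changes made through a hard link are only monitored when that link's own full path name is listed, an administrator needs to know every name a watched file has. The following script is an added example, not part of the HIDS guide or product: it enumerates the other hard links of a file (same inode, same filesystem) so they can be added to pathnames_to_watch or pathnames_to_not_watch. It assumes POSIX ls, find, awk and grep; FILE must be given as the full path name that find would print.

```sh
#!/bin/sh
# Added example, not from the HIDS guide: list the other full path names of a
# watched file.  Hard links share an inode within one filesystem, so the inode
# reported by `ls -i` is searched with `find -inum`, staying on that
# filesystem (-xdev).  Only POSIX ls/find/awk/grep options are used.
#
# Usage: other_names FILE [SEARCH_ROOT]
#   Prints the full path names of FILE other than FILE itself.
#   FILE must be a full path name; SEARCH_ROOT (default /) must lie on the
#   same filesystem as FILE.
other_names() {
    file=$1
    root=${2:-/}
    if [ ! -f "$file" ]; then
        echo "other_names: $file is not a regular file" >&2
        return 1
    fi
    inode=$(ls -i "$file" | awk '{print $1}')
    # -links +1 skips the usual case of a file with a single name; -type f
    # ignores symbolic links, which the file templates do not follow anyway.
    find "$root" -xdev -type f -inum "$inode" -links +1 2>/dev/null |
        grep -v -x -F -- "$file"
}

# Usage: check_watched_paths SEARCH_ROOT PATH...
#   Prints one warning line per extra name found for the given watched paths,
#   so the output can be reviewed before editing the template property.
check_watched_paths() {
    root=$1
    shift
    for p in "$@"; do
        other_names "$p" "$root" | while read -r link; do
            echo "WARNING: $p is also reachable as $link; add it to pathnames_to_watch"
        done
    done
    return 0
}
```

Run check_watched_paths with the filesystem's mount point as SEARCH_ROOT and the watched files as arguments; an empty result means no additional hard-link names exist for those files.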
Template Property Types
A template property has one of the following types:
Type I: Path Names to [Not] Monitor
Type II: Path Names/Programs Pairs
Type III: User Names/UIDs
Type IV: User Name/UID Pairs
Type V: Network Triplets
Type VI: Time Strings
Type VII: Flags
Type VIII: Scalars
Type IX: Path Names / Integer Pairs
Type X: String Patterns
Type XI: String
Type I: Path Names to [Not] Monitor
The pathnames_to_watch and pathnames_to_not_watch template properties are of Type
I. Type I is a list of regular expressions that are separated by the pipe (|) character. A file or