HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)

NOTE: The pathnames_0/programs_0 pair is a special case in which alerts for files specified
in pathnames_0 are not generated when the corresponding programs in programs_0, or any
of those programs' child processes or grandchild processes, trigger the alert. For example, for the
Modification of Files/Directories template, if pathnames_0 contains ^/opt/ to specify the /opt
directory and programs_0 contains /usr/sbin/swinstall, then alerts normally generated
for modifications to files under /opt are suppressed when the files are modified by
swinstall, by any of its child processes (such as control scripts), or by any of its grandchild
processes (such as commands invoked in a control script).
The following set of two lines:
pathnames_1 | f1 & f2
programs_1 | p1 & p2 & p3
Is equivalent to the following set of four lines:
pathnames_1 | f1
programs_1 | p1 & p2 & p3
pathnames_2 | f2
programs_2 | p1 & p2 & p3
Or to the following set of six lines:
pathnames_1 | f1 & f2
programs_1 | p1
pathnames_2 | f1 & f2
programs_2 | p2
pathnames_3 | f1 & f2
programs_3 | p3
However, it is not equivalent to the following lines:
pathnames_1 | f1
programs_1 | p1 & p2 & p3
pathnames_2 | f2
programs_2 | p1 & p3
This provides granularity for specifying file-monitoring dependencies. That is, in the last
example an alert for f2 is generated if the event was triggered by p2, in contrast to what happens
when any of the three previous examples is used.
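
The equivalences above can be checked mechanically. The following is an added example, not part of the HP guide or of HIDS itself: it treats each numbered pathnames_N/programs_N pair as covering every listed file entry with every listed program entry, which is what the equivalences imply. The function names are hypothetical, and entries are handled as opaque strings (an assumption; pattern matching and the pathnames_0 child-process behavior are not modeled).

```python
import re
from itertools import product

# Matches lines such as "pathnames_1 | f1 & f2" (the form shown in the guide).
LINE = re.compile(r"^(pathnames|programs)_(\d+)\s*\|\s*(.*)$")

def suppressed_pairs(lines):
    """Return the set of (file entry, program entry) pairs a config covers."""
    groups = {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            raise ValueError(f"unrecognized line: {raw!r}")
        kind, idx = m.group(1), int(m.group(2))
        # Assumption: entries are opaque strings; pattern matching is not modeled.
        items = [v.strip() for v in m.group(3).split("&") if v.strip()]
        groups.setdefault(idx, {})[kind] = items
    pairs = set()
    for idx, g in sorted(groups.items()):
        if set(g) != {"pathnames", "programs"}:
            raise ValueError(f"index {idx} lacks its pathnames/programs partner")
        # Each numbered pair covers every file entry with every program entry.
        pairs.update(product(g["pathnames"], g["programs"]))
    return pairs

# The four configurations from the text above.
TWO_LINES = ["pathnames_1 | f1 & f2", "programs_1 | p1 & p2 & p3"]
FOUR_LINES = ["pathnames_1 | f1", "programs_1 | p1 & p2 & p3",
              "pathnames_2 | f2", "programs_2 | p1 & p2 & p3"]
SIX_LINES = ["pathnames_1 | f1 & f2", "programs_1 | p1",
             "pathnames_2 | f1 & f2", "programs_2 | p2",
             "pathnames_3 | f1 & f2", "programs_3 | p3"]
NOT_EQUIVALENT = ["pathnames_1 | f1", "programs_1 | p1 & p2 & p3",
                  "pathnames_2 | f2", "programs_2 | p1 & p3"]

def coverage_gap(reference, candidate):
    """Pairs covered by reference but not by candidate (alerts that now fire)."""
    return suppressed_pairs(reference) - suppressed_pairs(candidate)

if __name__ == "__main__":
    same = suppressed_pairs(TWO_LINES) == suppressed_pairs(FOUR_LINES) == suppressed_pairs(SIX_LINES)
    print("first three equivalent:", same)
    print("gap in last example:", coverage_gap(TWO_LINES, NOT_EQUIVALENT))
```

Running the same comparison on a rewritten filter set before deploying it shows which file/program combinations would start or stop generating alerts.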