HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)

Table 19 File/Directories Template Properties
Name: pathnames_to_watch
Type: I
Default Value:
^/.rhosts$ | ^/\.shosts$ | ^/\.profile$ | ^/bin/ | ^/sbin/
| ^/usr/bin/ | ^/usr/sbin/ | ^/usr/local/bin/ | ^/lib/
|^/usr/lib/ | ^/usr/local/lib/ |
^/stand/build/dlkm\.vmunix_test/ | ^/stand/vmunix$ |
^/stand/kernrel$ | ^/stand/bootconf$ | ^/stand/system$ |
^/dev/dsk/ | ^/dev/rdsk/ | ^/dev/rmt/ | ^/dev/rsdsi/ |
^/dev/vg[0-9]*/ | ^/dev/idds$ | ^/usr/dt/config/Xconfig$
| ^/tcb/files/devassign$ | ^/etc/rc\.config\.d/ |
^/etc/opt/sec_mgmt/bastille/ | ^/etc/rbac/ | ^/etc/cmpt/
| ^/etc/passwd$ | ^/etc/shadow$ | ^/etc/group$ |
^/etc/hosts\.equiv$ | ^/etc/hosts\.allow$ |
^/etc/hosts\.deny$ | ^/etc/inetd\.conf$ |
^/etc/auto_master$ | ^/etc/csh\.login$ |
^/etc/ftpd/ftpaccess$ | ^/etc/ftpd/ftpusers$ | ^/etc/inittab$
| ^/etc/opt/ipf/ipf\.conf$ | ^/etc/issue$ | ^/etc/motd$ |
^/etc/mnttab$ | ^/etc/named\.conf$ | ^/etc/securetty$ |
^/etc/default/security$ | ^/etc/mail/sendmail\.cf$ |
^/etc/shells$ | ^/etc/zprofile$ | ^/etc/nsswitch\.conf$ |
^/etc/pam\.conf$ | ^/etc/profile$ | ^/etc/acps\.conf$ |
^/etc/default/security$ | ^/etc/security\.dsc$ |
^/etc/opt/ids/ | ^/opt/ | ^/var/opt/ids/ | ^/opt/ids/ |
^/sbin/init\.d/idsagent$

Name: pathnames_to_not_watch
Type: I
Default Value: <empty>

Name: pathnames_0
Type: II
Default Value: <empty>

Name: programs_0
Type: II
Default Value: <empty>

Name: pathnames_1
Type: II
Default Value:
^/etc/mnttab$ & ^/etc/fstab$ | ^/dev/vg[0-9]*/

Name: programs_1
Type: II
Default Value:
^/usr/bin/nfsstat$ & ^/usr/sbin/syncer$ & ^/sbin/mount$
& ^/sbin/umount$ & ^/sbin/fs/.*/mount$ &
^/opt/cifsclient/bin/cifsmount$ & ^/sbin/fs/.*/umount$ &
^/opt/cifsclient/bin/cifsumount$ & ^/usr/bin/df$ &
^/usr/bin/bdf$ | ^/sbin/.*display$

Name: pathnames_X
Type: II
Default Value: <empty>

Name: programs_X
Type: II
Default Value: <empty>

Properties
The configurable properties are briefly described below:

pathnames_to_watch
    Path names of files to be monitored for modification.

pathnames_to_not_watch
    Path names of files that can be safely ignored for modification,
    regardless of which program modifies them.

pathnames_X, programs_X
    Use these properties to filter out alerts generated when a
    particular program modifies a particular file. See “Type II:
    Path Names/Programs Pairs” (page 108) for a detailed
    description of these property pairs.

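The following Python example is added here and is not code from the HP guide or the HIDS product. It checks which candidate paths a pathnames_to_watch / pathnames_to_not_watch pair would cover, assuming entries are '|'-separated regular expressions with insignificant surrounding blanks, that a pathnames_to_not_watch match takes precedence, and that Python's re module treats these patterns as the agent does; the watch list is an excerpt of the Table 19 default and the candidate paths and exclusion are constructed.

```python
import re

# Excerpt of the pathnames_to_watch default from Table 19 (not the full list).
DEFAULT_WATCH_EXCERPT = (
    r"^/bin/ | ^/sbin/ | ^/usr/bin/ | ^/usr/sbin/ | ^/etc/passwd$ | "
    r"^/etc/shadow$ | ^/etc/inetd\.conf$ | ^/etc/pam\.conf$ | "
    r"^/etc/rc\.config\.d/ | ^/etc/opt/ids/ | ^/opt/"
)


def parse_list(value):
    """Split a property value into compiled regexes.

    Assumption: entries are '|'-separated, surrounding blanks are not
    significant, and '<empty>' or '' means no entries.
    """
    if value.strip() in ("", "<empty>"):
        return []
    return [re.compile(p.strip()) for p in value.split("|") if p.strip()]


def is_watched(path, watch, not_watch):
    """Assumption: a pathnames_to_not_watch match overrides the watch list."""
    if any(rx.search(path) for rx in not_watch):
        return False
    return any(rx.search(path) for rx in watch)


def coverage(paths, watch_value, not_watch_value="<empty>"):
    """Return (watched, unwatched) lists for the candidate paths."""
    watch, not_watch = parse_list(watch_value), parse_list(not_watch_value)
    watched = [p for p in paths if is_watched(p, watch, not_watch)]
    return watched, [p for p in paths if p not in watched]


if __name__ == "__main__":
    # Constructed candidate paths and a constructed exclusion under /opt.
    candidates = ["/etc/passwd", "/etc/passwd.bak", "/usr/bin/login",
                  "/opt/app/tmp/cache.dat", "/var/spool/cron/crontabs/root"]
    watched, unwatched = coverage(candidates, DEFAULT_WATCH_EXCERPT,
                                  r"^/opt/app/tmp/")
    print("watched:  ", watched)
    print("unwatched:", unwatched)
```

Running a check like this against the paths that matter on a given host shows which ones fall outside the anchored patterns (for example, a backup copy next to a file matched with a trailing $) before the template is deployed.
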
Alerts generated by this template
File Being Modified
Table A-10 lists the alert properties this template generates and forwards to a response program
when a file is modified.