HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)

The syntax for the tune command when invoked from the idsadmin command line is as follows:
idsadmin [-v[vvv]] -t [OPTIONS]
The tune command can also be invoked from the interactive command-line interface as follows:
idsadmin> tune [-v[vvv]] -t [OPTIONS]
Table 50 describes the various tuning options that you can use with the tune command.
Table 50 The tune Command Options
Option: -a, --agent-hosts host1:[srp1,srp2,......],host2:[srp1,srp2,......]... | all | managed
Description: A comma-separated list of host names or IP addresses of agent(s) to monitor and manage. If an agent is configured to monitor HP-UX Containers (HP-UX SRP), specify the comma-separated list of Container (SRP) names within square brackets, appended to the host name or IP address of the agent and separated from it by a colon. Specify all to tune all the schedules running on the hosts listed in the sentinal.hosts file. Specify managed to tune all the schedules running on the hosts that are marked as managed. If this option is not specified, only the schedules running on the hosts marked as managed by the GUI are tuned. For more information on managed hosts, see “Managing Hosts” (page 78). If no Containers (SRPs) are specified for a schedule configured with Containers, all the Containers configured in the schedule file are tuned.

Option: --start-date YYYYMMDD [HHMMSS]
Description: The time of the oldest alert to tune. If this option is not specified, the tune command starts analyzing alerts whose timestamp is one second after the most recent instance of tuning. If this is the first time that the agent is being tuned, then the tune command analyzes all the alerts in the alert.log file. Specify the start date using the YYYYMMDD [HHMMSS] format. If YYYYMMDD is specified but not HHMMSS, then HHMMSS defaults to 000000 (12:00:00 AM).

Option: -e, --editor
Description: Specifies the full pathname of the editor to use to display the Tune Report and the text schedule. If you do not specify this option, /usr/bin/vi is used as the default editor. If you do not specify the full path of your preferred editor, you must ensure that the path is set in the PATH environment variable.

Option: --tune-no-review
Description: Do not prompt for reviewing tuning reports and tuned schedules. This option automatically updates the in-disk copy of the schedule(s) and deploys them to the agent(s) running these schedules. This option is useful for doing periodic, scheduled, non-interactive tunes such as from a cron job.

For more information and examples about using the tune command, see “Using the tune
Command” (page 174).
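
The following shell functions are an added example, not part of the HP guide. They validate the two free-form inputs from Table 50, the --agent-hosts list and the --start-date value, and print the resulting non-interactive tune command line for a cron job, where --tune-no-review deploys the tuned schedules without a review prompt. The function names, the restriction on characters in host and Container names, and idsadmin being on PATH are assumptions.

```shell
#!/bin/sh
# Added example (not from the HP guide). Function names are hypothetical;
# idsadmin is assumed to be on PATH.

# agent_spec HOST [SRP...] prints "host" or "host:[srp1,srp2]".
# Assumption: names use only letters, digits, '.', '_' and '-', so the
# ',' ':' '[' ']' separators of --agent-hosts cannot arrive inside a name.
agent_spec() {
    case $1 in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    spec=$1 list=''; shift
    for srp in "$@"; do
        case $srp in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
        list=${list:+$list,}$srp
    done
    if [ -n "$list" ]; then spec="$spec:[$list]"; fi
    printf '%s\n' "$spec"
}

# start_date "YYYYMMDD" or "YYYYMMDD HHMMSS" prints "YYYYMMDD HHMMSS".
# A missing time becomes 000000, the default the guide documents.
start_date() {
    d=${1%% *} t=000000
    case $1 in *' '*) t=${1#* } ;; esac
    case $d in [0-9][0-9][0-9][0-9]????) ;; *) return 1 ;; esac
    case $t in ??????) ;; *) return 1 ;; esac
    mm=${d#????}; dd=${mm#??}; mm=${mm%??}
    hh=${t%????}; ms=${t#??}
    case $mm in 0[1-9]|1[0-2]) ;; *) return 1 ;; esac
    case $dd in 0[1-9]|[12][0-9]|3[01]) ;; *) return 1 ;; esac
    case $hh in [01][0-9]|2[0-3]) ;; *) return 1 ;; esac
    case $ms in [0-5][0-9][0-5][0-9]) ;; *) return 1 ;; esac
    printf '%s %s\n' "$d" "$t"
}

# tune_command START [SPEC...] prints the non-interactive command line.
# The -a value is single-quoted because '[' and ']' are shell glob characters.
tune_command() {
    when=$(start_date "$1") || return 1; shift
    hosts=''
    for s in "$@"; do hosts=${hosts:+$hosts,}$s; done
    [ -n "$hosts" ] || hosts=managed
    printf "idsadmin -t -a '%s' --start-date %s --tune-no-review\n" "$hosts" "$when"
}

# Constructed sample values: one agent with two Containers, one without.
tune_command 20110401 "$(agent_spec hostA srp1 srp2)" "$(agent_spec 192.0.2.10)"
```

With no agent specs, tune_command falls back to managed, which matches the hosts the guide says are tuned when -a is omitted.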
After the alerts are analyzed, the results are compiled in a Tune Command Report. This report
contains a summary of the alerts generated and the suggested filters, if applicable. The first section
of this report contains a summary specifying the number of unique alerts, duplicate alerts, and the
names of the agents running the corresponding schedule.