HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
NOTE: If you have specified the --tune-no-review option with the tune command, this
report is not displayed. The tune command automatically modifies and deploys the schedule
without prompting for reviews.
The Tune Command Report contains the following additional sections:
• “Section Related to File Related Alerts.”
• “Section Related to Aggregated Alerts.”
• “Section Related to System Alerts.”
Section Related to File Related Alerts
The summary for file related alerts contains the following fields:
<Attacking Program> <Filter Type> <Attacked File> <Action> <User> <Severity> <Date> <Count>
[[File Filter]] [[Program Filter]] [[Filter Comment]] <Template Code>
Where:
• <Attacking Program> is the name of the program that generated the alert
• <Filter Type> is set to one of the following:
◦ “X” for exact match. This means that the filter is a regular expression that matches one
and only one file pathname.
◦ “R” for regular expression match. This means that regular expression wildcard characters
are used to match one or more file pathnames.
◦ “” (empty string) for no filter. This means that no filter will be generated for this alert.
• <Attacked File> is the absolute name of the file under attack.
• <Action> is the action (event) for which the alert was generated.
• <User> is the euid:egid:ruid:rgid of the user who generated the alert.
• <Severity> is the severity level of the alert. It can be 1 (critical), 2 (severe), or 3 (moderate).
• <Date> is the date when the <Action> triggered the alert.
• <Count> is the number of duplicate alerts of this type.
• [File Filter] is an optional filter generated for the pathname_X template property.
• [Program Filter] is an optional filter generated for the program_X template property.
• [Filter Comment] can be set to a comment explaining the choice of filter. If there is no filter, it
explains the reason for not having a filter.
• <Template Code> is for internal use and must not be modified.
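As an added example (not code from the guide or from HP-UX HIDS), the following Python parses lines in the file-related alert layout above and runs the checks a reviewer would want before letting tune deploy a generated filter: that the file filter is a valid regular expression, that it actually matches the attacked file, that an “X” filter is a literal match for one pathname, and that the euid and ruid in the <User> field agree. The guide does not state the report's delimiter on this page, so tab-separated fields, an empty string for an absent optional field, and the sample values are all assumptions of this example.

```python
import re

# Constructed sample lines in the file-related alert layout described above.
# This page does not state the report's delimiter: tab separation and an empty
# string for an absent optional field are assumptions of this added example.
SAMPLE_FILE_ALERTS = (
    "vi\tX\t/etc/passwd\tmodify\t0:3:105:20\t1\t04/01/11 10:15:02\t3"
    "\t^/etc/passwd$\t\tsingle file\tTC1\n"
    "httpd\tR\t/var/www/a.html\tmodify\t30:30:30:30\t3\t04/01/11 10:20:11\t12"
    "\t^/var/www/.*\\.html$\t\tweb content\tTC2\n"
    "sh\t\t/tmp/x\tcreate\t0:0:0:0\t2\t04/01/11 11:00:00\t1\t\t\tno filter\tTC3\n"
)
FIELDS = ("program", "filter_type", "attacked_file", "action", "user", "severity",
          "date", "count", "file_filter", "program_filter", "comment", "template_code")

def parse_file_alert(line: str) -> dict:
    """Split one summary line into a dict keyed by FIELDS; ids and counts become ints."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(fields)}")
    rec = dict(zip(FIELDS, fields))
    # <User> is euid:egid:ruid:rgid
    rec["euid"], rec["egid"], rec["ruid"], rec["rgid"] = map(int, rec["user"].split(":"))
    rec["severity"], rec["count"] = int(rec["severity"]), int(rec["count"])
    if rec["severity"] not in (1, 2, 3) or rec["filter_type"] not in ("X", "R", ""):
        raise ValueError(f"bad severity or filter type in {line!r}")
    return rec

def review_alert(rec: dict) -> list[str]:
    """Checks worth running on a generated filter before tune deploys it."""
    notes = []
    ftype, filt, path = rec["filter_type"], rec["file_filter"], rec["attacked_file"]
    if bool(ftype) != bool(filt):
        notes.append("filter type and file filter disagree (one is empty)")
    if ftype and filt:
        try:
            if not re.fullmatch(filt, path):
                notes.append("file filter does not match the attacked file")
        except re.error as err:
            notes.append(f"file filter is not a valid regex: {err}")
        # "X" must match one and only one pathname: the literal path, optionally anchored
        if ftype == "X" and filt.lstrip("^").rstrip("$") not in (path, re.escape(path)):
            notes.append("X filter is not a literal match for the attacked file")
    if rec["euid"] != rec["ruid"]:  # effective and real uid differ: setuid context
        notes.append(f"euid {rec['euid']} differs from ruid {rec['ruid']}")
    return notes

def review_report(text: str) -> dict[str, list[str]]:
    """Map '<program> <attacked file>' to review notes for each line of the section."""
    return {f"{r['program']} {r['attacked_file']}": review_alert(r)
            for r in map(parse_file_alert, text.splitlines())}
```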
Section Related to Aggregated Alerts
The summary for aggregated alerts contains the following fields:
<Ancestor> <Number of alerts> <user> <highest severity> <date> <count>
Where:
• <Ancestor> is the top-level program that caused the alert in a multi-process alert.
• <Number of alerts> is the number of alerts aggregated in the meta alert.
• <user> is the user who generated the alert.
• <highest severity> is the highest severity among all the alerts in the meta alert.
• <date> is the time when the first alert in the meta alert was generated.
• <count> is the number of occurrences of the same meta alert.
Tuning Schedules Using the idsadmin Command 173