HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
7. In the Select Times panel, choose the hour blocks in which the group should run.
This is a list, so you can use left-click to pick an hour, Shift-left-click to add in all intervening
hours, and Ctrl-left-click to add or remove individual hours. For more information, see “Selecting
with the Mouse” (page 92).
You can also use:
• All to select all 24 hours
• None to deselect all 24 hours
For example, you could select 01:00 - 04:59, 07:00 - 07:59, and 09:00 - 16:59.
8. As days and times are selected, the day-time matrix in the Schedule Summary panel is filled
in with the names of the active groups in each box. The matrix shows the sum of all the
timetables for all the groups in the selected surveillance schedule. Boxes with at least one
active group are colored green. The Schedule Summary panel is read-only.
NOTE: A schedule group cannot run on different hours on different days. To do this, copy the
group and schedule the identical groups to separate times and days.
Canceling Changes
The Cancel button allows you to delete all the changes you have made to group timetables. The
button is greyed out when there is nothing to cancel.
NOTE: If you switch to the Configure tab, the changes are set and the button is greyed out when
you return to the Timetable tab.
Saving a Surveillance Schedule
See “Saving a Surveillance Schedule” (page 56).
Configuring Alert Aggregation
Alert aggregation can reduce the overall number of alerts for better manageability, while maintaining
a detailed description of each potential intrusive activity.
Alert aggregation is a surveillance schedule feature that, when enabled, aggregates file related
alerts triggered by the same process or by multiple related processes. When a surveillance schedule
has alert aggregation enabled, thousands of file related real-time alerts triggered by a process or
group of related processes can be aggregated into a single aggregated alert. Alert aggregation
facilitates the administrator’s task of analyzing alerts by reducing the total number of alerts issued.
For example, without alert aggregation, an rm /etc/* command generates multiple real-time
alerts for deleting files that are specified as read-only by the Modification of files/directories
detection template. With alert aggregation enabled, a single aggregated alert is issued to capture
the deletion of all the files by the same process executing the rm command. Alert aggregation can
be configured to aggregate alerts triggered by a process running a specified program and by the
process's descendant processes (that is, child process, grandchild process, and so on). For example,
installing a bundle using the swinstall command can trigger many alerts by a process running
swagent in addition to the alerts triggered by swagent’s descendant processes. The swagent
descendant processes run commands in the control scripts associated with the bundle. This feature,
therefore, allows all alerts triggered by a single action (installing software) to be issued in a single
aggregated alert instead of being issued as potentially hundreds or thousands of real-time alerts
triggered by multiple processes. When alert aggregation is enabled, the following alerts are issued
Configuring Alert Aggregation 67
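The following is an added illustration of the aggregation logic described above; it is not HP-UX HIDS code. It assumes a constructed process table (pid, parent pid, program) and constructed real-time alerts, and folds every alert raised by a process running a configured program, or by that process's descendants, into one aggregated alert, leaving the rest as individual alerts.

```python
from collections import OrderedDict

# Constructed process table for the illustration (pid -> (ppid, program)).
# Not HIDS data; the real product derives lineage from its own audit data.
PROCESS_TABLE = {
    100: (1, "swagent"),   # agent started by swinstall
    101: (100, "sh"),      # control script run by swagent
    102: (101, "cp"),      # grandchild of swagent
    200: (1, "rm"),        # rm /etc/*
    300: (1, "vi"),        # unrelated editor session
}

# Constructed real-time alerts as (pid, path, action) tuples.
SAMPLE_ALERTS = [
    (100, "/etc/a.conf", "modify"), (100, "/etc/b.conf", "modify"),
    (101, "/etc/c.conf", "modify"), (102, "/usr/lib/x.so", "create"),
    (200, "/etc/d.conf", "delete"), (200, "/etc/e.conf", "delete"),
    (300, "/etc/f.conf", "modify"),
]

def aggregation_root(pid, process_table, programs, include_descendants):
    """Return the pid whose aggregated alert absorbs this alert, or None.

    With include_descendants, walk up the parent chain and keep the outermost
    ancestor running a configured program, so a swagent child and grandchild
    fold into the swagent alert; otherwise only the alerting pid itself counts.
    """
    root, cur, hops = None, pid, 0
    while cur in process_table and hops < 1000:  # hop limit guards a corrupt table
        ppid, prog = process_table[cur]
        if prog in programs:
            root = cur
        if not include_descendants:
            break
        cur, hops = ppid, hops + 1
    return root

def aggregate_alerts(alerts, process_table, programs, include_descendants=True):
    """Split alerts into aggregated alerts (one per root) and individual alerts."""
    aggregated, individual = OrderedDict(), []
    for pid, path, action in alerts:
        root = aggregation_root(pid, process_table, programs, include_descendants)
        if root is None:
            individual.append((pid, path, action))
            continue
        entry = aggregated.setdefault(root, {"root_pid": root, "program": process_table[root][1],
                                             "pids": set(), "files": []})
        entry["pids"].add(pid)          # every process that contributed
        entry["files"].append((path, action))  # full detail is kept, not discarded
    return list(aggregated.values()), individual
```

Run with `{"swagent", "rm"}` as the configured programs: the seven alerts become two aggregated alerts (swagent with its sh and cp descendants, and rm) plus one individual vi alert.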