HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

UNIX Regular Expressions
UNIX regular expressions are supported to specify template directory and file properties.
Template properties that specify path names (for example, pathnames_to_watch,
pathnames_to_not_watch, pathnames_X, programs_X) are interpreted as UNIX regular
expressions. For a description of regular expressions and pattern matching notations, see
regexp(5). To match a specific file, use the anchor characters ^ and $ (for example, ^/etc/passwd$).
To match any file in a particular directory, use the ^ anchor character and a trailing backslash
(for example, ^/stand/).
NOTE: You must correctly specify path names using regular expressions. For instance, if the
regular expression /var/t.* is changed to /var/t*, then the new regular expression matches
any path name that contains the substring /var/, because the * operator matches 0 or more
occurrences of the t character. Similarly, if the regular expression ^/opt/ is changed to /opt,
the new regular expression is significantly different and much more encompassing. The regular
expression /opt matches any path name that contains the /opt substring, including those path
names that do not start with /opt, such as /dir1/opt2/file1.
The following examples illustrate the UNIX regular expressions:
The regular expression /home matches any file that contains /home in its path name, such
as /dir1/home, /dir1/hometown, /dir1/home2, and /home2/file1.
The regular expression ^/home matches any file with a path name that starts with /home,
such as /hometown, /home/file1, and /home2/file2.
The regular expression ^/home/ matches any file under the /home directory, such as
/home/file1 and /home/dir1/file2.
The regular expression ^/home$ exactly matches the /home directory or file.
The regular expression /.rhosts matches any file on the system that contains a slash followed
by any character that is then followed by rhosts, such as /dir1/arhosts, /1rhosts,
/.rhosts, and /home/<user>/.rhosts.
The regular expression /\.rhosts$ matches any .rhosts file on the system, such as
/.rhosts and /home/<user>/.rhosts. Using the backslash character escapes the special
dot (.) character.
The regular expression ^/\.rhosts$ exactly matches the .rhosts file in the root directory.
The regular expression ^/home/[^/]*/\.rhosts$ matches all the /.rhosts files in the
home directories.
NOTE: The special pattern-matching scheme in previous versions of HIDS is no longer supported.
When you attempt to match the pipe (|), ampersand (&), or comma (,) characters in a regular
expression, you must escape those special characters using a backslash (\) character, because
these three characters also have special meaning: they are used as delimiters by the parser of the
template property syntax. For example, a path name of a\|b has the backslash removed by the
template property parser before being passed as a regular expression to the regular expression
parser (for example, as a|b). To match a path name that contains one of these three characters,
you must escape the backslash and the special character itself. For example, a\\\|b passes to
the regular expression parser as a\|b. When including a bracket expression (for example,
[a-z,A-Z,0-9]) in a regular expression, any commas in the bracket expression must be escaped.
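The following is an added example, not part of the HP guide: it checks which paths a candidate pattern selects, so a missing anchor or a dropped dot shows up before the pattern goes into pathnames_to_watch or pathnames_to_not_watch, and it models the backslash removal described in the note above. Python's re module stands in for regexp(5); the function names, the sample paths, and the to_regex unescaping rule (inferred from the a\|b and a\\\|b examples) are assumptions.

```python
import re

# Constructed sample paths; several are taken from the guide's own examples.
SAMPLE_PATHS = [
    "/home", "/home/file1", "/hometown", "/home2/file2", "/dir1/home",
    "/.rhosts", "/1rhosts", "/dir1/arhosts",
    "/home/alice/.rhosts", "/home/alice/sub/.rhosts",
    "/opt/app/bin", "/dir1/opt2/file1", "/var/tmp/x", "/var/log/syslog",
]

def matched(pattern, paths=SAMPLE_PATHS):
    """Paths the pattern selects. search() gives the unanchored, substring
    matching the guide describes; Python's re stands in for regexp(5)."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]

def overmatch(pattern, intended, paths=SAMPLE_PATHS):
    """Paths the pattern selects that the administrator did not intend."""
    return sorted(set(matched(pattern, paths)) - set(intended))

def to_regex(template_value):
    # ASSUMED model of the template property parser, inferred from the guide's
    # a\|b and a\\\|b examples: a backslash in front of \, |, & or , is
    # consumed; everything else reaches the regex parser unchanged.
    out, i = [], 0
    while i < len(template_value):
        pair = template_value[i:i + 2]
        if len(pair) == 2 and pair[0] == "\\" and pair[1] in "\\|&,":
            out.append(pair[1])
            i += 2
        else:
            out.append(pair[0])
            i += 1
    return "".join(out)

if __name__ == "__main__":
    for pat, want in [("/opt", ["/opt/app/bin"]), ("^/opt/", ["/opt/app/bin"]),
                      ("/var/t*", ["/var/tmp/x"]), ("/var/t.*", ["/var/tmp/x"])]:
        print(f"{pat!r:12} unintended matches: {overmatch(pat, want)}")
    for value in [r"a\|b", r"a\\\|b", r"[a-z\,A-Z\,0-9]"]:
        print(f"template {value!r} -> regex {to_regex(value)!r}")
```

Under this model, a\|b reaches the regular expression parser as the alternation a|b and therefore also selects a path that contains only a, while a\\\|b selects only paths containing the literal string a|b.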
Limitations
This section describes the general limitations of the templates. Template specific limitations are
discussed in the respective template sections.
Following are some general limitations:
No file monitoring templates can filter alerts based on whether a file is local or remote (NFS).
File monitoring templates, by design, do not detect whether the contents of a file were modified.