HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)
• File-related templates can generate alerts that contain a relative path name instead of the
file's full path name. Specifying relative path names in template properties to filter these alerts
is not safe, because a relative path name can correspond to more than one file.
• A template that has the pathnames_to_watch property does not monitor changes made to a file
through a hard link, unless the full path name of the hard link is itself specified in the property.
However, the creation of hard links to monitored files is monitored. Similarly, for the
pathnames_to_not_watch property, modifications made to a file through a hard link are not
ignored unless the full path name of the hard link is specified in the property.
• File monitoring templates do not monitor changes to files through symbolic links. Hence, you
must not specify full path names of symbolic links in the pathnames_to_watch and
pathnames_to_not_watch properties, unless the modification of the symbolic link itself
must be monitored.
• Alerts that specify an unknown program occur when the following three conditions are met:
◦ The program is started before the HIDS surveillance schedule is started.
◦ The process terminates immediately after it performs an action that causes an alert.
◦ HIDS generates the alert after the process terminates.
• Alerts that specify an unknown program occur when the following two conditions are met:
◦ The IDDS_MODE_NONBLOCK flag is set in IDDS_MODE in the ids.cf configuration file
(that is, IDDS_MODE is set to 3, the default value).
◦ IDDS is dropping audit records because of a heavy system load.
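The hard-link and symbolic-link limitations above mean that a single pathnames_to_watch entry
does not necessarily cover every name through which a file can be modified. The following shell
script, added here as an example and not part of the HIDS product or of this guide, enumerates
those names before you write the property: every hard link to a file on the same filesystem (each
of which needs its own full path name in the property) and, for a symbolic link, the target that
must be listed instead of the link. It assumes that find(1) supports -inum (HP-UX, GNU and BSD
find do; POSIX does not require it) and that ls -i prints the inode number first; the function
names and the two-argument calling convention are this example's own.

```sh
#!/bin/sh
# Added example, not from the HP-UX HIDS guide: list the names that must be
# present in pathnames_to_watch so that a modification through any existing
# name of a file is seen. Assumes find -inum and ls -i (see lead-in above).

# hids_link_names FILE SEARCHROOT
# Print every path under SEARCHROOT, on the same filesystem as SEARCHROOT,
# that is a hard link to FILE (FILE itself included).
hids_link_names() {
    ino=$(ls -di "$1" | awk '{ print $1 }')
    [ -n "$ino" ] || return 1
    find "$2" -xdev -type f -inum "$ino" 2>/dev/null | sort
}

# hids_symlink_target FILE
# If FILE is a symbolic link, print its target (HIDS does not monitor changes
# made through the link) and return 0; otherwise print nothing and return 1.
hids_symlink_target() {
    [ -L "$1" ] || return 1
    ls -ld "$1" | sed 's/.* -> //'
}

# hids_watch_candidates FILE SEARCHROOT
# Resolve a symbolic link to its target (relative targets are taken relative
# to the link's directory), then print the full path names of all hard links
# to the resulting file. Each printed name is a candidate for the property.
hids_watch_candidates() {
    f=$1
    if t=$(hids_symlink_target "$f"); then
        case $t in
            /*) f=$t ;;
            *)  d=$(cd "$(dirname "$f")" && cd "$(dirname "$t")" && pwd -P) || return 1
                f=$d/$(basename "$t") ;;
        esac
    fi
    hids_link_names "$f" "$2"
}

# Command-line use: hids_watch_candidates FILE SEARCHROOT
if [ $# -eq 2 ]; then
    hids_watch_candidates "$1" "$2"
fi
```

Run it with the file you intend to list and the mount point of the filesystem that holds it, for
example the root filesystem for a file under /etc; each printed name is one entry to add, and a
path that prints nothing but the file itself has no other hard links to worry about.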
Template Property Types
A template property has one of the following types:
• Type I: Path Names to [Not] Monitor
• Type II: Path Names/Programs Pairs
• Type III: User Names/UIDs
• Type IV: User Name/UID Pairs
• Type V: Network Triplets
• Type VI: Time Strings
• Type VII: Flags
• Type VIII: Scalars
• Type IX: Path Names / Integer Pairs
• Type X: String Patterns
• Type XI: String
Type I: Path Names to [Not] Monitor
The pathnames_to_watch and pathnames_to_not_watch template properties are of Type
I. Type I is a list of regular expressions that are separated by the pipe (|) character. A file or
directory is [not] monitored if its full path name matches a regular expression in the
pathnames_to_[not]_watch template property.
NOTE: If a file or directory path name matches a regular expression in both the
pathnames_to_watch and pathnames_to_not_watch property, then the file or the directory
is not monitored.
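The following shell script, added here as an example and not part of the HIDS product or of this
guide, evaluates a Type I property pair the way the text describes it: the pipe-separated list is
matched against the full path name, pathnames_to_not_watch takes precedence when both lists match,
and a relative path name is rejected outright, because the guide warns that it can refer to more
than one file. It assumes that the HIDS regular expressions can be evaluated as POSIX extended
regular expressions (grep -E) and that a match means the whole path name matches; the function
names and the sample property values are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the HP-UX HIDS guide: decide whether a full path
# name is monitored under a given pathnames_to_watch / pathnames_to_not_watch
# pair. Assumes POSIX ERE semantics and whole-path matching (see lead-in).

# hids_re_match PATH LIST
# LIST is a Type I value: regular expressions separated by the pipe character.
# Because "|" is also ERE alternation, the whole list can be anchored and
# handed to grep -E as a single expression. An empty list matches nothing.
hids_re_match() {
    [ -n "$2" ] || return 1
    printf '%s\n' "$1" | grep -Eq "^($2)\$"
}

# hids_type1_monitored PATH WATCH NOT_WATCH
# Prints "monitored" or "not monitored" and returns 0 or 1 accordingly.
# A name that is not a full path name is rejected with return code 2.
hids_type1_monitored() {
    case $1 in
        /*) ;;
        *)  echo "error: '$1' is not a full path name" >&2; return 2 ;;
    esac
    # pathnames_to_not_watch wins when a path matches both properties.
    if hids_re_match "$1" "$3"; then
        echo "not monitored"; return 1
    fi
    if hids_re_match "$1" "$2"; then
        echo "monitored"; return 0
    fi
    echo "not monitored"; return 1
}

# Constructed sample values: watch the /etc and /usr/bin trees, except
# /etc/mnttab and everything under /etc/opt/resmon.
WATCH='/etc/.*|/usr/bin/.*'
NOT_WATCH='/etc/mnttab|/etc/opt/resmon/.*'

# Command-line use: ./hids_type1.sh --demo
if [ "${1:-}" = "--demo" ]; then
    for p in /etc/passwd /etc/mnttab /etc/opt/resmon/lib/x /usr/bin/ls \
             /var/adm/wtmp ../etc/passwd; do
        printf '%-28s ' "$p"
        hids_type1_monitored "$p" "$WATCH" "$NOT_WATCH" || true
    done
fi
```

Note that an unescaped dot in an entry such as /etc/mnttab matches any character in that position;
if the real HIDS matcher behaves the same way, escape the dots in literal file names (/etc/mnttab
is harmless here, but a pattern like /etc/pam.conf would also match /etc/pamXconf).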
106 Templates and Alerts