HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)
The following line in the template configuration file defines a property called
pathnames_to_not_watch, so that the /var/log/cron and /etc/passwd files are not
monitored for alerts:
pathnames_to_not_watch | ^/var/log/cron$ | ^/etc/passwd$
NOTE: When specifying the template property value in the Schedule Manager window, enter
only the template property value ^/var/log/cron$ ^/etc/passwd$. Do not enter the
property name and the first pipe character.
When specifying values for this property, be aware of path names that contain symbolic links. For
example, to monitor the csh executable, specify the complete path name /usr/bin/csh, assuming
that /bin is a symbolic link to /usr/bin. HIDS attempts to match using fully resolved path names.
Use the regular expression anchor characters ^ and $ to denote the start and end of the file path
name.
The following line defines a property named pathnames_to_watch that specifies monitoring
all files or directories whose path name begins with the /var/t substring, or whose path name
starts with the /opt string:
pathnames_to_watch | /var/t.* | ^/opt
For examples of regular expressions, see “UNIX Regular Expressions” (page 105).
Type II: Path Names/Programs Pairs
These property types enable users to specify combinations of file path names and program path
names. Alerts that are normally generated for files specified in the pathnames_to_watch property
are suppressed when the files are modified by programs specified by this property type.
Path names and programs are specified as regular expressions the same way as
pathnames_to_[not]_watch properties are specified. See the default property settings for the
kernel templates for examples of path names and program pair specifications.
Path names and program properties come in pairs. There can be n > 0 pairs in a configuration
file. For each member of a pair, its property values consist of a set of m > 0 lists. For the path
name member of a pair, each property value consists of a list of p > 0 regular expressions separated
by ampersand (&) characters. For the corresponding program member of a pair, each property
value is a list of q > 0 regular expressions. In general, p is not equal to q. Following
is an example of a valid property pair:
pathnames_1 | f1 & f2 | f3 & f4 & f5 | f6
programs_1 | p1 & p2 & p3 | p3 & p4 | p5
With these two lines, an alert is not generated for file f1 if the event was triggered by any of the
p1, p2, or p3 programs. Similarly, f2 is not monitored if the event was triggered by p1, p2, or
p3. Analogously, an alert is suppressed for f3, f4, and f5 if the alert is triggered by program
p3 or p4.
NOTE: The pathnames_0/programs_0 pair is a special case in which alerts for files specified
in pathnames_0 are not generated when the corresponding programs in programs_0 or in any
of the program’s child processes or grandchild processes trigger the alert. For example, for the
Modification of Files/Directories template, if pathnames_0 contains ^/opt/ to specify the /opt
directory and programs_0 contains /usr/sbin/swinstall, then alerts normally generated
for modifications to files under /opt are suppressed when the files are modified by either
swinstall, any of its child processes (such as control scripts), or grandchild processes (such as
commands invoked in a control script).
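To make the list pairing rule and the pathnames_0 ancestry rule concrete, here is an added Python example; it is not HIDS code and does not reproduce HP's default templates. The property lines, program paths and the ancestor list passed in are constructed assumptions, and the process tree lookup that would supply the ancestors is left to the caller.

```python
import re

# Constructed fragment of a Modification of Files/Directories template, in the
# "property | list | list" syntax; the values are assumptions, not HP defaults.
TEMPLATE = [
    "pathnames_0 | ^/opt/",
    "programs_0 | ^/usr/sbin/swinstall$",
    "pathnames_1 | ^/etc/hosts$ & ^/etc/resolv\\.conf$ | ^/var/tmp/",
    "programs_1 | ^/usr/sbin/set_parms$ & ^/usr/bin/vi$ | ^/usr/bin/rm$",
]

def parse_property(line):
    """Split 'name | list | list ...' into (name, [[regex, ...], ...]).
    Pipes separate the lists; ampersands separate regexes within a list."""
    name, *lists = (field.strip() for field in line.split("|"))
    return name, [[rx.strip() for rx in lst.split("&")] for lst in lists]

def load_pairs(lines):
    """Group pathnames_N and programs_N properties into numbered pairs."""
    pairs = {}
    for line in lines:
        name, lists = parse_property(line)
        kind, idx = name.rsplit("_", 1)
        pairs.setdefault(idx, {})[kind] = lists
    return pairs

def any_match(regexes, text):
    # HIDS matches against fully resolved path names; callers must resolve first.
    return any(re.search(rx, text) for rx in regexes)

def alert_suppressed(pairs, path, program, ancestors=()):
    """True when the alert for `path` modified by `program` is suppressed.
    The i-th list of pathnames_N is paired with the i-th list of programs_N.
    Only for pair 0 are the parent/grandchild-chain programs (`ancestors`,
    assumed to be supplied from the process tree) matched as well."""
    for idx, pair in pairs.items():
        candidates = [program] + (list(ancestors) if idx == "0" else [])
        path_lists = pair.get("pathnames", [])
        prog_lists = pair.get("programs", [])
        for path_list, prog_list in zip(path_lists, prog_lists):
            if any_match(path_list, path) and any(
                any_match(prog_list, c) for c in candidates
            ):
                return True
    return False
```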
• The following set of two lines:
pathnames_1 | f1 & f2
programs_1 | p1 & p2 & p3
is equivalent to the following set of four lines:
pathnames_1 | f1
programs_1 | p1 & p2 & p3
Template Property Types 107