HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)
Table 19 File/Directories Template Properties (continued)

Name                    Type  Default Value
----                    ----  -------------
pathnames_to_watch      I     (continued from the previous page)
                              ^/etc/shells$ | ^/etc/zprofile$ | ^/etc/nsswitch\.conf$ |
                              ^/etc/pam\.conf$ | ^/etc/profile$ | ^/etc/acps\.conf$ |
                              ^/etc/default/security$ | ^/etc/security\.dsc$ |
                              ^/etc/opt/ids/ | ^/opt/ | ^/var/opt/ids/ | ^/opt/ids/ |
                              ^/sbin/init\.d/idsagent$
pathnames_to_not_watch  I     <empty>
pathnames_0             II    <empty>
programs_0              II    <empty>
pathnames_1             II    ^/etc/mnttab$ & ^/etc/fstab$ | ^/dev/vg[0-9]*/
programs_1              II    ^/usr/bin/nfsstat$ & ^/usr/sbin/syncer$ & ^/sbin/mount$ &
                              ^/sbin/umount$ & ^/sbin/fs/.*/mount$ &
                              ^/opt/cifsclient/bin/cifsmount$ & ^/sbin/fs/.*/umount$ &
                              ^/opt/cifsclient/bin/cifsumount$ & ^/usr/bin/df$ &
                              ^/usr/bin/bdf$ | ^/sbin/.*display$
pathnames_X             II    <empty>
programs_X              II    <empty>
Properties
The configurable properties are described briefly below:

pathnames_to_watch
    Path names of files to be monitored for modification.

pathnames_to_not_watch
    Path names of files whose modification can be safely ignored, regardless of
    which program modifies them.

pathnames_X, programs_X
    Use these property pairs to filter out the alerts generated when a particular
    program modifies a particular file. See "Type II: Path Names/Programs Pairs"
    (page 107) for a detailed description of these property pairs.
Alerts generated by this template
File Being Modified
Table A-10 lists the alert properties this template generates and forwards to a response program
when a file is modified.
Table 20 File Being Modified Alert Properties

Template code
    Alert value/format:         2
    Type:                       Integer
    Description:                Unique code assigned to template
    Response program argument:  argv[1]

Version
    Alert value/format:         <version>
    Type:                       Integer
    Description:                Template version
    Response program argument:  argv[2]

Severity
    Alert value/format:         2 if file is truncated, potentially truncated,
                                deleted, or renamed. 3 if file's mode or ownership
                                is modified, if file is created, or if file is
                                opened for writing or appending.
    Type:                       Integer
    Description:                Alert severity
    Response program argument:  argv[3]

UTC time
    Alert value/format:         <secs>
    Type:                       Integer
    Description:                UTC time in number of seconds since the epoch
                                when file was modified
    Response program argument:  argv[4]
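The following Python is an added example, not code from the HIDS product or this guide. It shows the two things an administrator works with on this page: how a '|'-separated Type I property value such as pathnames_to_watch is evaluated against a path (so you can check which entry covers a given file before tuning it), and how a response program decodes argv[1] through argv[4] as laid out in Table 20. The pattern excerpt is transcribed from Table 19; the Type II '&' pair syntax (page 107) is not handled, and the argv values are constructed.

```python
import re
from datetime import datetime, timezone

# Excerpt of the default pathnames_to_watch value from Table 19 (transcribed
# from the lines visible on this page; the full default continues elsewhere).
WATCH_EXCERPT = (
    r"^/etc/shells$ | ^/etc/zprofile$ | ^/etc/nsswitch\.conf$ | "
    r"^/etc/pam\.conf$ | ^/etc/profile$ | ^/etc/acps\.conf$ | "
    r"^/etc/default/security$ | ^/etc/security\.dsc$ | "
    r"^/etc/opt/ids/ | ^/opt/ | ^/var/opt/ids/ | ^/opt/ids/ | "
    r"^/sbin/init\.d/idsagent$"
)

# Severity codes as documented in Table 20.
SEVERITY_MEANING = {
    2: "file truncated, potentially truncated, deleted, or renamed",
    3: "mode/ownership changed, file created, or opened for writing/appending",
}

def compile_pattern_list(value):
    """Split a '|'-separated Type I property value into anchored regexes.
    Entries without a trailing '$' (e.g. ^/opt/) cover everything below
    that directory; keeping them separate lets us report which one matched."""
    return [re.compile(p.strip()) for p in value.split("|") if p.strip()]

def matching_entry(path, patterns):
    """Return the entry that covers `path`, or None if no entry matches."""
    for pat in patterns:
        if pat.search(path):
            return pat.pattern
    return None

def parse_alert(argv):
    """Decode argv[1..4] exactly as a response program receives them."""
    if len(argv) < 5:
        raise ValueError("expected template code, version, severity, UTC time")
    code, version, severity, utc = (int(x) for x in argv[1:5])
    if code != 2:
        raise ValueError(f"not a File/Directories alert (template code {code})")
    if severity not in SEVERITY_MEANING:
        raise ValueError(f"unexpected severity {severity}")
    return {
        "template_code": code,
        "version": version,
        "severity": severity,
        "meaning": SEVERITY_MEANING[severity],
        "utc_time": datetime.fromtimestamp(utc, tz=timezone.utc).isoformat(),
    }
```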