HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

Surveillance Schedule Text File
The surveillance schedule text file has two main sections:
Surveillance Schedule Section: A section that defines global properties of a schedule that are
not specific to any Surveillance Group or Template. There can only be one Surveillance
Schedule section in a surveillance schedule text file.
Surveillance Group Section: A subsection of the Surveillance Schedule section that defines
properties for a Surveillance Group. There can be one or more Surveillance Group sections
in a Surveillance Schedule section.
NOTE: Template information for the various groups is located in the group files in /etc/opt/ids/schedules/groups.
WARNING! Schedule text files found on agent hosts in /var/opt/ids/schedule must not be copied into /etc/opt/ids/schedules on the admin host. The schedule file in /var/opt/ids/schedule is expanded to contain the template properties, while the schedule files in /etc/opt/ids/schedules on the admin host are not, and the idsadmin command and the GUI cannot parse a schedule that is in expanded form.
Surveillance Schedule Section
This section contains the following keywords and syntax:
SCHEDULE <schedule name>
GLOBALS <Schedule Global Properties>
ENDGLOBALS
[SRP]
[NAME <SRP name>]
NAME <Surveillance Group Subsection>
NAME <Surveillance Group Subsection>...
[ENDSRP]
ENDSCHEDULE
The SCHEDULE and ENDSCHEDULE keywords mark the beginning and end of an HIDS text schedule. The name following the SCHEDULE keyword is the name of the schedule that the agent reports to the System Manager while it is running. The schedule name must consist of an alphanumeric character followed by one or more alphanumeric characters, underscores (_), or hyphens (-). The section contains a global properties subsection, bracketed by the GLOBALS and ENDGLOBALS keywords, and one or more Surveillance Group subsections.
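The following is an added example, not code from the HIDS product or this guide: a small Python validator for the schedule text file structure described above. It enforces the SCHEDULE/ENDSCHEDULE framing, a single GLOBALS/ENDGLOBALS subsection, the optional SRP/ENDSRP block, at least one NAME entry, the schedule name rule, and the 0/1 values of the aggregation and rt_alerts flags. It assumes that each global property is written as one `<property> <value>` line; the guide's exact per-type value syntax is documented elsewhere in the manual, so aggr_tuples is stored as an unparsed string. The sample schedules are constructed for the example.

```python
import re

# Schedule name rule from the guide: one alphanumeric character followed by
# one or more alphanumeric characters, underscores or hyphens.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]+$")
FLAG_PROPERTIES = ("aggregation", "rt_alerts")        # value must be "0" or "1"
KNOWN_PROPERTIES = FLAG_PROPERTIES + ("aggr_tuples",)  # aggr_tuples kept as raw text


class ScheduleError(ValueError):
    """Raised with the offending line number when the file is malformed."""


def _fail(lineno, msg):
    raise ScheduleError(f"line {lineno}: {msg}")


def parse_schedule(text):
    """Parse one schedule text file (assumed '<keyword> <value>' lines).

    Returns {"name", "globals", "groups", "srp"}: "groups" lists every NAME
    entry, "srp" is None or the NAME entries seen inside SRP/ENDSRP (the
    keyword syntax alone does not distinguish an SRP name from a group name,
    so the caller decides whether the first SRP entry is the SRP name).
    """
    sched = None
    state = "start"          # start -> body -> (globals | srp) -> body -> done
    saw_globals = False

    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split(None, 1)
        if not parts:
            continue                      # blank line
        kw = parts[0]
        arg = parts[1].strip() if len(parts) > 1 else ""

        if state == "start":
            if kw != "SCHEDULE":
                _fail(lineno, "file must begin with SCHEDULE <name>")
            if not NAME_RE.match(arg):
                _fail(lineno, f"invalid schedule name {arg!r}")
            sched = {"name": arg, "globals": {}, "groups": [], "srp": None}
            state = "body"
        elif state == "done":
            _fail(lineno, "unexpected text after ENDSCHEDULE")
        elif state == "globals":
            if kw == "ENDGLOBALS":
                state = "body"
            elif kw not in KNOWN_PROPERTIES:
                _fail(lineno, f"unknown global property {kw!r}")
            elif kw in FLAG_PROPERTIES and arg not in ("0", "1"):
                _fail(lineno, f"{kw} must be 0 or 1, got {arg!r}")
            else:
                sched["globals"][kw] = arg
        elif kw == "GLOBALS":
            if saw_globals or state != "body":
                _fail(lineno, "GLOBALS must appear exactly once, directly under SCHEDULE")
            saw_globals, state = True, "globals"
        elif kw == "NAME":
            if not saw_globals:
                _fail(lineno, "NAME entries must follow the GLOBALS section")
            if not arg:
                _fail(lineno, "NAME requires a value")
            sched["groups"].append(arg)
            if state == "srp":
                sched["srp"].append(arg)
        elif kw == "SRP":
            if not saw_globals or state != "body" or sched["srp"] is not None:
                _fail(lineno, "SRP may appear once, after GLOBALS")
            sched["srp"], state = [], "srp"
        elif kw == "ENDSRP":
            if state != "srp":
                _fail(lineno, "ENDSRP without matching SRP")
            state = "body"
        elif kw == "ENDSCHEDULE":
            if state != "body":
                _fail(lineno, "ENDSCHEDULE inside an unterminated GLOBALS or SRP block")
            if not saw_globals:
                _fail(lineno, "schedule has no GLOBALS section")
            if not sched["groups"]:
                _fail(lineno, "schedule has no Surveillance Group (NAME) entries")
            state = "done"
        else:
            _fail(lineno, f"unexpected keyword {kw!r}")

    if state != "done":
        raise ScheduleError("missing ENDSCHEDULE")
    return sched


def rejects(text):
    """True if parse_schedule refuses the text (used to check error paths)."""
    try:
        parse_schedule(text)
    except ScheduleError:
        return True
    return False


# Constructed sample schedules (not from the guide).
EXAMPLE_SCHEDULE = """\
SCHEDULE nightly-watch
GLOBALS
aggregation 1
rt_alerts 0
ENDGLOBALS
NAME group1
NAME group2
ENDSCHEDULE
"""

SRP_SCHEDULE = """\
SCHEDULE srp-sched
GLOBALS
aggregation 0
rt_alerts 0
ENDGLOBALS
SRP
NAME srp1
NAME group3
ENDSRP
ENDSCHEDULE
"""

if __name__ == "__main__":
    print(parse_schedule(EXAMPLE_SCHEDULE))
    print(parse_schedule(SRP_SCHEDULE))
```

Because every keyword outside the documented set is rejected with its line number, running a candidate file through the validator before placing it in /etc/opt/ids/schedules is a cheap way to catch a file that is not in the plain (unexpanded) form the admin-host tools expect.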
The following global properties are defined within the GLOBALS and ENDGLOBALS keywords:
aggregation: A flag that enables or disables alert aggregation. The value is specified using the syntax described in ??? and is equivalent to the Schedule Manager Alert Aggregation check box described in ???. A value of "1" corresponds to the Alert Aggregation box being selected in the GUI Schedule Manager; a value of "0" corresponds to the box being cleared.
rt_alerts: A flag that enables or disables the generation of real-time alerts while alert aggregation is enabled. The value is specified using the syntax described in ??? and is equivalent to the Schedule Manager Real Time Alerts check box described in ???. A value of "1" corresponds to the Real Time Alerts box being checked; a value of "0" corresponds to the box being unchecked.
aggr_tuples: A set of alert aggregation tuples. Each tuple aggregates alerts triggered by a process running a specified program with the alerts triggered by that process's descendant processes. The tuple values are specified using the syntax described in “Type IX: Path Names / Integer Pairs” (page 110), and each tuple is