NOTE

Templates and Alerts

Template Property Types

Template Property Types

A template property has one of the following types:

Type I: Pathnames to [Not] Monitor

Type II: Pathnames/Programs Pairs

Type III: UIDs

Type IV: UID Pairs

Type V: Network Triplets

Type VI: Time Strings

Type VII: Flags

Type VIII: Scalars

See “Template Configuration Syntax” on page 178 for a description of the syntax used to specify values of the various template types.

Type I: Pathnames to [Not] Monitor

The template properties pathnames_to_watch and pathnames_to_not_watch are of this type. This type is a list of n (with n>0) regular expressions that are separated by the pipe () character. A file or directory is [not] monitored if its full pathname matches a regular expession in the pathnames_to_[not]_watch template property. If a file’s or directory’s pathname matches a regular expression in both the pathnames_to_watch and pathnames_to_not_watch property, then the file or directory is not monitored.

The following line in the template configuration file defines a property called pathnames_to_not_watch such that files /var/log/cron and /etc/passwd will not be monitored for alerts:

pathnames_to_not_watch ^/var/log/cron$ ^/etc/passwd$

When entering the template property value in the Schedule Manager Window, only the template property value ^/var/log/cron$ ^/etc/passwd$ should be entered (i.e., do not enter the property name and the first pipe character).

Note the use of the regular expression anchor characters ^ and $ to denote an exact file pathname.

The following line defines a property named pathnames_to_watch that specifies that all files or directories with pathnames that contain the /var/t substring or start with the /opt string are monitored:

pathnames_to_watch /var/t.* ^/opt

See “UNIX Regular Expressions” on page 126 for a discusson and examples of regular expressions.

Appendix A

129

Page 141
Image 141
HP Host Intrusion Detection System (HIDS) manual Template Property Types, Type I Pathnames to Not Monitor