HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide: HP-UX 11i v1, HP-UX 11i v2 and HP-UX 11i v3 > Appendix A Templates and Alerts

Limitations


This section describes the general limitations of the templates. Template specific limitations are discussed in the respective template sections.

Following are some general limitations:

  • File monitoring templates cannot filter alerts based on whether a file is local or remote (NFS).

  • File monitoring templates, by design, do not detect whether the contents of a file were modified.

  • File-related templates can generate alerts with file relative path names, instead of file full path names. Specifying relative path names in template properties to filter these alerts is not safe, because a relative path name can correspond to more than one file.

  • A template that has the pathnames_to_watch property does not monitor changes to a file from a hard link, unless the full path name of the hard link is specified in the property. However, the creation of hard links to files is monitored. Similarly, for the pathnames_to_not_watch property, modifications to a file from a hard link are not ignored unless the full path name of the hard link is specified in the property.

  • File monitoring templates do not monitor changes to files through symbolic links. Hence, you must not specify full path names of symbolic links in the pathnames_to_watch and pathnames_to_not_watch properties, unless the modification of the symbolic link itself must be monitored.

  • Alerts that specify an unknown program occur when the following three conditions are met:

    • The program is started before the HIDS surveillance schedule is started.

    • The process terminates immediately after it performs an action that causes an alert.

    • HIDS generates the alert after the process terminates.

  • Alerts that specify an unknown program occur when the following two conditions are met:

    • The IDDS_MODE_NONBLOCK flag is set in IDDS_MODE in the ids.cf configuration file (that is, IDDS_MODE is set to 3, the default value).

    • IDDS is dropping audit records because of a heavy system load.
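To review a candidate pathnames_to_watch list against the path-related limitations above (relative paths, symbolic links, and hard links the template will not cover), the following Python script is an added example and is not part of HP's documentation or the HIDS product; the function names and the constructed temporary directory tree are assumptions, and it only looks for additional hard links under a search directory you name.

```python
import os
import tempfile
from pathlib import Path

def find_hard_links(target, search_root):
    """Other directory entries under search_root that share target's inode
    (same device and inode number), i.e. hard links HIDS would not cover."""
    st = target.stat()
    links = []
    for root, _dirs, files in os.walk(search_root):
        for name in files:
            p = Path(root) / name
            try:
                s = p.lstat()  # lstat: do not follow symbolic links
            except OSError:
                continue
            if s.st_dev == st.st_dev and s.st_ino == st.st_ino and p != target:
                links.append(str(p))
    return sorted(links)

def audit_watch_paths(paths, search_root):
    """Map each candidate pathnames_to_watch entry to the problems implied by
    the limitations above (an empty list means none was found)."""
    findings = {}
    for raw in paths:
        p = Path(raw)
        issues = []
        if not p.is_absolute():
            issues.append("relative path: may correspond to more than one file")
        elif p.is_symlink():
            issues.append("symbolic link: modifications through it are not monitored")
        elif p.is_file() and p.stat().st_nlink > 1:
            others = find_hard_links(p, Path(search_root))
            issues.append("hard links not covered: " + ", ".join(others))
        findings[raw] = issues
    return findings

def demo():
    """Constructed sample tree: a regular file, a hard link to it, a symlink to it."""
    root = Path(tempfile.mkdtemp())
    target = root / "rc.conf"
    target.write_text("sample\n")
    os.link(target, root / "rc.conf.hardlink")
    os.symlink(target, root / "rc.conf.symlink")
    return audit_watch_paths(
        [str(target), str(root / "rc.conf.symlink"), "etc/rc.conf"], root)

if __name__ == "__main__":
    for path, issues in demo().items():
        print(path, "->", issues or ["ok"])
```

Entries flagged with uncovered hard links should have those link paths added to the property as well, since HIDS matches on the full path name written there.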
