IDS9000 - idsagent: an error occurred parsing the schedule

ejac — Tue, 08 Apr 2008 08:34:07 GMT

Hi all,
I am having problems with activating Survellance schedule in IDS9000. After renewing certificates i know get a parsing error. I have tried to do the renewing process again but without success. I have also searched the se forums but nothing have helped. I have checked with swlist -l fileset -a state to see if IDS is installed properly. Appreciate any help. Thanks

Error messages:
- idsagent: an error occurred parsing the
schedule
- idsagent: Surveillance Schedule does not contain any surveillance group periods
- syntax error on line 10 of schedule file /var/opt/ids/: error:syntax error

My schedule file contains as follows:

SCHEDULE Edi
GROUPPERIOD
NAME Edi
PRIORITY 0
SPECIFIEDTIME no
GMT 0
STARTTIME 0:00:0
ENDTIME 23:59:6
GROUP Edi
ENDGROUP
ENDGROUPPERIOD
ENDSCHEDULE
endOnly_files
ADD DATA ("appendonlyFiles", ["/var/adm/btmp", "/var/adm/wtmp", "/etc/btmp", "/etc/wtmp", "/var/adm/messages", "/var/adm/syslog/mail.log", "/var/adm/syslog/syslog.log", "/var/adm
/pacct", "/var/adm/sulog"])
ENDTEMPLATE
TEMPLATE megaReadOnly
ADD DATA ("read_only_files_to_watch", ["/stand/vmunix", "/stand/kernrel", "/stand/bootconf", "/etc/passwd", "/etc/group", "/.rhosts", "/.shosts", "/etc/hosts.equiv", "/etc/hosts.
allow", "/etc/hosts.deny", "/etc/inetd.conf"])
ADD DATA ("read_only_files_to_not_watch", ["/etc/ptmp", "/etc/.pwd.lock", "/etc/utmp", "/etc/utmpx", "/etc/rc.log", "/etc/lvmconf/lvm_lock"])
ADD DATA ("read_only_dirs_to_watch", ["/etc", "/bin", "/sbin", "/stand", "/lib", "/usr/bin", "/opt"])
ADD DATA ("read_only_dirs_to_not_watch", [" "])
ENDTEMPLATE
TEMPLATE suid
ADD DATA ("criticalUIDs", [0, 1, 2, 3, 4, 5, 9, 11])
ENDTEMPLATE
TEMPLATE modify_non_owned_files
ADD DATA ("modify_files_to_not_watch", ["/dev/null", "/etc/rc.log", "/etc/lvmconf/lvm_lock", "/dev/diag"])
ADD DATA ("modify_dirs_to_not_watch", ["/var/opt/OV/tmp/OpC"])
ADD DATA ("modify_UIDs_to_ignore", [-314159])
ENDTEMPLATE
TEMPLATE bufferOverflow
ADD DATA ("bufferOverflow_UIDList", [0, 1, 2, 3, 4, 5, 9, 11])
ENDTEMPLATE
ENDGROUP
ENDGROUPPERIOD
ENDSCHEDULE
not_watch", ["/dev/diag", "/var/spool/sockets/pwgr", "/dev/pts", "/tcb/files/auth", "/tmp/files", "/var/spool/cron/tmp", "/prog/cdftp/product/cd3500/work/st.sthk.unx.edib"])
ADD DATA ("modify_UIDs_to_ignore", [-314159])
ADD DATA ("modify_files_one", ["/var/adm/wtmp$", "/dev/tty$"])
ADD DATA ("modify_prog_one", ["/usr/lbin/rlogind", "/usr/bin/login"])
ADD DATA ("modify_files_two", ["/prog/signatur/local/profile/Statoil_<*>", "/prog/signatur/product/ediseq/etc/<*>"])
ADD DATA ("modify_prog_two", ["/prog/signatur/product/filedrive/bin/fdx", "/prog/signatur/product/entcmd-6_0/bin/entcmd", "/prog/signatur/product/ediseq/bin/cryptcli"])
ADD DATA ("modify_files_three", ["/var/spool/mqueue/<*>", "/var/tmp/sh<*>", "/prog/cdftp/product/cd3500/work/st.sthk.unx.edib/<*>", "/etc/lvmconf/lvm_lock", "/var/opt/ignite/loca
l/manifest/manifest.info", "/dev/pts/<*>"])
ADD DATA ("modify_prog_three", ["/usr/sbin/sendmail", "/prog/amtrix/packages/bin/whupstate.sh", "/prog/cdftp/product/cd3500/ndm/bin/ndmsmgr", "/prog/cdftp/product/cd3500/ndm/bin/
ndmcmgr", "/prog/cdftp/product/cd3500/ndm/bin/cdstatm", "/usr/sbin/vgdisplay", "/opt/ignite/binpa/print_manifest", "/opt/ssh2/sbin/sshd2"])
ENDTEMPLATE
TEMPLATE suid
ADD DATA ("criticalUIDs", [0, 1, 2, 3, 4, 5, 9, 11])
ENDTEMPLATE
TEMPLATE worldWritable
ADD DATA ("worldWritable_criticalUIDs", [0, 1, 2, 3, 4, 5, 9, 11])
ADD DATA ("worldWritable_excludeFiles", ["/.dt.down", "/dev/pts/2", "/dev/pts/0"])
ADD DATA ("worldWritable_excludeDirs", ["/var/opt/scr/tmp", "/var/tmp"])
ENDTEMPLATE
TEMPLATE megaReadOnly
ADD DATA ("read_only_files_to_watch", ["/stand/vmunix", "/stand/kernrel", "/stand/bootconf", "/etc/passwd", "/etc/group", "/.rhosts", "/.shosts", "/etc/inetd.conf"])

Re: IDS9000 - idsagent: an error occurred parsing the schedule

ejac — Tue, 08 Apr 2008 09:13:57 GMT

Additional error messages:
Unable to open data store file for login_logout

Unable to open fact store file for login_logout

Re: IDS9000 - idsagent: an error occurred parsing the schedule

varap — Wed, 09 Apr 2008 04:46:28 GMT

Hi Ejac,

It seems you are using HIDS v2.2 or even older version which is a very old one and not a supported version by HP anymore. We have HIDS v4.1 currently available to customers with lots of improvements compared to HIDS v2.2 which I am listing below.

- Huge performance improvement ( at least 2 times faster in processing )and less CPU consumption
- Huge alert volume reduction ( at least 5 times lesser compared to v2.2 ) with the help of alert aggregation and duplicate alert suppression features.
- Auto configuration tool which helps customers configure HIDS easily.
- Reporting features to generate alert reports based on uid, severity, date, etc..
- Many critical defect fixes

I suggest you to consider moving to HIDS v4.1 as it would provide you the benifits mentioned above over HIDS v2.2.

You can download HIDS v4.2 from the following link :

http://software.hp.com

please search for "ids" here.

We may be able to provide any help you may require in installing and configuring HIDS v4.1.

Best Regards,
Vara

Re: IDS9000 - idsagent: an error occurred parsing the schedule

varap — Wed, 09 Apr 2008 04:49:14 GMT

You can download HIDS v4.2 from the following link :

Please read the above sentence as

"You can download HIDS v4.1 from the following link :"

Vara

topic IDS9000 - idsagent: an error occurred parsing the schedule in Operating System - HP-UX

IDS9000 - idsagent: an error occurred parsing the schedule

Re: IDS9000 - idsagent: an error occurred parsing the schedule

Re: IDS9000 - idsagent: an error occurred parsing the schedule

Re: IDS9000 - idsagent: an error occurred parsing the schedule