Operating System - HP-UX

Re: IDS9000 - idsagent: an error occurred parsing the schedule

ejac
New Member

IDS9000 - idsagent: an error occurred parsing the schedule

Hi all,
I am having problems with activating the Surveillance schedule in IDS9000. After renewing certificates I now get a parsing error. I have tried to do the renewing process again but without success. I have also searched these forums but nothing has helped. I have checked with swlist -l fileset -a state to see if IDS is installed properly. Appreciate any help. Thanks

Error messages:
- idsagent: an error occurred parsing the schedule
- idsagent: Surveillance Schedule does not contain any surveillance group periods
- syntax error on line 10 of schedule file /var/opt/ids/: error:syntax error

My schedule file contains as follows:

SCHEDULE Edi
GROUPPERIOD
NAME Edi
PRIORITY 0
SPECIFIEDTIME no
GMT 0
STARTTIME 0:00:0
ENDTIME 23:59:6
GROUP Edi
ENDGROUP
ENDGROUPPERIOD
ENDSCHEDULE
endOnly_files
ADD DATA ("appendonlyFiles", ["/var/adm/btmp", "/var/adm/wtmp", "/etc/btmp", "/etc/wtmp", "/var/adm/messages", "/var/adm/syslog/mail.log", "/var/adm/syslog/syslog.log", "/var/adm/pacct", "/var/adm/sulog"])
ENDTEMPLATE
TEMPLATE megaReadOnly
ADD DATA ("read_only_files_to_watch", ["/stand/vmunix", "/stand/kernrel", "/stand/bootconf", "/etc/passwd", "/etc/group", "/.rhosts", "/.shosts", "/etc/hosts.equiv", "/etc/hosts.allow", "/etc/hosts.deny", "/etc/inetd.conf"])
ADD DATA ("read_only_files_to_not_watch", ["/etc/ptmp", "/etc/.pwd.lock", "/etc/utmp", "/etc/utmpx", "/etc/rc.log", "/etc/lvmconf/lvm_lock"])
ADD DATA ("read_only_dirs_to_watch", ["/etc", "/bin", "/sbin", "/stand", "/lib", "/usr/bin", "/opt"])
ADD DATA ("read_only_dirs_to_not_watch", [" "])
ENDTEMPLATE
TEMPLATE suid
ADD DATA ("criticalUIDs", [0, 1, 2, 3, 4, 5, 9, 11])
ENDTEMPLATE
TEMPLATE modify_non_owned_files
ADD DATA ("modify_files_to_not_watch", ["/dev/null", "/etc/rc.log", "/etc/lvmconf/lvm_lock", "/dev/diag"])
ADD DATA ("modify_dirs_to_not_watch", ["/var/opt/OV/tmp/OpC"])
ADD DATA ("modify_UIDs_to_ignore", [-314159])
ENDTEMPLATE
TEMPLATE bufferOverflow
ADD DATA ("bufferOverflow_UIDList", [0, 1, 2, 3, 4, 5, 9, 11])
ENDTEMPLATE
ENDGROUP
ENDGROUPPERIOD
ENDSCHEDULE
not_watch", ["/dev/diag", "/var/spool/sockets/pwgr", "/dev/pts", "/tcb/files/auth", "/tmp/files", "/var/spool/cron/tmp", "/prog/cdftp/product/cd3500/work/st.sthk.unx.edib"])
ADD DATA ("modify_UIDs_to_ignore", [-314159])
ADD DATA ("modify_files_one", ["/var/adm/wtmp$", "/dev/tty$"])
ADD DATA ("modify_prog_one", ["/usr/lbin/rlogind", "/usr/bin/login"])
ADD DATA ("modify_files_two", ["/prog/signatur/local/profile/Statoil_<*>", "/prog/signatur/product/ediseq/etc/<*>"])
ADD DATA ("modify_prog_two", ["/prog/signatur/product/filedrive/bin/fdx", "/prog/signatur/product/entcmd-6_0/bin/entcmd", "/prog/signatur/product/ediseq/bin/cryptcli"])
ADD DATA ("modify_files_three", ["/var/spool/mqueue/<*>", "/var/tmp/sh<*>", "/prog/cdftp/product/cd3500/work/st.sthk.unx.edib/<*>", "/etc/lvmconf/lvm_lock", "/var/opt/ignite/local/manifest/manifest.info", "/dev/pts/<*>"])
ADD DATA ("modify_prog_three", ["/usr/sbin/sendmail", "/prog/amtrix/packages/bin/whupstate.sh", "/prog/cdftp/product/cd3500/ndm/bin/ndmsmgr", "/prog/cdftp/product/cd3500/ndm/bin/ndmcmgr", "/prog/cdftp/product/cd3500/ndm/bin/cdstatm", "/usr/sbin/vgdisplay", "/opt/ignite/binpa/print_manifest", "/opt/ssh2/sbin/sshd2"])
ENDTEMPLATE
TEMPLATE suid
ADD DATA ("criticalUIDs", [0, 1, 2, 3, 4, 5, 9, 11])
ENDTEMPLATE
TEMPLATE worldWritable
ADD DATA ("worldWritable_criticalUIDs", [0, 1, 2, 3, 4, 5, 9, 11])
ADD DATA ("worldWritable_excludeFiles", ["/.dt.down", "/dev/pts/2", "/dev/pts/0"])
ADD DATA ("worldWritable_excludeDirs", ["/var/opt/scr/tmp", "/var/tmp"])
ENDTEMPLATE
TEMPLATE megaReadOnly
ADD DATA ("read_only_files_to_watch", ["/stand/vmunix", "/stand/kernrel", "/stand/bootconf", "/etc/passwd", "/etc/group", "/.rhosts", "/.shosts", "/etc/inetd.conf"])
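idsagent only reports "syntax error on line N" and stops, so before editing the schedule it helps to have a quick structural check that points at the first unbalanced block or mangled line. The script below is an added example; it is not part of the original post and is not HP's idsagent parser. It knows only the block structure visible in the posted schedule (SCHEDULE > GROUPPERIOD > GROUP > TEMPLATE, each closed by END<keyword>), the period keys NAME/PRIORITY/SPECIFIEDTIME/GMT/STARTTIME/ENDTIME, and one-line ADD DATA ("key", [values]) entries; treating that as the complete IDS/9000 grammar is an assumption, and the sample schedules in it are constructed, not the poster's file.

```python
"""Structural lint for an IDS/9000 (HIDS) surveillance schedule file.

Added example, not HP's idsagent. The grammar below is inferred from the
schedule posted in this thread and is assumed, not taken from HP docs.
"""
import re

# opener -> closer, as seen in the posted file
BLOCKS = {"SCHEDULE": "ENDSCHEDULE", "GROUPPERIOD": "ENDGROUPPERIOD",
          "GROUP": "ENDGROUP", "TEMPLATE": "ENDTEMPLATE"}
CLOSERS = {closer: opener for opener, closer in BLOCKS.items()}
# opener -> block it must be directly nested in (None = top level)
PARENT = {"SCHEDULE": None, "GROUPPERIOD": "SCHEDULE",
          "GROUP": "GROUPPERIOD", "TEMPLATE": "GROUP"}
# keys that appear directly inside GROUPPERIOD in the posted file
PERIOD_KEYS = {"NAME", "PRIORITY", "SPECIFIEDTIME", "GMT", "STARTTIME", "ENDTIME"}
# ADD DATA ("name", [ ... ]) must sit on ONE physical line
ADD_DATA = re.compile(r'^ADD DATA \("[^"]+", \[.*\]\)$')


def check_schedule(text):
    """Return [(line_number, message), ...] in scan order; [] means clean.

    Line numbers are 1-based, matching idsagent's "syntax error on line N".
    """
    problems = []
    stack = []  # open blocks as (keyword, line where opened)
    top = lambda: stack[-1][0] if stack else None

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        tokens = line.split()
        word = tokens[0]
        if word in BLOCKS:
            want_name = word != "GROUPPERIOD"  # GROUPPERIOD takes no name
            if len(tokens) != (2 if want_name else 1):
                problems.append((lineno, f"{word} takes {'one name' if want_name else 'no argument'}"))
            if top() != PARENT[word]:
                problems.append((lineno, f"{word} must be inside {PARENT[word] or 'nothing'}, not {top()}"))
            stack.append((word, lineno))
        elif word in CLOSERS:
            opener = CLOSERS[word]
            if opener not in [kw for kw, _ in stack]:
                problems.append((lineno, f"{word} without a matching {opener}"))
                continue
            # recovery: report, then implicitly close whatever was left open inside
            while top() != opener:
                kw, opened = stack.pop()
                problems.append((lineno, f"{word} closes {kw} opened on line {opened} before its {BLOCKS[kw]}"))
            stack.pop()
        elif word in PERIOD_KEYS:
            if len(tokens) != 2:
                problems.append((lineno, f"{word} takes exactly one value"))
            if top() != "GROUPPERIOD":
                problems.append((lineno, f"{word} is only valid inside GROUPPERIOD"))
        elif word == "ADD":
            if not ADD_DATA.match(line):
                problems.append((lineno, "malformed ADD DATA line (wrapped or truncated?)"))
            if top() != "TEMPLATE":
                problems.append((lineno, "ADD DATA is only valid inside TEMPLATE"))
        else:
            problems.append((lineno, f"unknown token {word!r}"))

    for kw, opened in stack:
        problems.append((opened, f"{kw} never closed with {BLOCKS[kw]}"))
    return problems


def first_error(text):
    """The first (line, message) a line-oriented parser would stop on, or None."""
    problems = check_schedule(text)
    return problems[0] if problems else None


# Constructed sample (not the poster's file): a minimal well-formed schedule.
GOOD = """\
SCHEDULE Edi
GROUPPERIOD
NAME Edi
PRIORITY 0
SPECIFIEDTIME no
GMT 0
STARTTIME 0:00:0
ENDTIME 23:59:6
GROUP Edi
TEMPLATE suid
ADD DATA ("criticalUIDs", [0, 1, 2, 3, 4, 5, 9, 11])
ENDTEMPLATE
ENDGROUP
ENDGROUPPERIOD
ENDSCHEDULE
"""
# Constructed breakages: ENDGROUP dropped (GROUP is then closed by
# ENDGROUPPERIOD on line 13), and an ADD DATA entry wrapped onto two lines.
MISSING_ENDGROUP = GOOD.replace("ENDGROUP\n", "", 1)
WRAPPED_ADD_DATA = GOOD.replace("[0, 1, 2, 3, 4, 5, 9, 11])", "[0, 1, 2,\n3, 4, 5, 9, 11])")
```

Run it with `python3 lint.py` after adding `print(first_error(open("/var/opt/ids/<file>").read()))`, or import `check_schedule` and feed it the file contents. The wrapped ADD DATA case is worth keeping in mind when pasting a schedule through a terminal: a list split across two physical lines is a syntax error on the first of them, and the continuation line is then an unknown token.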
ejac
New Member

Re: IDS9000 - idsagent: an error occurred parsing the schedule

Additional error messages:
Unable to open data store file for login_logout

Unable to open fact store file for login_logout

varap
Occasional Advisor

Re: IDS9000 - idsagent: an error occurred parsing the schedule

Hi Ejac,

It seems you are using HIDS v2.2 or an even older version, which is very old and no longer supported by HP. We have HIDS v4.1 currently available to customers with lots of improvements compared to HIDS v2.2, which I am listing below.

- Huge performance improvement (at least 2 times faster in processing) and less CPU consumption
- Huge alert volume reduction (at least 5 times less compared to v2.2) with the help of alert aggregation and duplicate alert suppression features.
- Auto configuration tool which helps customers configure HIDS easily.
- Reporting features to generate alert reports based on uid, severity, date, etc..
- Many critical defect fixes

I suggest you consider moving to HIDS v4.1 as it would provide you the benefits mentioned above over HIDS v2.2.


You can download HIDS v4.2 from the following link :

http://software.hp.com

Please search for "ids" there.

We may be able to provide any help you may require in installing and configuring HIDS v4.1.

Best Regards,
Vara



varap
Occasional Advisor

Re: IDS9000 - idsagent: an error occurred parsing the schedule

You can download HIDS v4.2 from the following link :

Please read the above sentence as

"You can download HIDS v4.1 from the following link :"

Vara