The AbnormalRootLoginEvent Detector checks to see if there is any root login from a host that is not specified in the $NETMON/config/roothosts files (list of hosts that a root login is permitted from).
The AgentAliveEvent Detector periodically checks to see if detectors in an agent have died by
checking that the number of threads in an agent never decreases.
The CPUMonitorEvent Detector generates a list of all currently running processes and respective
statistics on a monitored host, using the UNIX `ps' command.
This detector keeps a record of all processes seen on the system, and compares against this record
any process events (network.events.ProcessMonitoringEvent) that occur.
If the triggeringEvent matches the default triggering event (NewRootProcessEvent),
we check and see if the output from the 'who -q' command contains a root entry.
Checks to see if an OutsideDomainLoginEvent coincides with a user already being logged in locally
Accomplishes this by querying the LoginEvent table in the database and checking if the last record is an xdmOn event.
Detects if a login is from a local host or from an outside domain
This is accomplished by comparing the host from which a user is loggin in and comparing it to a list of known local hosts.
Detects if a partition is full based on messages from the syslog file
tokens - matched tokens as given in pattern
The method is synchronized because, when we invoke
modifyDetector method, some of the variables would be null.
Detects if a process has exceeded any threshold values for running time, CPU usage, or lwp count
This is accomplished by checking if the process contained in the triggeredEvent has exceeded the thresholds.
tokens - matched tokens as given in pattern
The method is synchronized because, when we invoke
modifyDetector method, some of the variables would be null.
The IllegitimateRootPresenceEvent Detector is notified of NewRootProcessEvents,
and then checks to see if the root user appears in the output of the 'who -q'
command.
Creates a MarkFailEventDetector with the default mark time specified in AdminClient
The mark time is the amount of time the detector will wait for a mark event before creating a MarkFailEvent
Checks for processes running as 'root'
If found, new event will be generated, and the event handler will take appropriate action, eg: launching further agents to monitor critical resources.
Parses the output from the command in this class' generateEvent method and returns a vector
of Object arrays that represents the elements of the string separated.
This function parses the output from the command in this class' generateEvent method and returns a vector of Object arrays that represents the elements of the string seperated.
takes in the string date from the ps command and returns the millis this method expects commands in the following format
28-19:56:08 or 19:56:08 or 56:08