HP-UX 11i Version 2 March 2006 Release Notes
Security
HP-UX Host Intrusion Detection System
Chapter 8
HP-UX Host Intrusion Detection System
HP-UX Host Intrusion Detection System (HIDS) Release 4.0 is a host-based security
product for HP computers running HP-UX 11i. HP-UX HIDS Release 4.0 enables
security administrators to proactively monitor, detect, and respond to attacks targeted at
specific hosts. There are many types of attacks that can bypass network-based detection
systems. HP-UX HIDS Release 4.0 complements existing network-based security
mechanisms and enhances enterprise security.
Summary of Change
HP-UX HIDS version 4.0 supports the following new features and enhancements:
• Reducing alert volume by aggregation - HIDS supports a new feature called alert
aggregation that can significantly reduce the alert volume for a monitored system.
When enabled, alerts that are generated by a process or a group of related processes
are aggregated until the processes terminate or a certain amount of time elapses.
• Reducing alert volume by monitoring only critical files - The template property
values of the file-related preconfigured groups and templates have been modified to
monitor only the core critical files to reduce the alert volume. For example, only
certain files in the /etc directory (such as /etc/passwd and /etc/shadow) are
monitored instead of the entire directory.
• Configuring critical users - In earlier releases, the system templates (login/logout
and su) hard-coded root and ids as being critical for determining alerts with high
severity. Since applications like HP-UX Role-Based Access Control[1] support the
assignment of root privileges to several users, HIDS must support configuration of
critical users. The system templates support new template properties to specify the
critical user names.
• Support to specify user names and user IDs - The template properties that specify
user IDs (for example, priv_uid_list) in previous releases now support the
specification of both user IDs and user names.
• Measuring the event rate - A new idscor option (-t) is supported to measure the
rate of events generated by a system and monitored by HIDS. If you know the event
rate, you can refer to the HIDS Tuning and Sizing primer (available at
http://docs.hp.com/en/internet.html#Host%20Intrusion%20Detection%20System)
to determine the impact of HIDS on memory and CPU consumption.
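The alert aggregation described in the first item above, sketched as an added example (not HP's code and not the HIDS alert format): alerts from a process and its children are held in one group and emitted as a single record when the last process in the group exits or a time window elapses. The event tuples, the 60-second window and the parent/child grouping rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample events (time_s, kind, pid, ppid, detail); not HIDS output.
EVENTS = [
    (0, "alert", 100, 1, "modified /etc/passwd"),
    (2, "alert", 101, 100, "modified /etc/shadow"),  # child of pid 100
    (3, "exit", 101, 100, ""),
    (5, "alert", 100, 1, "su to root"),
    (6, "exit", 100, 1, ""),
    (10, "alert", 200, 1, "failed login"),
    (50, "alert", 200, 1, "failed login"),
    (80, "alert", 200, 1, "failed login"),           # arrives after the window
]

@dataclass
class Group:
    first_seen: int
    live: set = field(default_factory=set)      # pids in the group still running
    details: list = field(default_factory=list)

def aggregate(events, window_s=60):
    """Return one (reason, root_pid, details) record per flushed group."""
    group_of, groups, out = {}, {}, []   # pid -> root pid; root pid -> Group

    def flush(root, reason):
        out.append((reason, root, groups.pop(root).details))
        for pid in [p for p, r in group_of.items() if r == root]:
            del group_of[pid]

    for t, kind, pid, ppid, detail in events:
        # Window check is lazy: expired groups are flushed when the next event arrives.
        for root in [r for r, g in groups.items() if t - g.first_seen >= window_s]:
            flush(root, "timeout")
        if kind == "alert":
            # Join the process's own group, else its parent's, else start a new one.
            root = group_of.get(pid) or group_of.get(ppid) or pid
            group_of[pid] = root
            g = groups.setdefault(root, Group(first_seen=t))
            g.live.add(pid)
            g.details.append(detail)
        elif kind == "exit" and pid in group_of:
            root = group_of[pid]
            groups[root].live.discard(pid)
            if not groups[root].live:        # last related process terminated
                flush(root, "exit")
    for root in list(groups):                # input ended with groups still open
        flush(root, "end-of-input")
    return out
```

Calling aggregate(EVENTS) collapses the six constructed alerts into three records, each tagged with the reason the group was closed.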
Impact
There are no impacts other than those listed previously.
Compatibility
HP-UX HIDS Release 4.0 is backward compatible with Release 3.1 and Release 3.0. It is
not backward compatible with Release 1.0, Release 2.0, Release 2.1, and Release 2.2.
1. HP-UX Role-Based Access Control is available on the Software Pack (SPK) media
for HP-UX 11i v2 December 2005.