Host Intrusion Detection System Administrator's Guide Release 3.0
Overview
Chapter 1
HP-UX HIDS Components
HP-UX HIDS consists of the following components. See “Glossary of HP-UX HIDS
Terms” on page 13 for more definitions.
• Management interface. The System Manager allows the administrator to
configure, control, and monitor the HP-UX HIDS system. Any intrusions detected
are reported here as alerts.
• Host-based agent. The agent gathers system data, monitors system activity, and
issues intrusion alerts.
• Detection templates. Most attacks exhibit a limited number of common patterns
and similar steps. Detection templates encode these patterns; when the observed
activity on a host matches one of the HP-UX HIDS detection templates, HP-UX HIDS
reports the intrusion.
• Data-gathering components. HP-UX HIDS provides a way of observing what
people are doing on your systems and networks. This is accomplished through a set
of data-gathering modules that collect and format information from data sources at
various points within the system.
• Correlation engine. HP-UX HIDS uses a correlation process that takes data from
system data sources and determines whether an alert should be issued.
• Secure network communications link. HP-UX HIDS uses an encrypted network
link between its components to stop an attacker from observing the traffic between
them or from injecting false data to disrupt its operation. (Encryption alone only
provides confidentiality; preventing injection also requires the link to authenticate
its endpoints and protect message integrity.)
• Response capability. Alerts are sent to the System Manager. In addition, the
alerts can be processed by response programs that you create and/or install.
Graphic Representation
Figure 1-1 shows a graphic representation of these components.
The HP-UX HIDS System Manager performs Security Management and develops
Surveillance Schedules that are sent to the HP-UX HIDS Agent where they are run at
specified times, using Kernel Audit Data and System Log Data.
If an alert is generated, it is sent to the HP-UX HIDS System Manager, which posts it as
an Alert Notification.
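The following is an added example, not code from HP-UX HIDS or from this guide. It models the component pipeline described in the list above and the schedule-driven flow of Figure 1-1: data-gathering modules have already normalised a few constructed kernel-audit and syslog records into events; two detection templates encode common attack patterns; a correlation engine keeps a short per-user history, runs only the templates named in a surveillance schedule and only inside the schedule's time window, and hands each alert both to the System Manager's alert list and to registered response programs. The event fields, template names, thresholds, the schedule format and the response hook are all assumptions made for illustration; HP-UX HIDS's own template set, data formats and response-program interface are not shown here.

```python
"""Toy model of an HIDS pipeline: gathered events -> templates -> correlation
-> alerts -> response programs.  Added example; not HP-UX HIDS code."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional


@dataclass(frozen=True)
class Event:
    """One normalised record from a data-gathering module (assumed format)."""
    time: int      # seconds on a constructed timeline
    source: str    # "audit" = kernel audit data, "syslog" = system log data
    user: str
    action: str    # login_fail | login_ok | modify | exec
    target: str    # host, file path or program


@dataclass(frozen=True)
class Alert:
    template: str
    severity: int  # assumed scale: 1 (low) .. 3 (high)
    user: str
    detail: str


# Constructed sample records: a brute-force login followed by tampering with a
# critical file, plus some benign activity from another user.
SAMPLE_EVENTS = [
    Event(100, "syslog", "mallory", "login_fail", "host1"),
    Event(101, "syslog", "mallory", "login_fail", "host1"),
    Event(102, "syslog", "mallory", "login_fail", "host1"),
    Event(103, "syslog", "mallory", "login_ok", "host1"),
    Event(110, "audit", "mallory", "modify", "/etc/passwd"),
    Event(120, "audit", "alice", "modify", "/home/alice/notes"),
    Event(130, "audit", "alice", "exec", "/usr/bin/ls"),
]

# Files whose modification is always suspicious (assumed watch list).
CRITICAL_FILES = {"/etc/passwd", "/etc/shadow", "/etc/inetd.conf"}

# A template sees the user's recent history (oldest first, not including the
# current event) and the current event, and returns an Alert or None.
Template = Callable[[Deque[Event], Event], Optional[Alert]]


def failed_logins_then_success(history: Deque[Event], ev: Event) -> Optional[Alert]:
    """Pattern: at least 3 login failures within 60 s, then a success."""
    if ev.action != "login_ok":
        return None
    fails = [e for e in history
             if e.action == "login_fail" and ev.time - e.time <= 60]
    if len(fails) >= 3:
        return Alert("failed_logins_then_success", 2, ev.user,
                     f"{len(fails)} failures then success on {ev.target}")
    return None


def critical_file_modified(history: Deque[Event], ev: Event) -> Optional[Alert]:
    """Pattern: a kernel-audit write to a file on the critical list."""
    if ev.source == "audit" and ev.action == "modify" and ev.target in CRITICAL_FILES:
        return Alert("critical_file_modified", 3, ev.user, f"wrote {ev.target}")
    return None


TEMPLATES: Dict[str, Template] = {
    "failed_logins_then_success": failed_logins_then_success,
    "critical_file_modified": critical_file_modified,
}


@dataclass(frozen=True)
class Schedule:
    """Surveillance schedule (assumed format): which templates run, and when."""
    templates: List[str]
    start: int
    end: int

    def covers(self, t: int) -> bool:
        return self.start <= t <= self.end


class CorrelationEngine:
    """Runs scheduled templates over a sliding per-user event window."""

    def __init__(self, schedule: Schedule, responders: List[Callable[[Alert], None]],
                 window: int = 300):
        self.schedule = schedule
        self.responders = responders          # response programs
        self.window = window                  # seconds of history kept per user
        self.history: Dict[str, Deque[Event]] = defaultdict(deque)
        self.alerts: List[Alert] = []         # what the System Manager would show

    def process(self, ev: Event) -> None:
        hist = self.history[ev.user]
        while hist and ev.time - hist[0].time > self.window:   # expire old events
            hist.popleft()
        if self.schedule.covers(ev.time):
            for name in self.schedule.templates:
                alert = TEMPLATES[name](hist, ev)
                if alert is not None:
                    self.alerts.append(alert)
                    for respond in self.responders:
                        respond(alert)
        hist.append(ev)


def run(events: List[Event], schedule: Schedule,
        responders: List[Callable[[Alert], None]] = ()) -> List[Alert]:
    """Feed events in time order through the engine; return the alerts raised."""
    engine = CorrelationEngine(schedule, list(responders))
    for ev in sorted(events, key=lambda e: e.time):
        engine.process(ev)
    return engine.alerts


if __name__ == "__main__":
    sched = Schedule(list(TEMPLATES), start=0, end=1000)
    for a in run(SAMPLE_EVENTS, sched, [lambda a: print("response program got:", a.template)]):
        print(a)
```

Two design points carry over to a real deployment: templates only see a bounded per-user window, so a pattern spread over a longer period than the window is invisible to them (choose the window with the slowest attack you care about in mind), and a schedule that does not cover an event's time suppresses every template for it, which is exactly the gap an attacker who knows the surveillance hours will use.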