Host Intrusion Detection System Administrator's Guide Release 3.1
Chapter 1 Overview
HP-UX HIDS Components
HP-UX HIDS consists of the following components.
• System Manager interface. The System Manager interface allows you to configure, control, and monitor the HP-UX HIDS system. Any intrusions detected are reported as alerts.
• Host-based agent. The agent gathers system data, monitors system activity, and issues intrusion alerts.
• Detection templates. These templates describe the most commonly encountered system attack patterns. When observed activity matches one of the HP-UX HIDS detection templates, HP-UX HIDS detects the intrusion.
• Data-gathering components. HP-UX HIDS comprises modules that gather and format information from data sources at various points within the system. HIDS uses these components to monitor all resources within the network.
• Correlation engine. HP-UX HIDS uses a correlation process that takes data from system data sources and determines whether an alert must be issued.
• Secure network communications link. HP-UX HIDS uses an encrypted network link to stop an attacker from observing the traffic between its components or injecting false data to disrupt its operation.
• Response capability. Alerts are sent to the System Manager. In addition, the alerts can be processed by response programs that you create and/or install.
See “Glossary of HP-UX HIDS Terms” on page 14 for more definitions.
Graphic Representation
Figure 1-1 shows a graphic representation of these components.
The HP-UX HIDS System Manager performs Security Management and develops Surveillance Schedules. These schedules are sent to the HP-UX HIDS Agent, where they are run at specified times. The HIDS agent uses Kernel Audit Data and System Log Data to run these schedules.
If an alert is generated, it is sent to the HP-UX HIDS System Manager. The System Manager delivers this message as an Alert Notification.
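The flow described above (agent runs a scheduled detection template over kernel audit data, the correlation engine decides whether to issue an alert, and the alert is passed on to response programs) as an added illustration in Python. This is not HP-UX HIDS code: the audit record layout, the `Template` fields and the "repeated failed logins" template are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed kernel-audit-style records (hypothetical layout, not the HP-UX HIDS format):
# (timestamp_seconds, event, user, host, outcome)
AUDIT_RECORDS = [
    (100, "login", "alice", "hostA", "fail"),
    (105, "login", "alice", "hostA", "fail"),
    (110, "login", "bob",   "hostA", "ok"),
    (112, "login", "alice", "hostA", "fail"),
    (200, "login", "alice", "hostA", "fail"),
    (305, "login", "alice", "hostA", "ok"),
]

@dataclass(frozen=True)
class Template:
    """Detection template: `threshold` matching events within `window` seconds."""
    name: str
    event: str
    outcome: str
    threshold: int
    window: int

@dataclass(frozen=True)
class Alert:
    template: str
    user: str
    host: str
    first_seen: int
    last_seen: int
    count: int

def correlate(records, template):
    """Correlation engine: keep a per-(user, host) sliding window of matching
    events and issue an alert when the count reaches the template threshold."""
    seen, alerts = defaultdict(deque), []
    for ts, event, user, host, outcome in sorted(records):
        if event != template.event or outcome != template.outcome:
            continue
        q = seen[(user, host)]
        q.append(ts)
        while q and ts - q[0] > template.window:   # drop events older than the window
            q.popleft()
        if len(q) == template.threshold:
            alerts.append(Alert(template.name, user, host, q[0], ts, len(q)))
    return alerts

def run_schedule(records, templates, responders=()):
    """Agent side: run each template in the surveillance schedule, then hand every
    alert to the System Manager (the returned list) and to any response programs."""
    alerts = [a for t in templates for a in correlate(records, t)]
    for a in alerts:
        for respond in responders:      # response programs you create or install
            respond(a)
    return alerts

FAILED_LOGINS = Template("repeated failed logins", "login", "fail", 3, 60)
```

On the constructed records, alice's three failures at 100, 105 and 112 fall inside one 60-second window and produce a single alert; the failure at 200 is outside the window and does not.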