Host Intrusion Detection System Release 3.0 Release Notes
Announcement
Known Problems, Limitations, and Fixes
Chapter 1
For a current and complete list of HP-UX HIDS problems and their fixes, see the
Technical Knowledge Database on the HP IT Resource Center websites:
http://us-support.external.hp.com for Americas/Asia-Pacific customers
http://europe-support.external.hp.com for European customers
The Technical Knowledge Database is available to customers with support contracts.
Clarifications
Update Preferred Over Cold Reinstall
HP-UX HIDS is designed to support updates. If you cold reinstall the newer version by
first removing the older version (swremove), you will incur two reboots (instead of just
one or possibly none) and the probable loss of some of your configuration data.
Do Not Change Permissions
Do not change the permissions on files and directories owned by ids. Opening up the
permissions to be world writable/readable will cause the agent to fail security checks and
exit. Changing file permissions will also result in swverify errors.
HUP After Log File Rotation
When you rotate the error or alert log files on an agent, you must send a HUP signal to
the idsagent process so it can reset its file descriptors and begin writing to the new logs.
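The rotate-then-HUP procedure above, written out as a POSIX shell script (an added example, not part of HP's release notes or of the HIDS product itself). It recreates the live log with the original owner, group and mode so the agent's permission checks described under "Do Not Change Permissions" still pass. The log path, the number of numbered backups to keep, and the use of `ps -o` (which on HP-UX needs UNIX95 set, as done below) are assumptions.

```shell
#!/bin/sh
# Rotate an HP-UX HIDS agent log, then HUP idsagent so it reopens its logs.
# Added example, not HP code. Assumes numbered backups LOG.1 .. LOG.N and a
# ps that honours -o (HP-UX requires UNIX95 in the environment for that).

# rotate_log LOGFILE [KEEP]: shift older generations, move the live log to
# LOGFILE.1 and recreate LOGFILE with the same owner, group and mode.
rotate_log() {
    log=$1
    keep=${2:-5}
    if [ ! -f "$log" ]; then
        echo "rotate_log: $log: no such file" >&2
        return 1
    fi
    i=$keep
    while [ "$i" -gt 1 ]; do
        j=$((i - 1))
        if [ -f "$log.$j" ]; then mv "$log.$j" "$log.$i"; fi
        i=$j
    done
    mv "$log" "$log.1"
    # owner ($3), group ($4) and symbolic mode ($1) of the rotated file
    set -- $(ls -ld "$log.1")
    perm=$(printf '%s' "$1" | cut -c2-10)            # e.g. rw-------
    u=$(printf '%s' "$perm" | cut -c1-3 | tr -d '-')
    g=$(printf '%s' "$perm" | cut -c4-6 | tr -d '-')
    o=$(printf '%s' "$perm" | cut -c7-9 | tr -d '-')
    : > "$log"                                       # new, empty live log
    chown "$3:$4" "$log" && chmod "u=$u,g=$g,o=$o" "$log"
}

# hup_agent [NAME]: send SIGHUP to every process named NAME (default
# idsagent) so it resets its file descriptors and writes to the new logs.
hup_agent() {
    name=${1:-idsagent}
    pids=$(UNIX95=1 ps -e -o pid= -o comm= | awk -v n="$name" '$2 == n { print $1 }')
    if [ -z "$pids" ]; then
        echo "hup_agent: no $name process found" >&2
        return 1
    fi
    kill -HUP $pids
}

# Usage: rotate_and_hup /path/to/alert.log [KEEP]   (run as root on the agent host)
rotate_and_hup() {
    rotate_log "$1" "${2:-5}" && hup_agent idsagent
}
```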
Known Problems
Problem: Java Virtual Machine Runs Out of Memory for the System Manager GUI
When the System Manager GUI has alerts in the range of tens of thousands, it might die
or hang as the Java Virtual Machine (JVM) eventually runs out of memory. You can
increase the maximum heap size of JVM by adding a -Xmx<size> option after the line
"$JAVA_RUN \" in idsgui. For example:
-Xmx256m \
This increases the maximum heap size to 256MB.
Problem: The Buffer Overflow Template Cannot Filter Certain Alerts
The Buffer Overflow template does not correctly report the full pathname of the program
that attempted to execute on its stack as part of a stack buffer overflow attack. As a
result, the programs_to_not_watch template property cannot be used to filter out those
alerts for buffer overflow attacks detected by the kernel. All other types of buffer
overflow alerts (i.e., unusually long argument or use of non-printable character(s)) can
be filtered using the programs_to_not_watch template property.