Host Intrusion Detection System Release 3.0 Release Notes

Announcement
Known Problems, Limitations, and Fixes
Chapter 1
Problem: The Creation of Setuid File template creates an alert with the wrong severity level
When an empty setuid file is created using the mknod() system call, the setuid template incorrectly reports an alert with severity 3 instead of severity 1.
Problem: The default value of the fail_interval template property is incorrect
The default value of the fail_interval template property for the Repeated Failed Su Commands template is incorrectly set to 1440 seconds in the predefined Surveillance Groups. The default value should be 86400 seconds (24 hours) instead.
Problem: SSH does not perform a clean exit after idsagent is started
After starting idsagent from an ssh login, logging out of the agent system results in the ssh session hanging indefinitely. As a workaround, log in by entering:
ssh -l root <machine> /usr/dt/bin/dtterm
and then type the "/sbin/init.d/idsagent start" command interactively in the terminal window that opens.
Limitations
Limitation: Predefined Schedules and Groups Are Not Clearly Marked
The predefined (read-only) surveillance schedules and groups are not well distinguished
in the System Manager screens. You are allowed to modify them for the purpose of
creating a new schedule, but you cannot save the modified schedule or group over the
original predefined schedule or group. The program does not notify you that a predefined
group was not saved when you press the Save button in the Schedule Manager screen.
Limitation: Agents and Kernel Parameters
The administration System Manager can monitor up to 23 agent systems unless you
make kernel parameter changes, as described in Chapter 2, “Configuration,” of the
HP-UX Host Intrusion Detection System Administrator’s Guide.
Limitation: Dropped Kernel Audit Records
Depending on the system profile and product configuration, and under heavy loads, HP-UX HIDS can drop kernel audit records and therefore miss potential intrusions. The IDDS_MODE configuration parameter for the kernel dsp in the ids.cf configuration file only controls whether the kernel auditing subsystem (IDDS) blocks or drops audit records under heavy loads. Currently, the user space component of HP-UX HIDS (idskerndsp), which collects audit data from IDDS, cannot be configured to either block or drop audit records under heavy loads. Instead, the product displays a notice in the Network Browser error panel that audit records are being dropped. The kernel dsp parameters DROP_NOTIFY_INTERVAL and LOW_WATERMARK control, respectively, (1) how often reminder notices are sent while records are being dropped and (2) the point at which a notice is sent that audit records are no longer being dropped. See Appendix D, "The Agent Configuration File," in the HP-UX Host Intrusion Detection System Administrator's Guide for more details.
Limitation: The adminSchedConvert Migration Tool
The text-based migration tool /opt/ids/bin/adminSchedConvert fails to migrate 2.x
schedules that contain properties with the following: