HP-UX Host Intrusion Detection System Release 4.0 Release Notes for HP-UX 11i v1 | HP-UX 11i v2 | HP-UX 11i v3
Release 4.0 Highlights
HP-UX HIDS Release 4.0 contains the following new features, changes and
enhancements:
• HP-UX HIDS supports a new feature called alert aggregation that can significantly
reduce the alert volume for a monitored system. When enabled, alerts that are
generated by a process or a group of related processes are aggregated until the
processes terminate, or a certain amount of time elapses. Using this feature, the
number of alerts can be reduced by up to 3 orders of magnitude. See the section
“Configuring Alert Aggregation” in Chapter 5 Schedule Manager Screen of the
Host Intrusion Detection System Administrator’s Guide for more information.
• The template property values of the file-related preconfigured groups and templates
have been modified to monitor only the core critical files to reduce the alert volume.
For example, only certain files in the /etc directory (such as /etc/passwd,
/etc/shadow) are monitored instead of monitoring the entire directory.
• In earlier releases, the system templates (login/logout and su) hard-coded root
and ids as being critical for determining alerts with high severity. Since
applications like SAFeR (Security compartment and Fine-grained pRivileges)
support the assignment of root privileges to several users, HIDS must support
configuration of critical users. The system templates support new template
properties to specify the critical user names. For more information about these
properties, see HP-UX Host Intrusion Detection System Version 4.0 Administrator's
Guide (5991-6776), available on www.docs.hp.com.
• The template properties that specify user IDs (for example, priv_uid_list) in
prior releases now support the specification of both user IDs and user names.
• The HP-UX HIDS agent can be configured to measure the rate of events generated
by a system and monitored by HP-UX HIDS. Knowing the event rate, one can refer
to the HP-UX HIDS Tuning and Sizing Primer (available on www.docs.hp.com) to
determine the impact of HP-UX HIDS on memory and CPU consumption. See
Appendix E “The Agent Configuration File” in HP-UX Host Intrusion Detection
System Version 4.0 Administrator's Guide (5991-6776) for details.
NOTE: From HP-UX 11i v3 onwards, the idssysdsp program is no longer a setuid
program.
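A minimal model of the alert aggregation behaviour described in the first highlight above, added here as an illustration and not HP-UX HIDS code. The event tuple format, the aggregate function, the process-group key and the 300-second window are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample events: (time_s, process_group_id, kind, detail).
# kind "alert" is a detection; kind "exit" marks termination of the group.
SAMPLE_EVENTS = [
    (0, 100, "alert", "/etc/passwd modified"),
    (1, 100, "alert", "/etc/passwd modified"),
    (2, 200, "alert", "failed su to root"),
    (3, 100, "alert", "/etc/shadow modified"),
    (4, 100, "exit", ""),
    (50, 200, "alert", "failed su to root"),
    (400, 200, "alert", "failed su to root"),
    (401, 300, "alert", "/etc/passwd modified"),
]

def aggregate(events, max_age_s=300):
    """Collapse time-ordered alerts into one record per process group.

    A group's pending alerts are emitted as a single record when the group
    exits, or when max_age_s has elapsed since its first pending alert
    (checked on event arrival here; a real agent would use a timer).
    """
    pending = {}  # group id -> {"start": first alert time, "counts": {...}}
    out = []

    def flush(gid, t, reason):
        p = pending.pop(gid)
        out.append({"group": gid, "start": p["start"], "end": t,
                    "reason": reason, "total": sum(p["counts"].values()),
                    "counts": dict(p["counts"])})

    for t, gid, kind, detail in events:
        # Emit any group whose aggregation window has expired.
        for g in [g for g, p in pending.items() if t - p["start"] >= max_age_s]:
            flush(g, t, "timeout")
        if kind == "exit":
            if gid in pending:
                flush(gid, t, "exit")
        else:
            p = pending.setdefault(gid, {"start": t, "counts": defaultdict(int)})
            p["counts"][detail] += 1
    last_t = events[-1][0] if events else 0
    for g in list(pending):  # end of input: emit whatever is still pending
        flush(g, last_t, "end_of_input")
    return out

if __name__ == "__main__":
    for rec in aggregate(SAMPLE_EVENTS):
        print(rec)
```

Each emitted record keeps the per-alert counts, so the volume drops without losing which alerts fired within the group.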
Known Problems, Limitations, and Fixes
For a current and complete list of HP-UX HIDS problems and their fixes, refer to the
Technical Knowledge Database on the HP IT Resource Center Websites:
• http://us-support.external.hp.com for Americas/Asia-Pacific customers
• http://europe-support.external.hp.com for European customers
The Technical Knowledge Database is available to customers with support contracts.