HP-UX Host Intrusion Detection System Release 4.0 Release Notes for HP-UX 11i v1 | HP-UX 11i v2
Announcement
New and Changed Features
HP-UX HIDS Release 4.0 runs on HP-UX 11i v1 and 11i v2. It is
available on the Application Releases media and from the HP Software Depot.
In this document, “11i” without a qualifier refers to both supported 11i
versions.
Release 4.0 Highlights
HP-UX HIDS Release 4.0 contains the following new features, changes
and enhancements:
• HP-UX HIDS supports a new feature, alert aggregation, that
can significantly reduce the alert volume from a monitored system.
When it is enabled, alerts generated by a process or by a group of
related processes are aggregated until those processes terminate or
a configured amount of time elapses. With aggregation enabled, the
number of alerts can be reduced by up to three orders of magnitude.
Because one aggregated alert stands for many underlying events,
review the aggregation settings against the level of per-event detail
your response process needs. See the section
“Configuring Alert Aggregation” in Chapter 5, Schedule Manager
Screen, of the Host Intrusion Detection System Administrator’s
Guide for details.
• The template property values of the file-related preconfigured groups
and templates have been changed to monitor only a core set of critical
files, which reduces the alert volume. For example, only specific files in
the /etc directory (such as /etc/passwd and /etc/shadow) are monitored
instead of the entire directory. If your site depends on other files
being watched, add them to the template properties explicitly.
</gre_replace>
<gr_replace lines="27-34" cat="clarify" orig="• In earlier releases, the system templates">
• In earlier releases, the system templates (login/logout and su)
hard-coded root and ids as the critical users when deciding which
alerts are high severity. Because products such as SAFer can grant
root privileges to several users, HIDS must allow the set of critical
users to be configured. The system templates now provide template
properties for specifying the critical user names. For more information
about these properties, refer to the Host Intrusion Detection System
Administrator’s Guide.
• In earlier releases, the system templates (login/logout and su) hard
coded root and ids as being critical for determining alerts with high
severity. Since applications like SAFer support the assignment of
root privileges to several users, HIDS must support configuration of
critical users. The system templates support new template
properties to specify the critical user names. For more information
about these properties refer to the Host Intrusion Detection System
Administrator’s Guide.
• The template properties that specify user IDs (for example,
priv_uid_list), which in prior releases accepted only numeric user IDs,
now accept both numeric user IDs and user names.
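The two behaviours described above, aggregation of alerts per group of related processes with flushing on termination or timeout, and a critical-user list that mixes user names and numeric UIDs, can be illustrated with a small Python model. This is an added example, not HP-UX HIDS code: the event record layout (a `pgid` field standing in for "related processes"), the one-exit-closes-the-group rule, the 60-second window, the property value `"root, ids, 1001"` and the `PASSWD` table are all constructed for illustration and are not taken from the product.

```python
"""Illustrative alert aggregation keyed on related processes, with the
severity of each alert decided by a configurable critical-user list.

Added example, not HP-UX HIDS code: the event record layout, the window
policy and the passwd table are constructed for illustration.
"""

# Constructed name -> uid table standing in for /etc/passwd (a real tool
# would call pwd.getpwnam on the monitored host).
PASSWD = {"root": 0, "ids": 105, "oracle": 1001, "alice": 1002}

SEVERITY_RANK = {"medium": 1, "high": 2}


def resolve_users(spec):
    """Parse a comma-separated template property that mixes user names and
    numeric UIDs (e.g. "root, ids, 1001") into a set of UIDs.

    Names that do not resolve are returned separately so a configuration
    typo surfaces instead of silently shrinking the critical set."""
    uids, unknown = set(), []
    for tok in (t.strip() for t in spec.split(",")):
        if not tok:
            continue
        if tok.isdigit():
            uids.add(int(tok))
        elif tok in PASSWD:
            uids.add(PASSWD[tok])
        else:
            unknown.append(tok)
    return uids, unknown


def severity(event, critical_uids):
    """A login/su whose target account is critical is rated high; others medium."""
    return "high" if event["target_uid"] in critical_uids else "medium"


class Aggregator:
    """Collapse raw alerts into one summary per process group.

    A summary is emitted when the group terminates, when `window` seconds
    have elapsed since its first alert, or when input ends."""

    def __init__(self, window):
        self.window = window
        self.open = {}      # pgid -> summary being accumulated
        self.emitted = []   # finished summaries, in emission order

    def _flush(self, pgid, reason):
        summary = self.open.pop(pgid)
        summary["reason"] = reason
        self.emitted.append(summary)

    def feed(self, event, critical_uids):
        now = event["time"]
        # Time-based flush: check every open group against the window first so
        # a late alert never extends a window that has already expired.
        for pgid in list(self.open):
            if now - self.open[pgid]["first"] >= self.window:
                self._flush(pgid, "timeout")

        pgid = event["pgid"]
        if event["kind"] == "exit":
            # Simplification (assumption): one exit record closes the whole group.
            if pgid in self.open:
                self._flush(pgid, "terminated")
            return

        sev = severity(event, critical_uids)
        summary = self.open.setdefault(pgid, {
            "pgid": pgid, "first": now, "last": now, "count": 0,
            "severity": sev, "sample": event["detail"]})
        summary["count"] += 1
        summary["last"] = now
        # Keep the highest severity seen so aggregation never downgrades an alert.
        if SEVERITY_RANK[sev] > SEVERITY_RANK[summary["severity"]]:
            summary["severity"] = sev

    def close(self):
        for pgid in list(self.open):
            self._flush(pgid, "end of input")
        return self.emitted


def run_demo():
    """Feed a constructed stream of four raw alerts and one group exit; returns
    the three aggregated summaries that result."""
    critical, unknown = resolve_users("root, ids, 1001")
    assert not unknown
    # Constructed event stream (not real HIDS output).
    events = [
        {"time": 0,  "pgid": 500, "kind": "alert", "target_uid": 0,    "detail": "su to root"},
        {"time": 5,  "pgid": 500, "kind": "alert", "target_uid": 1002, "detail": "su to alice"},
        {"time": 10, "pgid": 501, "kind": "alert", "target_uid": 1001, "detail": "login oracle"},
        {"time": 20, "pgid": 500, "kind": "exit"},
        {"time": 80, "pgid": 502, "kind": "alert", "target_uid": 1002, "detail": "login alice"},
    ]
    agg = Aggregator(window=60)
    for ev in events:
        agg.feed(ev, critical)
    return agg.close()


if __name__ == "__main__":
    for s in run_demo():
        print(s)
```

Running the demo turns four raw alerts into three summaries: group 500 is flushed when it exits (two alerts, rated high because one targeted root), group 501 is flushed by the 60-second window, and group 502 is flushed at end of input. The design point worth carrying over to a real deployment is that aggregation keeps the highest severity seen and keeps a count, so the reduction in volume does not hide that a critical account was touched.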