HP-UX Host Intrusion Detection System Release 4.1 Release Notes for HP-UX 11i v1 | HP-UX 11i v2 | HP-UX 11i v3
WARNING: Invalid hostname [rt-date] specified. Skipping....
ERROR: No valid agent hostnames entered.
• After an idsadmin tune or report command is executed, idsadmin drops any
connection it had established with an agent before the tune or report command
was invoked. A subsequent status command re-establishes the connection to that
agent.
The idsadmin Tool Cannot Monitor more than one Agent at a Time
The idsadmin tool does not monitor or display alerts in near real-time from multiple
agents at the same time. The idsadmin tool can only monitor and display alerts from
one agent at any given time. To view alerts for multiple agents at the same time, you
must use the GUI System Manager or use the idsadmin --report command to
generate a consolidated alert report across multiple agents.
Display of Schedules Created Using Earlier Versions of HIDS
The GUI System Manager does not display v4.0 or v3.x text schedules that were placed
in /etc/opt/ids/schedules unless these schedules are migrated to HIDS 4.1. For
more information on migrating schedules, see “Migrating Schedules from Older Versions
of HIDS” (page 31).
The Migrator Tool does not Update suppression_targets_to_ignore properly
When migrating schedules from 4.0, the migrator tool does not escape the . character
in the pathnames of the default files listed in suppression_targets_to_ignore (for
example, .rhosts), that is, the files whose alerts must not be suppressed. After
migration, you must manually insert a \ before each . in those pathnames; otherwise
the entries do not match and the alerts for these files are suppressed.
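The following Python helper is an added example, not part of HP's migrator, that inserts the backslash the notes say you must add by hand. It escapes every unescaped . in a pathname and is idempotent, so it can be run over a schedule that was already partly fixed. The release notes do not describe the schedule file layout; the helper assumes (as a labelled assumption) that the ignore list is one line whose first token is suppression_targets_to_ignore followed by whitespace-separated pathnames, and the sample input below is constructed for illustration.

```python
"""Escape literal '.' characters in migrated HIDS suppression_targets_to_ignore entries.

Added example, not HP code. ASSUMPTION: the ignore list is a single schedule
line of the form "suppression_targets_to_ignore <path> <path> ..."; the release
notes do not document the real layout.
"""
import re

KEY = "suppression_targets_to_ignore"

# A '.' that is not already preceded by a backslash.
_UNESCAPED_DOT = re.compile(r"(?<!\\)\.")


def escape_dots(path: str) -> str:
    """Return PATH with every unescaped '.' turned into '\\.'.

    Idempotent: "/root/\\.rhosts" comes back unchanged, so running the fix twice
    (or over a file someone already edited by hand) does not double-escape.
    """
    return _UNESCAPED_DOT.sub(r"\\.", path)


def fix_line(line: str) -> str:
    """Rewrite the ignore-list line; leave every other schedule line untouched."""
    body = line.rstrip("\n")
    parts = body.split()
    if not parts or parts[0] != KEY:
        return line
    fixed = [KEY] + [escape_dots(p) for p in parts[1:]]
    return " ".join(fixed) + ("\n" if line.endswith("\n") else "")


def fix_schedule(text: str) -> str:
    """Apply fix_line to a whole migrated schedule file."""
    return "".join(fix_line(l) for l in text.splitlines(keepends=True))


# Constructed sample of a migrated 4.0 schedule fragment (layout assumed, see above).
SAMPLE = """# migrated from HIDS 4.0 (constructed sample)
suppression_targets_to_ignore /root/.rhosts /etc/hosts.equiv /root/.profile
some_other_setting value.with.dots
"""

if __name__ == "__main__":
    # Prints the schedule with /root/\.rhosts, /etc/hosts\.equiv, /root/\.profile
    # on the ignore line and the other lines unchanged.
    print(fix_schedule(SAMPLE), end="")
```

Run it over a copy of the migrated schedule first and diff the result against the original before replacing the file in /etc/opt/ids/schedules, since only the ignore-list line should change.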
Limitation While Using the ids.cf File for Configuring Duplicate Alert Suppression
In the /etc/opt/ids/ids.cf file, a non-commented line in an [ENVIRONMENT] ...
[END] section is not read if it is preceded by a commented line. If you want to
configure duplicate alert suppression through the ids.cf file, you must therefore
place the SUPPRESSION line before any commented lines. In the default section shown
below, SUPPRESSION is commented out and follows the commented AGGREGATION line:
[ENVIRONMENT]
IDS_USER ids
ALLOW_DUMPS 1
#AGGREGATION 0 # 0(1) to turn alert aggregation off(on).
#SUPPRESSION 0 # 0(1) to turn duplicate alert suppression off(on).
#SUPPRESSION_REPORT 0 # 0(1) to turn reporting of suppressed alerts off(on).
# # these flags overrides flags in schedule file
[END]
To enable duplicate alert suppression, move the SUPPRESSION line so that it precedes
the first commented line of the section, uncomment it, and set its value to 1 (0
leaves suppression turned off), as shown below:
[ENVIRONMENT]
IDS_USER ids
ALLOW_DUMPS 1
SUPPRESSION 1 # 0(1) to turn duplicate alert suppression off(on).
#AGGREGATION 0 # 0(1) to turn alert aggregation off(on).
#SUPPRESSION_REPORT 0 # 0(1) to turn reporting of suppressed alerts off(on).
# # these flags overrides flags in schedule file
[END]
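The following Python is an added example, not HP code, that checks an ids.cf [ENVIRONMENT] section for this limitation and rewrites it into the required order. It models the rule stated above as: inside [ENVIRONMENT] ... [END], any setting that appears after the first commented line is not honored (that reading of the notes is an assumption). The two sample sections are constructed from the defaults shown above: the first has SUPPRESSION uncommented in place, after the commented AGGREGATION line, which is the mistake an administrator is most likely to make; the second is the corrected order.

```python
"""Check and fix the comment-ordering limitation in an HP-UX HIDS ids.cf [ENVIRONMENT] section.

Added example, not HP code. ASSUMPTION: a setting line that follows any commented
line inside [ENVIRONMENT] ... [END] is ignored by the daemon, as the release notes
state for SUPPRESSION.
"""
from typing import Dict, List, Tuple


def environment_section(text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, line) pairs between [ENVIRONMENT] and the next [END]."""
    out, inside = [], False
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s == "[ENVIRONMENT]":
            inside = True
            continue
        if s == "[END]" and inside:
            break
        if inside:
            out.append((n, line))
    return out


def shadowed_settings(text: str) -> List[Tuple[int, str]]:
    """Settings that follow a commented line and are therefore not honored."""
    seen_comment, bad = False, []
    for n, line in environment_section(text):
        s = line.strip()
        if not s:
            continue
        if s.startswith("#"):
            seen_comment = True
        elif seen_comment:
            bad.append((n, s.split()[0]))
    return bad


def effective_settings(text: str) -> Dict[str, str]:
    """Key/value pairs the daemon will see, stopping at the first commented line."""
    settings: Dict[str, str] = {}
    for _, line in environment_section(text):
        s = line.strip()
        if not s:
            continue
        if s.startswith("#"):
            break
        key, _, rest = s.partition(" ")
        settings[key] = rest.split("#")[0].strip()  # drop a trailing inline comment
    return settings


def hoist_settings(text: str) -> str:
    """Rewrite the first [ENVIRONMENT] section so all settings precede all comments."""
    lines = text.splitlines()
    start = end = None
    for i, line in enumerate(lines):
        s = line.strip()
        if s == "[ENVIRONMENT]" and start is None:
            start = i
        elif s == "[END]" and start is not None:
            end = i
            break
    if start is None or end is None:
        return text
    body = lines[start + 1:end]
    settings = [l for l in body if l.strip() and not l.strip().startswith("#")]
    comments = [l for l in body if not l.strip() or l.strip().startswith("#")]
    fixed = lines[:start + 1] + settings + comments + lines[end:]
    return "\n".join(fixed) + ("\n" if text.endswith("\n") else "")


# Constructed samples based on the default section in the release notes.
BROKEN = """[ENVIRONMENT]
IDS_USER ids
ALLOW_DUMPS 1
#AGGREGATION 0 # 0(1) to turn alert aggregation off(on).
SUPPRESSION 1 # 0(1) to turn duplicate alert suppression off(on).
#SUPPRESSION_REPORT 0 # 0(1) to turn reporting of suppressed alerts off(on).
[END]
"""

FIXED = """[ENVIRONMENT]
IDS_USER ids
ALLOW_DUMPS 1
SUPPRESSION 1 # 0(1) to turn duplicate alert suppression off(on).
#AGGREGATION 0 # 0(1) to turn alert aggregation off(on).
#SUPPRESSION_REPORT 0 # 0(1) to turn reporting of suppressed alerts off(on).
[END]
"""

if __name__ == "__main__":
    for n, key in shadowed_settings(BROKEN):
        print(f"line {n}: {key} follows a commented line and will be ignored")
    print(effective_settings(BROKEN))  # SUPPRESSION is missing
    print(effective_settings(FIXED))   # SUPPRESSION is present
```

Running shadowed_settings over the live /etc/opt/ids/ids.cf is a cheap check to add after any edit to the file: a SUPPRESSION line that looks enabled but is shadowed means duplicate alerts keep flowing while the configuration appears correct.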