HP-UX Host Intrusion Detection System Release 4.1 Release Notes for HP-UX 11i v1 | HP-UX 11i v2 | HP-UX 11i v3
#AGGREGATION 0 # 0(1) to turn alert aggregation off(on).
#SUPPRESSION_REPORT 0 # 0(1) to turn reporting of suppressed alerts off(on).
# # These flags override the corresponding flags in the schedule file.
[END]
Unexpected Behavior by idsagent when report, resync, or tune Command is Executed
If the /var/opt/ids/gui/logs/{agent}_alert.log file is corrupted, the report,
resync, or tune commands may behave unexpectedly.
The System DSP Fails to Properly Handle a Corrupted wtmp/btmp File
The system DSP (idssysdsp) does not handle corrupted /var/adm/wtmp and /var/adm/btmp
files, which may result in unexpected behavior. To work around this problem,
administrators can rotate /var/adm/wtmp and /var/adm/btmp as follows:
• Save the last few utmp-format entries of /var/adm/[b|w]tmp into a separate file,
/var/adm/[b|w]tmp.last.
• Truncate /var/adm/[b|w]tmp to size 0. Do not write the entries that were saved in
the *.last file back into the truncated file.
• The next time the b/wtmp files need to be rotated, replace [b|w]tmp.last with
the most recent last few [b|w]tmp entries.
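The rotation above, written out as a POSIX sh script. This is an added example, not HP-UX HIDS code or anything from the release notes: the function names are this example's own, RECORD_SIZE is an assumption that you must set to sizeof(struct utmp) from the <utmp.h> of the system that writes the file (wtmp and btmp are arrays of fixed-size binary records, so the script never parses them, it only copies the trailing records), and the self-test at the end runs on a constructed file rather than real login accounting data. It refuses to rotate a file whose length is not a whole number of records, which is exactly the corruption the DSP mishandles and which deserves a look before anything is thrown away.

```shell
#!/bin/sh
# Added example (not HP-UX HIDS code): rotate a binary wtmp/btmp-style
# accounting file as the workaround describes. The last KEEP fixed-size
# records go to FILE.last (replacing any earlier FILE.last) and FILE is
# truncated to size 0; the saved records are never written back.
#
# Assumptions: RECORD_SIZE must equal sizeof(struct utmp) on the platform
# that writes the file (check <utmp.h> there); the function names are this
# example's own; the demo at the bottom uses a constructed file.

# file_size FILE -> prints the size of FILE in bytes as a bare integer
file_size() {
    echo $(( $(wc -c < "$1") + 0 ))
}

# count_records FILE RECORD_SIZE -> prints the number of whole records in FILE
count_records() {
    echo $(( $(file_size "$1") / $2 ))
}

# rotate_acct_file FILE RECORD_SIZE KEEP
#   Copies the last KEEP records of FILE to FILE.last, then truncates FILE.
#   Returns 1 if FILE is missing, 2 if its size is not a multiple of
#   RECORD_SIZE (the file is already corrupted: inspect it, do not rotate
#   it blindly), 3 if the copy failed. FILE is untouched on any error.
rotate_acct_file() {
    file=$1; rec=$2; keep=$3
    if [ ! -f "$file" ]; then
        echo "rotate_acct_file: $file: no such file" >&2
        return 1
    fi
    size=$(file_size "$file")
    if [ $((size % rec)) -ne 0 ]; then
        echo "rotate_acct_file: $file: $size bytes is not a multiple of $rec; refusing to rotate" >&2
        return 2
    fi
    nrec=$((size / rec))
    if [ "$nrec" -lt "$keep" ]; then
        keep=$nrec
    fi
    # dd in record-sized blocks copies only the trailing records and is
    # binary-safe, unlike reading the file into a shell variable.
    dd if="$file" of="$file.last" bs="$rec" skip=$((nrec - keep)) count="$keep" 2>/dev/null || return 3
    # Truncate in place rather than unlinking, so processes that hold the
    # file open (login, idssysdsp) keep writing to the same inode.
    : > "$file"
}

# make_sample FILE RECORD_SIZE N
#   Builds a constructed test file of N NUL-padded records of RECORD_SIZE
#   bytes; each record starts with its index in ASCII so the kept tail can
#   be checked. Test data only, not real accounting records.
make_sample() {
    out=$1; rec=$2; n=$3
    : > "$out"
    i=0
    while [ "$i" -lt "$n" ]; do
        printf '%d' "$i" | dd of="$out" bs="$rec" seek="$i" count=1 conv=sync,notrunc 2>/dev/null
        i=$((i + 1))
    done
}

# Demonstration: 10 constructed records of 16 bytes, keep the last 3.
demo() {
    dir=$(mktemp -d)
    make_sample "$dir/wtmp" 16 10
    rotate_acct_file "$dir/wtmp" 16 3
    echo "wtmp is now $(file_size "$dir/wtmp") bytes; wtmp.last holds $(count_records "$dir/wtmp.last" 16) records"
    rm -rf "$dir"
}

demo
```

Run it as root against the real files with the platform's record size, for example `rotate_acct_file /var/adm/wtmp "$RECORD_SIZE" 20`, and verify the saved tail with the system's accounting tools before discarding anything. Because idssysdsp and login keep the files open, the truncation is done with a redirection on the existing inode rather than by removing and recreating the file.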
SSH Does Not Perform a Clean Exit After idsagent Is Started
After starting idsagent from an ssh login, logging out of the agent system results in
the ssh session hanging indefinitely. (ssh keeps the session open until the remote
command's standard output and error reach end of file, which a daemon that inherits
those descriptors from the login shell prevents.) As a workaround, log in by entering:
ssh -l root <machine> /usr/dt/bin/dtterm
Then type the /sbin/init.d/idsagent start command interactively in the dtterm window.
Agents and Kernel Parameters
The System Manager on the administration system can monitor up to 23 agent systems
unless you change kernel parameters, as described in Chapter 2, “Configuring HP-UX HIDS,”
in the HP-UX Host Intrusion Detection System Administrator’s Guide.
Dropped Kernel Audit Records
Depending on the system profile and product configuration, and under heavy load,
HIDS can drop kernel audit records and therefore miss potential intrusions. The
IDDS_MODE configuration parameter for the kernel DSP in the ids.cf configuration
file controls only whether the kernel auditing subsystem (IDDS) blocks or drops
audit records under heavy load. The user space component of HP-UX HIDS
(idskerndsp), which collects audit data from IDDS, currently cannot be configured to
either block or drop audit records under heavy load. Instead, the product displays a notice
in the Network Browser error panel that audit records are being dropped. The kernel
DSP parameters DROP_NOTIFY_INTERVAL and LOW_WATERMARK control how often
reminder notices are sent and the point at which a notice is sent when audit records
Known Problems, Limitations, and Fixes 25