HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
done over a period of time, aggregated alerts by definition are issued after a delay, unlike real-time alerts that are issued as soon as they are generated.
Alert An alert is also referred to as a notification. A message sent by HP-UX HIDS warning of a suspected or actual intrusion, and usually calling for some sort of action in response. Typically, the alert is sent to a display window on the management component and logged as an entry to a log file.
Alert Aggregation Tuple A schedule property used to aggregate any alert triggered by a process running a particular program and any alert triggered by the process's descendant processes (that is, child process, grandchild process, and so on).
Audit data Audit data is also referred to as kernel audit data. The most detailed level of system data used by HP-UX HIDS. As each system call is executed, its parameters and outcome are recorded in a log file. HP-UX HIDS uses these records to detect intrusion.
Console See Administration System and System Manager.
Correlator A core component of HP-UX HIDS that interprets and categorizes data sources, correlates information to known detection templates, and sends notification of any suspected intrusions to the HP-UX HIDS System Manager.
CSS Cascading Style Sheets (CSS) is a standard stylesheet language used to describe the presentation of a document written in a markup language such as HTML.
Data source System data monitored by HP-UX HIDS to detect intrusions. Examples of data sources are the wtmp[s]/btmp[s] and su log files for monitoring logins, logouts, and su attempts, as well as kernel audit records produced by the kernel audit subsystem (IDDS) for monitoring file system modifications and other signs of intrusion or misuse.
Data Source Process (DSP) A component of the HP-UX HIDS agent that reads the data sources and presents the information for alert calculation.
Detection template Basic building block or pattern used to combat security attacks on systems.
Duplicate alert An alert whose attacker (uid), target, type of attack (action), and program name attributes are the same as those of an alert already reported by HIDS, within the specified Suppression Count and Suppression Interval values.
Duplicate Alert Suppression (DAS) A feature that suppresses duplicate alerts from being generated and reported to the HIDS administrator console. This feature applies only to kernel-related templates, except for the race condition and buffer overflow templates.
HTML HyperText Markup Language (HTML) is a markup language for creating web pages.
Intrusion An intrusion is also referred to as an attack. A violation of system security policy by an unauthorized outsider. An intrusion can include intruding into an unauthorized network area, accessing certain systems within the network, accessing certain files, or running certain programs.
Intrusion Detection Data Source (IDDS) The HP-UX kernel-based audit system used by HP-UX HIDS to monitor the host system for potential intrusion activities.
Intrusion Detection System (IDS) An automated system that detects a security violation on a system or a network.
Glossary of HP-UX HIDS Terms 31