HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

NOTE: The IDS_genAdminKeys and IDS_genAgentCerts commands include options to provide alternate key lengths and alternate expiration dates for the administration and agent certificates. For more information, see IDS_genAdminKeys(1M) and IDS_genAgentCerts(1M). The default key length is 1024 bits. The default expiration is 700 days.
TIP: You can automate agent certificate creation by creating a file of host names and IP addresses, one host name or IP address per line. Each entry must refer to a single IP address on an agent system. For more information, see “Configuring a Multihomed Agent System” (page 42).
If your file name is list_of_hosts, then the command is as follows:
$ cat list_of_hosts | IDS_genAgentCerts
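Because IDS_genAgentCerts takes the host list verbatim, a stray blank line, a line carrying two names, or a duplicated host produces certificate bundles for the wrong names, and the mistake is only discovered when an agent fails to connect. The following pre-flight check is an added example and is not part of the HP-UX HIDS guide or its tools; it validates the file before it is piped into IDS_genAgentCerts, using only POSIX sh and awk. The file name list_of_hosts and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the HP-UX HIDS guide: check the host list that
# will be fed to IDS_genAgentCerts. Each line must carry exactly one host
# name or IP address (no blanks, no extra tokens, no duplicates).

# validate_host_list FILE
# Prints one diagnostic per bad line to stderr; returns 0 only if the
# file is clean, 1 if any line is rejected, 2 if it cannot be read.
validate_host_list() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            if (line == "") {
                bad++; printf("line %d: empty line\n", NR); next
            }
            if (line ~ /[ \t]/) {
                bad++; printf("line %d: more than one entry: \"%s\"\n", NR, line); next
            }
            # host names and IPv4/IPv6 literals only
            if (line !~ /^[A-Za-z0-9.:-]+$/) {
                bad++; printf("line %d: unexpected characters: \"%s\"\n", NR, line); next
            }
            if (line in seen) {
                bad++; printf("line %d: duplicate of line %d: %s\n", NR, seen[line], line); next
            }
            seen[line] = NR
        }
        END { exit (bad > 0) ? 1 : 0 }
    ' "$file" 1>&2
}

# Typical use on the administration system (IDS_genAgentCerts is only
# present on an HP-UX HIDS host, so the call is guarded here):
#   validate_host_list list_of_hosts && cat list_of_hosts | IDS_genAgentCerts
if [ "${HIDS_RUN_DEMO:-0}" = 1 ] && command -v IDS_genAgentCerts >/dev/null 2>&1; then
    validate_host_list list_of_hosts && cat list_of_hosts | IDS_genAgentCerts
fi
```

The check deliberately stops at syntax: whether a name resolves to exactly one address on the agent (the multihomed case the TIP refers to) is a DNS question that should be settled when the list is written, not guessed at by a script.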
2. Transporting the certificates
Transfer the agent certificate bundles through a secure channel to the agent systems.
To securely transport the certificate bundles stored in /var/opt/ids/tmp/hostname.tar.Z to each of the agent machines, use an out-of-band secure channel. There are different ways to move your files from one system to another securely. For example, you can use encrypted PGP email, a portable medium such as a floppy disk or tape cassette that you carry from one system to another, an NFS mount, or an FTP site. However, because every environment is different, you must determine which method is best for your particular situation.
CAUTION: FTP, RCP, and unencrypted email are not secure methods of transportation; the contents of files can be exposed to eavesdroppers, which threatens the security of the communication system.
Private key files are protected by granting read and write permission to the file's owning user ID only; group and other users have no access.
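Two checks follow naturally from the transport step and the permission rule above. First, whatever channel carries the bundles, a cksum(1) manifest recorded on the administration system before the bundles leave it, sent by a separate route, and re-checked on each agent after arrival, shows whether a bundle was altered or truncated on the way. Second, the private key permissions can be verified rather than assumed. The script below is an added example and is not from the HP-UX HIDS guide; it uses only cksum and ls, both of which exist on HP-UX and on any POSIX system. The directory layout and the bundle names it is run against are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the HP-UX HIDS guide. Integrity manifest for the
# certificate bundles plus a permission check for private key files.
# Bundle names have no spaces (they are host names), which is what lets
# the cksum output be split on whitespace below.

# make_manifest DIR
# Writes one "crc size name" line per *.tar.Z bundle in DIR to stdout.
# Run on the administration system before transport; send the manifest
# by a different channel than the bundles.
make_manifest() {
    ( cd "$1" && for f in *.tar.Z; do
        if [ -f "$f" ]; then cksum "$f"; fi
    done )
}

# verify_manifest MANIFEST DIR
# Run on the agent after transport. Returns 0 only if every bundle named
# in MANIFEST is present in DIR with the recorded CRC and size.
verify_manifest() {
    manifest=$1; dir=$2; rc=0
    while read -r crc size name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2; rc=1; continue
        fi
        actual=$(cd "$dir" && cksum "$name")
        if [ "$actual" != "$crc $size $name" ]; then
            echo "MISMATCH $name: expected $crc $size, got ${actual%% $name}" >&2
            rc=1
        fi
    done < "$manifest"
    return $rc
}

# check_key_perms FILE
# Returns 0 only if FILE is a regular file with mode rw------- (owner
# read/write, nothing for group or other). The first ten characters of
# "ls -ld" are used because HP-UX has no stat(1).
check_key_perms() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        -rw-------) return 0 ;;
        "")         echo "NO SUCH FILE $1" >&2; return 1 ;;
        *)          echo "BAD PERMS $1: $mode (expected -rw-------)" >&2; return 1 ;;
    esac
}
```

On the administration side the sequence is `make_manifest /var/opt/ids/tmp > bundles.cksum`, then ship the bundles one way and bundles.cksum another; on each agent, `verify_manifest bundles.cksum <arrival directory>` before unpacking, and `check_key_perms` on the installed private key file once the bundle is in place. cksum is a CRC, not a cryptographic hash, so it catches transit damage and accidental substitution; the confidentiality of the keys still rests entirely on the channel being secure, as the CAUTION above says.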
40 Configuring HP-UX HIDS