Manualshelf

HP-UX Host Intrusion Detection System Version 4.2 Administration Guide

ManualsBrandsHP ManualsSoftwareHP-UX Host Intrusion Detection System Software
21222324252627282930
HP-UX HIDS Components
HP-UX HIDS includes the following components:
System Manager The System Manager is a GUI that enables you to configure, control, and
monitor the HP-UX HIDS system. Any intrusions detected are reported as alerts.
Host-based agent The host-based agent gathers system data, monitors system activity, and
issues intrusion alerts.
Detection templates Detection templates contain the most commonly encountered system
attack patterns. Therefore, once these patterns of activity are recognized as matching with
one of the HP-UX HIDS detection templates, HP-UX HIDS can detect the intrusion.
Data-gathering components HP-UX HIDS comprises modules that gather and format
information from data sources at various points within the system. Kernel audit data and
system log data are the data sources. HP-UX HIDS uses these components to monitor all
resources within the network.
Correlation engine HP-UX HIDS uses a correlation process that takes data from system
data sources and determines whether an alert must be issued.
Secure network communications link HP-UX HIDS uses an encrypted network link as a
means of stopping an attacker from observing the traffic between its components, and
possibly sending false data to disrupt its operations.
Response capability Alerts are sent to the System Manager. In addition, alerts can be
processed by response programs that you create or install.
For more definitions, see “Glossary of HP-UX HIDS Terms” (page 26).
Figure 1-1 shows a graphic representation of these components.
The HP-UX HIDS System Manager performs security management and develops surveillance
schedules. These schedules are sent to the HP-UX HIDS Agent where they are run at specified
times. The HP-UX HIDS agent uses Kernel Audit Data and System Log Data to run these
schedules.
If an alert is generated, it is sent to the HP-UX HIDS System Manager. The System Manager
delivers this message to you as an alert notification.
In addition, the HP-UX HIDS agent executes your alert response programs, which can include
an HP-supplied interface with OpenView Operations as well as other response actions.
24 Introduction