HP-UX Host Intrusion Detection System Version 4.2 Release Notes

The idsadmin Command Does not Parse Schedules Whose Property Lines Exceed 65535 Characters
If a schedule has a property line exceeding 65535 characters, idsadmin or idsagent does not
parse the schedule but logs an error message. In older versions of HIDS, running these commands
on schedules with property lines exceeding 65535 characters can cause HIDS to dump core.
Limitation when Using idsadmin in Interactive Mode
If idsadmin had established a connection with an agent before an idsadmin tune or report
command was invoked, idsadmin no longer has a connection to that agent after the tune or report
command completes. Run a status command to reestablish the connection to that agent.
The idsadmin Tool Cannot Monitor more than one Agent at a Time
The idsadmin tool does not monitor or display alerts in near real-time from multiple agents at
the same time. The idsadmin tool can only monitor and display alerts from one agent at any
given time. To view alerts for multiple agents at the same time, you must use the GUI System
Manager or use the idsadmin --report command to generate a consolidated alert report
across multiple agents.
Display of Schedules Created Using Earlier Versions of HIDS
The GUI System Manager does not display v4.0 or v3.x text schedules that were placed in
/etc/opt/ids/schedules unless these schedules are migrated to HIDS v4.1 or HIDS v4.2. For more
information on migrating schedules, see “Migrating Schedules from Older Versions of HIDS”
(page 21).
The Migrator Tool does not Update suppression_targets_to_ignore properly
When migrating schedules from HIDS 4.0, the migrator tool does not escape the . character in the
pathnames of the default files (for example, .rhosts) whose alerts are not to be suppressed. After
migration, you must manually insert a \ before the . in each of these pathnames (for example,
\.rhosts) if you do not want the alerts for these files to be suppressed.
Limitation While Using the ids.cf File for Configuring Duplicate Alert Suppression
In the /etc/opt/ids/ids.cf file, non-commented lines in a [ENVIRONMENT] ... [END]
section cannot be preceded by commented lines. For example, if you want to configure duplicate
alert suppression through the ids.cf file, you must place the SUPPRESSION line before any
commented lines as shown in the following example:
[ENVIRONMENT]
IDS_USER ids
ALLOW_DUMPS 1
#AGGREGATION 0 # 0(1) to turn alert aggregation off(on).
#SUPPRESSION 0 # 0(1) to turn duplicate alert suppression off(on).
#SUPPRESSION_REPORT 0 # 0(1) to turn reporting of suppressed alerts off(on).
# # these flags overrides flags in schedule file
[END]
To enable duplicate alert suppression, move the SUPPRESSION line above the first commented line
of the section, uncomment it, and set its value to 1 (0 turns suppression off, 1 turns it on), as
shown below:
[ENVIRONMENT]
IDS_USER ids
ALLOW_DUMPS 1
SUPPRESSION 1 # 0(1) to turn duplicate alert suppression off(on).
#AGGREGATION 0 # 0(1) to turn alert aggregation off(on).
#SUPPRESSION_REPORT 0 # 0(1) to turn reporting of suppressed alerts off(on).
# # these flags overrides flags in schedule file
[END]
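The following Python script is an added example and is not part of these release notes or of the HIDS product. It models the ids.cf ordering limitation described above, reports which settings in an [ENVIRONMENT] ... [END] section sit after a commented line, and rewrites the section so that active settings come first. It assumes (the release note states only that such placement is not allowed) that a setting line placed after a comment line is not honoured, and that setting lines have the form KEY value with an optional trailing # comment, as in the fragment above. The helper names parse_environment, reorder_environment and set_flag are the example's own, not idsadmin's.

```python
"""Lint and repair the [ENVIRONMENT] ... [END] section of an HP-UX HIDS ids.cf file.

Added example, not HIDS code.  ASSUMPTION: a setting line that comes after a
comment line inside the section is not honoured (the release note only says it
must not be placed there).  Setting lines are assumed to be 'KEY value [# comment]'.
"""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample: the shipped-style fragment quoted in the release notes.
SAMPLE = """[ENVIRONMENT]
IDS_USER ids
ALLOW_DUMPS 1
#AGGREGATION 0 # 0(1) to turn alert aggregation off(on).
#SUPPRESSION 0 # 0(1) to turn duplicate alert suppression off(on).
#SUPPRESSION_REPORT 0 # 0(1) to turn reporting of suppressed alerts off(on).
# # these flags overrides flags in schedule file
[END]
"""

# Constructed mistake: an active SUPPRESSION line appended after the comments.
MISPLACED = SAMPLE.replace("[END]", "SUPPRESSION 1\n[END]")


def parse_environment(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (honoured, ignored) settings; 'ignored' are those placed after
    the first comment line of the section (the disallowed placement)."""
    honoured: Dict[str, str] = {}
    ignored: Dict[str, str] = {}
    in_section = seen_comment = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[ENVIRONMENT]":
            in_section, seen_comment = True, False
        elif line == "[END]":
            in_section = False
        elif in_section and line:
            if line.startswith("#"):
                seen_comment = True
                continue
            body = line.split("#", 1)[0].strip()  # drop a trailing comment
            parts = body.split(None, 1)
            if len(parts) == 2:
                key, value = parts
                (ignored if seen_comment else honoured)[key] = value
    return honoured, ignored


def reorder_environment(text: str) -> str:
    """Move every active setting line above the first comment line of the section."""
    out: List[str] = []
    settings: List[str] = []
    comments: List[str] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[ENVIRONMENT]":
            in_section, settings, comments = True, [], []
            out.append(raw)
        elif in_section and line == "[END]":
            out.extend(settings + comments + [raw])
            in_section = False
        elif in_section:
            (comments if (not line or line.startswith("#")) else settings).append(raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


def set_flag(text: str, key: str, value: str) -> str:
    """Set KEY to VALUE in the section: uncomment '#KEY old' (keeping its trailing
    comment) or replace 'KEY old', appending the line if absent, then reorder so
    the active line lands before the first comment line."""
    pattern = re.compile(r"#?\s*" + re.escape(key) + r"\s+\S+(.*)$")
    out: List[str] = []
    in_section = done = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[ENVIRONMENT]":
            in_section = True
        elif line == "[END]":
            if in_section and not done:
                out.append(f"{key} {value}")
                done = True
            in_section = False
        elif in_section and not done:
            m = pattern.match(line)
            if m:
                out.append(f"{key} {value}{m.group(1)}")
                done = True
                continue
        out.append(raw)
    return reorder_environment("\n".join(out) + "\n")


if __name__ == "__main__":
    # Usage: python ids_cf_lint.py [/etc/opt/ids/ids.cf]; defaults to the constructed sample.
    cfg = open(sys.argv[1]).read() if len(sys.argv) > 1 else MISPLACED
    honoured, ignored = parse_environment(cfg)
    print("honoured:", honoured)
    print("ignored (after a comment line, move up):", ignored)
    print("--- repaired, with SUPPRESSION set to 1 ---")
    print(set_flag(cfg, "SUPPRESSION", "1"), end="")
```

Run it against a copy of /etc/opt/ids/ids.cf before restarting the agent; any setting reported as ignored is one the limitation above would silently discard.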
Known Problems, Limitations, and Fixes 13