HP-UX Host Intrusion Detection System Version 4.2 Release Notes
The next time the GUI is launched, only the first group period will be loaded and scheduled to
run.
Workaround
1. Instead of using the GUI, use your preferred editor to modify the Surveillance Schedule in
the /etc/opt/ids/schedules/<sched name>.txt file, and use the idsadmin
command instead of the GUI to manage agents.
2. Using the GUI, create an identical Surveillance Group for each time period. In the following
example, a duplicate of LoginMonitoringGroup is named LoginMonitoringGroup2:
GROUPPERIOD
NAME LoginMonitoringGroup
GMT 0
STARTTIME 0:00:0
ENDTIME 23:59:1
GROUP LoginMonitoringGroup
ENDGROUP
ENDGROUPPERIOD
GROUPPERIOD
NAME LoginMonitoringGroup2
GMT 0
STARTTIME 0:00:6
ENDTIME 23:59:6
GROUP LoginMonitoringGroup2
ENDGROUP
ENDGROUPPERIOD
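The following check is an added example, not part of HIDS or of these release notes. It flags
a hand-edited schedule file in which one Surveillance Group is still used by more than one
GROUPPERIOD block, or in which a block is left unclosed. The function names are hypothetical,
and the file layout is assumed only from the example above.

```shell
#!/bin/sh
# Added example, not part of HIDS. The file layout is assumed from the
# GROUPPERIOD example in these notes.

# check_schedule [FILE]   (reads standard input when FILE is omitted)
# Prints one finding per line and returns 1 if there is any finding:
#   SHARED <group>   - the group is used by more than one GROUPPERIOD block
#   UNCLOSED <group> - a GROUPPERIOD block has no ENDGROUPPERIOD
check_schedule() {
    awk '
        $1 == "GROUPPERIOD" {
            if (inblk) { print "UNCLOSED", grp; bad = 1 }
            inblk = 1; grp = "(none)"; next
        }
        !inblk { next }
        $1 == "GROUP" { grp = $2 }
        $1 == "ENDGROUPPERIOD" {
            if (++seen[grp] == 2) { print "SHARED", grp; bad = 1 }
            inblk = 0
        }
        END {
            if (inblk) { print "UNCLOSED", grp; bad = 1 }
            exit bad + 0
        }
    ' "${1:--}"
}

# Constructed sample: two time periods that both use LoginMonitoringGroup.
sample_shared() {
    for n in 0 6; do
        printf '%s\n' GROUPPERIOD 'NAME LoginMonitoringGroup' 'GMT 0' \
            "STARTTIME 0:00:$n" "ENDTIME 23:59:$n" \
            'GROUP LoginMonitoringGroup' ENDGROUP ENDGROUPPERIOD
    done
}

sample_shared | check_schedule || true   # prints: SHARED LoginMonitoringGroup
```

To check a real schedule, pass the file name, for example a file in /etc/opt/ids/schedules.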
If the System Manager GUI is not closed gracefully, any Surveillance Schedules that were activated
by the System Manager will be deleted
When a Surveillance Schedule is activated by the System Manager GUI, the schedule is maintained
in memory by the System Manager but the corresponding schedule file is deleted from the
/etc/opt/ids/schedules directory. If the System Manager is properly exited, the schedule file is
restored at that time; however, if the System Manager is not closed gracefully (for example, it
receives a kill signal), the schedule file will not be restored.
Workaround
Save the Surveillance Schedule in the Schedule Manager immediately after activating it to ensure
that the schedule is saved persistently in a schedule file in /etc/opt/ids/schedules.
Defect Fixes and Enhancements in HIDS Version 4.2
HIDS version 4.2 includes the following defect fixes and enhancements:
• Enhancements
— The idsadmin tune command supports the filtering of critical severity alerts.
— The HIDS agent avoids filling up the audit logs when Audit is configured to audit the
open() system call.
• Defect Fixes
— The HIDS GUI no longer leaves schedules in a format that will cause parsing errors the
next time the GUI is launched after being stopped ungracefully.
— The idsadmin tune command generates well-formed tune reports when certain special
characters, such as Control-M (^M), are present in the alert log files.
— The idsadmin command no longer exhibits unexpected behavior in interactive mode
after processing invalid options.
— Setfilexsec warning messages are no longer issued and logged into /etc/rc.log when
HIDS is removed with swremove.
— The following message is no longer issued by the HIDS idssysdsp process: