HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
HP-UX HIDS Components
HP-UX HIDS includes the following components:
• System Manager: The System Manager is a GUI that enables you to configure, control, and monitor the HP-UX HIDS system. Any intrusions detected are reported as alerts.
• Host-based agent: The host-based agent gathers system data, monitors system activity, and issues intrusion alerts.
• Detection templates: Detection templates describe the most commonly encountered system attack patterns. When observed activity matches one of these templates, HP-UX HIDS detects the intrusion.
• Data-gathering components: HP-UX HIDS comprises modules that gather and format information from data sources at various points within the system. Kernel audit data and system log data are the data sources. HP-UX HIDS uses these components to monitor all resources within the network.
• Correlation engine: HP-UX HIDS uses a correlation process that takes data from the system data sources and determines whether an alert must be issued.
• Secure network communications link: HP-UX HIDS uses an encrypted network link to prevent an attacker from observing the traffic between its components, or from injecting false data to disrupt its operation.
• Response capability: Alerts are sent to the System Manager. In addition, alerts can be processed by response programs that you create or install.
For more definitions, see “Glossary of HP-UX HIDS Terms” (page 20).
Figure 1 shows a graphic representation of these components.
The HP-UX HIDS System Manager performs security management and develops surveillance schedules. These schedules are sent to the HP-UX HIDS agent, where they are run at specified times. The HP-UX HIDS agent uses Kernel Audit Data and System Log Data to run these schedules.

If an alert is generated, it is sent to the HP-UX HIDS System Manager. The System Manager delivers this message to you as an alert notification.

In addition, the HP-UX HIDS agent executes your alert response programs, which can include an HP-supplied interface with OpenView Operations as well as other response actions.
18 Introduction