HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
surveillance schedule. You can deploy a surveillance schedule on one or more host systems. You
can also create different surveillance schedules for one or more systems within your network.
Kernel Audit Data
Kernel audit logs are generated by a trusted component of the operating system. The audit logs
include information about every system call that is executed on the host. The information also
includes parameters and outcomes, and is the lowest level of data utilized by HP-UX HIDS. This
data can also include information about starting and stopping sessions for users.
NOTE: HP-UX HIDS is independent of security configurations. It does not use the HP-UX C2
auditing capability, nor does it require the monitored system to be configured in trusted
mode.
System Log Files
HP-UX HIDS monitors system log files to detect user login and logout, and the start of interactive
sessions.
HP-UX HIDS Secure Communications
All communication between HP-UX HIDS components must use secure messaging and protocols.
HP-UX HIDS secure communication uses the Secure Sockets Layer (SSL) protocol for client and
server authentication, integrity, and privacy. HIDS uses the DES-CBC-SHA cipher suite, with a
56-bit key, for SSL encryption. Note that 56-bit single DES is considered weak by current
standards and is disabled by default in modern TLS implementations, so the channel should
not be relied on against a well-resourced attacker. For more information, see "Setting Up HP-UX HIDS
Secure Communications" (page 24).
Glossary of HP-UX HIDS Terms
This section lists and explains the various terms used in this document.
Administration System: A system node in a network that is configured to run the HP-UX HIDS
System Manager.

Agent: The HP-UX HIDS component that gathers system data, monitors system activity, and
issues notifications upon detection of an intrusion.

Agent system/Agent host/Agent node: A system node in a network that is configured to run the
HP-UX HIDS agent program. The agent system is also known as the agent host or the agent node.

Aggregated alert: An alert that contains the aggregation of two or more file-related real-time
alerts that are triggered by the same process or by a group of related processes. Because
aggregation is done over a period of time, aggregated alerts are by definition issued after a
delay, unlike real-time alerts, which are issued as soon as they are generated.

Alert: A message sent by HP-UX HIDS warning of a suspected or actual intrusion, and usually
calling for some sort of action in response. An alert is also referred to as a notification.
Typically, the alert is sent to a display window on the management component and logged as
an entry in a log file.

Alert Aggregation Tuple: A schedule property used to aggregate any alert triggered by a process
running a particular program and any alert triggered by that process's descendant processes
(that is, child process, grandchild process, and so on).

Audit data: Also referred to as kernel audit data. The most detailed level of system data used
by HP-UX HIDS. As each system call is executed, its parameters and outcome are recorded in a
log file. HP-UX HIDS uses these records to detect intrusion.

Console: See Administration System and System Manager.

Correlator: A core component of HP-UX HIDS that interprets and categorizes data sources,
correlates information to known detection templates, and sends notification of any suspected
intrusions to the HP-UX HIDS System Manager.

CSS: Cascading Style Sheets (CSS) is a standard stylesheet language used to describe the
presentation of a document written in a markup language such as HTML.
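To make the Aggregated alert and Alert Aggregation Tuple entries above concrete, the following Python is an added illustration of the grouping idea. It is not HP-UX HIDS code: the alert record fields (ts, pid, ppid, program, path), the fixed aggregation window, and the sample alerts are all constructed assumptions for this example. The tuple is modelled as a set of program paths; an alert is folded into an aggregated alert when the process that raised it, or any of its ancestors, is running a tuple program, and alerts that match no tuple program are passed through as real-time alerts.

```python
"""Aggregate file-related alerts by process ancestry and time window.

Illustrative only: the Alert fields, the aggregation window and the
sample data are assumptions made for this example, not HP-UX HIDS behaviour.
"""
from dataclasses import dataclass, field


@dataclass
class Alert:
    ts: float      # event time in seconds (assumed field)
    pid: int       # process that triggered the alert
    ppid: int      # its parent process
    program: str   # program the process is running (assumed path form)
    path: str      # file the alert concerns


@dataclass
class AggregatedAlert:
    root_pid: int            # nearest ancestor running a tuple program
    root_program: str
    first_ts: float          # window start; issued only after the window
    members: list = field(default_factory=list)


# Constructed sample alerts (not real HIDS output).
SAMPLE_ALERTS = [
    Alert(100.0, 501, 1,   "/usr/bin/sh",  "/etc/passwd"),
    Alert(100.5, 502, 501, "/usr/bin/cp",  "/etc/shadow"),
    Alert(101.0, 503, 502, "/usr/bin/cat", "/etc/group"),
    Alert(130.0, 600, 1,   "/usr/bin/vi",  "/etc/hosts"),
    Alert(131.0, 601, 600, "/usr/bin/sh",  "/etc/inetd.conf"),
    Alert(200.0, 504, 501, "/usr/bin/cp",  "/etc/services"),
]


def find_tuple_root(pid, program_of, parent_of, tuple_programs):
    """Walk pid -> ppid until a process running a tuple program is found.

    Returns that ancestor's pid (the process itself counts), or None if
    neither the process nor any known ancestor runs a tuple program.
    """
    seen = set()
    cur = pid
    while cur in program_of and cur not in seen:
        seen.add(cur)  # guard against a cyclic or reused pid
        if program_of[cur] in tuple_programs:
            return cur
        cur = parent_of[cur]
    return None


def aggregate(alerts, tuple_programs, window):
    """Split alerts into aggregated alerts and pass-through real-time alerts.

    Alerts attributable to the same tuple root are grouped while they fall
    within `window` seconds of the group's first alert; a later alert for the
    same root opens a new group.
    """
    alerts = sorted(alerts, key=lambda a: a.ts)
    program_of = {a.pid: a.program for a in alerts}
    parent_of = {a.pid: a.ppid for a in alerts}
    open_groups = {}          # root_pid -> AggregatedAlert still collecting
    closed, realtime = [], []
    for a in alerts:
        root = find_tuple_root(a.pid, program_of, parent_of, tuple_programs)
        if root is None:
            realtime.append(a)        # no tuple ancestor: issue immediately
            continue
        group = open_groups.get(root)
        if group is None or a.ts - group.first_ts > window:
            if group is not None:
                closed.append(group)  # window elapsed: issue the old group
            group = AggregatedAlert(root, program_of[root], a.ts)
            open_groups[root] = group
        group.members.append(a)
    closed.extend(open_groups.values())
    closed.sort(key=lambda g: g.first_ts)
    return closed, realtime


if __name__ == "__main__":
    groups, passthrough = aggregate(SAMPLE_ALERTS, {"/usr/bin/sh"}, 60.0)
    for g in groups:
        print(f"aggregated: root pid {g.root_pid} ({g.root_program}) "
              f"from t={g.first_ts}: {[a.path for a in g.members]}")
    for a in passthrough:
        print(f"real-time: pid {a.pid} ({a.program}) touched {a.path}")
```

With the sample data, the shell at pid 501 and the cp and cat it spawned collapse into one aggregated alert, the vi session at pid 600 is passed through in real time because none of its ancestors run a tuple program, and the late cp at t=200 starts a second group for root 501 because the first window has elapsed. The ancestry walk depends on ppid being present in the alert stream, which is why that field is listed as an assumption.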
20 Introduction