HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)

Data source
    System data monitored by HP-UX HIDS to detect intrusions. Examples of data sources are the wtmp[s]/btmp[s] and su log files for monitoring logins, logouts, and su attempts, as well as kernel audit records produced by the kernel audit subsystem (IDDS) for monitoring file system modifications and signs of other intrusions or misuse.

Data Source Process (DSP)
    A component of the HP-UX HIDS agent that reads the data sources and presents the information for alert calculation.

Detection template
    Basic building block or pattern used to detect security attacks on systems.

Duplicate alert
    An alert whose attacker (uid), target, type of attack (action), and program name attributes are the same as those of an alert already reported by HIDS, within the specified Suppression Count and Suppression Interval values.

Duplicate Alert Suppression (DAS)
    A feature that suppresses duplicate alerts from being generated and reported to the HIDS administrator console. This feature is applicable only to kernel-related templates, except for the race condition and buffer overflow templates.

HP-UX Containers (HP-UX SRP)
    HP-UX Containers, formerly Secure Resource Partitions (SRP), provides an environment for consolidating multiple workload environments within a single image of the HP-UX 11i operating system. It is a component of the Virtualization Continuum for HP-UX and offers high efficiency in resource utilization and performance, while reducing the number of operating systems to manage. It enhances the capabilities and ease of deployment for high availability environments, including Serviceguard.

HTML
    HyperText Markup Language (HTML) is a markup language for creating web pages.

Intrusion
    An intrusion is also referred to as an attack. A violation of system security policy by an unauthorized outsider. An intrusion can include intruding into an unauthorized network area, accessing certain systems within the network, accessing certain files, or running certain programs.

Intrusion Detection Data Source (IDDS)
    The HP-UX kernel-based audit system used by HP-UX HIDS to monitor the host system for potential intrusion activities.

Intrusion Detection System (IDS)
    An automated system that detects a security violation on a system or a network.

Kernel
    The core of the operating system. It is the compiled code responsible for managing the system's resources, such as memory, file system, and input and output.

Managed host
    A host that is actively managed by the HIDS Administrative GUI or CLUI.

OpenView Operations (OVO)
    A distributed client and server software solution designed to detect, solve, and prevent problems occurring in networks, systems, and applications in any enterprise. OVO is a scalable and flexible solution that can be configured to meet the requirements of any IT organization and its users. In addition, you can expand the applications of OVO by integrating management applications from HP OpenView partners or other vendors.

Response Script
    Once HP-UX HIDS detects an intrusive activity, it sends an alert to the System Manager. In addition, it executes a set of programs located on the system that was attacked. This script is passed the details of the alert and can take whatever actions the system administrator requires.

Secure Sockets Layer (SSL)
    A protocol for sending data across a network that prevents an eavesdropper from observing or modifying any data transmitted. It is used for all HP-UX HIDS communication between agent systems and the administration system.

Summary alert
    An alert containing a summary of the duplicate, suppressed alerts of a previously reported alert.

Suppression count
    The maximum number of duplicate alerts suppressed for a given alert.

Suppression interval
    The maximum elapsed time during which duplicate alerts of a particular alert are suppressed.

Surveillance Group
    A group of detection templates. For example, all detection templates related to checking for file system intrusions can be grouped into a "File System" surveillance group.

Surveillance Schedule
    A set of configurable surveillance groups to be deployed on one or more systems on a scheduled basis. A particular surveillance group is assigned to run on a given system at one or more particular times of the day on one or more given days of the week.
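The Duplicate alert, Suppression count, Suppression interval and Summary alert entries above together describe one mechanism. The following Python model, added here as an illustration and not taken from HP-UX HIDS, shows how those four definitions combine: the duplicate key is (uid, target, action, program), a window opens when an alert is reported, duplicates inside the window are suppressed until either the count or the interval is exhausted, and a summary of what was suppressed is emitted when the window closes. The exact moment HIDS emits the summary is not stated in the glossary; emitting it when the next non-suppressed alert for the same key arrives is an assumption of this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """Minimal alert record; the four key fields match the glossary's
    definition of a duplicate alert. Field names are constructed here."""
    time: float      # seconds since some epoch
    uid: int         # attacker
    target: str      # e.g. the file touched
    action: str      # type of attack
    program: str     # program name

    def key(self):
        return (self.uid, self.target, self.action, self.program)


@dataclass
class _Window:
    first_time: float   # time of the alert that was actually reported
    suppressed: int = 0  # duplicates swallowed so far in this window


class DuplicateAlertSuppressor:
    def __init__(self, suppression_count, suppression_interval):
        self.count = suppression_count        # max duplicates per window
        self.interval = suppression_interval  # max window length, seconds
        self._windows = {}                    # key -> _Window

    def process(self, alert):
        """Return the events to report for this alert, in order:
        ('summary', key, n_suppressed) and/or ('alert', alert)."""
        out = []
        key = alert.key()
        win = self._windows.get(key)
        if win is not None:
            in_interval = alert.time - win.first_time <= self.interval
            if in_interval and win.suppressed < self.count:
                win.suppressed += 1        # duplicate: suppress, report nothing
                return out
            # Window exhausted (count or interval): summarise, then close it.
            # Assumption: summary is emitted at this point, not on a timer.
            if win.suppressed:
                out.append(("summary", key, win.suppressed))
            del self._windows[key]
        self._windows[key] = _Window(alert.time)  # report and open new window
        out.append(("alert", alert))
        return out
```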
Glossary of HP-UX HIDS Terms 21