HP-UX Host Intrusion Detection System Version 4.4 Release Notes (5900-1612, April 2011)

Then type in the /sbin/init.d/idsagent start commands interactively.
Agents and Kernel Parameters
The administration System Manager can monitor up to 23 agent systems unless you make kernel
parameter changes, as described in Chapter 2, “Configuring HP-UX HIDS,” in the Host Intrusion
Detection System Administrator’s Guide.
Dropped Kernel Audit Records
Depending on the system profile and product configuration, and under heavy loads, HIDS can
drop kernel audit records and therefore miss potential intrusions. The IDDS_MODE configuration
parameter for the kernel dsp in the ids.cf configuration file only controls whether the kernel
auditing subsystem (IDDS) either blocks or drops audit records under heavy loads. Currently, the
user space component of HP-UX HIDS (idskerndsp), which collects audit data from IDDS, cannot
be configured to either block or drop audit records under heavy loads. Instead, the product displays
a notice in the Network Browser error panel that audit records are being dropped. The kernel dsp
parameters, DROP_NOTIFY_INTERVAL and LOW_WATERMARK, control the frequency that reminder
notices are sent and the point at which a notice is sent when audit records are no longer being
dropped, respectively. For more information, see Appendix E, “The Agent Configuration File,” in
the Host Intrusion Detection System Administrator’s Guide.
The System Manager on PA-RISC 1.1 Systems
The System Manager should be run with J2SE 5.0 (aka Java 1.5.x). For PA-RISC 1.1 systems,
however, Java 1.5.x is not supported; therefore, the System Manager can only be run with Java
1.4.x on PA-RISC 1.1 systems. For the most part, the System Manager will behave correctly using
Java 1.4.x but with some limitations, and can generate numerous warnings or errors in
/var/opt/ids/gui/logs/Trace.log and /var/opt/ids/gui/guiError.log that may result
in very large files that can consume a considerable amount of disk space.
Time Units Cannot be Specified for Template Properties in Schedule Manager
In the Schedule Manager’s template property editing windows, you cannot specify a time unit (for
example, s = seconds, m = minutes, d = days, w = weeks) for template property time values. Some
time-related template properties are interpreted as being in seconds (for example, the fail_interval
and warning_interval properties for the Repeated Failed Logins template), while other properties
are interpreted as being in minutes (for example, the fail_interval property for the Repeated
Failed su commands template).
Schedules that Contain Username Template Values Cannot be run by Version 3.x Agents
Starting with HIDS 4.0, user names and user IDs can be specified for user template properties such
as users_to_monitor and priv_user_list. HIDS v3.x supports only user ID values for
these user template properties; therefore, schedules that contain user names instead of user IDs
cannot be run by v3.x agents. Schedules should specify only user ID values for these user
template properties if they are to be run by both v3.x and v4.0 (or later) agents.
Error Log File Rotation
When you rotate an agent’s error log file (default location is /var/opt/ids/error.log), the
idsagent process must be restarted by sending it a HUP signal in order for all new errors to appear
in a newly created error log file.
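
The rotate-then-signal step above as a shell function. This is an added example, not part of the HP release notes or the product: the function names, the timestamped archive name and the ps-based PID lookup are assumptions, and only the log path and the HUP signal come from the text.

```sh
#!/bin/sh
# Added example (not HP code): rotate the HIDS agent error log and HUP idsagent.
ERROR_LOG=${ERROR_LOG:-/var/opt/ids/error.log}   # default location from the notes

# Assumption: the agent appears in `ps -e` output with command name "idsagent".
idsagent_pid() {
    ps -e | awk '$NF == "idsagent" { print $1; exit }'
}

# rotate_error_log LOGFILE PID
# Renames LOGFILE to LOGFILE.<timestamp>, sends HUP to PID, prints the archive
# name. Refuses to rename when PID cannot be signalled, so the log is never
# rotated without the HUP that makes the agent switch to a new file.
# Returns: 0 ok, 1 log missing, 2 PID not signallable, 3 rename failed, 4 HUP failed.
rotate_error_log() {
    log=$1
    pid=$2
    if [ ! -f "$log" ]; then
        echo "rotate_error_log: no such file: $log" >&2
        return 1
    fi
    if [ -z "$pid" ] || ! kill -0 "$pid" 2>/dev/null; then
        echo "rotate_error_log: cannot signal idsagent (pid '$pid')" >&2
        return 2
    fi
    archive="$log.$(date +%Y%m%d%H%M%S)"
    mv "$log" "$archive" || return 3
    if ! kill -HUP "$pid"; then
        echo "rotate_error_log: HUP failed; agent may still write to $archive" >&2
        return 4
    fi
    echo "$archive"
}

# Runs only when called with --rotate, e.g.: sh rotate_ids_log.sh --rotate
if [ "${1:-}" = "--rotate" ]; then
    rotate_error_log "$ERROR_LOG" "$(idsagent_pid)"
fi
```

If the function returns 2, the log has not been renamed and new errors are still going to the original file.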