HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

HP-UX HIDS monitors system activity by analyzing data from the following file sources:
• Kernel audit data
• System log files
HP-UX HIDS analyzes this information against its configured attack scenarios. It identifies
possible intrusions and misuse immediately following any suspected activity. When suspected activity
is detected, HP-UX HIDS simultaneously sends an alert and detailed information about the potential
attack to the HP-UX HIDS System Manager.
Detection Templates
HP-UX HIDS includes a set of preconfigured patterns, known as detection templates. These templates
are the building blocks used to identify the basic types of unauthorized system activity or security
attacks frequently found on enterprise networks. You can customize the detection templates by
changing certain configurable parameters.
Surveillance Groups
A surveillance group typically consists of related detection templates; for example, those related
to file system intrusions or web server attacks. Each surveillance group provides protection against
one or more types of intrusion.
Surveillance Schedules
A surveillance group is scheduled to run regularly on one or more of the host systems it is protecting,
on one or more days of the week, and at one or more times. This process of configuring surveillance
groups to protect hosts on the basis of a regular weekly schedule is referred to as creating a
surveillance schedule. You can deploy a surveillance schedule on one or more host systems. You
can also create different surveillance schedules for one or more systems within your network.
Kernel Audit Data
Kernel audit logs are generated by a trusted component of the operating system. The audit logs
include information about every system call that is executed on the host. The information also
includes parameters and outcomes, and is the lowest level of data utilized by HP-UX HIDS. This
data can also include information about starting and stopping sessions for users.
NOTE: HP-UX HIDS is independent of security configurations. It does not use the HP-UX C2
auditing capability, nor does it require the monitored system to be configured in trusted
mode.
System Log Files
HP-UX HIDS monitors system log files to detect user login and logout, and the start of interactive
sessions.
HP-UX HIDS Secure Communications
Within HP-UX HIDS, all communications between its components must use secure messaging and
protocols. HP-UX HIDS secure communication uses the Secure Sockets Layer (SSL) protocol
for client and server authentication, integrity, and privacy. HIDS uses the DES-CBC-SHA cipher
suite with a key size of 56 bits for SSL encryption. For more information, see “Setting Up HP-UX HIDS
Secure Communications” (page 21).
Glossary of HP-UX HIDS Terms
This section lists and explains the various terms used in this document.
Administration System: A system node in a network that is configured to run the HP-UX HIDS System Manager.
Agent: The HP-UX HIDS component that gathers system data, monitors system activity, and
issues notifications upon detection of an intrusion.