HP-UX Host Intrusion Detection System Version 4.7 Release Notes HP-UX 11i v3 (766145-001, March 2014)

longer has a connection to that agent. A status command will reestablish a connection to that
agent.
The idsadmin Tool Cannot Monitor more than one Agent at a Time
The idsadmin tool does not monitor or display alerts in near real-time from multiple agents at the
same time. The idsadmin tool can only monitor and display alerts from one agent at any given
time. To view alerts for multiple agents at the same time, you must use the GUI System Manager
or use the idsadmin --report command to generate a consolidated alert report across multiple
agents.
Display of Schedules Created Using Earlier Versions of HIDS
The GUI System Manager does not display v4.0 or v3.x text schedules that were placed in
/etc/opt/ids/schedules unless these schedules are migrated to HIDS v4.1, v4.2, v4.3, or
v4.4. For more information on migrating schedules, see “Migrating Schedules from
Older Versions of HIDS” (page 15).
The Migrator Tool does not Update suppression_targets_to_ignore properly
When migrating schedules from 4.0, the migrator tool does not escape the . character present
in the pathname of the default files (for example, .rhosts) for which alerts are not suppressed.
After migration, you must manually insert the \ character if you do not want to suppress the alerts
for these files.
Limitation While Using the ids.cf File for Configuring Duplicate Alert Suppression
In the /etc/opt/ids/ids.cf file, non-commented lines in a [ENVIRONMENT] ... [END]
section cannot be preceded by commented lines. For example, if you want to configure duplicate
alert suppression through the ids.cf file, you must place the SUPPRESSION line before any
commented lines as shown in the following example:
[ENVIRONMENT]
IDS_USER ids
ALLOW_DUMPS 1
#AGGREGATION 0 # 0(1) to turn alert aggregation off(on).
#SUPPRESSION 0 # 0(1) to turn duplicate alert suppression off(on).
#SUPPRESSION_REPORT 0 # 0(1) to turn reporting of suppressed alerts off(on).
# # these flags overrides flags in schedule file
[END]
To enable duplicate alert suppression, move it to the line before the first commented line of the
section and uncomment it as shown below:
[ENVIRONMENT]
IDS_USER ids
ALLOW_DUMPS 1
SUPPRESSION 0 # 0(1) to turn duplicate alert suppression off(on).
#AGGREGATION 0 # 0(1) to turn alert aggregation off(on).
#SUPPRESSION_REPORT 0 # 0(1) to turn reporting of suppressed alerts off(on).
# # these flags overrides flags in schedule file
[END]
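The ordering rule above can be checked mechanically before the agent is restarted. The following script is an added example, not part of the HP release notes or the HIDS product; the function name check_ids_cf, the sample file names, and the treatment of blank lines as harmless are assumptions.

```shell
#!/bin/sh
# Added example (not from the HIDS release notes): lint an ids.cf-style file.
# Prints "LINENO:TEXT" for each active setting that follows a commented line
# inside an [ENVIRONMENT] ... [END] section. Returns 1 if any is found.
check_ids_cf() {
    awk '
        /^[ \t]*\[ENVIRONMENT\]/ { in_env = 1; seen_comment = 0; next }
        /^[ \t]*\[END\]/         { in_env = 0; next }
        !in_env                  { next }
        /^[ \t]*$/               { next }   # assumption: blank lines are harmless
        /^[ \t]*#/               { seen_comment = 1; next }
        seen_comment             { printf "%d:%s\n", NR, $0; bad = 1 }
        END                      { exit bad + 0 }
    ' "$1"
}

# Constructed sample files, modeled on the section shown above.
SAMPLE_DIR="${TMPDIR:-/tmp}/ids_cf_sample.$$"
mkdir -p "$SAMPLE_DIR"
cat > "$SAMPLE_DIR/misordered.cf" <<'EOF'
[ENVIRONMENT]
IDS_USER ids
ALLOW_DUMPS 1
#AGGREGATION 0 # 0(1) to turn alert aggregation off(on).
SUPPRESSION 0 # 0(1) to turn duplicate alert suppression off(on).
[END]
EOF
cat > "$SAMPLE_DIR/ordered.cf" <<'EOF'
[ENVIRONMENT]
IDS_USER ids
ALLOW_DUMPS 1
SUPPRESSION 0 # 0(1) to turn duplicate alert suppression off(on).
#AGGREGATION 0 # 0(1) to turn alert aggregation off(on).
[END]
EOF

check_ids_cf "$SAMPLE_DIR/misordered.cf" || echo "misordered.cf: move the lines above before the first comment"
check_ids_cf "$SAMPLE_DIR/ordered.cf" && echo "ordered.cf: ok"
```

To check a live system, pass /etc/opt/ids/ids.cf as the argument instead of the sample files.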
Unexpected Behavior by idsagent when report, resync, or tune Command is Executed
If the /var/opt/ids/gui/logs/{agent}_alert.log file is corrupted, the report, resync,
or tune commands may behave unexpectedly.
SSH does not Perform a Clean Exit after idsagent is Started
After starting idsagent from an ssh login, logging out of the agent system results in the ssh session
hanging indefinitely. As a workaround, log in by entering:
ssh -l root <machine> /usr/dt/bin/dtterm