HP-UX Host Intrusion Detection System Version 4.7 Release Notes HP-UX 11i v3 (766145-001, March 2014)
Then, run the /sbin/init.d/idsagent start commands interactively.
Agents and Kernel Parameters
The administration System Manager can monitor up to 23 agent systems unless you make kernel
parameter changes, as described in Chapter 2, “Configuring HP-UX HIDS,” in the Host Intrusion
Detection System Administrator Guide.
Dropped Kernel Audit Records
Depending on the system profile and product configuration, and under heavy loads, HIDS can
drop kernel audit records and therefore miss potential intrusions. The IDDS_MODE configuration
parameter for the kernel dsp in the ids.cf configuration file only controls whether the kernel
auditing subsystem (IDDS) either blocks or drops audit records under heavy loads. Currently, the
user space component of HP-UX HIDS (idskerndsp), which collects audit data from IDDS, cannot
be configured to either block or drop audit records under heavy loads. Instead, the product displays
a notice in the Network Browser error panel that audit records are being dropped. The kernel dsp
parameters DROP_NOTIFY_INTERVAL and LOW_WATERMARK control, respectively, how often reminder
notices are sent and the point at which a notice is sent when audit records are no longer being
dropped. For more information, see Appendix E, “The Agent Configuration File,” in
the Host Intrusion Detection System Administrator Guide.
Time Units Cannot be Specified for Template Properties in Schedule Manager
In the Schedule Manager’s template property editing windows, you cannot specify a time unit (for
example, s = seconds, m = minutes, d = days, w = weeks) for template property time values. Some
time-related template properties are interpreted as being in seconds (for example, the fail_interval
and warning_interval properties for the Repeated Failed Logins template), while other properties
are interpreted as being in minutes (for example, the fail_interval property for the Repeated
Failed su commands template).
Schedules that Contain Username Template Values Cannot be run by Version 3.x Agents
Starting with HIDS 4.0, user names and user IDs can be specified for user template properties such
as users_to_monitor and priv_user_list. HIDS v3.x supports only user ID values for
these user template properties; therefore, schedules that contain user names instead of user IDs
cannot be run by v3.x agents. Schedules should specify only user ID values for these user
template properties if they are to be run by both v3.x and v4.0 (or later) agents.
Error Log File Rotation
When you rotate an agent’s error log file (default location is /var/opt/ids/error.log), the
idsagent process must be restarted by sending it a HUP signal in order for all new errors to appear
in a newly created error log file.
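The rotation step described above, as an added shell example (not part of the HP release notes or the product): it renames the error log and sends HUP to the idsagent PIDs passed in, refusing to rotate when no PID is supplied. The helper find_idsagent_pids, the timestamp suffix and the return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: rotate the HIDS agent error log, then HUP idsagent so new
# errors land in a fresh file. Default path is the one the release notes give.
ERROR_LOG=${ERROR_LOG:-/var/opt/ids/error.log}

# ASSUMPTION: `ps -e` prints the PID first and the command name last
# (true for HP-UX and Linux `ps -e`); this helper is hypothetical.
find_idsagent_pids() {
    ps -e | awk '$NF == "idsagent" { print $1 }'
}

# rotate_error_log LOGFILE PID [PID...]
# Prints the rotated file's name. Returns 1 if LOGFILE is missing, 2 if no PID
# was given (nothing is renamed in either case), 3 if the rename fails or the
# target name already exists, 4 if a HUP could not be delivered.
rotate_error_log() {
    log=$1
    [ $# -gt 0 ] && shift
    [ -f "$log" ] || { echo "no such log: $log" >&2; return 1; }
    [ $# -gt 0 ] || { echo "no idsagent PID given, not rotating" >&2; return 2; }

    rotated="$log.$(date +%Y%m%d%H%M%S)"   # constructed suffix, an assumption
    [ ! -e "$rotated" ] || { echo "$rotated already exists" >&2; return 3; }
    mv "$log" "$rotated" || return 3

    # A process normally keeps writing to the file it already has open, now
    # under its new name, so skipping the HUP hides new agent errors there.
    for pid in "$@"; do
        kill -HUP "$pid" || { echo "HUP to PID $pid failed" >&2; return 4; }
    done
    echo "$rotated"
}

# Typical call on an agent system (run as a user allowed to signal idsagent):
#   rotate_error_log "$ERROR_LOG" $(find_idsagent_pids)
```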
The swverify command reports an error after removing the IDS Agent or the IDS Admin Sub-product from a server that has the HIDS bundle installed.
After HP-UX HIDS v4.3 is installed on a server, if the IDS Agent™ (IDS-AGT-RUN fileset) or IDS
Admin (IDS-ADM-RUN and IDS-ADM-SHLIB filesets) sub-product is removed from the installation,
the swverify IDS command report displays the following error message:
ERROR: File "/opt/ids/lbin/ssl-tool" missing.
ERROR: Fileset "IDS.IDS-AGT-RUN,l=/opt/ids,r=F.04.03.01" had file errors.
NOTE: A similar error is displayed if the IDS Agent sub-product is removed from the server.