HP-UX 11i Version 3 Release Notes: HP 9000 and HP Integrity Servers > Chapter 8 Security

HP-UX Host Intrusion Detection System


HP-UX Host Intrusion Detection System (HIDS) Release 4.0 is a host-based HP-UX security product for HP computers running HP-UX 11i (HP-UX 11i v1, 11i v2, and 11i v3). HP-UX HIDS Release 4.0 enables security administrators to proactively monitor, detect, and respond to attacks targeted at specific hosts. Since there are many types of attacks that can bypass network-based detection systems, HP-UX HIDS Release 4.0 complements existing network-based security mechanisms, bolstering enterprise security.

Summary of Change

What’s New for Customers Migrating from HP-UX 11i v1 September 2005?

The following features are new since HIDS version 3.1 on HP-UX 11i v1:

  • Reducing alert volume by aggregation - HIDS supports a new feature called alert aggregation that can significantly reduce the alert volume for a monitored system. When enabled, alerts that are generated by a process or a group of related processes are aggregated until the processes terminate, or a certain amount of time elapses.

  • Reducing alert volume by monitoring only critical files - The template property values of the file-related preconfigured groups and templates have been modified to monitor only the core critical files to reduce the alert volume. For example, only certain files in the /etc directory (for example /etc/passwd, /etc/shadow) are monitored instead of monitoring the entire directory.

  • Configuring critical users - In earlier releases, the system templates (login/logout and su) hard-coded root and ids as being critical for determining alerts with high severity. Since applications like HP-UX 11i Security Containment support the assignment of root privileges to several users, HIDS must support configuration of critical users. The system templates support new template properties to specify the critical user names.

  • Supporting specification of usernames and user IDs - Template properties that in prior releases specified user IDs (for example, priv_uid_list) now support the specification of both user IDs and user names.

  • Measuring the event rate - A new idscor option (-t) is supported to measure the rate of events generated by a system and monitored by HIDS. Knowing the event rate, one can refer to the HIDS Tuning and Sizing primer (available on http://docs.hp.com) to determine the impact of HIDS on memory and CPU consumption.
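The alert aggregation behaviour described in the first item above, sketched as an added example; this is not HP-UX HIDS code and does not use its alert format. The event fields, the `group` key standing in for "a process or a group of related processes", the 60-second window and its measurement from the first alert in a group are all assumptions.

```python
# Constructed sample events (hypothetical field names, not real HIDS output).
SAMPLE_EVENTS = [
    {"t": 0,  "group": 4100, "kind": "alert", "msg": "write /etc/passwd"},
    {"t": 2,  "group": 4100, "kind": "alert", "msg": "write /etc/shadow"},
    {"t": 3,  "group": 4200, "kind": "alert", "msg": "su to root"},
    {"t": 5,  "group": 4100, "kind": "exit"},
    {"t": 40, "group": 4200, "kind": "alert", "msg": "write /etc/passwd"},
    {"t": 90, "group": 4200, "kind": "alert", "msg": "failed login"},
]


def aggregate(events, max_age=60):
    """Collapse per-event alerts into one summary per process group.

    A group's summary is emitted when the group terminates ("exit" event)
    or when max_age seconds have passed since its first buffered alert.
    """
    pending = {}    # group -> {"first": timestamp, "msgs": [alert text, ...]}
    summaries = []

    def flush(group, reason):
        bucket = pending.pop(group)
        summaries.append({"group": group, "reason": reason,
                          "count": len(bucket["msgs"]), "msgs": bucket["msgs"]})

    for ev in sorted(events, key=lambda e: e["t"]):
        # Time-based close: emit every bucket whose window has elapsed.
        expired = [g for g, b in pending.items() if ev["t"] - b["first"] >= max_age]
        for g in expired:
            flush(g, "timeout")
        if ev["kind"] == "alert":
            bucket = pending.setdefault(ev["group"], {"first": ev["t"], "msgs": []})
            bucket["msgs"].append(ev["msg"])
        elif ev["kind"] == "exit" and ev["group"] in pending:
            flush(ev["group"], "terminated")

    # Anything still buffered when the input ends is emitted, never dropped.
    for g in list(pending):
        flush(g, "end-of-input")
    return summaries


if __name__ == "__main__":
    for s in aggregate(SAMPLE_EVENTS):
        print(s)
```

On the sample input, five individual alerts become three summaries, and every original alert message is still carried in a summary so that aggregation reduces volume without discarding evidence.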

NOTE: From HP-UX 11i v3 onwards, the idssysdsp program is no longer a setuid program.

What’s New for Customers Migrating from HP-UX 11i v2 June 2006?

There are no changes from HIDS version 4.0 on HP-UX 11i v2.

NOTE: From HP-UX 11i v3 onwards, the idssysdsp program is no longer a setuid program.

Impact

There are no impacts other than those listed previously.

Compatibility

HP-UX HIDS 4.0 is compatible with (can be used with) Release 3.1 and Release 3.0 running on HP-UX 11i v1 and HP-UX 11i v2 operating systems. It is not compatible with Release 2.0, Release 2.1, Release 2.2, and Release 1.0.

Performance

There are no known performance issues.

Documentation

The following manpages are available at /opt/ids/share/man/man1m after installing HP-UX HIDS 4.0:

  • IDS_checkAdminCert(1M)

  • IDS_checkAgentCert(1M)

  • IDS_checkInstall(1M)

  • IDS_genAdminKeys(1M)

  • IDS_genAgentCerts(1M)

  • IDS_importAgentKeys(1M)

  • idsadmin(1M)

  • idsagent(1M)

  • idsgui(1M)

  • ids.cf(5)

The following documents are available on http://docs.hp.com in the Internet and Security Solutions section:

  • HP-UX Host Intrusion Detection System Release 4.0 Release Notes

  • HP-UX Host Intrusion Detection System Administrator’s Guide, Software Release 4.0.

Information about the HP OpenView Operations SMART Plug-in for HP-UX HIDS is available at http://openview.hp.com/products/spi/spi_ids/index.html

Obsolescence

Not applicable.

© 2006-2007 Hewlett-Packard Development Company, L.P.