HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide: HP-UX 11i v1, HP-UX 11i v2 and HP-UX 11i v3 > Chapter 1 Introduction

HP-UX HIDS Components

HP-UX HIDS includes the following components:

  • System Manager The System Manager is a GUI that enables you to configure, control, and monitor the HP-UX HIDS system. Any intrusions detected are reported as alerts.

  • Host-based agent The host-based agent gathers system data, monitors system activity, and issues intrusion alerts.

  • Detection templates Detection templates describe the most commonly encountered system attack patterns. When observed system activity matches one of these templates, HP-UX HIDS detects the intrusion.

  • Data-gathering components HP-UX HIDS comprises modules that gather and format information from data sources at various points within the system. Kernel audit data and system log data are the data sources. HP-UX HIDS uses these components to monitor all resources within the network.

  • Correlation engine HP-UX HIDS uses a correlation process that takes data from system data sources and determines whether an alert must be issued.

  • Secure network communications link HP-UX HIDS uses an encrypted network link to prevent an attacker from observing the traffic between its components, or from injecting false data to disrupt its operation.

  • Response capability Alerts are sent to the System Manager. In addition, alerts can be processed by response programs that you create or install.

    For more definitions, see “Glossary of HP-UX HIDS Terms”.

Figure 1-1 shows a graphic representation of these components.

The HP-UX HIDS System Manager performs security management and develops surveillance schedules. These schedules are sent to the HP-UX HIDS Agent where they are run at specified times. The HP-UX HIDS agent uses Kernel Audit Data and System Log Data to run these schedules.

If an alert is generated, it is sent to the HP-UX HIDS System Manager. The System Manager delivers this message to you as an alert notification.

In addition, the HP-UX HIDS agent executes your alert response programs, which can include an HP-supplied interface with OpenView Operations as well as other response actions.

Figure 1-1 HP-UX HIDS Components

HP-UX HIDS monitors system activity by analyzing data from the following file sources:

  • Kernel audit data

  • System log files

HP-UX HIDS analyzes this information against its configured attack scenarios and identifies possible intrusions and misuse immediately after the suspected activity occurs. As soon as activity is flagged, the agent sends an alert, together with detailed information about the potential attack, to the HP-UX HIDS System Manager.

Detection Templates. HP-UX HIDS includes a set of preconfigured patterns, known as detection templates. These templates are the building blocks used to identify the basic types of unauthorized system activity or security attacks frequently found on enterprise networks. You can customize the detection templates by changing certain configurable parameters.

Surveillance Groups. A surveillance group typically consists of related detection templates; for example, those related to file system intrusions or web server attacks. Each surveillance group provides protection against one or more types of intrusion.

Surveillance Schedules. A surveillance group is scheduled to run regularly on one or more of the host systems it is protecting, on one or more days of the week, and at one or more times. This process of configuring surveillance groups to protect hosts on the basis of a regular weekly schedule is referred to as creating a surveillance schedule. You can deploy a surveillance schedule on one or more host systems. You can also create different surveillance schedules for one or more systems within your network.
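As an added illustration of the scheduling concepts above (a hypothetical model written for this page, not HP's own code), the following Python groups detection templates into surveillance groups, schedules those groups on hosts by weekday and start time, and answers which templates a given host should be running at a given instant. The group, template and host names are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical model of HP-UX HIDS scheduling concepts (not HP's implementation):
# a surveillance group bundles detection templates, and a surveillance schedule runs
# groups on chosen hosts, weekdays (0 = Monday ... 6 = Sunday) and start times.


@dataclass(frozen=True)
class SurveillanceGroup:
    name: str
    templates: tuple  # names of the detection templates in the group


@dataclass(frozen=True)
class ScheduleEntry:
    group: SurveillanceGroup
    hosts: frozenset
    weekdays: frozenset
    starts: tuple       # (hour, minute) pairs at which a run begins
    duration: timedelta


def active_templates(schedule, host, when):
    """Detection templates that should be running on `host` at instant `when`."""
    active = set()
    for entry in schedule:
        if host not in entry.hosts:
            continue
        for hour, minute in entry.starts:
            today = when.replace(hour=hour, minute=minute, second=0, microsecond=0)
            # A run started yesterday may still be in progress if it spans midnight.
            for start in (today, today - timedelta(days=1)):
                if start.weekday() in entry.weekdays and start <= when < start + entry.duration:
                    active.update(entry.group.templates)
    return active


# Constructed sample schedule: web-attack templates during weekday business hours on
# web1, file-system templates nightly on both hosts (all names are placeholders).
WEB = SurveillanceGroup("web_server", ("web_cgi_abuse", "web_log_tamper"))
FS = SurveillanceGroup("file_system", ("setuid_change", "critical_file_modify"))
SCHEDULE = (
    ScheduleEntry(WEB, frozenset({"web1"}), frozenset(range(5)), ((9, 0),), timedelta(hours=8)),
    ScheduleEntry(FS, frozenset({"web1", "db1"}), frozenset(range(7)), ((22, 0),), timedelta(hours=4)),
)

if __name__ == "__main__":
    # Wednesday 10:00: only the web-server group is active on web1.
    print(sorted(active_templates(SCHEDULE, "web1", datetime(2024, 1, 10, 10, 0))))
```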

Kernel Audit Data. Kernel audit logs are generated by a trusted component of the operating system. The audit logs include information about every system call that is executed on the host. The information also includes parameters and outcomes, and is the lowest level of data utilized by HP-UX HIDS. This data can also include information about starting and stopping sessions for users.

NOTE: HP-UX HIDS is independent of security configurations. It does not use the HP-UX C2 auditing capability, nor does it require the monitored system to be configured in trusted mode.

System Log Files. HP-UX HIDS monitors system log files to detect user login and logout, and the start of interactive sessions.

HP-UX HIDS Secure Communications

Within HP-UX HIDS, all communications between its components must use secure messaging and protocols. HP-UX HIDS secure communication uses the Secure Sockets Layer (SSL) protocol for client and server authentication, integrity, and privacy. HIDS uses the DES-CBC-SHA cipher suite, with a 56-bit key, for SSL encryption. For more information, see “Setting Up HP-UX HIDS Secure Communications”.
