HP-UX 11i Security
Host Intrusion Detection Systems (HIDS)
Protection of information from unauthorized disclosure, modification, or loss of use
Host intrusion detection is being deployed as part of a security solution to satisfy regulatory compliance requirements such as SOX, HIPAA, and CISP.
The threat: HIDS concentrates on protecting the HP-UX operating environment from attacks by insiders, as well as from attacks initiated by outsiders that cannot be detected or prevented by network intrusion detection systems (NIDS), which monitor network traffic on your perimeter.
The HP-UX 11i builders are the best at detection: HP is in the best position to know the possible intrusion routes and to act on the high-quality kernel audit data of the operating system. Third-party vendors are unable to integrate detection in the kernel the way HP does to offer the most complete analysis and detection.
HP detection templates: HP detection templates guard and focus on areas vulnerable to attack. These are the areas in HP-UX 11i (as in any operating system) that intruders probe and try to exploit. When a profiled event is detected, it is passed to a correlation engine that determines whether a vulnerability is being exploited. This unique and sophisticated approach to intrusion detection recognises most current attack scenarios and some future attacks yet to be invented.
HIDS monitors for the exploitation of the following vulnerabilities to detect attacks or misuse:
- Poorly written privileged programs
- Unauthorized file modification:
  - Critical system and application programs
  - Configuration files
  - System and application log files
  - File additions and deletions
  - Critical files made world writable
  - Privileged 'setuid' programs created
  - Files modified by non-owners
- Logins and logouts, weak passwords, and unauthorized access
- Password guessing: failed logins and failed switch-user attempts
How it works
Intrusions are detected as they occur and alerts are provided immediately.
- Alerts are logged to the Alert Browser in colour, based on three levels of severity.
- Alerts provide detailed information about what triggered the alert, including the attributes of the critical file, the pathname of the program that triggered the alert, as well as the user ID, group ID, process ID, and parent process ID associated with the execution of the program.
- An alert triggered by a successful login contains the name and IP address of the remote host from which the login was made, as well as the pseudo device associated with the login session. This is helpful in identifying attackers for action based on security policy.
- Alerts are also written to a local log file for archiving and to allow the Administrative GUI to retrieve missed alerts that were generated when it was either not running or could not connect to HIDS sensors on the monitored host(s).
Alerts can also trigger execution of user defined actions. For example, users can have specific alerts result in e-mail or pager notifications being sent out. This response mechanism is provided by way of execution of a user specified executable (a shell script or a binary executable).
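The response mechanism above takes a user-supplied shell script or binary; the script below is an added illustration of one, not HP's shipped response program. It assumes the sensor hands the alert to the script as a single '|'-delimited record in $1 (a constructed format), that severities are numbered 1 to 3 like the three Alert Browser levels, and that the archive path and mail address are placeholders.

```shell
#!/bin/sh
# Hypothetical HIDS response script (added example, not HP's own program).
# Assumed record format in $1, fields separated by '|':
#   severity|host|template|program|uid|gid|pid|ppid|remote_host|remote_ip|detail
# Assumed severities: 1 = critical, 2 = severe, 3 = warning.
ARCHIVE="${ARCHIVE:-${TMPDIR:-/tmp}/hids_response.log}"  # placeholder path
DRY_RUN="${DRY_RUN:-1}"   # 1 = print notifications to stderr instead of mailing
MAIL_TO="security-alerts@example.com"                     # placeholder address
# Constructed sample alert: a new setuid program created from a remote session.
SAMPLE_ALERT='1|web01|setuid_created|/usr/bin/cp|0|3|4711|4690|badhost.example|192.0.2.10|/tmp/.x/sh'

# classify_severity: choose the response tier for a numeric severity.
classify_severity() {
    case "$1" in
        1) echo page ;;     # critical: page on-call and mail
        2) echo mail ;;     # severe: mail the security list
        3) echo log ;;      # warning: archive only
        *) echo unknown ;;  # malformed record: archive and flag
    esac
}

# parse_alert: split one record into A_* variables. Alert text (file names,
# user names) is attacker-influenced, so it is only ever read, never eval'd.
parse_alert() {
    IFS='|' read -r A_SEV A_HOST A_TMPL A_PROG A_UID A_GID A_PID A_PPID \
                     A_RHOST A_RIP A_DETAIL <<EOF
$1
EOF
}

# notify: deliver a message for the tier; quoting keeps alert text from being
# interpreted by the shell or the mailer's command line.
notify() {
    tier=$1; subject=$2; body=$3
    if [ "$DRY_RUN" = 1 ]; then
        printf '[%s] %s\n%s\n' "$tier" "$subject" "$body" >&2
    else
        printf '%s\n' "$body" | mailx -s "$subject" "$MAIL_TO"
    fi
}

# respond_to_alert: archive every alert, notify by tier, print the tier chosen.
respond_to_alert() {
    parse_alert "$1"
    tier=$(classify_severity "$A_SEV")
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "$ARCHIVE"
    if [ "$tier" != log ]; then
        notify "$tier" "HIDS sev$A_SEV on $A_HOST: $A_TMPL" \
          "program=$A_PROG uid=$A_UID gid=$A_GID pid=$A_PID ppid=$A_PPID remote=$A_RHOST($A_RIP) detail=$A_DETAIL"
    fi
    echo "$tier"
}
```

Run it as `sh respond.sh` after appending `respond_to_alert "$SAMPLE_ALERT"`; with DRY_RUN=1 it archives the record and prints the notification rather than sending mail.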
In addition to sending user notifications, response scripts can be used to carry out other tasks automatically, such as restoring defaced web pages from a reliable source (e.g., read-only media).
Management features
The Host Management GUI allows the user to manage multiple host systems, run surveillance schedules and categorise multiple host systems. For example, a surveillance group of hosts might be tagged as application servers or database servers. Subsequent selection of all application servers allows closer monitoring or running specific surveillance schedules for that class of server.
The System Management GUI identifies what surveillance schedules are running on each host system. Combining one or more detection templates creates a surveillance group. Surveillance groups can form strategic protection for appropriate hosts such as application servers.
Surveillance groups or patterns that are mapped to schedule times create surveillance schedules. Surveillance schedules can be tailored based on the applications and activity on the host. Surveillance schedules might be created for backup operations, test operations, and maintenance, and established for tagged surveillance groups of servers.
HP OpenView OVO Smart Plug-in
The system can also be integrated with HP OpenView Operations (OVO) by using the smart plug-in for HIDS. OVO templates are used to monitor important log files, vital processes and near real-time alerts. OVO:
- Reports the overall availability of the HIDS applications
- Uses an application bank to configure and manage the software
- Provides for role-based monitoring and administration based on user profiles
As soon as the HIDS application is installed, it immediately provides intrusion detection. HIDS provides pre-configured detection templates, surveillance groups, and surveillance schedules. You will want to tailor these to your operating environment, but basic detection and alerting are available immediately.
Data sources monitored include:
- Kernel audit data that is generated by an audit system specifically designed for HIDS.
- System log files containing records for login (ssh, ftp, telnet, rlogin, etc.), logout, and switch-user (su) sessions, as well as for unsuccessful login and su attempts.
Communication between the Administrative GUI and the HIDS sensors on the monitored hosts is secured, both for integrity and privacy, using the Secure Sockets Layer (SSL) protocol.
At a Glance
Installation involves the following:
- Installing the administrative GUI software
- Installing agent software on each host system requiring intrusion detection
- Generating and distributing X.509 certificates
Certificate management is self-contained and does not require a pre-existing public key infrastructure (PKI).