Operating System - HP-UX
Lev Assinovsky
Frequent Advisor

What an audit system is more popular?

Hi folks!
Which kind of audit system is widely used, the basic one or high-level systems like HIDS?
What do you think?
11 REPLIES
R. Sri Ram Kishore_1
Respected Contributor
Solution

Re: What an audit system is more popular?

Hi,

It depends on what your tastes are like! HIDS is a very useful product and it comes with a GUI. This in itself can be a very useful feature for some and a put-off for others. HP-UX HIDS enables security administrators to proactively monitor, detect, and respond to attacks targeted at specific hosts. Since there are many types of attacks that can bypass network-based detection systems, HP-UX HIDS complements existing network-based security mechanisms, bolstering enterprise security. There is a nice whitepaper on HIDS, which talks about its various features, etc. It is available at:
http://www.hp.com/products1/unix/operating/infolibrary/briefs/intrusiondetectionpb.pdf

You can alternatively use Auditing. My vote is for HIDS. Am sure others have their own preferences.

Check out these links for similar discussions:
a) http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=556609
b) http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=616431

HTH.

Regards,
Sri Ram
"What goes up must come down. Ask any system administrator."
Steven E. Protter
Exalted Contributor

Re: What an audit system is more popular?

IDS/9000 intrusion detection system is a very solid product. With all monitors turned on it can slow down a server.

At security class HP recommended a workstation be dedicated to be the HIDS server with the clients on all important servers and workstations.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Bruno Ganino
Honored Contributor

Re: What an audit system is more popular?

Hi to all...
A HIDS (Host Intrusion Detection System) monitors event logs from multiple sources for suspicious activity. Host IDSes are best placed to detect computer misuse from trusted insiders and those who have already infiltrated your network.
But now there are also HIPS (Host Intrusion Prevention Systems).
It is the latest IDS buzzword: it not only detects attacks but prevents them as well. Just as some NIDSes went INLINE to block attacks, or just send TCP resets to close malicious connections (and are thus called Intrusion Prevention), some Host IDSes are now becoming proactively secure, implementing integrations with host firewalls.

Bruno
Torino (Turin) +2H
Sridhar Bhaskarla
Honored Contributor

Re: What an audit system is more popular?

Hi Lev,

I vote for the default Auditing subsystem. It's easily configurable, no GUI (you may like that feature ;-)) and a handy command 'audisp' to filter the records by user, event, system call, start date and time, etc.

You can get better granularity with Auditing. I used HIDS also but I still prefer Auditing. The part I love is tracking the commands run by the user. You can achieve it by enabling the system calls 'execv' and 'execve'. The GUI can be painful if there are too many records, though it does have a sort feature.

I heard from HP that they are going to combine the log files of Auditing and HIDS which will give us a choice to switch whatever we want.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Lev Assinovsky
Frequent Advisor

Re: What an audit system is more popular?

Hello guys!
Thanks for your fast responses!
Let me ask another question.
Since I have just 11.00, I would like to know: is there any difference between Audits in HP-UX 11.00 and 11i?
Bruno Ganino
Honored Contributor

Re: What an audit system is more popular?

Hi Lev, read this thread for difference
http://forums1.itrc.hp.com/service/forums/questionanswer.do?admit=716493758+1088424657505+28353475&threadId=581780

Best Regards
Bruno
Torino (Turin) +2H
Bruno Ganino
Honored Contributor

Re: What an audit system is more popular?

... more
http://www.hp.com/products1/unix/operating/
Torino (Turin) +2H
Lev Assinovsky
Frequent Advisor

Re: What an audit system is more popular?

Sorry guys, I was unable to go through mountains of documentation. I got lost.
Sridhar Bhaskarla
Honored Contributor

Re: What an audit system is more popular?

Hi,

There are very few commands involved in Auditing. Man pages can help you a lot.

audsys - to manage auditing processes and files

audevent - to add/delete/display the events and system calls

auduser - to add/delete/display the users

audisp - to display audit records.

I couldn't notice any change in 11i's and 11.0 versions of auditing.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
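The procedure Sri describes in his two posts (enable the execv/execve system calls, put the user under audit, start the subsystem, then pull the records back out with audisp) as one script. This is an added example, not code from the thread or from HP. The option letters are taken from the audsys(1M), audevent(1M), auduser(1M) and audisp(1M) man pages as I recall them and should be checked against the man pages on your own system; the paths under /var/.audit and the file sizes are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit the commands one user runs
# on HP-UX by turning on execv/execve auditing and reading the records
# back with audisp. Option letters are my recollection of the 1M man
# pages (an assumption); file paths and sizes below are placeholders.

AUDIT_DIR=/var/.audit              # placeholder location of the audit trail
CUR_FILE=$AUDIT_DIR/audfile1       # current audit file
NEXT_FILE=$AUDIT_DIR/audfile2      # file audsys switches to when CUR_FILE fills
MAX_KB=10240                       # switch size in kB for both files

# Argument list that selects one user's execve records in audisp.
# Kept as a separate function so the selection can be checked without
# an HP-UX box; add "-c execv" in a second run if the old call is in use.
audisp_exec_args() {
    user=$1
    echo "-u $user -c execve"
}

# Turn on auditing of successful (-P) and failed (-F) execv/execve calls,
# put the user under audit, and start the audit subsystem with a
# current file and a switch file so auditing keeps running when one fills.
enable_exec_audit() {
    user=$1
    audevent -P -F -s execv -s execve || return 1
    auduser -a "$user" || return 1
    audsys -n -c "$CUR_FILE" -s "$MAX_KB" -x "$NEXT_FILE" -z "$MAX_KB" || return 1
}

# Show what the user executed, as recorded in the current audit file.
show_user_commands() {
    user=$1
    # word-splitting of the argument string is intended here
    audisp $(audisp_exec_args "$user") "$CUR_FILE"
}

# Only touch the system when asked explicitly:  sh audit_exec.sh apply lev
if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
    enable_exec_audit "$2" && show_user_commands "$2"
fi
```

The functions never run on their own when the file is sourced, so the selection logic can be tested on any machine; the HP-UX commands are only invoked through the `apply` argument. Keep an eye on the size values: Steven's point about monitors slowing a server applies to auditing as well, and a small switch file on a busy host fills quickly.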
Lev Assinovsky
Frequent Advisor

Re: What an audit system is more popular?

I know the Auditing stuff for 11.00. Currently I'm working on audit file parsing (without audisp involved). To make sure my app will work in 11i I need to know that the audit file format is still the same. The problem is I didn't find anything about that on the HP site.
Thank you.
Sridhar Bhaskarla
Honored Contributor

Re: What an audit system is more popular?

The best place to look for 'changes' is release notes.

Look at 11i release notes below. That should tell you the enhancements and changes from the previous release.

http://docs.hp.com/hpux/onlinedocs/B3920-90091/B3920-90091.html

If you don't find a mention about the particular component in that document, it's likely (not 100% though) that it remained same.

As far as Auditing is concerned, I didn't notice any difference between 11.0 and 11i including the format of the audit files.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try