can result in attacks that go undetected and reports of many false alerts. HIDS will work but your system may still be vulnerable.
•Prevent the onset of attacks. If your system is vulnerable to attacks, those vulnerabilities will remain even after HIDS is installed.
•Find static security flaws on a system. For example, if the password file contained an illegitimate account before HIDS was installed, that illegitimate account remains a vulnerability even after HIDS is installed and operational. Furthermore, HIDS cannot authenticate users of a valid account. For example, if users share password information, HIDS cannot ascertain the identity of an unauthorized user gaining access to a system via a legitimate account login.
Actions | Enable incoming network traffic for this service by adding the following lines |
| to the /etc/opt/ipf/ipf.conf file when actively managed by |
| Bastille: |
| # do allow hpidsagent incoming connections |
| pass in quick proto tcp from any to any port = hpidsagent flags S keep state |
| keep frags |
Headline | Allow additional incoming network traffic from a select list of IP addresses. |
Default | 192.168.1.0/255.255.255.0 10.10.10.10 |
Description | The basic IPFilter rules setup by |
| services associated with software that |
| on the system. All other incoming traffic is blocked by default. To allow |
| additional incoming traffic based on the IP address of the sending host, enter |
| specific IP addresses here with an optional netmask. Otherwise, answer 'N'. |
Actions | Enable incoming network traffic for select hosts by adding the following lines |
| to the /etc/opt/ipf/ipf.conf file when actively managed by |
| Bastille: |
| # Allow incoming connections from the following select IP |
| addresses: |
| pass in quick from <ip>/<netmask> to any |
Headline | BLOCK incoming ICMP echo requests with IPFilter. |
Default | Y |
Description | ICMP echo or ping is used for device discovery for a number of applications, |
| including System Insight Manager, and OpenView Network node manager. |
| Though this is commonly used by hackers to discover hosts, the information |
| returned to them is minimal. Past vulnerablities of ping are patched. For this |
| reason, you should block incoming |
| management applications to discover the device. |
Actions | Enable incoming network traffic for this service by adding the following lines |
| to the /etc/opt/ipf/ipf.conf file when actively managed by |
| Bastille: |
| # do allow ping incoming connections |
| pass in quick proto icmp from any to any |
Headline | BLOCK incoming Secure Shell connections with IPFilter. |
Default | N |
Description | Secure Shell is the best replacement for Telnet, remote shell, and FTP. It is |
| authenticated and encrypted. If you want remote access to your machine, this |
47