Frequently Asked Questions and Answers
Why is host-based intrusion detection software (HIDS) required?
HIDS is required for systems hosting private data and recommended for all Internet-facing servers. Protecting private data is a top priority on the CU-Boulder campus, and HIDS will provide administrators and the IT Security Office with immediate knowledge of a potential system compromise.
How does HIDS work?
Host-based Intrusion Detection monitors the system for unauthorized changes to files and alerts the administrator of suspicious activity.
What constitutes Internet-facing?
Any computer that can be accessed from outside of the campus network without using the VPN.
What are the benefits of running host-based intrusion detection software on my server?
HIDS examines a computer system for anomalous behavior as a means to identify an attack or compromise of the system. Identifying the source and method of an intrusion will help us to understand what data is at risk and whether other systems may be affected.
Do I have to attend the training?
Because of the complexity of running the software, ITS recommends administrators attend the no-cost training. In order to receive a Tripwire Enterprise license, you must attend the training or fill out a training exemption form.
I’m already running a flavor of host-based intrusion detection software. Am I exempt?
By running a host-based intrusion detection system, you satisfy the requirement and do not need to run Tripwire Enterprise or OSSEC. Please contact the IT Security Office (ITSO) to file an exception.
How do I get Tripwire Enterprise or OSSEC software?
To obtain the Tripwire Enterprise software and license, please attend the no-cost training or fill out the training exemption form. You can download OSSEC from ossec.net.
Why did IT Security choose Tripwire Enterprise and OSSEC as the recommended and supported solutions?
Tripwire Enterprise is a comprehensive HIDS for Unix, Linux, and Windows systems. OSSEC works well on Macintosh servers.
Will ITS install Tripwire Enterprise or OSSEC on my server?
No. The IT Security Office provides no-cost training that will guide you through installation and configuration of Tripwire Enterprise or OSSEC.
Can I customize my host-based intrusion detection software?
Yes. Administrators have full control over the installation and configuration of HIDS on the systems for which they have responsibility.
Does IT Security get notified when an intrusion has been detected?
It is recommended that administrators include IT Security in alerts that are sent from their HIDS so that the IT Security Office (ITSO) is aware of issues and can be better prepared to help in the event of an attack or compromise. The no-cost training module will help you configure that option.
What do I do if the software detects an intrusion?
Verify the alert and contact the IT Security Office (ITSO). Because of the complexity of HIDS software, there is potential for false positives. The no-cost training module will cover alert management. If the alert appears to be an indication of a compromise, contact the ITSO immediately.
Can I get a vendor manual for Tripwire Enterprise or OSSEC?
Yes. The vendor manuals are available at the Norlin Library. You can check out the manuals at the reference desk under course number HIDS 1000.
Are there recommended ways to configure and use my HIDS?
Yes. The no-cost training will cover the recommended configurations for HIDS. Please visit the recommended practices portion of this website for self-help information if you have already attended the training session.
Do I have to go through training every time I need to install Tripwire Enterprise or OSSEC on a new server?
No. You only need to attend the training once. The training material is provided on the ITS website if you would like to review Tripwire Enterprise or OSSEC installation and configuration settings.
How do I get more Tripwire Enterprise licenses?
Contact the IT Service Center to make the request. You will be routed to the IT Site Licensing office.
How much does it cost to use Tripwire Enterprise or OSSEC?
There is no cost to run Tripwire Enterprise or OSSEC.
Contact Information
Campus IT Security Office
(303) 735-HELP
security@colorado.edu