HIDS - FAQ

Last Updated: 05/24/2013

General FAQ

Are there recommended ways to configure and use my HIDS?

Yes. The no-cost training will cover the recommended configurations for HIDS. Please visit the recommended practices portion of this website for self-help information if you have already attended the training session.

Can I customize my host-based intrusion detection software?

Yes.  Administrators have full control over the installation and configuration of HIDS on the systems for which they have responsibility.

Can I get a vendor manual for Tripwire Enterprise or OSSEC?

Yes.  The vendor manuals are available at the Norlin Library. You can check out the manuals at the reference desk under course number HIDS 1000.

Do I have to attend the training?

Because of the complexity of running the software, OIT recommends that administrators attend the no-cost training. To receive a Tripwire Enterprise license, you must attend the training or fill out a training exemption form.

Do I have to go through training every time I need to install Tripwire Enterprise or OSSEC on a new server?

No. You only need to attend the training once.  The training material is provided on the OIT website if you would like to review Tripwire Enterprise or OSSEC installation and configuration settings.

Does IT Security get notified when an intrusion has been detected?

It is recommended that administrators include IT Security in alerts that are sent from their HIDS so that the IT Security Office (ITSO) is aware of issues and can be better prepared to help in the event of an attack or compromise.  The no-cost training module will help you configure that option.

How do I get Tripwire Enterprise or OSSEC software?

To obtain the Tripwire Enterprise software and license, please attend the no-cost training or fill out the training exemption form. You can download OSSEC from ossec.net.

How do I get more Tripwire Enterprise licenses?

Contact the IT Service Center to make the request. You will be routed to the IT Site Licensing office.

How does HIDS work?

Host-based intrusion detection monitors the system for unauthorized changes to files and alerts the administrator to suspicious activity.

How much does it cost to use Tripwire Enterprise or OSSEC?

There is no cost to run Tripwire Enterprise or OSSEC.

I’m already running a flavor of host-based intrusion detection software. Am I exempt?

By running a host-based intrusion detection system, you satisfy the requirement and do not need to run Tripwire Enterprise or OSSEC. Please contact the IT Security Office (ITSO) to file an exception.

What are the benefits of running host-based intrusion detection software on my server?

HIDS examines a computer system for anomalous behavior as a means to identify an attack or compromise of the system. Identifying the source and method of an intrusion will help us to understand what data is at risk and whether other systems may be affected.

What constitutes Internet-facing?

Any computer that can be accessed from outside of the campus network without using the VPN.

What do I do if the software detects an intrusion?

Verify the alert and contact the IT Security Office (ITSO).  Because of the complexity of HIDS software, there is potential for false positives.  The no-cost training module will cover alert management.  If the alert appears to be an indication of a compromise, contact the ITSO immediately.

Why did IT Security choose Tripwire Enterprise and OSSEC as the recommended and supported solutions?

Tripwire Enterprise is a comprehensive HIDS for Unix, Linux, and Windows systems.  OSSEC works well on Macintosh servers.

Why is host-based intrusion detection software (HIDS) required?

HIDS is required for systems hosting private data and recommended for all Internet-facing servers. Protecting private data is a top priority on the CU-Boulder campus, and HIDS will provide administrators and the IT Security Office with immediate knowledge of a potential system compromise.

Will OIT install Tripwire Enterprise or OSSEC on my server?

No.  The IT Security Office provides no-cost training that will guide you through installation and configuration of Tripwire Enterprise or OSSEC.