HP-UX Host Intrusion Detection System Administrator’s Guide
Software Release 3.0, Edition 4
Customer Order Number: ONLINE ONLY
Manufacturing Part Number: J5083-90013
December 2004
Printed in United States of America
© Copyright 2000-2001 and 2004 Hewlett-Packard Development Company, LP.
Legal Notices
The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Trademarks
UNIX is a registered trademark of The Open Group. Java is a US trademark of Sun Microsystems, Inc. MS-DOS and Microsoft are U.S. registered trademarks of Microsoft Corporation. OSF/Motif is a trademark of The Open Group. X Window System is a trademark of The Open Group.
Revision History
This guide’s printing date and part number indicate its current edition. The printing date changes when a new edition is printed.
Conventions
We use the following typographical conventions.
audit (5)   An HP-UX manpage. audit is the name and 5 is the section in the HP-UX Reference. On the web and on the Instant Information CD, it may be a hot link to the manpage itself. From the HP-UX command line, you can enter “man audit” or “man 5 audit” to view the manpage. See man (1).
Book Title   The title of a book. On the web and on the Instant Information CD, it may be a hot link to the book itself.
KeyCap   The name of a keyboard key.
Contents
1. Overview
Summary  2
Documentation  2
Why Do You Need Intrusion Detection?  3
Loss of Financial Assets
Operations Screens
Basic Screen Actions
Selecting Entries in Lists
Searching Entries
Undoing and Redoing Changes
Saving a Surveillance Group
Configuring Detection Templates
Modifying a Property Value In a Template
General Operations
Sorting Entries
Selecting Entries
Searching for the Next Unseen Entry
Modification of Another User’s File Template
Non-owned File Being Modified
Login/Logout Template
Login/Logout
Remote Communication Configuration  219
F. Messages
Summary  222
Agent Messages  223
System Manager Messages
Original SSLeay License  255
HP Software License Terms
Chapter 1 Overview
Summary
This chapter introduces you to the HP-UX Host Intrusion Detection System (HP-UX HIDS), an HP-UX product that enhances local host-level security within your network.
Why Do You Need Intrusion Detection?
To answer this question, you must first consider a more basic security issue. What threats are faced by almost all businesses today?
Loss of Financial Assets
Financial institutions are very sensitive to the damage a single rogue individual in a point of trust can do. A similar threat exists in the electronic sphere. Every day, billions of dollars are transferred around the world over computer networks.
Who Are the Perpetrators?
Where do these threats come from? It may be surprising to learn that the perpetrators most often are not nefarious attackers who roam the Internet, but your very own employees, whom you trust with your critical data and systems. Disgruntled employees who have an intimate knowledge of your systems and network are far more likely to abuse their positions of trust.
Exploitation of Critical Infrastructure Elements
As more business is done over the Internet, more trust is placed in critical infrastructure elements: the routers, hubs, and web servers that move data around the net. They also include DNS name servers that allow users to access www.mycompany.com from their browsers. A DNS server is a computer that maps names such as www.company.com to an Internet address such as 10.2.3.4.
A further complication in deploying a firewall is that it is difficult to establish clearly where the boundary exists between inside and outside. At one time it was obvious that the Internet was outside and the intranet was inside. However, more and more corporations are joining their intranets in multiple-partner arrangements, often termed extranets.
Where Does Intrusion Detection Fit In?
The amount of information that flows through a typical corporate intranet and the level of activity on most corporate servers make it impossible for any one person to continually monitor them by hand. Traditional network management and system monitoring tools do not address the issue of helping to ensure that systems are not misused and abused.
What HP-UX HIDS Does
HP-UX HIDS is an HP-UX intrusion detection product that can enhance local host-level security within your network. It does this by automatically monitoring each configured host system within the network for possible signs of unwanted and potentially damaging intrusions. If successful, such intrusions could lead to the loss of availability of key systems or could compromise system integrity.
What HP-UX HIDS Does Not Do
It is imperative that you be aware of the following information so that you do not assume that HP-UX HIDS will solve all security related problems. You are solely responsible for securing your system and for implementing well-defined security policies and procedures. HP-UX HIDS is not a replacement for such comprehensive security policies and procedures.
HP-UX HIDS Components
HP-UX HIDS consists of the following components. See “Glossary of HP-UX HIDS Terms” on page 13 for more definitions.
• Management interface. The System Manager allows the administrator to configure, control, and monitor the HP-UX HIDS system. Any intrusions detected are reported here as alerts.
• Host-based agent. The agent gathers system data, monitors system activity, and issues intrusion alerts.
• Detection templates.
In addition, HP-UX HIDS Agent executes your Alert Response Programs, which can include an HP-supplied interface with OpenView Operations as well as Other Response Actions.
Figure 1-1 HP-UX HIDS Components
How the Components Interact to Detect Intrusions
HP-UX HIDS examines information about system activity from a variety of data sources. These include
• kernel audit data
• system log files
HP-UX HIDS analyzes this information against its configured attack scenarios.
Detection Templates
HP-UX HIDS includes a set of preconfigured patterns, known as detection templates. These templates are the building blocks used to identify the basic types of unauthorized system activity or security attacks frequently found on enterprise networks. You can customize the detection templates by changing certain configurable parameters.
Surveillance Groups
Different combinations of detection templates are combined into surveillance groups.
Glossary of HP-UX HIDS Terms
/etc/hosts
File of host names and IP addresses that are known to the local system.
Administration System
A system (node) in your network that is configured to run the HP-UX HIDS System Manager program. See also System Manager.
Agent
The HP-UX HIDS component that gathers system data, monitors system activity, and issues notifications upon detection of an intrusion.
Intrusion
Also referred to as an attack. A violation of system security policy by an unauthorized outsider or by an otherwise authorized user. A violation could include improperly accessing the network, accessing certain systems within the network, accessing certain files, or running certain programs.
Intrusion Detection Data Source (IDDS)
The HP-UX HIDS audit system that monitors the system for potential intrusion activities.
System Manager
The graphical user interface (GUI) through which you control the operations of HP-UX HIDS and where notification of alerts occurs.
Virus
A piece of potentially malicious code that, when run, attaches itself to (“infects”) other programs, running again when those programs are run.
Vulnerability
A point at which a system can be subverted by an attacker. Vulnerabilities result from flaws in coding or design.
Chapter 2 Configuration
Summary
This chapter describes how to configure your HP-UX HIDS System Manager and Agent software. For information on installing the software, please refer to the Release Notes cited in “Documentation” on page 2.
Introduction
Once you have installed or updated your HP-UX HIDS software (see the Release Notes cited in “Documentation” on page 2), you need to complete the configuration with the following required and optional steps.
Required
Before you run HP-UX HIDS, you must complete the following configuration steps.
Setting Up the HP-UX HIDS Secure Communications
HP-UX HIDS provides a secure communication environment between its administration System Manager and its agent processes via the Secure Sockets Layer (SSL) protocol. (See “Glossary of HP-UX HIDS Terms” on page 13.
$ IDS_genAdminKeys install
This creates the Root Certification Authority (Root CA) and the administration certificate. They are stored in the directory /etc/opt/ids/certs/admin. The keyword install is optional. At a later time, if you need to regenerate the administration certificate (for example, if the current certificate has expired) without invalidating the agent certificates you make in substep 1.
If no IP address or host name is found, you are asked if you want to create the bundle anyway; no entry is placed in the temporary file. If multiple IP addresses are found, no entry is placed in the temporary file; the bundle is created without comment. When the System Manager is started later, any entries in the temporary file are added to the host list table, displayed on the Host Manager screen.
*
*  They are stored in /var/opt/ids/tmp as hostname.tar.Z
*
*  You should now transfer the bundles via a secure channel
*  to the IDS agent machines.
*
*  On each agent you will need to run the IDS_importAgentKeys
*  script to finish the installation.
************************************************************
The agent certificate bundles are generated and stored in the files:
/var/opt/ids/tmp/myhost1.tar.Z
/var/opt/ids/tmp/myhost2.tar.
Private key files are protected by having read and write file permissions for user ids only.
Step 3. Install the Keys on Each Host
On each agent system, install the bundle of keys generated for that host. This step assumes that you placed the agent certificate bundle in the /var/opt/ids/tmp directory.
a. Become user ids:
$ su - ids
b. Change directory to /opt/ids/bin:
$ cd /opt/ids/bin
c.
Configuring a Multihomed Agent System
A multihomed system is one that has multiple connections to a network. Typically, a multihomed system has more than one network interface card, each with a unique address. While the system may have only one host name, the name resolution software will usually return the IP address of one of the interfaces on the system.
# IDS_LISTEN_IFACE
to
IDS_LISTEN_IFACE 1.2.3.4
Step 7. Save the file with your changes.
Step 8. If the agent is running, force the agent to reread the configuration file by sending it a HUP signal; see “Forcing Active Agent to Reread Configuration File” on page 205.
If you enter an invalid IDS_LISTEN_IFACE parameter, the HP-UX HIDS software agent will report an error when you attempt to start it.
Configuring a Multihomed Administration System
A multihomed system is one that has multiple connections to a network. Typically, a multihomed system has more than one network interface card, each with a unique address. While the system may have only one host name, the name resolution software will usually return the IP address of one of the interfaces on the system.
Step 6. Add your interface address chosen in step 2 above after the equals sign. For example, change
INTERFACE=
to
INTERFACE=1.2.3.4
Step 7. Save the file with your changes.
Step 8. If the System Manager is running, stop and restart it.
Step 9. On each agent host, become user ids:
$ su - ids
Step 10. Edit the agent configuration file; for example:
$ vi /etc/opt/ids/ids.cf
Step 11. Locate the REMOTEHOST parameter in the [RemoteSA] section. See ids.
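The two multihomed procedures above (IDS_LISTEN_IFACE on the agent, INTERFACE on the administration system with a matching REMOTEHOST in the agent's [RemoteSA] section) only fail at agent start-up if the address is wrong, so a pre-flight check is worth having. The following is an added example, not HP-UX HIDS code; it assumes ids.cf is a "KEYWORD value" file with '#' comments and bracketed section headers, and uses a constructed configuration and interface list rather than reading a real host.

```python
"""Pre-flight check for the multihomed settings in the HP-UX HIDS agent's ids.cf.
Added example, not HP-UX HIDS code. Assumed format: one "KEYWORD value" per line,
'#' starts a comment, section headers such as [RemoteSA] are in square brackets.
The configuration text and interface list below are constructed, not read from a host."""
import ipaddress
import re

# Constructed sample of /etc/opt/ids/ids.cf before the multihomed change: the
# IDS_LISTEN_IFACE keyword is still commented out, as the guide describes.
SAMPLE_IDS_CF = """\
# HP-UX HIDS agent configuration (constructed sample)
# IDS_LISTEN_IFACE

[RemoteSA]
REMOTEHOST 10.0.0.7
"""

# Constructed addresses of the agent host's interfaces (a real check would take these from netstat -in).
HOST_INTERFACES = ["1.2.3.4", "192.168.5.9", "127.0.0.1"]

# The IDS_LISTEN_IFACE line, commented-out placeholder or live: optional '#', keyword, at most one value.
_LISTEN_LINE = re.compile(r"\s*#?\s*IDS_LISTEN_IFACE(\s+\S+)?\s*$")


def parse_ids_cf(text):
    """Return {section: {keyword: value}} with comments stripped.
    Keywords that appear before any [section] header go under the key None."""
    config = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            config.setdefault(section, {})
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        config.setdefault(section, {})[parts[0]] = value
    return config


def check_listen_iface(config, host_interfaces):
    """Validate IDS_LISTEN_IFACE before the agent is started (the agent itself
    only reports an error at start-up). Returns (ok, message)."""
    value = None
    for params in config.values():
        if "IDS_LISTEN_IFACE" in params:
            value = params["IDS_LISTEN_IFACE"]
    if not value:
        return (False, "IDS_LISTEN_IFACE is not set (still commented out?)")
    try:
        addr = str(ipaddress.IPv4Address(value))
    except ValueError:
        return (False, f"IDS_LISTEN_IFACE {value!r} is not an IPv4 address")
    if addr not in host_interfaces:
        return (False, f"IDS_LISTEN_IFACE {addr} is not an address of this host")
    return (True, f"IDS_LISTEN_IFACE {addr} is valid")


def check_remote_host(config, admin_interface):
    """With a multihomed administration system, REMOTEHOST in [RemoteSA] must
    name the interface chosen in the administration configuration (assumed
    here to be written as an IP address, as in the guide's INTERFACE=1.2.3.4)."""
    value = config.get("RemoteSA", {}).get("REMOTEHOST")
    if not value:
        return (False, "[RemoteSA] REMOTEHOST is missing")
    if value != admin_interface:
        return (False, f"REMOTEHOST {value} does not match INTERFACE={admin_interface}")
    return (True, f"REMOTEHOST {value} matches the administration interface")


def set_listen_iface(text, addr):
    """Return the ids.cf text with IDS_LISTEN_IFACE set to addr: the first
    matching line (commented or not) is replaced, later duplicates are dropped,
    and a line is appended if none exists. Raises ValueError on a bad address."""
    addr = str(ipaddress.IPv4Address(addr))
    new_line = f"IDS_LISTEN_IFACE {addr}"
    out, done = [], False
    for line in text.splitlines():
        if _LISTEN_LINE.match(line):
            if not done:
                out.append(new_line)
                done = True
            continue  # drop stale or duplicate IDS_LISTEN_IFACE lines
        out.append(line)
    if not done:
        out.append(new_line)
    return "\n".join(out) + "\n"
```

Run check_listen_iface on the parsed file before sending the agent its HUP signal; a False result is exactly the case in which the agent would refuse to start.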
Configuring a Loopback System
On a non-networked system (no IP address) or for testing purposes, you may want to set up the administration system in a loopback arrangement. This allows only a locally running agent to communicate with the System Manager on the same system; no other agent systems can be monitored.
To configure a loopback system
Step 1. On the administration system, become user ids:
$ su - ids
Step 2.
Configuring Ports
When HP-UX HIDS is first installed on the administration and agent systems, the ports HP-UX HIDS uses are configured into the /etc/services file on each system, as follows (the #comments may vary):
hpidsadmin    2984/tcp    #HP-UX Host IDS admin
hpidsagent    2985/tcp    #HP-UX Host IDS agent
These are the HP standard port numbers, registered with the Internet Assigned Number Authority (IANA).
Enabling Large Numbers of Agents
If you have more than about 20 agent systems, you may have to modify a kernel parameter and/or a network parameter.
Step 9. If your new value is different, you will need to create a new kernel and reboot. Follow the steps provided by SAM.
Enabling Over 20 Inbound Requests
The HP-UX HIDS administration system communicates with agent systems with the TCP protocol. On some systems, the TCP parameter, tcp_conn_request_max, is set initially to allow up to 20 inbound requests to be active at one time. If you have a larger number of agent systems, this value may be inadequate.
Restricting Permissions
HP-UX HIDS files and programs are delivered with the strictest usable permission. In general, only user ids is allowed any access and superuser (root) is not permitted to execute the programs. In addition, most files must be owned by user ids or HP-UX HIDS will not run. The proper runtime permissions are given in Table 2-2.
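An owner-only permission audit of the kind a practitioner would run after installation, following the rule above that only user ids may access the files and that private key files are readable and writable by their owner only. This is an added example, not HP-UX HIDS code; Table 2-2's exact per-file modes are not reproduced on this page, so the check assumes no group or other permission bits at all, and audits a constructed sample tree rather than /opt/ids.

```python
"""Owner-only permission audit for HP-UX HIDS files.
Added example, not HP-UX HIDS code. The guide gives the policy (only user ids
may access the files; private keys are readable and writable by their owner
only) but Table 2-2's per-file modes are not reproduced here, so this check
flags every group/other permission bit and every entry not owned as expected.
The tree it audits is constructed in a temporary directory."""
import os
import pwd
import stat
import tempfile


def owner_name(st):
    """Map a stat result's uid to a user name, falling back to the numeric uid."""
    try:
        return pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        return str(st.st_uid)


def audit_tree(root, expected_owner):
    """Walk root and return a sorted list of (path, problem) for every file or
    directory that is not owned by expected_owner or grants any access to
    group or other. An empty list means the tree satisfies the policy."""
    problems = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # judge the entry itself, not a link target
            owner = owner_name(st)
            if owner != expected_owner:
                problems.append((path, f"owned by {owner}, expected {expected_owner}"))
            if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                mode = stat.S_IMODE(st.st_mode)
                problems.append((path, f"group/other access allowed, mode {mode:04o}"))
    return sorted(problems)


def build_sample_tree():
    """Create a constructed stand-in for /etc/opt/ids/certs/admin with one
    properly protected private key (0600) and one certificate file left
    world-readable (0644), which the audit must report. Returns the root."""
    root = tempfile.mkdtemp(prefix="ids_perm_demo_")
    admin = os.path.join(root, "certs", "admin")
    os.makedirs(admin)
    for d in (os.path.join(root, "certs"), admin):
        os.chmod(d, 0o700)
    key = os.path.join(admin, "admin.key")
    cert = os.path.join(admin, "admin.crt")
    with open(key, "w") as f:
        f.write("CONSTRUCTED PRIVATE KEY PLACEHOLDER\n")
    with open(cert, "w") as f:
        f.write("CONSTRUCTED CERTIFICATE PLACEHOLDER\n")
    os.chmod(key, 0o600)
    os.chmod(cert, 0o644)
    return root


def demo(expected_owner=None):
    """Build the sample tree and audit it. With no owner given, the current
    user stands in for user ids, so only the 0644 certificate is reported."""
    if expected_owner is None:
        expected_owner = pwd.getpwuid(os.getuid()).pw_name
    return audit_tree(build_sample_tree(), expected_owner)
```

Pointed at /opt/ids and /etc/opt/ids with expected_owner="ids", the same audit_tree call reports every entry that would make HP-UX HIDS refuse to run or expose a private key.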
Chapter 3 Getting Started
Summary
This chapter gives you an overview of the operation of the HP-UX HIDS system and the procedures you can use to get the System Manager and agents up and running on your administrative and monitored systems.
Introduction
First and most important in the HP-UX HIDS system is to have appropriate surveillance schedules running at the appropriate times on the agent hosts. Next in importance is to carefully monitor and act on the alerts. To accomplish the first, you need to create one or more surveillance schedules with the System Manager and download them to the agent hosts. See “Starting HP-UX HIDS for the First Time” on page 38.
Starting HP-UX HIDS for the First Time
This procedure is a synopsis of the steps required to start the HP-UX HIDS System Manager and agents for the first time. As you do this, your systems will benefit immediately from the protection of intrusion detection while you learn the specifics of the software and tune your configuration to fit your requirements.
Set up hosts and run schedules
Step 1.
Step 6. Go to the Host Manager screen and select the agent hosts that you want to monitor. These are the ones you started idsagent on in step 3. As described in “Setting Up the HP-UX HIDS Secure Communications” on page 20, the certificate script may have provided you with a selection of agent hosts. Checkmark the Monitored box for each host. See Chapter 6, “Host Manager Screen,” on page 83.
Step 7. Go to the System Manager screen.
Operations Screens
The HP-UX HIDS System Manager has five operations screens that you use to manage the product’s operations, receive operator input, and display HP-UX HIDS output:
• System Manager
The System Manager screen displays the current status of the agent systems and controls agent operations. It is launched automatically when the System Manager starts. All other operations screens can be accessed from the Edit or View menus of the System Manager screen.
Basic Screen Actions
There are certain processes that are performed in a similar way in each of the operations screens. These include:
• Selecting items from a list.
• Searching for particular items in a list.
• Sorting a list.
• Getting help.
Selecting Entries in Lists
To select one or more entries in a list,
• To select a single entry, left-click anywhere within the entry row.
Chapter 4 System Manager Screen
Summary
This chapter describes the tasks that you perform on the HP-UX HIDS System Manager screen.
The System Manager Screen
From the System Manager screen (Figure 4-1), you control and monitor the activities of surveillance schedules on agent host systems.
Starting the HP-UX HIDS System Manager
The HP-UX HIDS System Manager program, idsgui, must run as user ids. You start it from the shell.
To start the HP-UX HIDS System Manager
Step 1. Log in to the administration system as user root.
Step 2. Switch to user ids.
# su ids
Step 3. Start the HP-UX HIDS System Manager:
$ /opt/ids/bin/idsgui
The System Manager screen (Figure 4-1) is displayed. (It takes about 16 to 20 seconds for the screen to appear.
On the System Manager Screen
The System Manager screen (Figure 4-1) has a number of menus and buttons, which are described in the procedures in the following sections. It also has two lists — Schedules and Monitored Nodes — and a status line, which are described here.
• Schedules list: the names of the available surveillance schedules that can be downloaded to agent hosts. Left-click to select one; double-left-click to view or edit it.
Getting the Status of Agent Hosts
When the System Manager is started, it automatically checks the status of all agent hosts if Automatic Startup Status Poll is enabled (see “General Preferences Tab” on page 95). If the Status field information does not appear to reflect the correct information or displays Status Unknown, you can update the status information for one or more hosts.
To get the status of agent hosts
On the System Manager screen,
Step 1.
Resynchronizing Agent Hosts
The HP-UX HIDS agent program can continue to detect alerts when the HP-UX HIDS System Manager is not running. In this instance, as each agent detects intrusions, it records them in a log file on the agent host. When you restart the HP-UX HIDS System Manager, the following events occur:
1. The System Manager locates its own log files for each agent host in the Monitored Host list.
2.
Activating a Schedule on Agent Hosts
To provide intrusion detection, you must activate surveillance schedules on the agent hosts. You also use this procedure to replace a schedule on one or more hosts.
To activate a surveillance schedule on agent hosts
On the System Manager screen,
Step 1. In the Monitored Hosts list, select the hosts you want to be activated. Their Status fields must show Available, Scheduled, or Running.
Step 2.
Stopping Schedules on Agent Hosts
When you stop a surveillance schedule on an agent host, the schedule is removed from the agent and ceases to be scheduled or running. The agent program continues running, ready to accept future actions. If you want to replace one schedule with another, just activate the new one; see “Activating a Schedule on Agent Hosts” on page 50.
To stop a surveillance schedule on agent hosts
On the System Manager screen,
Step 1.
Starting HP-UX HIDS Agents
Normally (after valid certificates have been imported), the HP-UX HIDS agent is started automatically (with /sbin/init.d/idsagent start) when the agent host is booted. To start it manually, use this procedure.
To start the agent
Step 1. On each agent host, do one of:
• Log in to the agent system as superuser (root) and enter the command:
# /sbin/init.
Halting HP-UX HIDS Agents
You may want to stop the agent process on one, many, or all agent hosts for system maintenance or other reasons. Normally, you halt agent hosts from the System Manager. However, it may occasionally be necessary to halt the agent software directly from the agent host.
Accessing Other Screens
Go to Schedule Manager Screen
The Schedule Manager screen lets you create and modify surveillance schedules.
To go to the Schedule Manager screen
On the System Manager screen,
Step 1. Optionally, select a schedule in the Schedules panel.
Step 2. Do one of the following:
• Choose the Edit > Schedule Manager menu item
• Press Ctrl-S
• Double-click in the Schedules panel.
The Schedule Manager screen is displayed.
Go to Network Node Screen
The Network Node screen displays the alerts and errors for a selected agent host.
To view the Network Node screen for an agent host
On the System Manager screen,
Step 1. In the Monitored Hosts list, select the hosts you want to view.
Step 2.
Chapter 5 Schedule Manager Screen
Summary
This chapter tells you how to configure your HP-UX HIDS surveillance schedules, surveillance groups, and detection templates.
The Schedule Manager
The Schedule Manager screen helps you create and configure HP-UX HIDS surveillance schedules, surveillance groups, and detection templates. On this screen, you can:
• Add, rename, delete, and define surveillance schedules, including which surveillance groups make up a schedule.
Creating a Surveillance Schedule
To create a surveillance schedule
Step 1. Create a surveillance schedule name. The schedule will contain one or more surveillance groups. See “Configuring Surveillance Schedules” on page 62. You should create a new schedule
• If a current schedule does not include the groups you want
• If the group or template properties need to be different
• If you need the same group and templates to run at different times
Step 2.
Displaying the Schedule Manager Screen
To display the Schedule Manager screen
Step 1. From the System Manager screen, do one of:
• Choose the Edit > Schedule Manager menu option
• Press Ctrl-S
• Double-click anywhere in the Schedules panel or on a schedule name
The Schedule Manager screen (Figure 5-1) is displayed with the Configure tab active.
Configuring Surveillance Schedules
A surveillance schedule consists of one or more surveillance groups that you want to run on a host system during particular hours on particular days of the week. After a surveillance schedule has been created, it can later be modified, copied or deleted. The predefined surveillance schedules, distributed with HP-UX HIDS, are read-only. They may be copied but not resaved or deleted.
a. Press the Copy button on the Schedules panel. This opens the Copy Surveillance Schedule dialog box (Figure 5-3).
Figure 5-3 Copy Surveillance Schedule Dialog
b. Enter a name in the input field. Valid characters are alphanumeric and underscore; the first character must be alphanumeric. Schedule names are case-sensitive. If you include invalid characters, you will be prompted to have them replaced with underscores.
c. Click OK to accept it.
NOTE The changes you make to a schedule are not propagated to any agent host until you activate it from the System Manager screen.
NOTE You cannot modify, rename, or delete a surveillance schedule if it is currently scheduled or running on an agent host. For more information, see Chapter 4, “System Manager Screen,” on page 43.
Renaming a Surveillance Schedule
NOTE You cannot rename any predefined schedule, distributed with HP-UX HIDS.
NOTE You cannot modify, rename, or delete a surveillance schedule if it is currently scheduled or running on an agent host. For more information, see Chapter 4, “System Manager Screen,” on page 43.
Deleting a Surveillance Schedule
NOTE You cannot delete any predefined schedule, distributed with HP-UX HIDS. See “Predefined Surveillance Schedules and Groups” on page 81.
To delete a surveillance schedule
Step 1.
Saving a Surveillance Schedule
After a surveillance schedule has been created or modified, it is a good idea to save it to disk. This provides security against system failures. If you do not save it yourself, it will be saved automatically when you exit from the System Manager screen.
NOTE You cannot save any predefined schedule, distributed with HP-UX HIDS. Copy it instead.
Configuring Surveillance Groups
Surveillance groups are the building blocks of surveillance schedules. They are made up of one or more detection templates. The predefined surveillance groups, distributed with HP-UX HIDS, are read-only. They may be copied but not resaved or deleted. If you modify one, you can only save the changes under a new name. They are listed in “Predefined Surveillance Schedules and Groups” on page 81.
Step 3. Create a name for the new surveillance group.
a. Click the Copy button on the Surveillance Groups panel. This opens the Copy Surveillance Group dialog box (Figure 5-6).
Figure 5-6 Copy Surveillance Group Dialog
b. Enter a name in the input field. Valid characters are alphanumeric and underscore; the first character must be alphanumeric. Schedule names are case-sensitive.
Renaming a Surveillance Group
NOTE You cannot rename any predefined group, distributed with HP-UX HIDS. Copy it instead. See “Copying a Surveillance Group” on page 67 and “Predefined Surveillance Schedules and Groups” on page 81.
To rename a surveillance group
Step 1. Go to the Configure tab of the Schedule Manager screen.
Step 2. Select the group in the Surveillance Groups panel.
Step 3.
Deleting a Surveillance Group
NOTE You cannot delete any predefined group, distributed with HP-UX HIDS. See “Predefined Surveillance Schedules and Groups” on page 81.
To delete a surveillance group
Step 1. Go to the Configure tab of the Schedule Manager screen.
Step 2. Select the group in the Surveillance Groups panel.
Step 3. Click the Delete button in the Surveillance Groups panel. This displays the Confirm Deletion dialog box.
Configuring Detection Templates
Detection templates are the building blocks of surveillance groups. They contain one or more properties. A property is a parameter for a detection template. Refer to Appendix A, “Templates and Alerts,” on page 121 for more information about HP-UX HIDS detection templates. Each detection template is designed to identify a specific type of unauthorized system activity and has configurable parameters.
Perform these substeps.
a. Edit the value in the text box. In general, the value cannot be null.
b. Click OK to accept your change. Click Cancel to leave the value unchanged.
Step 5. If the value is a list (zero or more values in brackets, e.g., [0, 1, 5, 11]), the Edit List dialog box is displayed (Figure 5-9).
Figure 5-9 Edit List Dialog
Perform one of the following substeps to add, modify, or delete a value.
a. To add a new value
1.
2. Click the Edit button. An Edit dialog box is displayed (Figure 5-11) with the current value.
Figure 5-11 Edit Dialog - Edit
3. Edit the value in the text box. In general, the value cannot be null.
4. Click OK to accept the new value. Click Cancel to leave the value unchanged.
c. To delete a current value
1. Highlight one of the values in the Edit List display. If you highlight more than one, the first one is processed.
2. Click the Delete button.
Some Template Configuration Guidelines
• The “Race Condition Template” on page 141 imposes the highest overhead in terms of the load it places on the correlator process. We recommend that you not include this template in your initial schedule.
NOTE The race condition template checks, among other things, for the execution of setuid scripts, which are vulnerable to a race condition attack. In HP-UX 11i version 1.
Setting Surveillance Schedule Timetables
Once you have defined a surveillance schedule with its complement of surveillance groups and detection templates, you need to specify the days and times that the groups will be active when the schedule is activated on an agent host. Use this procedure to establish and change the times a schedule runs.
Specifying When a Schedule Will Run
To specify when a schedule will run
Step 1. Select the Timetable tab of the Schedule Manager screen (Figure 5-12).
Figure 5-12 Schedule Manager Screen - Timetable Tab
Step 2. Highlight the schedule name in the Schedules panel. The groups that are part of the schedule are displayed in the Selected Groups panel of the Schedule tab.
Step 3. In the Selected Groups panel, highlight one of the groups.
• Always On means the group will run 24 hours a day, seven days a week. If you select this option, the group will be displayed in all the boxes in the Schedule Summary panel and you are done setting the timetable for this group. This is the default.
• Specified means you will choose the days and times the group will run. Continue with the next step.
Step 6. In the Select Days panel, choose the days the group should run.
Saving a Surveillance Schedule
See “Saving a Surveillance Schedule” on page 66.
Viewing Surveillance Schedule Details
You can view the source text of a surveillance schedule in the Details tab of the Schedule Manager screen.
Viewing the Source of a Surveillance Schedule
To view the source of a surveillance schedule
Step 1. Go to the Details tab of the Schedule Manager screen (Figure 5-13).
Figure 5-13 Schedule Manager Screen - Details Tab
Step 2. In the Schedules panel, select a schedule.
Clearing the Details Display
To clear the display
Step 1. Click on the Clear button. This just erases the text. The schedule is unaffected.
Saving the Details Display
You can save the displayed text as a text file.
To save the displayed text
Step 1. Do one of:
• Click the Save button
• Choose File > Save
• Enter Ctrl-S
The Save dialog box (Figure 5-14) is displayed.
Figure 5-14 Save Dialog
Step 2. Click OK to save, Cancel otherwise.
Predefined Surveillance Schedules and Groups
Table 5-1 lists the predefined surveillance schedules and surveillance groups that are supplied with the system and the detection templates that they use. The predefined surveillance schedules and groups, distributed with HP-UX HIDS, are read-only. They may be copied but not resaved or deleted. If you modify one, you can only save the changes under a new name.
Table 5-1 Predefined Surveillance Schedules (Continued)
Surveillance Schedule: FileModificationsWeekdays
  Surveillance Group: FileModificationGroup
  Detection Templates: Changes to Log File Template, Creation of Setuid File Template, Creation of World-Writable File Template, Modification of Another User’s File Template, Modification of Files/Directories Template
Surveillance Schedule: FileModificationsWeekends
  Surveillance Group: FileModificationGroup
  Detection Templates: Changes to Log File Template
Chapter 6 Host Manager Screen
Summary
This chapter tells you how to define the hosts to be monitored. The following topics are covered.
Managing Hosts
The Host Manager screen enables you to specify the host systems that you plan to monitor with HP-UX HIDS. The information on each configured host is listed on the Host Manager screen. This information includes the name of the host system, its IP address, the name of any optionally assigned tag, and whether it is being monitored. Monitored hosts are also displayed on the System Manager screen.
Closing the Host Manager Screen
On the Host Manager screen:
Step 1. Enter any of:
• Choose the File > Close menu item
• Press Ctrl-C
Step 2. If you have modified but not saved the current host list, the Host List Manager Modified dialog is displayed. Select Yes to save the current list in the current file. The default host list file is /etc/opt/ids/gui/config/sentinal.hosts. Select No and the changes will not be saved.
Adding New Hosts
You can add agent hosts in the following ways:
• By hand: “Adding a New Host Manually” on page 87
• From /etc/hosts: “Adding New Hosts from /etc/hosts” on page 89
• From a file: “Adding New Hosts from a File” on page 90
• By creating X.509 certificates and restarting the System Manager: “Setting Up the HP-UX HIDS Secure Communications” on page 20
CAUTION HP-UX HIDS uses the IP address to identify and communicate with the agent host.
NOTE A host name must start with a letter and contain only letters, digits, periods, underscores, and hyphens. Upper- and lowercase letters are equivalent. For example, xy3-z5 and xy3-z5.a32c.edu. An IP address consists of four decimal fields, each in the range 0 to 255, separated by periods (.). For example, 1.2.3.4.
a. Host Name
Enter the host name of the agent host in the Host Name field.
The Set Host Name button becomes active (Figure 6-4).
Figure 6-4 Add Host Dialog: Set Host Name
Click the Set Host Name button to display the full name of the host in the Host Name field. If the host name cannot be determined, the Add Host Error box is displayed with the message, “Unknown Host Name - unable to resolve IP Address”; click OK and redo this step. A host name is required.
NOTE The IP address is the best method for adding a multihomed agent host.
Step 2. The entries in the /etc/hosts file on the administration system are added to the hosts list according to “Rules for Host Lists Files” on page 90; the Monitored boxes are unchecked.
Adding New Hosts from a File
To add new hosts from a file
On the Host Manager screen:
Step 1. Do one of:
• Choose the Edit > Add Host > Load Hosts List File menu item
• Press Shift-F7
Step 2. The Open dialog box is displayed (Figure 6-5).
Modifying a Host
To modify a host entry
On the Host Manager screen:
Step 1. Bring up the Edit Host Entry dialog (Figure 6-6) with one of:
• Double-left-click an entry in the host list
• Select an entry in the host list and choose the Edit > Edit Host menu item
• Select an entry in the host list and press Ctrl-H
(If more than one entry is selected, the first in the list is chosen.)
Figure 6-6 Edit Host Entry Dialog
Step 2.
Deleting Hosts
To delete a host entry
On the Host Manager screen:
Step 1. Select one or more entries in the host list.
Step 2. Delete the entries with any of:
• Choose the Edit > Delete Host menu item.
• Click the Delete button.
• Right-click > menu > Delete Host.
• Press Delete.
The entries are deleted from the Host Manager screen. If they were monitored, they are also deleted from the System Manager screen.
Enabling and Disabling Hosts
To enable or disable an agent host for monitoring
On the Host Manager screen:
Step 1. Click the box in the Monitored column for the entry for the host you want to enable or disable for monitoring. The box displays a check mark if the host is enabled. It is blank if the host is disabled. When an entry is enabled, it is also displayed on the System Manager screen and automatically polled.
Managing Tags
On the Host Manager screen:
Step 1. Bring up the Edit Host Tag List dialog (Figure 6-7) with any of:
• Choose the Edit > Host Tag List menu item
• Press Ctrl-T
Figure 6-7 Edit Host Tag List Dialog
Step 2. Add, modify or delete tags
a. To add a tag
1. Click on Add to display the Add Host Tag dialog (Figure 6-8).
Figure 6-8 Add Host Tag Dialog
2. Enter a tag name in the input field. The name can contain any printing characters and be of any length.
b. To edit a tag
1. Highlight the tag in the Tag List and click on Edit, or double-click the tag in the Tag List, to display the Edit dialog (Figure 6-9). If you highlight more than one tag, you will get an error message.
Figure 6-9 Edit Dialog
2. Modify the tag name in the edit field. The name can contain any printing characters and be of any length. Spaces are significant. Tag names are case-sensitive. Duplicate tags are discarded when you exit (Step 3).
3.
Maintaining Host Files
You can save and use multiple host files. This might be useful for managing different sets of hosts from the same administration system. The default host file is /etc/opt/ids/gui/config/sentinal.hosts, which is loaded automatically when the System Manager starts.
Saving the Host List in the Current File
On the Host Manager screen:
Step 1. Do any of:
• Choose the File > Save menu item
• Press Ctrl-S
Step 2.
Using an Alternate Host List File
You can load a previously saved host file.
NOTE A new host file cannot be opened if there are any surveillance schedules running on any of the hosts currently displayed; each surveillance schedule must first be stopped using the System Manager screen. See “Stopping Schedules on Agent Hosts” on page 51.
On the Host Manager screen:
Step 1.
Chapter 7 Network Node Screen
Summary
This chapter describes the Network Node screen, which displays alerts and errors for a particular agent host.
Network Node Screen
The Network Node screen contains lists of alerts and errors that have been detected by the related agent. Click the Alerts or Errors tab to see the lists and details panels. Alerts are recorded on the agent host system in the file /var/opt/ids/alert.log. Errors are recorded on the agent host system in the file /var/opt/ids/error.log.
The Alerts Tab
The Alerts tab (Figure 7-1) displays the alerts that were detected by the surveillance schedule on one of your agent host systems. On the Network Node screen, click on the Alerts tab (Figure 7-1).
Figure 7-1 Network Node Alerts Tab
Each alert entry displays the alert severity, the attacker, the attack type, the date and time the alert was generated, as well as other data.
The operations you can perform on the Alerts tab are described in “General Operations” on page 105.
HP-UX HIDS Alerts: What They Mean, What to Do
Your response to each possible alert will depend on individual circumstances. You should develop policies and procedures for handling intrusions. The templates that are used to generate alerts are described in Appendix A, “Templates and Alerts,” on page 121.
The Errors Tab
The Errors tab (Figure 7-2) displays the errors that were reported by the HP-UX HIDS agent program on one of your agent host systems while the System Manager was running. Errors are not resynchronized. On the Network Node screen, click on the Errors tab (Figure 7-2).
Figure 7-2 Network Node Error Tab
Each error entry displays the date and time of the error, the error message, and other data.
General Operations
The Alerts and Errors tabs use the same operations to manage their contents, with a few minor differences in labels.
Sorting Entries
By default, alerts and errors are listed in ascending Date/Time order. However, you can resort the list by any attribute in either ascending or descending order by:
• Clicking on the appropriate column header to toggle between ascending and descending order.
• Selecting an item from the Sort menu.
• Shift-left-click to add or remove contiguous entries, depending on the state of the anchor entry. The anchor entry is unchanged. If the anchor entry is selected, all intervening entries are selected. If the anchor entry is not selected (e.g., was deselected by Ctrl-left-click), all intervening entries are removed. If the previous operation was Shift-left-click, the effect of the previous operation is negated.
Searching Again
To search again
On the Network Node screen,
Step 1. Repeat the last Find with any of:
• Choose the Search > Find Again menu item
• Press F3
The search continues in the next entry. If the string is found, the entry is highlighted and other selections are cleared. If the string is not found, you get an error message (click OK to go on). If there is no previous search string, the process is as in “Starting a Search” on page 106.
NOTE
• Choose the Actions > Mark Selected Alerts/Errors As Seen menu item (selected entries on the current tab are marked as seen)
• Right-click and choose the Mark All Alerts/Errors as Seen menu item (all entries on the current tab are marked as seen)
• Right-click and choose the Mark Selected Alerts/Errors as Seen menu item (selected entries on the current tab are marked as seen)
❏ Unseen.
Saving a Log File Set
A log file set is the combination of the alert log file and the error log file. Alerts and errors are saved at the same time. Alerts go into a file named filesetname_alerts.log. Errors go into a file named filesetname_errors.log. filesetname is the name that you assign.
NOTE The Network Node screen’s title bar indicates how you obtained the data on the screen.
• Press Ctrl-A
Figure 7-4 Save Dialog Box
Step 2. Either select one of the existing file names (it doesn’t matter whether you choose the alert or error version) by clicking on its name, or enter a log file set name in the File Name field. A log file set name is a file name without the trailing _alert.log or _error.log. For example,
1. To create a new file set named myhost1.backup, enter myhost1.backup in the File Name field.
2.
Opening a Log File Set
You can open any log file set that has been saved on the system, including the master log files for your agent hosts.
Step 1. From the Network Node screen, display the Open dialog box (Figure 7-5) with one of:
• Choose the File > Open menu item
• Press Ctrl-O
Figure 7-5 Open Dialog Box
Step 2.
Chapter 8 Preferences Screen
Summary
This chapter describes operational and display settings that you can set on the Preferences screen.
Preferences Screen
The Preferences screen allows you to specify several system operational preferences and to choose which columns will appear on the alerts and errors lists of the Network Node screen, and the Monitored Hosts list of the System Manager screen.
General Preferences
On the Preferences screen, click on the General Preferences tab. The General Preferences tab provides four options, shown in Figure 8-1 and described in Table 8-1. Click on an option box to select or deselect it. Type a numeric value in the edit box to change it.
Table 8-1 General Preferences Tab (Continued)
Option  Default  Description
Automatic Startup Alert Synchronization  On  When this option is turned on (checked), the System Manager will automatically resynchronize the alerts with running agents whenever the System Manager is restarted. This is equivalent to choosing Actions > Resync from the System Manager screen. This option is not available if Automatic Startup Status Poll is not checked.
Browser Preferences
The Browser Preferences tab allows you to select the list columns that will be displayed on the System Manager screen and the Alerts and Errors tabs of the Network Node screen. Check the boxes to display the columns.
Alert Events Preferences
On the Preferences screen, click on the Browser Preferences tab and the Alert Events subtab. The Alert Events subtab lists the columns that can be displayed on the Alerts tab of the Network Node screen.
Table 8-2 Alert Events Subtab (Continued)
Column Name  Default  Description
Target ID *  No  ID of subsystem being attacked, e.g., 02:FILESYSTEM
Code *  No  Code number of the detection template
Version *  No  Version of the detection template
UTC Time *  No  Time of the alert in Coordinated Universal Time
Details *  No  Details of the alert
Error Events Preferences
On the Preferences screen, click on the Browser Preferences tab and the Error Events subtab.
System Manager Preferences
On the Preferences screen, click on the Browser Preferences tab and the System Manager subtab. The System Manager subtab lists the columns that can be displayed on the System Manager screen. Check the boxes to display the columns. The column names are shown in Figure 8-4 and described in Table 8-4. Click on an option box to select or deselect it.
Appendix A Templates and Alerts
Summary
This appendix describes the detection templates that are used to make up surveillance groups. This appendix also describes the alerts that are passed to the System Manager and to response programs by the HP-UX HIDS agent.
Alert Summary
For each alert, Table A-1 lists the attack detected, alert severity and the detection template that generates the alert.
Table A-1 Detection Templates (Continued)
Attack Detected  Alert  Alert Severity  Detection Template
A file with world writable permission was created by a privileged user, or the world writable bit was set on an existing file owned by a privileged user, or the owner of a world writable file was changed to a privileged user from a non-privileged user, or a world writable file owned by a privileged user was renamed from a location that is not being monitored to a locatio
a. Higher severity if specified by an ip_filter property. See “Login/Logout Template” on page 167 for more details on the ip_filter property.
UNIX Regular Expressions
UNIX regular expressions are supported to specify template directory and file properties. Template properties that specify pathnames (e.g.: pathnames_to_watch, pathnames_to_not_watch, pathnames_X, programs_X, etc.) are interpreted as UNIX regular expressions. See the regexp(5) man page for a description of regular expressions and pattern matching notations. To match a specific file, you must use the anchor characters ^ and $ (e.g.
When you attempt to match the pipe (|), ampersand (&) or the comma (,) character in a regular expression, you must escape those special characters using a backslash (\) character, because these three characters also have special meaning (i.e., are used as delimiters) to the parser of the template property syntax.
Limitations
This section describes the general limitations of all the templates. Template specific limitations are included in the respective template sections:
• None of the templates perform alert aggregation or filter out identical alerts that repeat over a given time period.
• None of the kernel file monitoring templates can filter alerts based on whether a file is local or remote (NFS).
Template Property Types
A template property has one of the following types:
• Type I: Pathnames to [Not] Monitor
• Type II: Pathnames/Programs Pairs
• Type III: UIDs
• Type IV: UID Pairs
• Type V: Network Triplets
• Type VI: Time Strings
• Type VII: Flags
• Type VIII: Scalars
See “Template Configuration Syntax” on page 178 for a description of the syntax used to specify values of the various template types.
Type II: Pathnames/Programs Pairs
These properties allow users to specify combinations of file pathnames and program pathnames, such that alerts normally generated for files (i.e., regular files, directories, etc.) specified in the "Pathnames to be monitored" property are suppressed when the file(s) are modified by selected program(s). Note that pathnames and programs are specified as regular expressions just as pathnames_to_[not]_watch are specified.
pathnames_1 | f1 & f2
programs_1 | p1
pathnames_2 | f1 & f2
programs_2 | p2
pathnames_3 | f1 & f2
programs_3 | p3
• However, it is not equal to the following:
4. pathnames_1 | f1
   programs_1 | p1 & p2 & p3
   pathnames_2 | f2
   programs_2 | p1 & p3
The rationale here is to provide a finer granularity for users to specify their file monitoring dependencies.
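As an added worked example (not code from the guide or from HP-UX HIDS), the following Python models the escaping rule for the "|", "&" and "," delimiters from "UNIX Regular Expressions" above together with the pathnames_N/programs_N suppression semantics of Type II pairs, including why pairs 1 to 3 are not equal to configuration 4. The "name | value" layout, the "&"-joined patterns and the use of Python's re module in place of regexp(5) are assumptions, and the configurations are constructed.

```python
import re
from typing import Dict, List, Tuple

# Added example; not code from the HP-UX HIDS documentation or product. It
# models two rules of this appendix: backslash escaping of the property-syntax
# delimiters "|", "&" and "," inside a regular expression, and the
# pathnames_N / programs_N pairing of Type II properties. The "name | value"
# layout with "&"-joined patterns follows the guide's example; the exact
# grammar of the schedule source text is assumed. Python's re module stands
# in for regexp(5); ^ and $ anchor the same way.

DELIMITERS = "|&,"
Pair = Tuple[List["re.Pattern"], List["re.Pattern"]]  # (file patterns, program patterns)

def split_unescaped(text: str, delimiter: str) -> List[str]:
    """Split text on unescaped occurrences of delimiter.

    A backslash before "|", "&" or "," keeps that character literal (via
    re.escape, so that Python's re, where a bare "|" means alternation, still
    treats it literally). Any other backslash sequence, such as "\\." in a
    pathname, is passed through unchanged for the regexp engine.
    """
    parts: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in DELIMITERS:
            current.append(re.escape(text[i + 1]))
            i += 2
        elif ch == delimiter:
            parts.append("".join(current).strip())
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    parts.append("".join(current).strip())
    return [p for p in parts if p]

def parse_property(line: str) -> Tuple[str, List[str]]:
    """'pathnames_1 | ^/etc/f1$ & ^/etc/f2$' -> ('pathnames_1', [two patterns])."""
    fields = split_unescaped(line, "|")
    if len(fields) != 2:
        raise ValueError(f"expected 'name | value', got {line!r}")
    name, value = fields
    return name, split_unescaped(value, "&")

def parse_pairs(lines: List[str]) -> List[Pair]:
    """Collect pathnames_N and programs_N lines into pairs keyed by N."""
    by_kind: Dict[str, Dict[str, List[str]]] = {"pathnames": {}, "programs": {}}
    for line in lines:
        name, values = parse_property(line)
        kind, _, index = name.partition("_")
        if kind not in by_kind or not index.isdigit():
            raise ValueError(f"not a Type II property: {name!r}")
        by_kind[kind][index] = values
    pairs: List[Pair] = []
    for index in sorted(by_kind["pathnames"], key=int):
        files = [re.compile(p) for p in by_kind["pathnames"][index]]
        programs = [re.compile(p) for p in by_kind["programs"].get(index, [])]
        pairs.append((files, programs))
    return pairs

def suppressed(path: str, program: str, pairs: List[Pair]) -> bool:
    """The alert for path modified by program is filtered out only when one
    and the same pair N matches both the file and the modifying program."""
    return any(any(f.search(path) for f in files) and any(p.search(program) for p in programs)
               for files, programs in pairs)

# Constructed configurations mirroring the guide's f1/f2 and p1..p3 example,
# with the ^ and $ anchors the guide requires to match a specific file.
CONFIG_PAIRWISE = [
    "pathnames_1 | ^/etc/f1$ & ^/etc/f2$", "programs_1 | ^/usr/bin/p1$",
    "pathnames_2 | ^/etc/f1$ & ^/etc/f2$", "programs_2 | ^/usr/bin/p2$",
    "pathnames_3 | ^/etc/f1$ & ^/etc/f2$", "programs_3 | ^/usr/bin/p3$",
]
# The collapsed form the guide calls not equal: f2 modified by p2 is covered
# by no pair, so that alert is not suppressed.
CONFIG_COLLAPSED = [
    "pathnames_1 | ^/etc/f1$", "programs_1 | ^/usr/bin/p1$ & ^/usr/bin/p2$ & ^/usr/bin/p3$",
    "pathnames_2 | ^/etc/f2$", "programs_2 | ^/usr/bin/p1$ & ^/usr/bin/p3$",
]
# A literal "&" in a pathname must be escaped, or it splits the value in two.
CONFIG_ESCAPED = ["pathnames_1 | ^/var/tmp/a\\&b$", "programs_1 | ^/usr/bin/p1$"]

if __name__ == "__main__":
    for label, cfg in (("pairwise", CONFIG_PAIRWISE), ("collapsed", CONFIG_COLLAPSED)):
        print(label, "f2 by p2 suppressed:", suppressed("/etc/f2", "/usr/bin/p2", parse_pairs(cfg)))
    print("escaped &:", suppressed("/var/tmp/a&b", "/usr/bin/p1", parse_pairs(CONFIG_ESCAPED)))
```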
if the file’s owner’s UID is 16, and the effective UID of the modifying process is 2, then no alarm is triggered.
Type V: Network Triplets
The values for this property type consist of network information triplets. The members of a triplet are as follows:
• IP address: An IP address. For IPv4 the address must be in standard dot notation; for IPv6, in colon notation.
NOTE The time unit value cannot be specified in the Schedule Manager window.
Type VII: Flags
The value of this property type is an integer that represents an enable/disable flag. A value of 1 means enabled and a value of 0 means disabled.
Buffer Overflow Template
The vulnerability addressed by this template
All buffer overflow attacks (e.g., stack smashing, return-into-libc, execute on heap) attempt to overflow a buffer, where the buffer can be a local variable residing on the stack, a dynamically allocated buffer residing on the heap, or a global variable residing in the process data segment.
How this template addresses the vulnerability
How this template is configured
This template supports the following properties:
Table A-2 Template Properties
Name  Type  Default Value
priv_uid_list  III  0 | 1 | 2 | 3 | 4 | 5 | 9 | 11
unusual_arg_len  VIII  500
pathnames_to_not_watch  I
• Property: priv_uid_list A list of system-level user IDs. This list should contain those users that are considered to have elevated access to the system.
Table A-3 Execute on Stack Alert Properties (Continued)
Response Program Argument  Alert Field  Alert Field Type  Alert Value/Format  Description
argv[3]  Severity  Integer  1  Critical Severity
argv[4]  UTC Time  Integer  UTC time in number of seconds since epoch when execute-on-stack was detected.
Unusual Argument Length
This template generates and forwards the following alert to a response program when a privileged setuid program is invoked with an argument whose length is equal to or greater than the unusual_arg_len property value:
Table A-4 Unusual Argument Length Alert Properties
Response Program Argument  Alert Field  Alert Field Type  Alert Value/Format  Description
argv[1]  Template code  Integer  0  Unique code assigned to template
argv[2]  Version  Integer
Table A-4 Unusual Argument Length Alert Properties (Continued)
Response Program Argument  Alert Field  Alert Field Type  Alert Value/Format  Description
argv[8]  Details  String  “Potential buffer overflow attack by process with pid and ppid when executing(type=, inode=, device=
Table A-5 Argument with Non-printable Character Alert Properties (Continued)
Response Program Argument  Alert Field  Alert Field Type  Alert Value/Format  Description
argv[3]  Severity  Integer  1  Critical severity
argv[4]  UTC Time  Integer  UTC time in number of seconds since epoch when a privileged setuid program was run with an argument that contains a non-printable character
argv[5]  Attacker  String  “uid=, gid=, pid=, ppid=
Table A-5 Argument with Non-printable Character Alert Properties (Continued)
Response Program Argument  Alert Field  Alert Field Type  Alert Value/Format  Description
argv[9]  Local Time  Integer  Local time in number of seconds since epoch when a privileged setuid program was run with an argument that contains a non-printable character.
Race Condition Template
The vulnerability addressed by this template
There is a class of attacks that exploit the time between a program’s check of a file and the time that program uses that file. The race condition is sometimes referred to as the Time-Of-Check-To-Time-Of-Use (TOCTTOU) vulnerability. For instance, a mail delivery program might check to see if a file exists before it changes ownership of the file to the intended recipient.
Properties
• Property: priv_uid_list A list of system-level user IDs. This list should contain those users that are considered to have elevated access to the system. Removing any of these means that an attack against one of those users will not be detected by this template.
• Property: pathnames_to_not_watch Pathnames of programs that can be safely ignored.
Table A-7 File Reference Modification Alert Properties (Continued)
Response Program Argument  Alert Field  Alert Field Type  Alert Value/Format  Description
argv[5]  Attacker  String  “uid=, gid=, pid=, ppid=”  The user ID, group ID, process ID, and parent process ID of the process, if known, that modified a privileged program’s file reference. All values set to -1 if attacker is not known.
Privileged Setuid Script Executed
This template generates and forwards the following alert to a response program when a privileged setuid script is executed (either directly or through a symbolic link) and the kernel has honored the setuid bit:
Table A-8 Setuid Script Executed Alert Properties
Response Program Argument  Alert Field  Alert Field Type  Alert Value/Format  Description
argv[1]  Template code  Integer  1  Unique code assigned to template
argv[2]  Version  Integer  2  Version of t
Table A-8 Setuid Script Executed Alert Properties (Continued)
Response Program Argument  Alert Field  Alert Field Type  Alert Value/Format  Description
argv[8]  Details  String  “User with running as process with pid and with parent pid is executing the privileged setuid script (type=, inode=, device=
Modification of Files/Directories Template
The vulnerability addressed by this template
Many of the files on an HP-UX system should not be modified during normal operation. This includes the system supplied binaries and libraries and the kernel. Additionally, software packages are generally not installed or modified during normal system operation.
Table A-9 Template Properties (Continued)
Name  Type  Default Value
pathnames_to_not_watch  I  ^/etc/ptmp$ | ^/etc/\.pwd\.lock$ | ^/etc/utmp$ | ^/etc/utmpx$ | ^/etc/rc\.log$ ^/etc/opt/resmon/pipe/
pathnames_0  II  ^/etc/opt/resmon/ | ^/etc/group˙tmp.*$ & ^/etc/passwd˙tmp.*$ & ^/etc/group$ | ^/etc/group ˙tmp.
These properties can be used to filter out alerts generated when a particular program modifies a particular file. See “Type II: Pathnames/Programs Pairs” on page 130 for a detailed description of these property pairs.
File Being Modified
This template generates and forwards the following alert to a response program when a file is modified:
Table A-10 File Being Modified Alert Properties
Response Program Argument  Alert Field  Alert Field Type  Alert Value/Format  Description
argv[1]  Template code  Integer  2  Unique code assigned to template
argv[2]  Version  Integer  2  Version of the template
argv[3]  Severity  Integer  2 if file is truncated, potent
Table A-10 File Being Modified Alert Properties (Continued)
Response Program Argument  Alert Field  Alert Field Type  Alert Value/Format  Description
argv[8]  Details  String  “User with uid (type=, inode=, device=) when executing (type=,inode=,device=), invoked as follows: ...
NOTE Refer to Table B-1 in Appendix B for the definition of argv[10] through argv[32], which can be used to access specific alert information (i.e., pid, ppid) without having to parse the string alert fields above.
Limitations
• The template cannot distinguish between a new file being created and an existing file being opened read-only when open(2) is invoked with the O_CREAT and O_RDONLY flags.
Changes to Log File Template
The vulnerability addressed by this template
There are certain HP-UX system files that are used to store logs of system activities, such as login attempts, commands executed, and miscellaneous system log messages. The files that store this system information should only be appended to, not overwritten. An attacker will often either modify or delete these files to remove information about their intrusion.
These properties can be used to filter out alerts generated when a particular program modifies a particular file other than by appending. See “Type II: Pathnames/Programs Pairs” on page 130 for a detailed description of these property pairs.
Table A-12 Append-Only File Being Modified Alert Properties (Continued)
Response Program Argument  Alert Field  Alert Field Type  Alert Value/Format  Description
argv[8]  Details  String  “User with uid (type=,inode=, device) when executing (type=,inode=,device=), invoked as follows: ...
Creation of Setuid File Template
The vulnerability addressed by this template
A setuid file is one that, if executed, will operate with the permissions of the owner of the file, not of the person executing the file. One of the frequent back doors that an intruder will install on a system is the creation of a copy of the /bin/sh program that is setuid root. Such a file allows any command to be executed as the superuser.
Setuid File Created
This template generates and forwards the following alerts to a response program when a setuid file owned by a privileged user is created:
Table A-14 Setuid File Created Alert Properties
Response Program Argument  Alert Field  Alert Field Type  Alert Value/Format  Description
argv[1]  Template code  Integer  4  Unique code assigned to template
argv[2]  Version  Integer  2  Version of the template
argv[3]  Severity  Integer  1  Sev
Table A-14 Setuid File Created Alert Properties (Continued)
argv[8] (Details, String): “User with uid the file (type=,inode=, device>(type=,inode=,device=), invoked as follows: ...
Creation of World-Writable File Template
The vulnerability addressed by this template
A world-writable file is one that any user of the system can modify. In many cases, files owned by the system users (such as root, bin, sys, adm) control the configuration and operation of the system. Allowing regular users to modify these files exposes the system to attack.
Table A-15 Template Properties (Continued)
Name: programs_1
Type: II
Default Value: ^/usr/lbin/rlogind$ | ^/usr/lbin/swagent$ & ^/usr/sbin/swagentd & ^/usr/sam/lbin/samd$ & ^/opt/perf/bin/ & ^/opt/OV/bin/ | ^/opt/openssl/prngd/prngd$ | ^/usr/sbin/getty$ | ^/usr/sam/lbin/samd$ | ^/opt/VRTSob/bin/vxsvc$ | ^/opt/perf/bin/ | ^/opt/OV/httpd/bin/httpd$ | ^/opt/OV/bin/ | ^/usr/sbin/useradd$ & ^/usr/sbin/userdel$ & ^/usr/sbin/usermod$ |
Table A-16 World-writable File Created Alert Properties
argv[2] (Version, Integer): 2. Version of the template.
argv[3] (Severity, Integer): 3. Severity.
argv[4] (UTC Time, Integer): UTC time in seconds since the epoch when a world-writable file is created.
argv[5] (Attacker, String): “uid=, gid=, pid=, ppid=”. The user ID, group ID, process ID, and parent process ID of
Table A-16 World-writable File Created Alert Properties (Continued)
argv[8] (Details, String): “User with uid (type=,inode=, device) when executing (type=,inode=,device=), invoked as follows: ...
Limitations
• The template cannot distinguish whether a file is created or truncated when creat(2) is invoked.
Modification of Another User’s File Template
The vulnerability addressed by this template
In many environments, users are expected to work only with their own files. An attacker attempting to compromise the security of a system might cause a system program to modify files owned by other system users. Because many daemons run as a particular user, this template may generate an alert when a compromised daemon causes such an attack.
Properties
These fields need to be configured according to the individual machine’s configuration and usage.
• Property: pathnames_to_not_watch
Pathnames of files that can safely be ignored when they are modified by non-owners.
• Property: uids_to_ignore
Users whose IDs are in this list may modify files they do not own without generating an alert. It is recommended that this property be left blank unless specifically needed.
Table A-18 Non-owned File Being Modified Alert Properties (Continued)
argv[4] (UTC Time, Integer): UTC time in seconds since the epoch when a file is modified by a non-owner.
argv[5] (Attacker, String): “uid=, gid=, pid=, ppid=”. The user ID, group ID, process ID, and parent process ID of the process that modified the f
Table A-18 Non-owned File Being Modified Alert Properties (Continued)
argv[8] (Details, String): “User with uid (type=,inode=, device(type=,inode= ,device=), invoked as follows: ...
Login/Logout Template
The vulnerability addressed by this template
There are certain privileged user accounts (such as adm, bin, sys) that are intended to be used only by system programs for maintenance purposes.
NOTE: uids_to_monitor takes precedence over uids_to_ignore when both lists are set. If uids_to_monitor is not empty, the values in uids_to_ignore are ignored.
• Property: uids_to_ignore
Users whose IDs are in this list may log in, log out and su without generating an alert.
• Property: uids_to_monitor
Alerts are generated when the user IDs in this list log in, log out or su, provided the corresponding monitor_*_flag is set to 1.
Login/Logout
This template generates and forwards the following alert to a response program when a successful login or logout occurs:
Table A-20 Login/Logout Alert Properties
argv[1] (Template code, Integer): 7. Unique code assigned to the template.
argv[2] (Version, Integer): 2. Version of the template.
argv[3] (Severity, Integer): 2 for user root or ids and 1 if specified by
Table A-20 Login/Logout Alert Properties (Continued)
argv[10] (Flag, Integer): 1. Indicates a login/logout alert versus an su alert.
argv[11] (User, String): Name of the user that logged in or logged out.
argv[12] (Device, String): Name of the pty device associated with the login session.
Table A-21 Successful su Detected Alert Properties (Continued)
argv[5] (n/a, n/a): This field is empty.
argv[6] (n/a, n/a): This field is empty.
argv[7] (Summary, String): "Successful su session". Alert summary.
argv[8] (Details, String): “User switched to user on tty ”. Detailed alert description.
argv[9] (Local Time, Integ
• Because the login name (ut_user in a utmp structure) is not available for a logout event, the template retrieves the login name from the wtmp[s] log. If the log has been cleared, the template creates a logout alert that does not contain the user name, only the device on which the logout occurred.
• The template generates alerts for ftp logins without the remote host IP address on 11i version 1.0 unless the wu-ftp 2.6.1 patch is installed.
Repeated Failed Logins Template
The vulnerability addressed by this template
An attacker can gain access to a system by repeatedly guessing the password of an account.
How this template addresses the vulnerability
The Failed Login template monitors for repeated failed attempts to log in to the system. Specifically, it monitors btmp on 11i and btmps on 11i v2 for a given number of failed login attempts within a specified time span.
Failed Login Attempts
This template generates and forwards the following alerts to a response program when repeated failed logins are detected.
Table A-23 Failed Login Attempts Alert Properties (Continued)
argv[12] (Device, String): Name of the pty device associated with the failed login attempt.
argv[13] (Hostname, String): Name of the remote host from which the login was attempted.
argv[14] (IP Address, String): for IPv4 addresses "A:B:C:D:...
Repeated Failed su Commands Template
The vulnerability addressed by this template
The system su(1) command allows one user to assume the identity of another user by entering that user’s password. An attacker can attempt to gain root privileges by running the su command and guessing the root password.
How this template addresses the vulnerability
The template monitors for repeated failed attempts to change user IDs.
Table A-25 Repeated Failed Su Attempts Alert Properties (Continued)
argv[4] (UTC Time, Integer): UTC time in seconds since the epoch when more than number of failed su attempts are detected for a particular user.
Template Configuration Syntax
This section describes the syntax used to specify template properties in the ASCII version of a schedule (i.e., /var/opt/ids/schedule). The same syntax is used when entering property values in the Schedule Manager window.
• If a filename contains a pipe (|), ampersand (&) or comma (,) character, those special characters must be escaped with a backslash (\) because these three characters are used as delimiters by the template property syntax. See “UNIX Regular Expressions” on page 126 for an example.
• property type is the name of a template property.
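As an added illustration of the escaping rule above (example code, not from the guide), the following C functions split a property value on unescaped “|”, “&” and “,” characters and produce the escaped form of a pathname for use in such a value. The trimming of surrounding blanks and the MAX_TOKEN limit are assumptions of this example, and the code does not model the Type II pair semantics described on page 130; it only shows how the backslash changes tokenization.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TOKEN 256

/* The three delimiters of the template property syntax. A backslash in
   front of any of them makes it a literal character (the page's rule). */
static int is_delim(char c) { return c == '|' || c == '&' || c == ','; }

/* Remove leading and trailing blanks in place (assumed cosmetic rule). */
static void trim(char *s) {
    size_t n = strlen(s);
    char *b = s;
    while (n > 0 && s[n - 1] == ' ') s[--n] = '\0';
    while (*b == ' ') b++;
    if (b != s) memmove(s, b, strlen(b) + 1);
}

/* Split value into tokens on unescaped delimiters.
   tokens[i] receives the i-th token with the escaping backslashes removed
   and blanks trimmed; delims[i] receives the delimiter that ended the token
   ('\0' for the last one). Returns the token count, or -1 if a token is
   longer than MAX_TOKEN-1 or more than max tokens are present. */
int split_property_value(const char *value, char tokens[][MAX_TOKEN],
                         char delims[], int max) {
    int n = 0, len = 0;
    const char *p;
    if (max < 1) return -1;
    for (p = value; ; p++) {
        char c = *p;
        if (c == '\\' && is_delim(p[1])) {
            c = *++p;                       /* escaped delimiter: literal */
        } else if (is_delim(c) || c == '\0') {
            tokens[n][len] = '\0';          /* end of current token */
            trim(tokens[n]);
            delims[n] = c;
            n++;
            if (c == '\0') return n;
            if (n >= max) return -1;
            len = 0;
            continue;
        }
        if (len >= MAX_TOKEN - 1) return -1;
        tokens[n][len++] = c;
    }
}

/* Write the escaped form of path into out (capacity outlen), prefixing each
   delimiter character with a backslash. Returns the escaped length or -1. */
int escape_pathname(const char *path, char *out, size_t outlen) {
    size_t o = 0;
    for (; *path; path++) {
        if (is_delim(*path)) {
            if (o + 1 >= outlen) return -1;
            out[o++] = '\\';
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = *path;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void) {
    /* Constructed sample value: the second pathname contains a literal pipe. */
    const char *value = "^/var/adm/wtmp$ | ^/var/log/a\\|b$ & ^/usr/bin/cat$";
    char toks[8][MAX_TOKEN], delims[8], esc[64];
    int i, n = split_property_value(value, toks, delims, 8);
    for (i = 0; i < n; i++)
        printf("token %d: [%s] ended by '%c'\n", i, toks[i], delims[i] ? delims[i] : ' ');
    if (escape_pathname("/var/log/a|b,c", esc, sizeof esc) > 0)
        printf("escaped: %s\n", esc);
    return 0;
}
```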
Appendix B Automated Response
Summary
This appendix describes how you can use response programs to process alerts automatically according to your installation’s policies. It includes a sample C program, several sample response scripts, and information about a prepackaged response program that communicates with HP OpenView VantagePoint Operations.
Introduction
The automated alert response feature of HP-UX HIDS is a powerful tool. Response programs allow you to capture alerts automatically as they are generated by the HP-UX HIDS agent and to use your own tools to process them and make decisions, such as alerting a system administrator about a potential intrusion.
If business continuity is important, the machine must be restored to a known safe state. If critical files have been modified, they can be restored from trusted read-only media. See the examples in “Restoration of a known “good” state” on page 202.
How Automated Response Works in HP-UX HIDS
The Alert Process
When the agent generates an alert:
1. The agent stores the alert in a local log file whose pathname is defined by the IDS_ALERTFILE configuration variable (the default is /var/opt/ids/alert.log). See Chapter , “The Agent Configuration File,” on page 215.
2. If it is communicating with the System Manager, the agent sends the alert to the System Manager.
3.
2. Your program is detached from the controlling terminal and runs as a background process. Standard output and standard error are both redirected to the error log file, as defined by the IDS_ERRORFILE configuration variable (the default is /var/opt/ids/error.log).
3. If you need to transmit alert information to another system, you may need to set up your own secure communication process.
4.
Table B-1 Additional Arguments Passed to Response Programs (Continued)
argv[20] (Target File Owner, Integer): Owner (uid) of the file under attack.
argv[21] (Target File Group, Integer): Group (gid) of the file under attack.
argv[22] (Target File Inode, Integer): Inode number of the file under attack.
Table B-2 Additional Arguments Passed to Response Programs for Race Condition Template Alerts
argv[33] (Attacked Program Pathname, String): Full pathname of the program under attack.
argv[34] (Attacked Program File Type, Integer): File type of the program under attack. Corresponds to an enum vtype value defined in vnode.
Table B-3 Environment Variables Set for Response Programs (Continued)
LD_PRELOAD (Library path):
PATH (Program path): usr/bin:/sbin:/usr/sbin
SHELL (Shell path name): /usr/bin/sh
TERM (Terminal type): unknown
Programming Guidelines
Writing Perl vs. Shell Response Scripts
Perl itself is not privileged, but when a Perl script is run by a privileged user (as it often is), care must be taken to ensure that the script is secure. It is far easier to write an insecure script in Perl than in a shell (POSIX, Korn, C, etc.).
This program should run with a privileged effective uid only while performing an operation that requires privilege, and should run with the nonprivileged ids uid as its effective uid at all other times, a method called “privilege bracketing”. See the setresuid(2) manpage for how to toggle the effective uid.
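An added example (not the guide’s ids_alertResponse.c or privC.c) of a privilege-bracketed response program: it drops to the unprivileged uid at startup with setresuid(2), keeps the privileged uid only in the saved set-user-ID, classifies the alert using the argv positions the appendix’s sample programs rely on (1 for template code, 11 for process ID, 17 for target pathname, 24 for the program), and regains privilege only around the one call that needs it. The MIN_ARGS check, the dry_run switch and the choice of SIGTERM are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Prototype repeated in case _GNU_SOURCE was not in effect for unistd.h. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

/* This responder reads argv[1], argv[11], argv[17] and argv[24], so the alert
   must carry at least 25 arguments (an assumed sanity check). */
#define MIN_ARGS 25
#define ALERT_FILE_MODIFICATION 2   /* template code checked by the guide's sample */

typedef enum {
    ACT_NONE = 0,            /* alert not relevant to this responder */
    ACT_BAD_ALERT,           /* malformed or truncated argument list */
    ACT_STOP_PASSWD_WRITER   /* /etc/passwd modified: stop the writing process */
} action_t;

/* Parse the process-id field strictly: the whole field must be a positive
   number. atoi() would turn garbage into 0, and kill(0, ...) signals the
   whole process group, so 0 is rejected as well. */
long parse_pid(const char *s) {
    char *end;
    long v;
    if (s == NULL || *s == '\0') return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v <= 0) return -1;
    return v;
}

/* Decide what to do with an alert. Runs entirely unprivileged. */
action_t classify_alert(int argc, char **argv) {
    if (argc < MIN_ARGS) return ACT_BAD_ALERT;
    if (atoi(argv[1]) != ALERT_FILE_MODIFICATION) return ACT_NONE;
    if (strcmp(argv[17], "/etc/passwd") != 0) return ACT_NONE;
    if (parse_pid(argv[11]) < 0) return ACT_BAD_ALERT;
    return ACT_STOP_PASSWD_WRITER;
}

/* Privilege bracketing: make the real uid effective and park the privileged
   uid in the saved set so it can be restored for a single operation. */
int drop_privilege(uid_t *saved) {
    *saved = geteuid();
    return setresuid((uid_t)-1, getuid(), *saved);
}

int regain_privilege(uid_t saved) {
    return setresuid((uid_t)-1, saved, (uid_t)-1);
}

int running_unprivileged(void) {
    return geteuid() == getuid();
}

/* Carry out the action. With dry_run set nothing is signalled and no
   privilege is regained; the function only reports what it would do. */
int respond(action_t act, char **argv, uid_t saved, int dry_run) {
    long pid;
    int rc = 0;
    if (act != ACT_STOP_PASSWD_WRITER) return 0;
    pid = parse_pid(argv[11]);
    fprintf(stderr, "%s: stopping pid %ld running %s that modified %s\n",
            argv[0], pid, argv[24], argv[17]);
    if (dry_run) return 0;
    if (regain_privilege(saved) == -1) { perror("setresuid"); return -1; }
    if (kill((pid_t)pid, SIGTERM) == -1) { perror("kill"); rc = -1; }
    /* Give privilege back immediately, whatever kill() returned. */
    if (setresuid((uid_t)-1, getuid(), (uid_t)-1) == -1) { perror("setresuid"); return -1; }
    return rc;
}

int main(int argc, char **argv) {
    uid_t saved;
    action_t act;
    if (drop_privilege(&saved) == -1) { perror("setresuid"); return 1; }
    act = classify_alert(argc, argv);
    if (act == ACT_BAD_ALERT) { fprintf(stderr, "%s: malformed alert\n", argv[0]); return 1; }
    return respond(act, argv, saved, 0) == 0 ? 0 : 1;
}
```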
then
    # and if the target of the attack is the password file
    if [ "${17}" = "/etc/passwd" ]; then
        # obtain the process id from the alert
        pid=${11}
        echo "Critical intrusion: halting process ${pid} running ${24} that modified /etc/passwd" | /usr/bin/mailx -s "$7" "${RECIPIENT}"
        # Invoke setuid-root program to kill process instead
        # of using a setuid-root script which is susceptible to
        # race condition attacks.
int pid;
/* Turn off root privilege but save euid */
if (setresuid(-1, getuid(), geteuid()) == -1) {
    perror("setresuid");
    exit(1);
}
/* Determine if a file modification alert */
if (atoi(argv[1]) == 2) {
    /* Determine if the target of the attack is /etc/passwd */
    if (strcmp(argv[17], "/etc/passwd") == 0) {
        /* Obtain process id; atoi() returns 0 for a non-numeric field,
           and pid 0 would address the whole process group */
        pid = atoi(argv[11]);
        if (pid <= 0) {
            fprintf(stderr, "Unknown process modified /etc/passwd\n");
            exit(1);
        }
        fprintf(stderr, "Process %
A directory with mode 500 and owned by ids:ids.
/opt/ids/response/misc/scriptC.sh
A non-setuid script with mode 500 and owned by ids:ids.
NOTE: You must make sure you do not create a privC program that allows the execution of any executable with euid root! The path names of the scripts must be hardcoded in privC.c.
Code for privC program
#include
#include
#include
Sample Response Programs
The following sections contain examples of C and shell script response programs.
Sample C Language Program Source Code
This is sample C language source code for a response program. It is distributed as /opt/ids/share/examples/ids_alertResponse.c. Modify the source code to take appropriate action in response to intrusions. It can be compiled with your standard C compiler.
Forwarding Information
Sending an E-mail
HP-UX HIDS logs alerts to a file on the local system and sends the alert information to the HP-UX HIDS System Manager. Alert information can also be sent via e-mail, as demonstrated in this script.
Logging to a central syslog server
While the HP-UX HIDS System Manager provides a centralized location for alerts, you may also want to log alerts to a syslog server. This short script shows how that can be done.
Halting any further attacks
Disabling a user's account
If a particular user account is generating many alerts, it may be necessary to disable further logins on that account. This script shows how to achieve that.
IMPORTANT: This script requires privilege and should not be installed as a setuid privileged script. This script is for illustration purposes only.
Disable remote networking
If you have determined that an intrusion is originating from a remote location, this script disables networking on the system.
IMPORTANT: This script requires privilege and should not be installed as a setuid privileged script. This script is for illustration purposes only. Refer to “Writing Privileged Response Programs” on page 190 for help on how to write a privileged response program safely.
Preservation of evidence
NOTE: Consult your local legal counsel to determine what steps must be taken to preserve evidence for use in court. The example scripts presented below do not meet the legal requirements for preservation of evidence.
Putting a process to sleep
It may be necessary to preserve the evidence of an intrusion for later analysis. In this example, a process that has caused an alert is stopped.
Snapshot of critical system state
Extending the previous example, this script takes a snapshot of critical system state information that can be used for later analysis:
• currently executing process list
• who is logged into the system
• a record of login/logout attempts
• a list of active network connections
#!/usr/bin/sh
#
# Sample HP-UX HIDS alert response script
#
# Take a snapshot of the important system state information when
# the intrusion occu
Restoration of a known “good” state
Restoring “safe” copies of files
Intruders often replace key system configuration files during an attack. This sample script shows how to replace those files with clean versions that are mounted on a CDROM drive. We assume that the CDROM is mounted on /cdrom.
IMPORTANT: This script requires privilege and should not be installed as a setuid privileged script. This script is for illustration purposes only.
HP OpenView Operations SMART Plug-In
For customers of HP OpenView Operations (OVO), a SMART Plug-In — OVO HPUX_HIDS-SPI — is available. By relaying messages from the HP-UX HIDS agent to the OVO message interceptor residing on the same host, HP-UX HIDS gives you the ability to manage HP-UX HIDS alerts directly from the OpenView management server.
Appendix C The idsagent Command
Summary
This appendix covers:
• “The idsagent Command” on page 207.
The idsagent Command
idsagent starts the HP-UX HIDS agent software on the agent system. See idsagent(1M).
CAUTION: You are strongly urged not to use the debugging options (-c, -d, -e, -l, and -p) except for testing and debugging. In normal operation, the debugging options degrade the performance of the HP-UX HIDS agent software.
Error messages are written to the error log file, as defined by the configuration parameter IDS_ERRORFILE. The messages in the IDS_ERRORFILE file are also sent to the HP-UX HIDS System Manager, idsgui, if it is running on the administration system. If the -d and -l options are also specified, the error messages are also written to the debug log file. By default, IDS_ERRORFILE is set to /var/opt/ids/error.log. See “Global Configuration” on page 206 and ids.cf(5).
Appendix D The idsadmin Command
Summary
This appendix covers:
• “The idsadmin Command” on page 211.
The idsadmin Command
idsadmin is an IDS command-line administration tool that provides a command prompt from which you send commands to an idsagent process. In addition, you can receive alerts and error messages from the agent. See idsadmin(1M). idsadmin assumes that the steps described in IDS_genAdminKeys(1M), IDS_genAgentCerts(1M), and IDS_importAgentKeys(1M) have been followed to generate the certificates required for secure communication.
Specify the host name or IP address of the local host on which idsadmin should accept connections from the agent. By default, the local host name is used. Use this option if the local host is multihomed (has two or more IP addresses).
-l alert/error-filename
Specify the path name of a file in which to store the alert and error messages sent by the agent. If the file already exists, idsadmin appends to it.
Appendix E The Agent Configuration File
Summary
This appendix describes the user-configurable options that can be modified in the HP-UX HIDS agent configuration file, which is located in /etc/opt/ids/ids.cf.
The Agent Configuration File
The HP-UX HIDS agent requires a configuration file named ids.cf, located in the directory /etc/opt/ids, which describes the location of various required binaries and also stores some detection-template-specific data. See ids.cf(5). IDS users are strongly discouraged from editing the configuration file (except as explicitly directed), as doing so may cause the IDS agent software to fail.
Global Configuration
The Global section is bracketed by the [global]...[END] keywords. Only the parameters in Table E-1 may be edited.
CAUTION: Do not edit any other variables between [global] and its [END] tag.
Table E-1 Global Configuration Variables
IDS_ALERTFILE (default): /var/opt/ids/alert.log
IDS_ERRORFILE (default): /var/opt/ids/error.
Data Source Process Configuration
There is a configuration entry for each data source process (DSP). Each entry is surrounded by [DSP] and [END] tags. The first entry, for the system log DSP, which monitors various system log files, has no modifiable parameters. The second entry is for the kernel audit data DSP.
CAUTION: Do not edit any variables in the system log DSP section (between [DSP] NAME idskernDSP and its [END] tag).
Controls how the kernel acts if idsagent cannot keep up with the rate at which data is generated.
Remote Communication Configuration
The remote communication configuration section lies between the [RemoteSA] and [END] tags. Only the parameters in Table E-3 may be edited.
CAUTION: Do not edit any other variables between [RemoteSA] and its [END] tag.
administration system. An IP address is specified in dotted decimal notation. If the INTERFACE variable is set in idsgui, REMOTEHOST should have the same value.
Appendix F Messages
Summary
This appendix describes the error and other messages that may be produced by the Agent and System Manager programs.
Agent Messages
NOTE: These messages are produced by the agent processes. If you see a message that is not described here and you cannot resolve it, contact HP support.
idsagent: another idsagent (PID:pid) process is running Or a stale lockfile /var/opt/ids/idsagent.pid exists Remove it and attempt to restart - exiting
❏ Meaning: You attempted to start idsagent and it is already running, or idsagent halted abnormally, leaving the lock file in place.
❏ Action: Verify that the file exists, that it is owned by user:group ids:ids, and that it is readable by user ids.
idsagent: failed to initialize configuration module
❏ Meaning: An error occurred while parsing the ids.cf configuration file. The SSL certificates may not have been created properly, meaning that the REMOTEHOST parameter may not be valid in ids.cf.
❏ Action: Check the accompanying error messages and correct the problem.
❏ Action: Contact HP support.
idsagent: unable to setup SIGCHLD signal handler
❏ Meaning: An internal error has occurred in handling signals.
❏ Action: Contact HP support.
idsagent: unable to setup SIGHUP signal handler
❏ Meaning: An internal error has occurred in handling signals.
❏ Action: Contact HP support.
idsagent: unable to setup signal handler
❏ Meaning: An internal error has occurred in handling signals.
❏ Action: Contact HP support.
❏ Action: Verify that the log file is owned by user:group ids:ids, that the ids user has read and write permissions on the file, and that its parent directory has read and write permissions.
idsagent: DSP type dsp required by template template not found
❏ Meaning: Template template requires a data source dsp that is not supported by this version of HP-UX HIDS.
❏ Action: Ensure that you have installed the latest version of the HP-UX HIDS product.
idsagent: failed to initialize schedule
❏ Meaning: An internal error occurred in parsing and initializing the surveillance schedule.
❏ Action: Contact HP support.
idsagent: failed to initialize schedule in crontab
❏ Meaning: idsagent was unable to create a set of crontab entries for user ids to manage schedule execution.
❏ Action: Verify that the user ids is present in the /var/adm/cron/cron.allow file.
❏ Meaning: The system does not have enough disk space to create the interprocess communication files in /var/opt/ids. HP-UX HIDS uses memory-mapped files, each of size 20 MB.
❏ Action: Ensure that there is at least 20 MB of free disk space in the /var partition. You can remove any lingering files with names of the form /var/opt/ids/ids_10*.
idsagent: not enough disk space to create schedule
❏ Meaning: The /var partition is full and idsagent cannot save the schedule to disk.
❏ Meaning: This is not a valid address or name for this host, or the host name does not resolve to a unique network address. idsagent does not know which network interface to listen on.
❏ Action: Change the IDS_LISTEN_IFACE parameter in the [global] section of the configuration file to a valid address or name for this host.
System Manager Messages
NOTE: These messages are produced by the System Manager process. If you see a message that is not described here and you cannot resolve it, contact HP support.
All Surveillance Schedules must be stopped prior to loading a Host List File - Program State Error.
❏ Meaning: Before loading the previously saved list of hosts, all surveillance schedules must be stopped.
I/O Exception while opening file: filename - File Save Error.
❏ Meaning: The application was unable to open the specified file.
❏ Action:
In order to Activate a Surveillance Schedule, selected hosts must have a status of Ready, Scheduled, or Running.
❏ Meaning: The host was in an invalid state for the selected action.
❏ Action: Before activating a surveillance schedule, ensure that the selected hosts are in the Ready, Scheduled, or Running state.
❏ Action: Two hosts cannot have the same IP address. All hosts must have unique IP addresses.
No Host selected. A Host must be selected for editing - Host Selection Error.
❏ Meaning: You attempted to edit host information without selecting a host.
❏ Action: Before editing host information, a host must be selected.
No host selected. At least one host must be selected - Host Selection Error.
❏ Meaning: Only schedules associated with a node can be stopped. No node was selected.
❏ Action: Select a node before stopping the schedule.
Select a Surveillance Schedule to Activate.
❏ Meaning: A schedule must be selected before the activate action is performed.
❏ Action: Select a surveillance schedule before attempting to perform the activation function.
Select Surveillance Group Name to delete - Selection Error.
❏ Meaning: The application was unable to retrieve the surveillance schedule you selected.
❏ Action: A read action has occurred while retrieving a surveillance schedule. Contact HP support.
Surveillance Schedule not selected - Schedule Selection Error.
❏ Meaning: A surveillance schedule was not properly selected for a given operation.
❏ Action: Before performing any action on a surveillance schedule, one must be properly selected.
❏ Action: An error occurred during the save operation. Ensure that sufficient disk space is available.
Unknown Host - unable to resolve IP Address IPaddress.
❏ Meaning: The host name of the agent that you tried to add could not be resolved.
❏ Action: Check the host name of the host.
Unknown IP Address - unable to resolve Host Name
❏ Meaning: The IP address of the host that you tried to add could not be resolved.
Appendix G Troubleshooting
Summary
This appendix describes various steps you can take to resolve problems on the agent and administrative systems.
• “System Manager times out on agent functions such as Activate and Status Poll” on page 248
• “UNKNOWN program and arguments in certain alert messages” on page 249
• “Using HP-UX HIDS with IPFilter and SecureShell” on page 249
Troubleshooting
This section describes a variety of potential problems and their solutions. To stay current with product updates and patches, be sure to monitor the HP security software news and events web site at www.hp.com/security.
Agent and System Manager cannot communicate with each other
(No errors are generated by the HP-UX HIDS processes and everything else seems to be running fine.) See also “No Agent Available” on page 246.
Agent complains that idds has not been enabled, yet lsdev shows /dev/idds is present
❏ If lsdev shows that /dev/idds is present, yet the idsagent debug-enabled log file (run with /opt/ids/bin/idsagent -d -l log_file_name) complains that idds is not enabled, there is probably an installation or kernel-build error.
Agent halts abnormally, leaving ids_* files and message queues
❏ If a running agent was not halted as described in “Halting HP-UX HIDS Agents” on page 53 (for example, the agent was stopped with kill -9), then you need to clean up the message queues, which the agent uses for interprocess communication (IPC). This is important because the kernel has a limited number of message queues that IDS and other applications need in order to run.
❏ /opt/ids/bin/idsagent -d -e -l /var/log/idslog
The debug information can be found in the following files:
• /var/log/idslog
• /var/log/idslog_idskerndsp
• /var/log/idslog_idssysdsp
• /var/log/idslog_idscor
Agent does not start after installation
❏ Verify that there are no errors from the install: /var/adm/sw/swagent.log
❏ Be sure the product has been run as user ids. (No other user will work.
❏ Determine whether any changes have been made to the detection templates that may filter out the alerts (such as ignoring whole directories or users).
❏ If no login/logout alerts are seen, /var/adm/wtmp might be corrupted. To check, run the last command and see whether it prints an error or segmentation faults.
Enter command>>ping
Wed Nov 24 20:53:23 2004: libcomm: pid=14582 thread_id=1:open_connection: Handshake error (ssl_err=1,ret=0) as client 1:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1052:SSL alert number 42
Wed Nov 24 20:53:23 2004: libcomm: pid=14582 thread_id=1: write_msg: error opening connection to remote host, errno=607:Error during SSL handshake.
Starting the HP-UX HIDS System Manager in the background
Please wait....
In either case, you can try running the command again. The solution is to apply the latest Software Distributor (SD) Cumulative Patch. For 11.0, install PHCO_25875 or a superseding patch, if any. For 11i and 11i version 1.6, install PHCO_25887 or a superseding patch, if any.
6. Have the secure communications certificates expired?
— On the administration system, run the script /opt/ids/bin/IDS_checkAdminCert. If the certificate has expired, rerun /opt/ids/bin/IDS_genAdminKeys with the update parameter. See “Setting Up the HP-UX HIDS Secure Communications” on page 20.
— On the agent system, run the script /opt/ids/bin/IDS_checkAgentCert. If the certificate has expired, rerun /opt/ids/bin/IDS_genAgentCerts for the agent on the administration system.
System Manager appears to hang

❏ This may result if the System Manager is in the process of resyncing a large number of alerts from a specific host. There are two possible workarounds for this problem:
• Wait. The System Manager will resume normal behavior when it completes resynchronizing.
• Kill the System Manager. Move the file /var/opt/ids/alert.
• If the idsagent has died, then restart it. See “Starting HP-UX HIDS Agents” on page 52.
• If the System Manager seems to be expecting responses back too quickly, then increasing the Agent Response Timeout value may help alleviate the problem. See “General Preferences” on page 116.

UNKNOWN program and arguments in certain alert messages

Sometimes, alerts occur specifying an UNKNOWN program and arguments.
To allow communications back to these ephemeral ports, use the “keep state” rule in IPFilter.
pass out quick proto tcp all keep state
4. Allow queries to DNS servers by HP-UX HIDS agents and HP-UX HIDS System Manager.
pass out quick proto udp all keep state
5. Since the HP-UX HIDS System Manager requires X11 connections, which can and should be forwarded over the secure channel with SecureShell, allow SecureShell incoming connections.
If you started your ssh session with the verbose mode, -v, you will see debug messages similar to the following. Notice the statement “X11 connection uses different authentication protocol: ‘MIT-MAGIC-COOKIE-1’ vs. ‘’.”
xsvr3: Received X11 open request.
xsvr3: Sending open confirmation to the remote host.
xsvr3: X11 connection uses different authentication protocol: ‘MIT-MAGIC-COOKIE-1’ vs. ‘’.
Appendix G (Troubleshooting), page 252
Appendix H: HP Software License (page 253)
Attention

USE OF THE HP-UX HOST INTRUSION DETECTION SYSTEM AND ASSOCIATED DOCUMENTATION (COLLECTIVELY, THE "SOFTWARE") IS SUBJECT TO THE HP SOFTWARE LICENSE TERMS SET FORTH BELOW. USING THE SOFTWARE INDICATES YOUR ACCEPTANCE OF THESE LICENSE TERMS. IF YOU DO NOT ACCEPT THESE LICENSE TERMS, YOU MAY RETURN THE SOFTWARE FOR A FULL REFUND. IF THE SOFTWARE IS BUNDLED WITH ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE UNUSED PRODUCT FOR A FULL REFUND.
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.
HP Software License Terms

The following License Terms govern your use of the accompanying Software.

License Grant. HP grants you a license to Use one copy of the Software. "Use" means storing, loading, installing, executing or displaying the Software. You may not modify the Software or disable any licensing or control features of the Software.
Disclaimer. TO THE EXTENT ALLOWED BY LOCAL LAW, THE SOFTWARE IS PROVIDED TO YOU "AS IS" AND WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, WHETHER ORAL OR WRITTEN, EXPRESS OR IMPLIED. HP SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OF A THIRD PARTY'S INTELLECTUAL PROPERTY. Applicable law may not allow the exclusion of implied warranties, so the above exclusion may not apply to you.