Administrator's Guide
Appendix G
Troubleshooting
6. Have the secure communications certificates expired?
— On the administration system, run the script /opt/ids/bin/IDS_checkAdminCert. If
the certificate has expired, rerun /opt/ids/bin/IDS_genAdminKeys with the update
parameter. See “Setting Up the HP-UX HIDS Secure Communications” on page 20.
— On the agent system, run the script /opt/ids/bin/IDS_checkAgentCert. If the
certificate has expired, rerun /opt/ids/bin/IDS_genAgentCerts for that agent on the
administration system, then reimport the certificates on the agent system with
/opt/ids/bin/IDS_importAgentKeys. See “Setting Up the HP-UX HIDS Secure
Communications” on page 20.
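The IDS_check* scripts answer the yes/no question above; when you also want to know how long a certificate has left (for a cron job, or before restarting an agent), the same check can be made directly against the PEM file with openssl. The following script is an added example written for this guide, not part of HP-UX HIDS and not a reproduction of the IDS_checkAdminCert or IDS_checkAgentCert scripts: pass it the path of the certificate you want to check (the HIDS certificate locations are not assumed here), and the demo at the bottom generates its own short-lived self-signed certificate so it runs stand-alone.

```shell
#!/bin/sh
# Added example, not part of HP-UX HIDS: check certificate expiry with
# openssl, which is the check IDS_checkAdminCert and IDS_checkAgentCert
# perform on the HIDS secure-communications certificates. Pass the path
# of the certificate you want to check; the demo below generates its
# own short-lived certificate (constructed test data) so it runs alone.

# cert_not_after FILE: print the certificate's notAfter date.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//'
}

# cert_expires_within FILE SECONDS
#   exit 0: still valid SECONDS from now (default 0 = valid right now)
#   exit 1: already expired, or expires within the window
#   exit 2: FILE is missing or not a parseable X.509 certificate
cert_expires_within() {
    file=$1
    window=${2:-0}
    openssl x509 -noout -in "$file" >/dev/null 2>&1 || return 2
    # openssl x509 -checkend N exits 0 if the certificate is still
    # valid N seconds from now and 1 if it will have expired by then.
    openssl x509 -noout -checkend "$window" -in "$file" >/dev/null 2>&1
}

# report_cert LABEL FILE [WARN_DAYS]: one status line; the exit status
# is 0 (OK), 1 (warning or expired) or 2 (unreadable), so it can drive
# a cron alert or a pre-flight check before an agent restart.
report_cert() {
    label=$1 file=$2 warn_days=${3:-30}
    rc=0
    cert_expires_within "$file" $((warn_days * 86400)) || rc=$?
    case $rc in
        0) echo "$label: OK, valid until $(cert_not_after "$file")" ;;
        1) if cert_expires_within "$file" 0; then
               echo "$label: WARNING, expires within $warn_days days ($(cert_not_after "$file"))"
           else
               echo "$label: EXPIRED on $(cert_not_after "$file")"
           fi ;;
        *) echo "$label: cannot read certificate $file" ;;
    esac
    return $rc
}

# make_demo_cert DIR DAYS: self-signed certificate valid for DAYS days,
# standing in for a HIDS certificate file (constructed test data).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
        -out "$1/cert.pem" -days "$2" -subj "/CN=hids-demo" >/dev/null 2>&1
}

# Demo: a certificate valid for one day passes an "is it valid now"
# check but trips a 30-day warning (non-zero exit is the warning signal).
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir" 1
report_cert "agent cert (demo)" "$demo_dir/cert.pem" 30 || true
report_cert "agent cert (demo)" "$demo_dir/cert.pem" 0 || true
rm -rf "$demo_dir"
```

Run it as a cron job against the administration and agent certificate files and page on a non-zero exit status; a warning window of 30 days leaves time to rerun IDS_genAdminKeys or IDS_genAgentCerts and reimport before the agent loses contact with the administration system.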
Normal operation of an application generates a heavy volume of alerts
❏ To avoid being overwhelmed with unnecessary alerts, customize the detection
templates to the needs of your environment. If an application generates a heavy
volume of alerts during its normal operation, reduce them by adding filtering to the
relevant detection templates (most templates offer a mechanism for suppressing such
spurious alerts).
❏ For example, a system with the Resource Management subsystem might trigger a
heavy volume of alerts since it frequently updates some files in /etc/opt/resmon.
You can go to the Schedule Manager and modify the “Modification of
files/directories” template to have it ignore the /etc/opt/resmon directory. (This
filtering is provided by default in HP-UX HIDS version 2.2.)
❏ See “Suggested Best Practices” on page 73.
Reflection X rlogin produces multiple login and logout alerts
When logging in using rlogin within Reflection X, the login/logout template will report
two login alerts followed immediately by a logout alert. This is expected behaviour and
reflects how Reflection X immediately terminates a login session after bringing up a
remote window.
Schedule Manager timetable screen appears to hang
❏ The visual refresh of the day, time, and surveillance group matrix (which the System
Manager maintains in the Schedule Manager timetable screen) is CPU intensive
and hence may appear to be slow on some systems.
SSH does not perform a clean exit after idsagent is started
After starting idsagent from an ssh login, logging out of the agent system leaves the
ssh session hanging indefinitely. This happens because idsagent, started in the
background, inherits the session's standard output and standard error, and sshd keeps
the session open until every process holding those descriptors exits or closes them.
The following are some workarounds:
❏ ssh -l root <machine> /usr/dt/bin/dtterm, then type the "/sbin/init.d/idsagent start"
command interactively in the dtterm window.
❏ ssh -l root <machine> "/sbin/init.d/idsagent start"
❏ ssh -l root <machine> "su - ids -c '/opt/ids/bin/idsagent -a' 2>&1"
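The general form of the problem, and the general fix, can be shown without HIDS: a daemon started with a bare "&" keeps the login session's pipes open, while one started with its own descriptors does not. The script below is an added example written for this guide, not HP-UX HIDS code; the daemon it starts (sleep) is a placeholder for the real start command, and the fd_target helper only reports descriptor targets on systems with a Linux-style /proc.

```shell
#!/bin/sh
# Added example, not part of HP-UX HIDS: start a daemon from an ssh
# login without leaving the session hanging. sshd keeps the session
# open until every process holding its stdout/stderr pipes has exited
# or closed them, so a background daemon that inherits those pipes
# keeps the session alive after logout. The fix is to hand the daemon
# its own descriptors before it starts. "sleep 30" below is a
# placeholder for the real start command (e.g. /sbin/init.d/idsagent start).

# fd_target PID N: where descriptor N of PID points (Linux /proc only;
# prints "unknown" on other systems or if PID has gone away).
fd_target() {
    if [ -L "/proc/$1/fd/$2" ]; then
        readlink "/proc/$1/fd/$2"
    else
        echo unknown
    fi
}

# start_detached COMMAND [ARGS...]: start COMMAND so that it outlives
# the login session and holds none of the session's pipes; prints the
# child's pid. Output goes to $DETACH_LOG if set, else is discarded.
start_detached() {
    log=${DETACH_LOG:-/dev/null}
    # nohup: survive the SIGHUP sent when the login shell exits.
    # Redirections: stdin, stdout and stderr no longer refer to the
    # session's terminal or pipes, so sshd can close the session.
    nohup "$@" </dev/null >"$log" 2>&1 &
    echo $!
}

# Demo (constructed): the naive start inherits this shell's stdout, the
# detached start points at /dev/null. Compare the two lines printed.
sleep 30 &
naive=$!
good=$(start_detached sleep 30)
echo "naive start:    pid $naive stdout -> $(fd_target "$naive" 1)"
echo "detached start: pid $good stdout -> $(fd_target "$good" 1)"
kill "$naive" "$good" 2>/dev/null
```

Applied to the agent, the equivalent of the second workaround above is to run the start command through start_detached (with DETACH_LOG pointing at a log file if you want idsagent's startup messages), after which logging out of the ssh session returns promptly.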