HP-UX Host Intrusion Detection System Administrator’s Guide
Software Release 3.1, Edition 5
Customer Order Number: ONLINE ONLY
Manufacturing Part Number: 5991-1162
May 2005
Printed in United States of America
© Copyright 2000-2001 and 2004 Hewlett-Packard Development Company, LP.
Legal Notices The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Trademarks
UNIX is a registered trademark of The Open Group. Java is a US trademark of Sun Microsystems, Inc. MS-DOS and Microsoft are U.S. registered trademarks of Microsoft Corporation. OSF/Motif is a trademark of The Open Group. X Window System is a trademark of The Open Group.
Revision History
This guide’s printing date and part number indicate its current edition. The printing date changes when a new edition is printed.
Conventions
We use the following typographical conventions.
audit (5): An HP-UX manpage. audit is the name and 5 is the section in the HP-UX Reference. On the web and on the Instant Information CD, it may be a hot link to the manpage itself. From the HP-UX command line, you can enter “man audit” or “man 5 audit” to view the manpage. See man (1).
Book Title: The title of a book. On the web and on the Instant Information CD, it may be a hot link to the book itself.
KeyCap: The name of a keyboard key.
1 Overview
This chapter introduces you to the HP-UX Host Intrusion Detection System (HP-UX HIDS), an HP-UX product that enhances local host-level security within your network.
• “What HP-UX HIDS Does” on page 9
• “What HP-UX HIDS does not do” on page 10
• “HP-UX HIDS Components” on page 11
• “Glossary of HP-UX HIDS Terms” on page 14
IMPORTANT: It is vital that you recognize what HP-UX HIDS can do to help you protect your computer systems and what it cannot do. See “What HP-UX HIDS Does” on page 9 and “What HP-UX HIDS does not do” on page 10 for more details.
Documentation
The following documents are available on the Instant Information CD in the Internet and Security Solutions collection:
• HP-UX Host Intrusion Detection System Release 3.1 Release Notes.
• HP-UX Host Intrusion Detection System Administrator’s Guide: configuring and using release 3.1 (the document you are currently reading).
The following documents are also available on the internet at http://docs.hp.
Importance of Intrusion Detection
Some of the threats that are faced by almost all businesses today are:
• Loss of Financial Assets
• Loss of Intellectual Property
• Loss of Computing Resources
• Loss of Privacy
Loss of Financial Assets
Financial institutions are vulnerable to even trusted people. A similar threat exists in the electronic sphere.
Who Are the Perpetrators?
It may be surprising to learn that the perpetrators most often are not attackers who roam the Internet, but your very own employees, whom you trust with your critical data and systems. Unreliable employees who have an intimate knowledge of your systems and network are far more likely to abuse their positions of trust. However, most effort has been expended in defending against the perceived threat from outside.
Exploitation of Critical Infrastructure Elements
As more business is done over the Internet, more trust is placed in critical infrastructure elements: the routers, hubs, and web servers that move data around the net. The infrastructure also includes the DNS name servers that allow users to access www.mycompany.com from their browsers. A DNS server is a computer that maps names such as www.company.com to an Internet address such as 10.2.3.4.
A further complication in deploying a firewall is that it is difficult to establish clearly where the boundary exists between inside and outside. At one time it was obvious that the Internet was outside and the intranet was inside. However, more and more corporations are joining their intranets in multiple-partner arrangements, often termed extranets.
What Is Intrusion Detection?
Intrusion detection can be summarized quite simply: after you have put up the barbed wire fence, an intrusion detection system is like adding closed circuit TV cameras so that security guards can monitor your facilities to forestall an attack. Intrusion detection is the art and science of detecting illegal and improper use of computing resources by unauthorized people, before such misuse results in excessive damage.
What HP-UX HIDS Does
HP-UX HIDS is an intrusion detection product that enhances local host-level security within the network. It automatically monitors each configured host system within the network for possible signs of unwanted and potentially damaging intrusions. If an intrusion is successful, it could lead to the loss of availability of key systems or could compromise system integrity.
What HP-UX HIDS does not do
HP-UX HIDS cannot solve all security-related problems; its limitations are as follows. HP-UX HIDS is not a replacement for comprehensive security policies and procedures. You must define and implement such security policies and procedures and configure HP-UX HIDS to enforce them. A lack of comprehensive policies, procedures, and configuration can result in attacks going undetected.
HP-UX HIDS Components
HP-UX HIDS consists of the following components.
• System Manager interface. The System Manager interface allows you to configure, control, and monitor the HP-UX HIDS system. Any intrusions detected are reported as alerts.
• Host-based agent. The agent gathers system data, monitors system activity, and issues intrusion alerts.
• Detection templates. These templates contain the most commonly encountered system attack patterns.
In addition, the HP-UX HIDS Agent executes your Alert Response Programs, which can include an HP-supplied interface with OpenView Operations as well as Other Response Actions.
Figure 1-1 HP-UX HIDS Components
How the Components Interact to Detect Intrusions
HP-UX HIDS monitors system activity by analyzing data from the following sources:
• Kernel audit data
• System log files
HP-UX HIDS analyzes this information against its configured attack scenarios.
Detection Templates
HP-UX HIDS includes a set of preconfigured patterns, known as detection templates. These templates are the building blocks used to identify the basic types of unauthorized system activity or security attacks frequently found on enterprise networks. You can customize the detection templates by changing certain configurable parameters.
Glossary of HP-UX HIDS Terms
/etc/hosts: File of host names and IP addresses that are known to the local system.
Administration System: A system node in your network that is configured to run the HP-UX HIDS System Manager program.
Agent: The HP-UX HIDS component that gathers system data, monitors system activity, and issues notifications upon detection of an intrusion.
Agent System: A system node in your network that is configured to run the HP-UX HIDS agent program.
Intrusion: Also referred to as an attack. A violation of system security policy by an unauthorized outsider. A violation could include intruding into an unauthorized network area, accessing certain systems within the network, accessing certain files, or running certain programs.
Intrusion Detection Data Source (IDDS): The HP-UX HIDS audit system that monitors the host system for potential intrusion activities.
Vulnerability: A point at which a system can be subverted by an attacker. Vulnerabilities result from flaws in coding or design.
2 Configuration
Summary
This chapter describes how to configure your HP-UX HIDS System Manager and Agent software. For information on installing HIDS, refer to the Release Notes listed in “Documentation” on page 3.
Introduction
Once you have installed or updated your HP-UX HIDS software, you need to complete the configuration with the following required and optional steps.
Required: Before you run HP-UX HIDS, you must set up the secure communication protocol. You need to create certificates to ensure secure communication between the Administration system and the Agent systems.
Optional: You may also need to complete one or more of the following steps.
Setting Up the HP-UX HIDS Secure Communications
HP-UX HIDS provides a secure communication environment between its administration System Manager and its agent processes through the Secure Sockets Layer (SSL) protocol. (See “Glossary of HP-UX HIDS Terms” on page 14.) To use the SSL protocol, each component involved in the communication requires a separate identity, or certificate.
c. Generate the administration keys:
$ IDS_genAdminKeys install
This creates the Root Certification Authority (Root CA) and the administration certificate. They are stored in the directory /etc/opt/ids/certs/admin. The keyword install is optional.
If you enter an IP address and nslookup returns a host name, the host name and IP address are saved in a temporary file and the key bundle is created. Use this method if the agent is multihomed (two or more IP addresses). The IP address must be the value you set for IDS_LISTEN_IFACE; for more information see “Configuring a Multihomed Agent System” on page 25.
* myhost2
* 15.27.43.6
*
* Certificate public keys are valid for 700 days and are
* 1024 bits in size.
*
* They are stored in /var/opt/ids/tmp as hostname.tar.Z
*
* You should now transfer the bundles via a secure channel
* to the IDS agent machines.
*
* On each agent you will need to run the IDS_importAgentKeys
* script to finish the installation.
CAUTION: FTP, RCP, and unencrypted e-mail are not considered to be secure methods of transportation; the contents of the file could be exposed to eavesdroppers, which would threaten the security of the communication system. Private key files are protected by having read and write file permissions for user ids only.
Step 3. Install the Keys on Each Host
On each agent system, install the bundle of keys generated for that host.
Configuring a Multihomed Agent System
A multihomed system is one that has multiple connections to a network. Typically, a multihomed system has more than one network interface card, each with a unique address. While the system may have only one host name, the name resolution software will usually return the IP address of one of the interfaces on the system.
# IDS_LISTEN_IFACE
to
IDS_LISTEN_IFACE 1.2.3.4
Step 7. Save the file with your changes.
Step 8. If the agent is running, force the agent to reread the configuration file by sending it a HUP signal; for more information see “Forcing Active Agent to Reread Configuration File” on page 219.
If you enter an invalid IDS_LISTEN_IFACE parameter, the HP-UX HIDS software agent will report an error when you attempt to start it.
Configuring a Multihomed Administration System
A multihomed system is one that has multiple connections to a network. Typically, a multihomed system has more than one network interface card, each with a unique address. While the system may have only one host name, the name resolution software will usually return the IP address of one of the interfaces on the system.
Step 6. Add your interface address chosen in step 2 above after the equals sign. For example, change
INTERFACE=
to
INTERFACE=1.2.3.4
Step 7. Save the file with your changes.
Step 8. If the System Manager is running, stop and restart it.
Step 9. On each agent host, become user ids:
$ su - ids
Step 10. Edit the agent configuration file:
$ vi /etc/opt/ids/ids.cf
Step 11. Locate the REMOTEHOST parameter in the [RemoteSA] section. See ids.cf (5).
Configuring a Loopback System
On a non-networked system (no IP address) or for testing purposes, you may want to set up the administration system in a loopback arrangement. This allows only a locally running agent to communicate with the System Manager on the same system; no other agent systems can be monitored.
To configure a loopback system
Step 1. On the administration system, become user ids:
$ su - ids
Step 2.
Configuring Ports
When HP-UX HIDS is first installed on the administration and agent systems, the ports HP-UX HIDS uses are configured into the /etc/services file on each system, as follows (the #comments may vary):
hpidsadmin 2984/tcp #HP-UX Host IDS admin
hpidsagent 2985/tcp #HP-UX Host IDS agent
These are the HP standard port numbers, registered with the Internet Assigned Numbers Authority (IANA).
Enabling Multiple Agents
If you have more than about 20 agent systems, you may have to modify a kernel parameter and a network parameter.
Step 9. If your new value is different, you will need to create a new kernel and reboot. Follow the steps provided by SAM.
Enabling Over 20 Inbound Requests
The HP-UX HIDS administration system communicates with agent systems with the TCP protocol. On some systems, the TCP parameter tcp_conn_request_max is set initially to allow up to 20 inbound requests to be active at one time. If you have a larger number of agent systems, this value may be inadequate.
Restricting Permissions
HP-UX HIDS files and programs are delivered with the strictest usable permissions. In general, only user ids is allowed any access, and superuser (root) is not permitted to execute the programs. In addition, most files must be owned by user ids or HP-UX HIDS will not run. The proper runtime permissions are given in Table 2-2.
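The settings in the preceding sections (the /etc/services entries under “Configuring Ports”, the IDS_LISTEN_IFACE value under “Configuring a Multihomed Agent System”, and the owner-only read/write permission on private key files under “Setting Up the HP-UX HIDS Secure Communications” and “Restricting Permissions”) can be re-checked with a script. The following is an added example, not part of HP-UX HIDS or this guide; it assumes the file locations the guide names (/etc/services, /etc/opt/ids/ids.cf) and, because the guide does not name the private key files, takes their paths as arguments.

```shell
#!/bin/sh
# hids_config_audit.sh: an added example, not part of HP-UX HIDS or this guide.
# Re-checks settings from the Configuration chapter: the IANA-registered
# service entries in /etc/services, the IDS_LISTEN_IFACE value in ids.cf on a
# multihomed agent, and owner-only read/write permission on private key files.
# Locations and the owning user are variables so the checks can also be run
# against copies of the files on any POSIX system.

SERVICES_FILE=${SERVICES_FILE:-/etc/services}
IDS_CF=${IDS_CF:-/etc/opt/ids/ids.cf}
IDS_USER=${IDS_USER:-ids}

# check_service NAME PORT/PROTO: succeed if the first SERVICES_FILE line whose
# service name is NAME maps it to PORT/PROTO. The trailing #comment is ignored.
check_service() {
    got=$(awk -v n="$1" '$1 == n { print $2; exit }' "$SERVICES_FILE" 2>/dev/null)
    [ "$got" = "$2" ]
}

# is_dotted_quad STRING: succeed only for a.b.c.d with every octet in 0..255.
# IDS_LISTEN_IFACE (agent) and INTERFACE (System Manager) must hold such a
# literal address; a host name would not select one interface.
is_dotted_quad() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# listen_iface: print the IDS_LISTEN_IFACE value from IDS_CF, or nothing if the
# parameter is still commented out ("# IDS_LISTEN_IFACE") or absent.
listen_iface() {
    awk '$1 == "IDS_LISTEN_IFACE" { print $2; exit }' "$IDS_CF" 2>/dev/null
}

# check_listen_iface: succeed if IDS_CF is readable and IDS_LISTEN_IFACE is
# either unset (single-homed agent) or a valid IPv4 literal.
check_listen_iface() {
    [ -r "$IDS_CF" ] || return 1
    v=$(listen_iface)
    [ -z "$v" ] || is_dotted_quad "$v"
}

# file_mode FILE: print the ls(1) permission string, e.g. -rw-------
file_mode() { ls -ld "$1" | cut -c1-10; }

# file_owner FILE: print the owning user as ls(1) reports it
file_owner() { ls -ld "$1" | awk '{ print $3 }'; }

# check_private_key FILE: succeed if FILE is owned by IDS_USER and is readable
# and writable by that owner only, as the guide requires for private key files.
check_private_key() {
    [ -f "$1" ] || return 1
    [ "$(file_owner "$1")" = "$IDS_USER" ] && [ "$(file_mode "$1")" = "-rw-------" ]
}

# audit_all [KEYFILE...]: run every check, print each failure, return 1 if any failed.
audit_all() {
    rc=0
    check_service hpidsadmin 2984/tcp || { echo "FAIL: hpidsadmin is not 2984/tcp in $SERVICES_FILE"; rc=1; }
    check_service hpidsagent 2985/tcp || { echo "FAIL: hpidsagent is not 2985/tcp in $SERVICES_FILE"; rc=1; }
    check_listen_iface || { echo "FAIL: $IDS_CF unreadable or IDS_LISTEN_IFACE is not an IPv4 address"; rc=1; }
    for k in "$@"; do
        check_private_key "$k" || { echo "FAIL: $k must be owned by $IDS_USER with mode -rw-------"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: all HP-UX HIDS configuration checks passed"
    return "$rc"
}

# Run the audit only when invoked as: sh hids_config_audit.sh run [private-key-file ...]
case ${1:-} in
    run) shift; audit_all "$@"; exit $? ;;
esac
```

Run it on an agent as user ids with `sh hids_config_audit.sh run /etc/opt/ids/certs/<private key file>` (placeholder path); each failed check is printed and the exit status is non-zero.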
3 Getting Started
Summary
This chapter gives you an overview of the operation of the HP-UX HIDS system and the procedures you can use to get the System Manager and agents up and running on your administrative and monitored systems.
Introduction
First and most important in the HP-UX HIDS system is to have appropriate surveillance schedules running at the appropriate times on the agent hosts. Next in importance is to carefully monitor and act on the alerts. To accomplish the first, you need to create one or more surveillance schedules with the System Manager and download them to the agent hosts. For more information, see “Starting HP-UX HIDS for the First Time” on page 38.
Starting HP-UX HIDS for the First Time
This procedure is a synopsis of the steps required to start the HP-UX HIDS System Manager and agents for the first time. As you do this, your systems will benefit immediately from the protection of intrusion detection while you learn the specifics of the software and tune your configuration to fit your requirements.
Set up hosts and run schedules
Step 1.
Step 6. Go to the Host Manager screen and select the agent hosts that you want to monitor. These are the ones you started idsagent on in step 3. As described in “Setting Up the HP-UX HIDS Secure Communications” on page 20, the certificate script may have provided you with a selection of agent hosts. Checkmark the Monitored box for each host. For more information, see “Host Manager Screen” on page 85.
Step 7. Go to the System Manager screen.
Operations Screens
The HP-UX HIDS System Manager has five operations screens that you use to manage the product’s operations, receive operator input, and display HP-UX HIDS output:
• System Manager: The System Manager screen displays the current status of the agent systems and controls agent operations. It is launched automatically when the System Manager starts. All other operations screens can be accessed from the Edit or View menus of the System Manager screen.
Basic Screen Actions
There are certain processes that are performed in a similar way in each of the operations screens. These include:
• Selecting items from a list.
• Searching for particular items in a list.
• Sorting a list.
• Getting help.
Selecting Entries in Lists
To select one or more entries in a list:
• To select a single entry, left-click anywhere within the entry row.
4 System Manager Screen
Summary
This chapter describes the tasks that you perform on the HP-UX HIDS System Manager screen.
The System Manager Screen
From the System Manager screen (Figure 4-1), you control and monitor the activities of surveillance schedules on agent host systems.
Starting the HP-UX HIDS System Manager
The HP-UX HIDS System Manager program, idsgui, must run as user ids. You start it from the shell.
To start the HP-UX HIDS System Manager
Step 1. Log in to the administration system as user root.
Step 2. Switch to user ids:
# su ids
Step 3. Start the HP-UX HIDS System Manager:
$ /opt/ids/bin/idsgui
The System Manager screen (Figure 4-1) is displayed. (It takes about 16 to 20 seconds for the screen to appear.)
On the System Manager Screen
The System Manager screen (Figure 4-1) has a number of menus and buttons, which are described in the procedures in the following sections. It also has two lists — Schedules and Monitored Nodes — and a status line, which are described here.
• Schedules list: the names of the available surveillance schedules that can be downloaded to agent hosts. Left-click to select one; double-left-click to view or edit it.
Getting the Status of Agent Hosts
When the System Manager is started, it automatically checks the status of all agent hosts if Automatic Startup Status Poll is enabled (for more information, see “General Preferences Tab” on page 95). If the Status field information does not appear to reflect the correct information or displays Status Unknown, you can update the status information for one or more hosts.
Resynchronizing Agent Hosts
The HP-UX HIDS agent program can continue to detect alerts when the HP-UX HIDS System Manager is not running. In this instance, as each agent detects intrusions, it records them in a log file on the agent host. When you restart the HP-UX HIDS System Manager, the following events occur:
1. The System Manager locates its own log files for each agent host in the Monitored Host list.
2.
Activating a Schedule on Agent Hosts
To provide intrusion detection, you must activate surveillance schedules on the agent hosts. You also use this procedure to replace a schedule on one or more hosts.
To activate a surveillance schedule on agent hosts
On the System Manager screen,
Step 1. In the Monitored Hosts list, select the hosts you want to be activated. Their Status fields must show Available, Scheduled, or Running.
Step 2.
Stopping Schedules on Agent Hosts
When you stop a surveillance schedule on an agent host, the schedule is removed from the agent and ceases to be scheduled or running. The agent program continues running, ready to accept future actions. If you want to replace one schedule with another, just activate the new one; for more information, see “Activating a Schedule on Agent Hosts” on page 50.
Starting HP-UX HIDS Agents
Normally (after valid certificates have been imported), the HP-UX HIDS agent is started automatically (with /sbin/init.d/idsagent start) when the agent host is booted. To start it manually, use this procedure.
To start the agent
Step 1. On each agent host, do one of the following:
• Log in to the agent system as superuser (root) and enter the command:
# /sbin/init.
Halting HP-UX HIDS Agents
You may want to stop the agent process on one, many, or all agent hosts for system maintenance or other reasons. Normally, you halt agent hosts from the System Manager. However, it may occasionally be necessary to halt the agent software directly from the agent host.
IMPORTANT: If an agent did not halt as above, you may need to clean up the message queues. For more information, see “Agent halts abnormally, leaving ids_* files and message queues” on page 248.
Accessing Other Screens
Go to Schedule Manager Screen
The Schedule Manager screen lets you create and modify surveillance schedules.
To go to the Schedule Manager screen
On the System Manager screen,
Step 1. Optionally, select a schedule in the Schedules panel.
Step 2. Do one of the following:
• Choose the Edit > Schedule Manager menu item
• Press Ctrl-S
• Double-click in the Schedules panel.
The Schedule Manager screen is displayed.
Go to Network Node Screen
The Network Node screen displays the alerts and errors for a selected agent host.
To view the Network Node screen for an agent host
On the System Manager screen,
Step 1. In the Monitored Hosts list, select the hosts you want to view.
Step 2.
5 Schedule Manager Screen
Summary
This chapter tells you how to configure your HP-UX HIDS surveillance schedules, surveillance groups, and detection templates.
The Schedule Manager
The Schedule Manager screen helps you create and configure HP-UX HIDS surveillance schedules, surveillance groups, and detection templates. On this screen, you can:
• Add, rename, delete, and define surveillance schedules, including which surveillance groups make up a schedule.
Creating a Surveillance Schedule
To create a surveillance schedule
Step 1. Create a surveillance schedule name. The schedule will contain one or more surveillance groups. For more information, see “Configuring Surveillance Schedules” on page 62.
Displaying the Schedule Manager Screen
To display the Schedule Manager screen
Step 1. From the System Manager screen, do one of the following:
• Choose the Edit > Schedule Manager menu option
• Press Ctrl-S
• Double-click anywhere in the Schedules panel or on a schedule name
The Schedule Manager screen (Figure 5-1) is displayed with the Configure tab active.
Configuring Surveillance Schedules
A surveillance schedule consists of one or more surveillance groups that you want to run on a host system during particular hours on particular days of the week. After a surveillance schedule has been created, it can later be modified, copied or deleted. The predefined surveillance schedules, distributed with HP-UX HIDS, are read-only. They may be copied but not resaved or deleted.
a. Press the Copy button on the Schedules panel. This opens the Copy Surveillance Schedule dialog box (Figure 5-3).
Figure 5-3 Copy Surveillance Schedule Dialog
b. Enter a name in the input field. Valid characters are alphanumeric and underscore; the first character must be alphanumeric. Schedule names are case-sensitive. If you include invalid characters, you will be prompted to have them replaced with underscores.
c. Click OK to accept it.
NOTE: The changes you make to a schedule are not propagated to any agent host until you activate it from the System Manager screen.
NOTE: You cannot modify, rename, or delete a surveillance schedule if it is currently scheduled or running on an agent host. For more information, see Chapter 4, “The System Manager Screen,” on page 45.
Renaming a Surveillance Schedule
NOTE: You cannot rename any predefined schedule distributed with HP-UX HIDS.
NOTE: You cannot modify, rename, or delete a surveillance schedule if it is currently scheduled or running on an agent host. For more information, see Chapter 4, “The System Manager Screen,” on page 45.
Deleting a Surveillance Schedule
NOTE: You cannot delete any predefined schedule distributed with HP-UX HIDS. For more information, see “Predefined Surveillance Schedules and Groups” on page 81.
To delete a surveillance schedule
Step 1.
Saving a Surveillance Schedule
After a surveillance schedule has been created or modified, it is a good idea to save it to disk. This provides security against system failures. If you do not save it yourself, it will be saved automatically when you exit from the System Manager screen.
NOTE: You cannot save any predefined schedule distributed with HP-UX HIDS. Copy it instead.
Configuring Surveillance Groups
Surveillance groups are the building blocks of surveillance schedules. They are made up of one or more detection templates. The predefined surveillance groups, distributed with HP-UX HIDS, are read-only. They may be copied but not resaved or deleted. If you modify one, you can only save the changes under a new name. They are listed in “Predefined Surveillance Schedules and Groups” on page 81.
Step 3. Create a name for the new surveillance group.
a. Click the Copy button on the Surveillance Groups panel. This opens the Copy Surveillance Group dialog box (Figure 5-6).
Figure 5-6 Copy Surveillance Group Dialog
b. Enter a name in the input field. Valid characters are alphanumeric and underscore; the first character must be alphanumeric. Schedule names are case-sensitive.
Renaming a Surveillance Group
NOTE: You cannot rename any predefined group distributed with HP-UX HIDS. Copy it instead. For more information, see “Copying a Surveillance Group” on page 67 and “Predefined Surveillance Schedules and Groups” on page 81.
To rename a surveillance group
Step 1. Go to the Configure tab of the Schedule Manager screen.
Step 2. Select the group in the Surveillance Groups panel.
Step 3.
Deleting a Surveillance Group
NOTE: You cannot delete any predefined group distributed with HP-UX HIDS. See “Predefined Surveillance Schedules and Groups” on page 81.
To delete a surveillance group
Step 1. Go to the Configure tab of the Schedule Manager screen.
Step 2. Select the group in the Surveillance Groups panel.
Step 3. Click the Delete button in the Surveillance Groups panel. This displays the Confirm Deletion dialog box.
Configuring Detection Templates
Detection templates are the building blocks of surveillance groups. They contain one or more properties. A property is a configurable parameter of a detection template. Refer to Appendix A, “Templates and Alerts,” on page 123 for more information about HP-UX HIDS detection templates. Each detection template is designed to identify a specific type of unauthorized system activity and has configurable parameters.
Perform these substeps.
a. Edit the value in the text box. In general, the value cannot be null.
b. Click OK to accept your change. Click Cancel to leave the value unchanged.
Step 5. If the value is a list (zero or more values in brackets, for example, [0, 1, 5, 11]), the Edit List dialog box is displayed (Figure 5-9).
Figure 5-9 Edit List Dialog
Perform one of the following substeps to add, modify, or delete a value.
a. To add a new value
1.
2. Click the Edit button. An Edit dialog box is displayed (Figure 5-11) with the current value.
Figure 5-11 Edit Dialog - Edit
3. Edit the value in the text box. In general, the value cannot be null.
4. Click OK to accept the new value. Click Cancel to leave the value unchanged.
c. To delete a current value
1. Highlight one of the values in the Edit List display. If you highlight more than one, the first one is processed.
2. Click the Delete button.
Some Template Configuration Guidelines
• NOTE The “Race Condition Template” on page 143 imposes the highest overhead in terms of the load it places on the correlator process. We recommend that you not include this template in your initial schedule. The race condition template checks, among other things, for the execution of setuid scripts, which are vulnerable to a race condition attack. In HP-UX 11i version 1.
Setting Surveillance Schedule Timetables
Once you have defined a surveillance schedule with its complement of surveillance groups and detection templates, you need to specify the days and times that the groups will be active when the schedule is activated on an agent host. Use this procedure to establish and change the times a schedule runs.
Specifying When a Schedule Will Run
To specify when a schedule will run
Step 1. Select the Timetable tab of the Schedule Manager screen (Figure 5-12).
Figure 5-12 Schedule Manager Screen - Timetable Tab
Step 2. Highlight the schedule name in the Schedules panel. The groups that are part of the schedule are displayed in the Selected Groups panel of the Schedule tab.
Step 3. In the Selected Groups panel, highlight one of the groups.
• Always On means the group will run 24 hours a day, seven days a week. If you select this option, the group is displayed in all the boxes in the Schedule Summary panel and you are done setting the timetable for this group. This is the default.
• Specified means you will choose the days and times the group will run. Continue with the next step.
Step 6. In the Select Days panel, choose the days the group should run.
Saving a Surveillance Schedule
See “Saving a Surveillance Schedule” on page 66.
Viewing Surveillance Schedule Details
You can view the source text of a surveillance schedule in the Details tab of the Schedule Manager screen.
Viewing the Source of a Surveillance Schedule
To view the source of a surveillance schedule
Step 1. Go to the Details tab of the Schedule Manager screen (Figure 5-13).
Figure 5-13 Schedule Manager Screen - Details Tab
Step 2. In the Schedules panel, select a schedule.
Clearing the Details Display
To clear the display
Step 1. Click on the Clear button. This only erases the displayed text; the schedule itself is unaffected.
Saving the Details Display
You can save the displayed text as a text file.
To save the displayed text
Step 1. Do one of the following:
• Click the Save button
• Choose File > Save
• Enter Ctrl-S
The Save dialog box (Figure 5-14) is displayed.
Figure 5-14 Save Dialog
Step 2.
Predefined Surveillance Schedules and Groups
Table 5-1 lists the predefined surveillance schedules and surveillance groups that are supplied with the system and the detection templates that they use. The predefined surveillance schedules and groups distributed with HP-UX HIDS are read-only: they may be copied but not resaved or deleted. If you modify one, you can only save the changes under a new name.
Table 5-1 Predefined Surveillance Schedules (Continued)
Surveillance Schedule: FileLoginMixture
  Surveillance Group: FileModificationGroup
    Detection Templates: Changes to Log File Template; Creation and Modification of Setuid File Template; Creation of World-Writable File Template; Modification of Another User’s File Template; Modification of files/directories Template
  Surveillance Group: LoginMonitoringGroup
    Detection Templates: Login/Logout Template; Repeated Failed Logins Temp
Surveillance Schedule: FileModificationsWorkHours
  Surveillance Group: FileModificationGroup
    Detection Templates: Changes to Log File Template; Creation and Modification of Setuid File Template; Creation of World-Writable File Template; Modification of Another User’s File Template; Modification of files/directories Template
Surveillance Schedule: LoginMonitoringAlwaysOn
  Surveillance Group: LoginMonitoringGroup
    Detection Templates: Login/Logout T
Chapter 6 Host Manager Screen
Host Manager Screen
Summary
This chapter tells you how to define the hosts to be monitored. The following topics are covered.
Managing Hosts
The Host Manager screen enables you to specify the host systems that you plan to monitor with HP-UX HIDS. The information on each configured host is listed on the Host Manager screen: the name of the host system, its IP address, the name of any optionally assigned tag, and whether it is being monitored. Monitored hosts are also displayed on the System Manager screen.
Closing the Host Manager Screen
On the Host Manager screen:
Step 1. Do either of the following:
• Choose the File > Close menu item
• Press Ctrl-C
Step 2. If you have modified but not saved the current host list, the Host List Manager Modified dialog is displayed. Select Yes to save the current list in the current file. The default host list file is /etc/opt/ids/gui/config/sentinal.hosts. Select No to discard the changes.
Adding New Hosts
You can add agent hosts in the following ways:
• By hand: “Adding a New Host Manually” on page 89
• From /etc/hosts: “Adding New Hosts from /etc/hosts” on page 91
• From a file: “Adding New Hosts from a File” on page 92
• By creating X.509 certificates and restarting the System Manager: “Setting Up the HP-UX HIDS Secure Communications” on page 20.
CAUTION HP-UX HIDS uses the IP address to identify and communicate with the agent host.
NOTE A host name must start with a letter and contain only letters, digits, periods, underscores, and hyphens. Upper- and lowercase letters are equivalent. For example, xy3-z5 and xy3-z5.a32c.edu. An IP address consists of four decimal fields, each in the range 0 to 255, separated by periods (.). For example, 1.2.3.4.
a. Host Name
Enter the host name of the agent host in the Host Name field.
The Set Host Name button becomes active (Figure 6-4).
Figure 6-4 Add Host Dialog: Set Host Name
Click the Set Host Name button to display the full name of the host in the Host Name field. If the host name cannot be determined, the Add Host Error box is displayed with the message “Unknown Host Name - unable to resolve IP Address”; click OK and redo this step. A host name is required.
NOTE The IP address is the best method for adding a multihomed agent host.
Step 2. The entries in the /etc/hosts file on the administration system are added to the hosts list according to “Rules for Host Lists Files” on page 92; the Monitored boxes are unchecked.
Adding New Hosts from a File
To add new hosts from a file
On the Host Manager screen:
Step 1. Do one of the following:
• Choose the Edit > Add Host > Load Hosts List File menu item
• Press Shift-F7
Step 2. The Open dialog box is displayed (Figure 6-5).
Modifying a Host
To modify a host entry
On the Host Manager screen:
Step 1. Bring up the Edit Host Entry dialog (Figure 6-6) with one of:
• Double-left-click an entry in the host list
• Select an entry in the host list and choose the Edit > Edit Host menu item
• Select an entry in the host list and press Ctrl-H
(If more than one entry is selected, the first in the list is chosen.)
Figure 6-6 Edit Host Entry Dialog
Step 2.
Deleting Hosts
To delete a host entry
On the Host Manager screen:
Step 1. Select one or more entries in the host list.
Step 2. Delete the entries with any of:
• Choose the Edit > Delete Host menu item.
• Click the Delete button.
• Right-click > menu > Delete Host.
• Press Delete.
The entries are deleted from the Host Manager screen. If they were monitored, they are also deleted from the System Manager screen.
Enabling and Disabling Hosts
To enable or disable an agent host for monitoring
On the Host Manager screen:
Step 1. Click the box in the Monitored column of the entry for the host you want to enable or disable. The box displays a check mark if the host is enabled and is blank if the host is disabled. When an entry is enabled, it is also displayed on the System Manager screen and automatically polled.
Managing Tags
On the Host Manager screen:
Step 1. Bring up the Edit Host Tag List dialog (Figure 6-7) with any of:
• Choose the Edit > Host Tag List menu item
• Press Ctrl-T
Figure 6-7 Edit Host Tag List Dialog
Step 2. Add, modify or delete tags
a. To add a tag
1. Click on Add to display the Add Host Tag dialog (Figure 6-8).
Figure 6-8 Add Host Tag Dialog
2. Enter a tag name in the input field. The name can contain any printing characters and be of any length.
b. To edit a tag
1. Highlight the tag in the Tag List and click on Edit, or double-click the tag in the Tag List, to display the Edit dialog (Figure 6-9). If you highlight more than one tag, you will get an error message.
Figure 6-9 Edit Dialog
2. Modify the tag name in the edit field. The name can contain any printing characters and be of any length. Spaces are significant. Tag names are case-sensitive. Duplicate tags are discarded when you exit (Step 3).
3.
Maintaining Host Files
You can save and use multiple host files. This might be useful for managing different sets of hosts from the same administration system. The default host file is /etc/opt/ids/gui/config/sentinal.hosts, which is loaded automatically when the System Manager starts.
Saving the Host List in the Current File
On the Host Manager screen:
Step 1. Do any of:
• Choose the File > Save menu item
• Press Ctrl-S
Step 2.
Using an Alternate Host List File
You can load a previously saved host file.
NOTE A new host file cannot be opened if there are any surveillance schedules running on any of the hosts currently displayed; each surveillance schedule must first be stopped using the System Manager screen. For more information, see “Stopping Schedules on Agent Hosts” on page 51.
On the Host Manager screen:
Step 1.
Chapter 7 Network Node Screen
Network Node Screen
Summary
This chapter describes the Network Node screen, which displays alerts and errors for a particular agent host.
Network Node Screen
The Network Node screen contains lists of alerts and errors that have been detected by the related agent. Click the Alerts or Errors tab to see the lists and details panels. Alerts are recorded on the agent host system in the file /var/opt/ids/alert.log. Errors are recorded on the agent host system in the file /var/opt/ids/error.log.
The Alerts Tab
The Alerts tab (Figure 7-1) displays the alerts that were detected by the surveillance schedule on one of your agent host systems. On the Network Node screen, click on the Alerts tab (Figure 7-1).
Figure 7-1 Network Node Alerts Tab
Each alert entry displays the alert severity, the attacker, the attack type, the date and time the alert was generated, as well as other data.
The operations you can perform on the Alerts tab are described in “General Operations” on page 107.
HP-UX HIDS Alerts: What They Mean, What to Do
Your response to each possible alert will depend on individual circumstances. You should develop policies and procedures for handling intrusions. The templates that are used to generate alerts are described in Appendix A, “Templates and Alerts,” on page 123.
The Errors Tab
The Errors tab (Figure 7-2) displays the errors that were reported by the HP-UX HIDS agent program on one of your agent host systems while the System Manager was running. Errors are not resynchronized. On the Network Node screen, click on the Errors tab (Figure 7-2).
Figure 7-2 Network Node Error Tab
Each error entry displays the date and time of the error, the error message, and other data.
General Operations
The Alerts and Errors tabs use the same operations to manage their contents, with a few minor differences in labels.
Sorting Entries
By default, alerts and errors are listed in ascending Date/Time order. However, you can re-sort the list by any attribute in either ascending or descending order by:
• Clicking on the appropriate column header to toggle between ascending and descending order.
• Selecting an item from the Sort menu.
• Shift-left-click to add or remove contiguous entries, depending on the state of the anchor entry. The anchor entry is unchanged. If the anchor entry is selected, all intervening entries are selected. If the anchor entry is not selected (e.g., was deselected by Ctrl-left-click), all intervening entries are removed. If the previous operation was Shift-left-click, the effect of the previous operation is negated.
Searching Again
To search again
On the Network Node screen,
Step 1. Repeat the last Find with any of:
• Choose the Search > Find Again menu item
• Press F3
The search continues in the next entry. If the string is found, the entry is highlighted and other selections are cleared. If the string is not found, you get an error message (click OK to go on). If there is no previous search string, the process is as in “Starting a Search” on page 108.
• Choose the Actions > Mark Selected Alerts/Errors As Seen menu item (selected entries on the current tab are marked as seen)
• Right-click and choose the Mark All Alerts/Errors as Seen menu item (all entries on the current tab are marked as seen)
• Right-click and choose the Mark Selected Alerts/Errors as Seen menu item (selected entries on the current tab are marked as seen)
NOTE Unseen.
Saving a Log File Set
A log file set is the combination of the alert log file and the error log file. Alerts and errors are saved at the same time. Alerts go into a file named filesetname_alerts.log. Errors go into a file named filesetname_errors.log. filesetname is the name that you assign.
NOTE The Network Node screen’s title bar indicates how you obtained the data on the screen.
• Press Ctrl-A
Figure 7-4 Save Dialog Box
Step 2. Either select one of the existing file names (it doesn’t matter whether you choose the alert or error version) by clicking on its name, or enter a log file set name in the File Name field. A log file set name is a file name without the trailing _alert.log or _error.log. For example,
1. To create a new file set named myhost1.backup, enter myhost1.backup in the File Name field.
2.
Opening a Log File Set
You can open any log file set that has been saved on the system, including the master log files for your agent hosts.
Step 1. From the Network Node screen, display the Open dialog box (Figure 7-5) with one of:
• Choose the File > Open menu item
• Press Ctrl-O
Figure 7-5 Open Dialog Box
Step 2.
Chapter 8 Preferences Screen
Preferences Screen
Summary
This chapter describes operational and display settings that you can set on the Preferences screen.
Preferences Screen
The Preferences screen allows you to specify several system operational preferences and to choose which columns appear on the alerts and errors lists of the Network Node screen and on the Monitored Hosts list of the System Manager screen.
General Preferences
On the Preferences screen, click on the General Preferences tab. The General Preferences tab provides four options, shown in Figure 8-1 and described in Table 8-1. Click on an option box to select or deselect it. Type a numeric value in the edit box to change it.
Table 8-1 General Preferences Tab (Continued)
Option: Automatic Startup Alert Synchronization
Default: On
Description: When this option is turned on (checked), the System Manager automatically resynchronizes the alerts with running agents whenever the System Manager is restarted. This is equivalent to choosing Actions > Resync from the System Manager screen. This option is not available if Automatic Startup Status Poll is not checked.
Browser Preferences
The Browser Preferences tab allows you to select the list columns that will be displayed on the System Manager screen and on the Alerts and Errors tabs of the Network Node screen. Check the boxes to display the columns.
Alert Events Preferences
On the Preferences screen, click on the Browser Preferences tab and the Alert Events subtab. The Alert Events subtab lists the columns that can be displayed on the Alerts tab of the Network Node screen.
Table 8-2 Alert Events Subtab (Continued)
Column Name | Default | Description
Target ID * | No | ID of subsystem being attacked, e.g., 02:FILESYSTEM
Code * | No | Code number of the detection template
Version * | No | Version of the detection template
UTC Time * | No | Time of the alert in Coordinated Universal Time
Details * | No | Details of the alert
Error Events Preferences
On the Preferences screen, click on the Browser Preferences tab and the Error Events subtab.
System Manager Preferences
On the Preferences screen, click on the Browser Preferences tab and the System Manager subtab. The System Manager subtab lists the columns that can be displayed on the System Manager screen. Check the boxes to display the columns. The column names are shown in Figure 8-4 and described in Table 8-4. Click on an option box to select or deselect it.
Appendix A Templates and Alerts
Templates and Alerts
Summary
This appendix describes the detection templates that make up surveillance groups. It also describes the alerts that are passed to the System Manager and to response programs by the HP-UX HIDS agent.
Alert Summary
For each alert, Table A-1 lists the attack detected, the alert severity, and the detection template that generates the alert.
Table A-1 Detection Templates
Alert: Buffer overflow detected
Attack: A process attempted to execute on its stack, perhaps as part of a stack buffer overflow attack.
Alert: Setuid file created
Attack: A privileged setuid file was created or potentially created, the setuid bit was turned on for a regular file owned by a privileged user, or the owner of a setuid file was changed from a non-privileged user to a privileged user.
Alert: Non-owned file being modified
Attack: A file’s mode or ownership was modified by a user other than the owner, or a file was opened for modification by a user other than the owner of the file.
UNIX Regular Expressions
UNIX regular expressions are supported for specifying template directory and file properties. Template properties that specify path names (for example, pathnames_to_watch, pathnames_to_not_watch, pathnames_X, programs_X, etc.) are interpreted as UNIX regular expressions. Refer to the regexp(5) manpage for a description of regular expressions and pattern matching notation.
When you attempt to match the pipe (|), ampersand (&), or comma (,) character in a regular expression, you must escape it with a backslash (\) character, because these three characters also have special meaning: they are used as delimiters by the parser of the template property syntax.
Limitations
This section describes the general limitations of all the templates. Template-specific limitations are included in the respective template sections:
• None of the templates perform aggregation of related alerts, and only the Repeated Failed Logins template has a property (called warning_interval) to filter out identical alerts that repeat over a given time period.
Template Property Types
A template property has one of the following types:
• Type I: Path Names to [Not] Monitor
• Type II: Path Names/Programs Pairs
• Type III: UIDs
• Type IV: UID Pairs
• Type V: Network Triplets
• Type VI: Time Strings
• Type VII: Flags
• Type VIII: Scalars
See “Template Configuration Syntax” on page 182 for a description of the syntax used to specify values of the various template types.
Type II: Path Names/Programs Pairs
These property types enable users to specify combinations of file path names and program path names, such that alerts normally generated for files (regular files, directories, and so on) specified in the Pathnames to be monitored property are suppressed when the files are modified by selected programs. Path names and programs are specified as regular expressions, just as the pathnames_to_[not]_watch properties are.
pathnames_1 | f1 & f2
programs_1 | p1
pathnames_2 | f1 & f2
programs_2 | p2
pathnames_3 | f1 & f2
programs_3 | p3
• However, it is not equal to the following:
4.
pathnames_1 | f1
programs_1 | p1 & p2 & p3
pathnames_2 | f2
programs_2 | p1 & p3
The rationale here is to provide a finer granularity for users to specify their file-monitoring dependencies.
• The effective UID of the process modifying this file is the same as the first member of the pair.
• The owner of the file has the same UID as the second member of the pair.
If both these conditions are true, no alert is issued. Following is an example of this type of property value:
uid_pairs_to_ignore | 2, 16 | 4, 3
In this example, if the file’s owner’s UID is 16 and the effective UID of the modifying process is 2, then no alarm is triggered.
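The delimiter escaping rule, the Type II pathnames_X/programs_X pairing (examples 3 and 4 above) and the Type IV uid_pairs_to_ignore rule can all be exercised with a small parser. This is an added example, not HP-UX HIDS code; it assumes that `|` separates the entries of a value, `&` joins the members of one entry, `,` separates the two UIDs of a pair, that entry k of pathnames_X is paired with entry k of programs_X, and that Python's `re` module stands in for HP-UX regexp(5) matching.

```python
"""Added example (not HP-UX HIDS code): parser for the template property
syntax shown on this page plus the Type II and Type IV suppression rules.

Assumptions not stated on the page: '|' separates the entries of a value,
'&' joins the members of one entry, ',' separates the two UIDs of a pair,
entry k of pathnames_X pairs with entry k of programs_X, and Python's re
module stands in for regexp(5).
"""
import re
from typing import Dict, List, Tuple


def split_unescaped(text: str, delim: str) -> List[str]:
    """Split on delim, skipping occurrences escaped with a backslash.
    The backslash pair is copied untouched, so '\\|' remains the regex
    escape for a literal pipe in the extracted pattern."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.extend((ch, text[i + 1]))  # keep escape pair as-is
            i += 2
            continue
        if ch == delim:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_property(line: str) -> Tuple[str, List[List[str]]]:
    """'name | a & b | c'  ->  ('name', [['a', 'b'], ['c']])"""
    fields = split_unescaped(line, "|")
    if not fields:
        raise ValueError("empty property line")
    return fields[0], [split_unescaped(e, "&") for e in fields[1:]]


def parse_template(text: str) -> Dict[str, List[List[str]]]:
    """One property per non-blank line -> name: entries."""
    props: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        if raw.strip():
            name, entries = parse_property(raw)
            props[name] = entries
    return props


def matches_any(patterns: List[str], value: str) -> bool:
    return any(re.search(p, value) for p in patterns)


def modification_suppressed(props, path: str, program: str) -> bool:
    """Type II rule: suppress the alert when some pathnames_X entry matches
    the path and the paired programs_X entry matches the modifying program."""
    for name, path_entries in props.items():
        m = re.fullmatch(r"pathnames_(\d+)", name)
        if not m:
            continue
        prog_entries = props.get(f"programs_{m.group(1)}", [])
        for path_pats, prog_pats in zip(path_entries, prog_entries):
            if matches_any(path_pats, path) and matches_any(prog_pats, program):
                return True
    return False


def uid_pair_ignored(props, effective_uid: int, owner_uid: int) -> bool:
    """Type IV rule: pair 'e, o' suppresses the alert when the modifying
    process runs with effective UID e and the file is owned by UID o."""
    for entry in props.get("uid_pairs_to_ignore", []):
        for pair in entry:
            first, second = (int(x) for x in split_unescaped(pair, ","))
            if (effective_uid, owner_uid) == (first, second):
                return True
    return False


# Constructed configurations mirroring the page's examples 3 and 4, with
# f1, f2 and p1..p3 written out as anchored regular expressions.
EXAMPLE_3 = """
pathnames_1 | ^/etc/f1$ & ^/etc/f2$
programs_1 | ^/usr/bin/p1$
pathnames_2 | ^/etc/f1$ & ^/etc/f2$
programs_2 | ^/usr/bin/p2$
pathnames_3 | ^/etc/f1$ & ^/etc/f2$
programs_3 | ^/usr/bin/p3$
uid_pairs_to_ignore | 2, 16 | 4, 3
"""

EXAMPLE_4 = """
pathnames_1 | ^/etc/f1$
programs_1 | ^/usr/bin/p1$ & ^/usr/bin/p2$ & ^/usr/bin/p3$
pathnames_2 | ^/etc/f2$
programs_2 | ^/usr/bin/p1$ & ^/usr/bin/p3$
"""

# A watched name containing a literal pipe must escape it (constructed).
ESCAPED = r"pathnames_1 | ^/var/tmp/a\|b$" + "\n" + r"programs_1 | ^/usr/bin/p1$"
```

With example 3, f2 modified by p2 is suppressed; with example 4 it is not, which is the inequality the page states.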
When the units component is not present, the integer component is assumed to be in units of seconds. For example, the following lines in the template configuration file contain time strings representing values of 23 seconds, 10 minutes, 1 hour and 23 seconds; the s component in the last line is redundant, but can be used for clarity.
Buffer Overflow Template
The vulnerability addressed by this template
How this template addresses the vulnerability
All buffer overflow attacks (for example, stack smashing, return-into-libc, execute on heap) attempt to overflow a buffer. The buffer can be a local variable residing on the stack, a dynamically allocated buffer residing on the heap, or a global variable residing in the process data segment.
How this template is configured
Table A-2 lists the configurable properties that this template supports.
Table A-2 Buffer Overflow Template Properties
Name: priv_uid_list; Type: III; Default Value: 0 | 1 | 2 | 3 | 4 | 5 | 9 | 11
Name: unusual_arg_len; Type: VIII; Default Value: 500
Name: pathnames_to_not_watch; Type: I; Default Value: (empty)
• Property: priv_uid_list
A list of system-level user IDs. This list should contain those users who are considered to have elevated access to the system.
Table A-3
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[3] | Severity | Integer | 1 | Alert severity
argv[4] | UTC Time | Integer | | UTC time in number of seconds since epoch when execute-on-stack was detected
argv[5] | Attacker | String | uid=, gid=, pid=, ppid= | The user ID, group ID, process ID, and parent process ID of the process that attempted to execute on its stack
argv[6] | Target of Attack | String | program= |
Unusual Argument Length
Table A-4 lists the alerts that this template generates and forwards to a response program when a privileged setuid program is invoked with an argument whose length is equal to or greater than the unusual_arg_len property value.
Table A-4 Unusual Argument Length Alert Properties (Continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | Potential buffer overflow attack by process with pid and ppid when executing(type=, inode=, device= |
Table A-5 Argument with Non-printable Character Alert Properties (Continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[3] | Severity | Integer | 1 | Alert severity
argv[4] | UTC Time | Integer | | UTC time in number of seconds since epoch when a privileged setuid program was run with an argument that contains a non-printable character
argv[5] | Attacker | String | uid=, gid=, pid=, ppid= | T
argv[8] | Details | String | Potential buffer overflow attack by process with pid and ppid when executing(type=, inode=, device= |
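Tables A-3 to A-5 define what a response program receives on its command line. The skeleton below is an added example, not HP-UX HIDS code or a shipped response program: it reads the argv positions the tables list (argv[3] severity, argv[4] UTC time, argv[5] attacker, argv[6] target, argv[8] details) and assumes that the attacker and target fields are comma-separated `key=value` tokens, as the `uid=, gid=, pid=, ppid=` and `program=` placeholders suggest; the positions this page does not describe (argv[1], argv[2], argv[7]) are left alone, and the all -1 attacker case from Table A-7 is treated as "attacker unknown".

```python
"""Added example (not HP-UX HIDS code): response-program skeleton for the
Buffer Overflow template alerts, driven by the argv layout in Tables A-3
to A-5.  Assumption: the attacker/target fields are comma-separated
key=value tokens; positions argv[1], argv[2] and argv[7] are not
interpreted because this page does not describe them.
"""
import sys
from datetime import datetime, timezone
from typing import Dict, List

ATTACKER_KEYS = ("uid", "gid", "pid", "ppid")


def parse_kv_field(field: str) -> Dict[str, str]:
    """'uid=0, gid=3, pid=4321, ppid=1' -> {'uid': '0', ...} (format assumed)."""
    out: Dict[str, str] = {}
    for tok in field.split(","):
        if "=" in tok:
            key, val = tok.split("=", 1)
            out[key.strip()] = val.strip()
    return out


def parse_alert(argv: List[str]) -> Dict[str, object]:
    """Map the documented argv positions into a structured record."""
    if len(argv) < 9:
        raise ValueError(f"expected at least 9 arguments, got {len(argv)}")
    attacker = parse_kv_field(argv[5])
    target = parse_kv_field(argv[6])
    return {
        "severity": int(argv[3]),                           # argv[3]: Severity
        "utc_time": datetime.fromtimestamp(int(argv[4]),    # argv[4]: seconds since epoch
                                           tz=timezone.utc),
        "attacker": attacker,                               # argv[5]: uid=, gid=, pid=, ppid=
        "target": target.get("program", ""),                # argv[6]: program=
        "details": argv[8],                                 # argv[8]: Details
        # Table A-7: all attacker values are -1 when the attacker is not known.
        "attacker_known": not all(attacker.get(k) == "-1" for k in ATTACKER_KEYS),
    }


def summarize(alert: Dict[str, object]) -> str:
    """One syslog-style line a responder can forward to central logging."""
    att = alert["attacker"]
    who = (f"uid={att.get('uid')} pid={att.get('pid')} ppid={att.get('ppid')}"
           if alert["attacker_known"] else "attacker=unknown")
    return (f"hids_alert severity={alert['severity']} "
            f"time={alert['utc_time'].isoformat()} {who} "
            f"target={alert['target']} details=\"{alert['details']}\"")


# Constructed argv as a response program would see it (values invented).
SAMPLE_ARGV = [
    "/opt/ids/response/notify.py",          # argv[0]: this program (constructed path)
    "ARG1", "ARG2",                         # argv[1], argv[2]: not described on this page
    "1",                                    # argv[3]: severity
    "1115251200",                           # argv[4]: 2005-05-05T00:00:00Z
    "uid=0, gid=3, pid=4321, ppid=1",       # argv[5]: attacker (format assumed)
    "program=/usr/bin/passwd",              # argv[6]: target (format assumed)
    "ARG7",                                 # argv[7]: not described on this page
    "Potential buffer overflow attack by process with pid 4321 and ppid 1",
]

if __name__ == "__main__":
    print(summarize(parse_alert(sys.argv if len(sys.argv) >= 9 else SAMPLE_ARGV)))
```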
Templates and Alerts Race Condition Template Race Condition Template The vulnerability addressed by this template Some attacks use the time between a program’s check of a file and the time that the program uses that file. The race condition is sometimes referred to as the Time-To-Check-To-Time-To-Use (TOCTTOU) vulnerability. For instance, a mail delivery program might check to see if a file exists before it changes ownership of the file to the intended recipient.
Templates and Alerts Race Condition Template Properties The properties of this template are described below: • Property: priv_uid_list A list of system-level user IDs. This list should contain those users who are considered to have elevated access to the system. Removing any of these means that an attack against one of those users will not be detected by this template.
Templates and Alerts Race Condition Template Table A-7 Response Program Argument File Reference Modification Alert Properties (Continued) Alert Field Alert Field Type Alert Value/Format Description argv[5] Attacker String uid=, gid=, pid=, ppid= The user ID, group ID, process ID, and parent process ID of the process, if known, that modified a privileged program’s file reference. All values set to -1 if attacker is not known.
Templates and Alerts Race Condition Template Privileged setuid Script Executed This template generates and forwards alerts to a response program when a privileged setuid script is executed (either directly or through a symbolic link) and the kernel has honored the setuid bit. Table A-8 lists the alerts that this template supports.
Templates and Alerts Race Condition Template Table A-8 Response Program Argument setuid Script Executed Alert Properties (Continued) Alert Field Alert Field Type Alert Value/Format Description argv[8] Details String User with running as process with pid and with parent pid is executing the privileged setuid script (type=, inode=, device=
Templates and Alerts Modification of files/directories Template Modification of files/directories Template The vulnerability addressed by this template Many of the files on an HP-UX system should not be modified during normal operation. This includes the system-supplied binaries and libraries and the kernel. Additionally, software packages are generally not installed or modified during normal system operation.
Templates and Alerts Modification of files/directories Template Table A-9 File/Directories Template Properties (Continued) Name Appendix A Type Default Value pathnames_to_not_watch I ^/etc/ptmp$ | ^/etc/\.pwd\.lock$ | ^/etc/utmp$ | ^/etc/utmpx$ | ^/etc/rc\.log$ ^/etc/opt/resmon/pipe/ pathnames_0 II ^/etc/opt/resmon/ | ^/etc/group˙tmp.*$ & ^/etc/passwd˙tmp.*$ & ^/etc/group$ | ^/etc/group ˙tmp.
Templates and Alerts Modification of files/directories Template Table A-9 File/Directories Template Properties (Continued) Name 150 Type Default Value pathnames_to_not_watch I ^/etc/ptmp$ | ^/etc/\.pwd\.lock$ | ^/etc/utmp$ | ^/etc/utmpx$ | ^/etc/rc\.log$ ^/etc/opt/resmon/pipe/ pathnames_0 II ^/etc/opt/resmon/ | ^/etc/group˙tmp.*$ & ^/etc/passwd˙tmp.*$ & ^/etc/group$ | ^/etc/group ˙tmp.
Templates and Alerts Modification of files/directories Template Table A-9 File/Directories Template Properties (Continued) Name programs_X Properties Type II Default Value A brief description about the configurable properties are enlisted below: • Property: pathnames_to_watch Pathnames of files to be monitored for modification. • Property: pathnames_to_not_watch Pathnames of files that can be safely ignored for modification, regardless of which program modifies them.
File Being Modified
Table A-10 lists the alerts that this template generates and forwards to a response program when a file is modified.

Table A-10 File Being Modified Alert Properties (Continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format
argv[8] | Details | String | User with uid (type=, inode=, device=) when executing (type=,inode=,device=), invoked as follows: ...

NOTE See Table B-1 in Appendix B for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without having to parse the string alert fields above.
Changes to Log File Template

The vulnerability addressed by this template
Certain HP-UX system files are used to store logs of system activities, such as login attempts, commands executed, and miscellaneous system log messages. The files that store this system information should only be appended to, not overwritten. Attacks often either modify or delete these files to remove information about the intrusion.

Use these properties to filter out alerts generated when a particular program modifies a particular file in a way other than appending to it. See “Type II: Path Names/Programs Pairs” on page 132 for a detailed description of these property pairs.

Alerts generated by this template
See Table A-12 for information about the alerts that this template generates.

Table A-12 Append-Only File Being Modified Alert Properties (Continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format
argv[8] | Details | String | User with uid (type=,inode=,device=) when executing (type=,inode=,device=), invoked as follows: ...
Creation and Modification of Setuid File Template

The vulnerability addressed by this template
A setuid file is one that, if executed, operates with the permissions of the owner of the file, not of the person executing the file. One of the frequent back doors that an intruder installs on a system is a copy of the /bin/sh program that is setuid root. Such a file allows any command to be executed as the superuser.

Setuid File Created or Modified
Table A-14 lists the alerts that this template generates and forwards to a response program when a setuid file owned by a privileged user is created or modified.

Table A-14 Setuid File Created / Modified Alert Properties (Continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format
argv[8] | Details | String | User with uid the file (type=,inode=,device=) (type=,inode=,device=), invoked as follows: ...

generating an alert that a setuid file was opened for modification. The template can also generate a false alert that a setuid file is created even though the file already exists and is opened with the create flag and not for modification.
• The template cannot always distinguish between when a setuid file is created and when an existing setuid file is truncated.
Creation of World-Writable File Template

The vulnerability addressed by this template
A world-writable file is one that any user of the system can modify. In many cases, the files owned by the system users (such as root, bin, sys, adm) are used to control the configuration and operation of the system. Allowing regular users to modify these files exposes the system to attacks.

Table A-15 World-Writable File Template Properties (Continued)
Name: programs_1
Type: II
Default Value: ^/usr/lbin/rlogind$ | ^/usr/lbin/swagent$ & ^/usr/sbin/swagentd & ^/usr/sam/lbin/samd$ & ^/opt/perf/bin/ & ^/opt/OV/bin/ | ^/opt/openssl/prngd/prngd$ | ^/usr/sbin/getty$ | ^/usr/sam/lbin/samd$ | ^/opt/VRTSob/bin/vxsvc$ | ^/opt/perf/bin/ | ^/opt/OV/httpd/bin/httpd$ | ^/opt/OV/bin/ | ^/usr/sbin/useradd$ & ^/usr/sbin/userdel$ & ^/

World-Writable File Created
Table A-16 lists the configurable properties that this template supports.

Table A-16 World-Writable File Created Alert Properties (Continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format
argv[8] | Details | String | User with uid (type=,inode=,device=) when executing (type=,inode=,device=), invoked as follows: ...

Limitations
This template has the following limitations:
• The template cannot always distinguish between when a world-writable file is created and when an existing world-writable file is opened with the create flag set.
Modification of Another User’s File Template

The vulnerability addressed by this template
In many environments, users are expected to be working with their own files. An attacker attempting to compromise the security of a system might cause a system program to modify various files owned by other system users. Because many daemons run as a particular user, this template may generate an alert when a compromised daemon causes such an attack.

Table A-17 Modification of Another User’s File Template Properties (Continued)
Name: programs_X
Type: II

Properties
Configure the following properties based on the individual machine configuration and usage.
• Property: pathnames_to_not_watch
Pathnames of files that can be safely ignored if they are modified by non-owners.

Table A-18 Non-Owned File Being Modified Alert Properties (Continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[3] | Severity | Integer | 2 if the file is truncated, potentially truncated, deleted, or renamed. 3 if the file’s mode or ownership is modified, or the file is opened for writing or appending. | Alert Severity
argv[8] | Details | String | User with uid (type=,inode=,device=) (type=,inode=,device=), invoked as follows: ... |
Login/Logout Template

The vulnerability addressed by this template
Certain privileged user accounts (such as adm, bin, sys) are intended to be used by system programs only for maintenance purposes.

A brief description of the configurable properties is given below:
• Property: uids_to_ignore
User IDs in this list allow those users to log in, log out, and use the su command without generating an alert.
• Property: uids_to_monitor
Alerts are generated when the user IDs in this list log in, log out, or use the su command if the corresponding monitor_*_flag is set to 1.

Login/Logout
Table A-20 lists the alerts that this template generates and forwards to a response program when a successful login or logout occurs.

Table A-20 Login/Logout Alert Properties (Continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[10] | Flag | Integer | 1 | Indicates a login/logout alert versus an su alert
argv[11] | User | String | | Name of user that logged in or logged out
argv[12] | Device | String | | Name of pty device associated with login session
argv[13] | Hostname | String | | Name of remote host from

Table A-21 Successful su Detected Alert Properties (Continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[5] | n/a | n/a | | This field is empty
argv[6] | n/a | n/a | | This field is empty
argv[7] | Summary | String | Successful su session | Alert summary
argv[8] | Details | String | User switched to user on tty | Detailed alert description
argv[9] | Local Time | Integer | |

• Because the login name (ut_user in a utmp structure) is not available for a logout event, the template retrieves the login name from the wtmp log. If the log has been cleared, the template creates a logout alert that does not contain the user name, only the device on which the logout occurred.
• The template generates alerts for ftp logins without the remote host IP address on 11i V1 unless the wu-ftp 2.6.1 patch is installed.
Repeated Failed Logins Template

The vulnerability addressed by this template
An attacker can gain access to a system by repeatedly attempting to guess the password of an account.

How this template addresses the vulnerability
The Failed Login template monitors for repeated failed attempts to log in to the system.

Failed Login Attempts
Table A-23 lists the alerts that this template generates and forwards to a response program when repeated failed logins are detected.

Table A-23 Failed Login Attempts Alert Properties (Continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[12] | Device | String | | Name of pty device associated with failed login attempt
argv[13] | Hostname | String | | Name of remote host from which login was attempted
argv[14] | IP Address | String | for IPv4 addresses A:B:C:D:... |
Repeated Failed su Commands Template

The vulnerability addressed by this template
The system su(1) command allows one user to assume the identity of another user by entering that user’s password. An attacker can attempt to gain superuser (root) privileges by running the su command and guessing the superuser password.

How this template addresses the vulnerability
The template monitors for repeated failed attempts to change user IDs.

Table A-25 Repeated Failed Su Attempts Alert Properties (Continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[3] | Severity | Integer | 2 if one of the targets is user root or IDs. 3 otherwise. |
Template Configuration Syntax

This section describes the syntax used to specify template properties in the ASCII version of a schedule (that is, /var/opt/ids/schedule). The syntax for specifying template property values is also used when entering values in the Schedule Manager window.

— It must consist of a sequence of at most 64 characters, where each character must be in the following set: alphabetic (uppercase or lowercase), numerical (0 to 9), the underscore character (_), and the dash character (-).
— Property names are case-insensitive.
• Each Ni is a particular value for the property-name in a given command line. Property values are separated from the property-name and from each other by a pipe character (|).
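The property-name and value rules stated above, applied in code. The following C program is an added example written for this appendix; it is not part of HP-UX HIDS and does not read a real /var/opt/ids/schedule. It assumes one assignment per line in the form name|N1|N2|... (the pipe between the name and the first value, as the syntax section states) and that blanks around a value are not significant; both are assumptions of the example, not statements about the product.

```c
/* Added example, not HP-UX HIDS code: parse one "name|N1|N2|..." template
 * property assignment from the ASCII schedule and validate the name. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PROP_NAME_MAX   64      /* limit stated in the syntax section */
#define PROP_VALUES_MAX 16      /* capacity chosen for this example */
#define PROP_VALUE_MAX  256     /* capacity chosen for this example */

struct property {
    char name[PROP_NAME_MAX + 1];
    int  nvalues;
    char values[PROP_VALUES_MAX][PROP_VALUE_MAX];
};

/* Name rule: 1..64 characters, each a letter, digit, '_' or '-'. */
int valid_property_name(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > PROP_NAME_MAX)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Names are case-insensitive, so compare them that way. */
int property_name_equals(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Copy [s, s+len) into dst without surrounding blanks; 0 if it does not fit. */
static int copy_trimmed(char *dst, size_t dstsz, const char *s, size_t len)
{
    while (len > 0 && isspace((unsigned char)*s)) { s++; len--; }
    while (len > 0 && isspace((unsigned char)s[len - 1])) len--;
    if (len >= dstsz)
        return 0;
    memcpy(dst, s, len);
    dst[len] = '\0';
    return 1;
}

/* Returns 1 on success. Rejects a bad name, a line with no value, an empty
 * value such as "a||b", and more values than the struct holds. */
int parse_property_line(const char *line, struct property *out)
{
    const char *p = line;
    const char *bar = strchr(p, '|');
    if (bar == NULL)                       /* no '|' means no value follows the name */
        return 0;
    if (!copy_trimmed(out->name, sizeof out->name, p, (size_t)(bar - p)))
        return 0;
    if (!valid_property_name(out->name))
        return 0;
    out->nvalues = 0;
    p = bar + 1;
    for (;;) {
        bar = strchr(p, '|');
        size_t len = bar ? (size_t)(bar - p) : strlen(p);
        if (out->nvalues >= PROP_VALUES_MAX)
            return 0;
        char *dst = out->values[out->nvalues];
        if (!copy_trimmed(dst, PROP_VALUE_MAX, p, len) || dst[0] == '\0')
            return 0;
        out->nvalues++;
        if (bar == NULL)
            break;
        p = bar + 1;
    }
    return 1;
}

/* Number of values on a line, or -1 if the line violates the syntax. */
int count_property_values(const char *line)
{
    struct property prop;
    return parse_property_line(line, &prop) ? prop.nvalues : -1;
}
```

A consumer of the schedule file should look properties up with property_name_equals() rather than strcmp(), since the guide states that names are case-insensitive; the values themselves (pathname patterns, uid lists) are left uninterpreted here because their meaning depends on the property type.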
Appendix B Automated Response

Summary
This appendix describes how you can use response programs to process alerts automatically according to your installation’s policies. It includes a sample C program, several sample response scripts, and information about a prepackaged response program that communicates with HP OpenView VantagePoint Operations.

Introduction
The automated alert response feature of HP-UX HIDS is a powerful tool. Response programs allow you to automatically capture alerts as they are generated by the HP-UX HIDS agent and to use your own tools to process them and make decisions, such as alerting a system administrator about a potential intrusion.

If business continuity is important, then the machine must be restored to a known safe state. If critical files have been modified, then they can be restored from trusted read-only media. See the examples in “Restoration of a known “good” state” on page 207.

How Automated Response Works in HP-UX HIDS

The Alert Process
When the agent generates an alert,
1. The agent stores the alert in a local log file whose pathname is defined by the IDS_ALERTFILE configuration variable (the default is /var/opt/ids/alert.log). See “The Agent Configuration File” on page 217.
2. If it is communicating with the System Manager, the agent sends the alert to the System Manager.
3.

2. Your program is detached from a controlling terminal and runs as a background process. Standard output and standard error are both redirected to the error log file, as defined by the IDS_ERRORFILE configuration variable (the default is /var/opt/ids/error.log).
3. If you need to transmit your alert information to another system, you may need to set up your own secure communication process.
4.
Table B-1 Additional Arguments Passed to Response Programs (Continued)
Response Program Argument | Alert Field | Alert Field Type | Description
argv[20] | Target File Owner | Integer | Owner of file (uid) under attack
argv[21] | Target File Group | Integer | Group of file (gid) under attack.
argv[22] | Target File Inode | Integer | Inode number of file under attack.

Table B-1 Additional Arguments Passed to Response Programs (Continued)
Response Program Argument | Alert Field | Alert Field Type | Description
argv[33] | Attacker pseudo-tty | String | Name of pty to which the attacker is connected (for example, pts/ta). Set to empty string if not known.
argv[34] | Attacker hostname | String | Full hostname of remote host from where the attacker logged in.

Table B-2 Additional Arguments Passed to Response Programs for Race Condition Template Alerts (Continued)
Response Program Argument | Alert Field | Alert Data Type | Description
argv[42] | Attacked Program Device | Integer | Device number of program under attack
argv[43] | Attacked Program Number of Arguments | Integer | Number of arguments passed to program under attack (e.g., argc).
Programming Guidelines

Writing Perl vs. Shell Response Scripts
Perl itself is not privileged, but, when a Perl script is run by a privileged user (as it often is), care must be taken to make sure that the script is secure. It is far easier to write an insecure script in Perl compared to a shell (POSIX, Korn, C, etc.).

This program should only run with a privileged effective uid when performing an operation that requires privilege, and should run with the nonprivileged ids uid as the effective uid at all other times, a method called “privilege bracketing”. See the setresuid (2) manpage for how to toggle the effective uid.
then
    # and if the target of the attack is the password file
    if [ "${17}" = "/etc/passwd" ]; then
        # obtain the process id from the alert
        pid=${11}
        echo "Critical intrusion: halting process ${pid} running ${24} that modified /etc/passwd" | /usr/bin/mailx -s "$7" "${RECIPIENT}"
        # Invoke setuid-root program to kill process instead
        # of using a setuid-root script which is susceptible to
        # race condition attacks.
    int pid;

    /* Turn off root privilege but save euid */
    if (setresuid(-1, getuid(), geteuid()) == -1) {
        perror("setresuid");
        exit(1);
    }
    /* Determine if a file modification alert */
    if (atoi(argv[1]) == 2) {
        /* Determine if the target of the attack is /etc/passwd */
        if (strcmp(argv[17], "/etc/passwd") == 0) {
            /* Obtain process id */
            pid = atoi(argv[11]);
            if (pid < 0) {
                fprintf(stderr, "Unknown process modified /etc/passwd\n");
                exit(1);
            }
            fprintf(stderr, "Process %d ru
Solution C
/opt/ids/response/privC: a setuid-root program with mode 4550 and owned by root:ids.
/opt/ids/response/misc: a directory with mode 500 and owned by ids:ids.
/opt/ids/response/misc/scriptC.sh: a non-setuid script with mode 500 and owned by ids:ids.

NOTE You must make sure you do not create a privC program that allows the execution of any executable with euid root! The path names of the scripts must be hardcoded in privC.c.

    fi
    # Exit with no error
    exit 0
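Solution C above describes a setuid-root privC that holds root only around the one operation that needs it. The following C program is an added example of that structure; it is not the privC.c or the ids_alertResponse.c shipped with HP-UX HIDS. Its use of argv[1] == 2 for a file-modification alert, argv[11] for the pid and argv[17] for the target file follows the sample code above; the mail step and the hardcoded script paths of the sample are omitted. The decision is kept in decide_action(), which runs with the unprivileged effective uid and can be exercised without root; the only privileged call is kill(2) inside kill_with_privilege().

```c
/* Added example, not HP-UX HIDS code: a privilege-bracketed response program.
 * Alert field positions (argv[1] alert type, argv[11] pid, argv[17] target
 * file) follow the sample code in this appendix. */
#define _GNU_SOURCE            /* setresuid() prototype on glibc; HP-UX declares it in unistd.h */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

int setresuid(uid_t ruid, uid_t euid, uid_t suid);   /* explicit prototype, harmless if already declared */

#define ALERT_FILE_MODIFICATION 2    /* value the sample compares argv[1] against */
#define ALERT_ARGC_MIN 18            /* argv[17] must exist */

enum action { ACT_IGNORE = 0, ACT_KILL = 1 };

/* Unprivileged decision: returns ACT_KILL and stores the pid in *pid_out only
 * for a file-modification alert on /etc/passwd that carries a usable pid. */
enum action decide_action(int argc, char *argv[], long *pid_out)
{
    if (argc < ALERT_ARGC_MIN || pid_out == NULL)   /* truncated argument list */
        return ACT_IGNORE;
    if (atoi(argv[1]) != ALERT_FILE_MODIFICATION)
        return ACT_IGNORE;
    if (strcmp(argv[17], "/etc/passwd") != 0)
        return ACT_IGNORE;

    /* The sample only rejects pid < 0.  kill(0, sig) signals the caller's whole
     * process group and kill(-1, sig) every process root may signal, so a
     * setuid-root responder must also reject 0, pid 1 and non-numeric input. */
    char *end;
    long pid = strtol(argv[11], &end, 10);
    if (argv[11][0] == '\0' || *end != '\0' || pid <= 1)
        return ACT_IGNORE;
    *pid_out = pid;
    return ACT_KILL;
}

/* Builds a constructed 18-entry argument vector (empty strings except the
 * three fields the decision reads) and returns the pid to kill, or 0. */
long decided_pid(const char *alert_type, const char *pid_field, const char *target)
{
    char *v[ALERT_ARGC_MIN];
    char empty[] = "";
    for (int i = 0; i < ALERT_ARGC_MIN; i++)
        v[i] = empty;
    v[1]  = (char *)alert_type;
    v[11] = (char *)pid_field;
    v[17] = (char *)target;
    long pid = 0;
    return decide_action(ALERT_ARGC_MIN, v, &pid) == ACT_KILL ? pid : 0;
}

/* At start: drop root as the effective uid but keep it as the saved uid. */
static uid_t drop_privilege(void)
{
    uid_t saved = geteuid();
    if (setresuid((uid_t)-1, getuid(), saved) == -1) {
        perror("setresuid");
        exit(1);
    }
    return saved;
}

/* The bracket: raise to the saved uid, signal, drop again immediately. */
int kill_with_privilege(long pid, uid_t saved, int sig)
{
    if (setresuid((uid_t)-1, saved, (uid_t)-1) == -1) {
        perror("setresuid raise");
        return -1;
    }
    int rc = kill((pid_t)pid, sig);
    int err = errno;
    if (setresuid((uid_t)-1, getuid(), saved) == -1) {
        perror("setresuid drop");
        exit(1);                 /* never carry on with root still effective */
    }
    errno = err;
    return rc;
}

int main(int argc, char *argv[])
{
    uid_t saved = drop_privilege();
    long pid;
    if (decide_action(argc, argv, &pid) == ACT_KILL) {
        if (kill_with_privilege(pid, saved, SIGKILL) == -1)
            fprintf(stderr, "kill %ld: %s\n", pid, strerror(errno));
        else
            fprintf(stderr, "halted process %ld that modified /etc/passwd\n", pid);
    }
    return 0;
}
```

Installed as in Solution C (mode 4550, root:ids), the program spends all of its run as uid ids except the single kill(2) call, which is the property the guidelines call privilege bracketing. The pid check is the practical difference from the sample: an alert argument of "0" would otherwise pass the sample's pid < 0 test and, under root, signal the responder's entire process group.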
Sample Response Programs
The following sections contain examples of C and shell script response programs.

Sample C Language Program Source Code
This is sample C language source code for a response program. It is distributed in /opt/ids/share/examples/ids_alertResponse.c. Modify the source code below to take appropriate action in response to intrusions. This source code can be compiled with your standard C compiler.

Forwarding Information

Sending an E-mail
HP-UX HIDS logs alerts to a file on the local system and sends the alert information to the HP-UX HIDS System Manager. Alert information can also be sent via e-mail, as demonstrated in this script.

Logging to a central syslog server
While the HP-UX HIDS System Manager provides a centralized location for alerts, you may also want to log alerts to a syslog server. This short script shows how this can be done.

Halting any further attacks

Disabling a user's account
If a particular user account is generating many alerts, it may be necessary to disable further logins on that account. This script shows how to achieve that.
IMPORTANT This script requires privilege and should not be installed as a setuid privileged script. This script is for illustration purposes only.

Disable remote networking
If you have determined that an intrusion is originating from a remote location, this script will disable networking on the system.
IMPORTANT This script requires privilege and should not be installed as a setuid privileged script. This script is for illustration purposes only. Please refer to “Writing Privileged Response Programs” on page 194 for help on how to safely write a privileged response program.

Preservation of evidence
NOTE Consult your local legal counsel to determine what steps must be taken to preserve evidence for use in court. The example scripts presented below do not meet the legal requirements for preservation of evidence.

Putting a process to sleep
It may be necessary to preserve the evidence of an intrusion for later analysis. In this example, a process which has caused an alert will be stopped.

Snapshot of critical system state
Extending the previous example, this script will take a snapshot of critical system state information that can be used for later analysis:
• currently executing process list
• who is logged into the system
• a record of login/logout attempts
• a list of active network connections

#!/usr/bin/sh
#
# Sample HP-UX HIDS alert response script
#
# Take a snapshot of the important system state information when
# the intrusion occu

Restoration of a known “good” state

Restoring “safe” copies of files
Intruders will often replace key system configuration files during an attack. This sample script shows how to replace those files with clean versions that are mounted on a CDROM drive. We assume that the CDROM is mounted on /cdrom.
IMPORTANT This script requires privilege and should not be installed as a setuid privileged script. This script is for illustration purposes only.

HP OpenView Operations SMART Plug-In
For customers of HP OpenView Operations (OVO), a SMART Plug-In — OVO HPUX_HIDS-SPI — is available. By relaying messages from the HP-UX HIDS agent to the OVO message interceptor residing on the same host, HP-UX HIDS gives you the ability to manage HP-UX HIDS alerts directly from the OpenView management server.
Appendix C The idsagent Command

Summary
This appendix covers:
• “The idsagent Command” on page 211.

The idsagent Command
idsagent starts the HP-UX HIDS agent software on the agent system. See idsagent (1M).
CAUTION It is strongly urged that you do not use the debugging options (-c, -d, -e, -l, and -p) except for testing and debugging. In normal operation, the debugging options will degrade the performance of the HP-UX HIDS agent software.

Error messages are written to the error log file, as defined in the configuration parameter IDS_ERRORFILE. The messages in the IDS_ERRORFILE file are also sent to the HP-UX HIDS System Manager, idsgui, if it is running on the administration system. If the -d and -l options are also specified, the error messages are also written to the debug log file. By default, IDS_ERRORFILE is set to /var/opt/ids/error.log. See “Global Configuration” on page 220 and ids.cf (5).
Appendix D The idsadmin Command

Summary
This appendix covers:
• “The idsadmin Command” on page 215.

The idsadmin Command
idsadmin is an IDS command-line administration tool that provides a command prompt for you to send commands to an idsagent process. In addition, you can receive alerts and error messages from the agent. See idsadmin (1M). idsadmin assumes that the steps described in IDS_genAdminKeys (1M), IDS_genAgentCerts (1M), and IDS_importAgentKeys (1M) have been followed to correctly generate certificates for secure communication.

Specify the host name or IP address of the local host where idsadmin should accept connections from the agent. By default, the local host name is used. Use this option if the local host is multihomed (has two or more IP addresses).
-l alert/error-filename
Specify the path name of a file to store alert and error messages sent by the agent. If the file already exists, idsadmin appends to it.
Appendix E The Agent Configuration File

Summary
This appendix describes the user-configurable options that can be modified in the HP-UX HIDS agent configuration file, which is located in /etc/opt/ids/ids.cf.

The Agent Configuration File
The HP-UX HIDS agent requires a configuration file named ids.cf, located in the directory /etc/opt/ids, which describes the location of various required binaries and also stores some detection-template-specific data. See ids.cf (5). IDS users are strongly discouraged from editing the configuration file (except as explicitly directed), as it may cause failure of the IDS agent software.

Global Configuration
The Global section is bracketed by the [global]...[END] keywords. Only the parameters in Table E-1 may be edited.
CAUTION Do not edit any other variables between [global] and its [END] tag.

Table E-1 Global Configuration Variables
Name | Default Value
IDS_ALERTFILE | /var/opt/ids/alert.log
IDS_ERRORFILE | /var/opt/ids/error.

Correlator Process Configuration
In the section beginning with [Correlator] NAME idscor only the parameters in Table E-2 may be edited.
CAUTION Do not edit any other variables between [Correlator] NAME and its [END] tag.

Table E-2 Correlator idscor Parameters
Name | Default Value
NICE_PRIORITY_CHANGE | -10

NICE_PRIORITY_CHANGE
The change in nice value to apply to the idscor correlator process. The range is -20 (for maximum priority) to 20.

Data Source Process Configuration
There is a configuration entry for each data source process. Each entry is surrounded by [DSP] and [END] tags. The first entry, for the system log DSP which monitors various system log files, has no modifiable parameters. The second entry is for the kernel audit data DSP.
CAUTION Do not edit any variables in the system log DSP section (between [DSP] NAME idskernDSP and its [END] tag).

Controls how the kernel will act if idsagent cannot keep up with the rate of data generated.

Remote Communication Configuration
The remote communication configuration section lies between the [RemoteSA] and [END] tags. Only the parameters in Table E-4 may be edited.
CAUTION Do not edit any other variables between [RemoteSA] and its [END] tag.

administration system. An IP address is specified in dotted decimal notation. If the INTERFACE variable is set in idsgui, REMOTEHOST should have the same value.
Appendix F Messages

Summary
This appendix describes the error and other messages that may be produced by the Agent and System Manager programs.

Agent Messages
NOTE These messages are produced by the agent processes. If you see a message that is not described and you cannot resolve, contact HP support.

idsagent: another idsagent (PID:pid) process is running Or a stale lockfile /var/opt/ids/idsagent.pid exists Remove it and attempt to restart - exiting
❏ Meaning: You attempted to start idsagent and it is already running, or idsagent halted abnormally, leaving the lock file in place.

❏ Action: Verify that the file exists; that it is owned by user:group ids:ids; and that it is readable by user ids.

idsagent: failed to initialize configuration module
❏ Meaning: An error occurred while parsing the ids.cf configuration file. The SSL certificates may not have been created properly, meaning that the REMOTEHOST parameter may not be valid in ids.cf.
❏ Action: Check accompanying error messages and correct the problem.

❏ Action: Contact HP support.

idsagent: unable to setup SIGCHLD signal handler
❏ Meaning: An internal error has occurred in handling signals.
❏ Action: Contact HP support.

idsagent: unable to setup SIGHUP signal handler
❏ Meaning: An internal error has occurred in handling signals.
❏ Action: Contact HP support.

idsagent: unable to setup signal handler
❏ Meaning: An internal error has occurred in handling signals.
❏ Action: Contact HP support.

❏ Action: Verify that the log file is owned by user:group ids:ids; that the ids user has read and write permissions on the file; and that its parent directory has read and write permissions.

idsagent: DSP type dsp required by template template not found
❏ Meaning: Template template requires a data source dsp that is not supported by this version of HP-UX HIDS.
❏ Action: Ensure that you have installed the latest version of the HP-UX HIDS product.

idsagent: failed to initialize schedule
❏ Meaning: An internal error occurred in parsing and initializing the surveillance schedule.
❏ Action: Contact HP support.

idsagent: failed to initialize schedule in crontab
❏ Meaning: idsagent was unable to create a set of crontab entries for user ids to manage schedule execution.
❏ Action: Verify that the user ids is present in the /var/adm/cron/cron.allow file.

❏ Meaning: The system does not have enough disk space to create the interprocess communication files in /var/opt/ids. HP-UX HIDS uses memory-mapped files, each of size 20 MB.
❏ Action: Ensure that there is at least 20 MB of free disk space in the /var partition. You can remove any lingering files with names of the form /var/opt/ids/ids_10*.

idsagent: not enough disk space to create schedule
❏ Meaning: The /var partition is full and the idsagent cannot save the schedule to disk.

❏ Meaning: This is not a valid address or name for this host. This host name does not resolve to a unique network address. idsagent does not know which network interface to listen on.
❏ Action: Change the IDS_LISTEN_IFACE parameter in the [global] section of the configuration file to a valid address or name for this host.
System Manager Messages
NOTE These messages are produced by the System Manager process. If you see a message that is not described and you cannot resolve, contact HP support.

All Surveillance Schedules must be stopped prior to loading a Host List File - Program State Error.
❏ Meaning: Before loading the previously saved list of hosts, all surveillance schedules must be stopped.

I/O Exception while opening file: filename - File Save Error.
❏ Meaning: The application was unable to open the specified file.
❏ Action:

In order to Activate a Surveillance Schedule, selected hosts must have a status of Ready, Scheduled, or Running.
❏ Meaning: The host was in an invalid state for the selected action.
❏ Action: Before activating a surveillance schedule, ensure that the selected hosts are in ready, scheduled, or running state.

❏ Action: Two hosts cannot have the same IP addresses. All hosts must have unique IP addresses.

No Host selected. A Host must be selected for editing - Host Selection Error.
❏ Meaning: You attempted to edit host information without selecting a host.
❏ Action: Before editing host information, a host must be selected.

No host selected. At least one host must be selected - Host Selection Error.

❏ Meaning: Only schedules associated with a node can be stopped. No node was selected.
❏ Action: Select a node before stopping the schedule.

Select a Surveillance Schedule to Activate.
❏ Meaning: A schedule must be selected before the activate action is performed.
❏ Action: Select a surveillance schedule before attempting to perform the activation function.

Select Surveillance Group Name to delete - Selection Error.

❏ Meaning: The application was unable to retrieve the surveillance schedule you selected.
❏ Action: A read action has occurred while retrieving a surveillance schedule. Contact HP support.

Surveillance Schedule not selected - Schedule Selection Error.
❏ Meaning: A surveillance schedule was not properly selected for a given operation.
❏ Action: Before performing any action on a surveillance schedule, one must be properly selected.

❏ Action: An error occurred during the save operation. Please ensure the availability of sufficient disk space.

Unknown Host - unable to resolve IP Address IPaddress.
❏ Meaning: The host name for the agent that you tried to add could not be resolved.
❏ Action: Check the host name of the host.

Unknown IP Address - unable to resolve Host Name
❏ Meaning: The IP address of the host, which you tried to add, could not be resolved.
G Appendix G Troubleshooting 243
Troubleshooting Summary Summary This appendix describes various steps you can take in resolving problems on the agent and administrative systems.
Troubleshooting Summary Appendix G • “System Manager times out on agent functions such as Activate and Status Poll” on page 255 • “UNKNOWN program and arguments in certain alert messages” on page 255 • “Using HP-UX HIDS with IPFilter and SecureShell” on page 255 245
Troubleshooting

This section describes a variety of potential problems and their solutions. To stay current with product updates and patches, be sure to monitor the HP security software news and events web site at www.hp.com/security.

Agent and System Manager cannot communicate with each other
(No errors are being generated by the HP-UX HIDS processes and everything seems to be running fine otherwise.) See also "No Agent Available" on page 252.
Agent complains that idds has not been enabled, yet lsdev shows /dev/idds is present
❏ If your lsdev result shows /dev/idds is present, and yet the idsagent debug-enabled log file (run with /opt/ids/bin/idsagent -d -l log_file_name) complains about idds not being enabled, it is probable that there is an installation or kernel-build error.
Agent halts abnormally, leaving ids_* files and message queues
❏ If a running agent was not halted as described in "Halting HP-UX HIDS Agents" on page 53 (for example, the agent was stopped with kill -9), you need to clean up the message queues that the agent uses for interprocess communication (IPC). This is important because the kernel has a limited number of message queues, which IDS and other applications need in order to run.
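The following script is an added example for the cleanup step above; it is not part of the guide and not HP's own tooling. It lists the System V message queues owned by a given user from "ipcs -q" output and prints the matching ipcrm commands as a dry run, so an operator can review exactly which queues an abnormally halted agent left behind before removing them. The column layout of the constructed sample (HP-UX style: T, ID, KEY, MODE, OWNER, GROUP) and the user name ids are assumptions to verify against your own ipcs output.

```shell
# Added example (not from the HP-UX HIDS guide): find the System V message
# queues owned by one user in "ipcs -q" output so that queues left behind
# by an agent killed with kill -9 can be removed with "ipcrm -q <ID>".
#
# Assumption: "ipcs -q" prints one line per queue in the form
#   q   <ID>  <KEY>  <MODE>  <OWNER>  <GROUP>
# Check the columns against your own ipcs output before running with REMOVE=yes.

# Constructed sample of "ipcs -q" output (not captured from a real system).
SAMPLE_IPCS='IPC status from /dev/kmem as of Wed Nov 24 20:53:23 2004
T         ID     KEY        MODE       OWNER    GROUP
Message Queues:
q          0 0x3c1c0d74 -Rrw--w--w-     root     root
q       1234 0x00000000 --rw-------      ids      ids
q       1235 0x00000000 --rw-------      ids      ids
q       4096 0x4e0c1a33 --rw-rw-rw-   oracle      dba'

# Print the IDs of the message queues owned by $1; reads ipcs -q output on stdin.
ids_queue_ids() {
    awk -v owner="$1" '$1 == "q" && $5 == owner { print $2 }'
}

# Count the queues owned by $1 in the ipcs output passed as $2.
count_queues() {
    printf '%s\n' "$2" | ids_queue_ids "$1" | wc -l | tr -d ' '
}

# Emit (or, with REMOVE=yes in the environment, execute) one ipcrm command per
# queue owned by $1. The default is a dry run so the list can be reviewed first.
cleanup_queues() {
    owner="$1"
    ipcs_output="$2"
    printf '%s\n' "$ipcs_output" | ids_queue_ids "$owner" | while read -r qid; do
        if [ "${REMOVE:-no}" = "yes" ]; then
            ipcrm -q "$qid"
        else
            printf 'would run: ipcrm -q %s\n' "$qid"
        fi
    done
}

# Stand-alone usage: dry run against the constructed sample.
cleanup_queues ids "$SAMPLE_IPCS"
```

On a real agent system, replace the constructed sample with live output, for example cleanup_queues ids "$(ipcs -q)", review the dry-run list, and only then rerun with REMOVE=yes. Restricting the match to the agent's user keeps the script from touching queues that other applications on the host depend on.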
❏ /opt/ids/bin/idsagent -d -e -l /var/log/idslog
The debug information can be found in the following files:
• /var/log/idslog
• /var/log/idslog_idskerndsp
• /var/log/idslog_idssysdsp
• /var/log/idslog_idscor

Agent does not start after installation
❏ Verify that there are no errors from the install: /var/adm/sw/swagent.log
❏ Be sure the product has been run as user ids. (No other user will work.
❏ Determine whether any changes have been made to the detection templates that may filter out the alerts (such as ignoring whole directories or users).
❏ If no login/logout alerts are seen, /var/adm/wtmp might be corrupted. To check, run the last command and see whether it prints an error or segmentation faults.
Enter command>>ping
Wed Nov 24 20:53:23 2004: libcomm: pid=14582 thread_id=1:open_connection: Handshake error (ssl_err=1,ret=0) as client 1:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1052:SSL alert number 42
Wed Nov 24 20:53:23 2004: libcomm: pid=14582 thread_id=1: write_msg: error opening connection to remote host, errno=607:Error during SSL handshake.
Starting the HP-UX HIDS System Manager in the background
Please wait....

In either case, you can try running the command again. The solution is to apply the latest Software Distributor (SD) Cumulative Patch. For 11i and 11i version 1.6, install PHCO_25887 or a superseding patch, if any.
— On the administration system, run the script /opt/ids/bin/IDS_checkAdminCert. If the certificate has expired, rerun /opt/ids/bin/IDS_genAdminKeys with the update parameter. See "Setting Up the HP-UX HIDS Secure Communications" on page 20.
— On the agent system, run the script /opt/ids/bin/IDS_checkAgentCert. If the certificate has expired, rerun /opt/ids/bin/IDS_genAgentCerts for the agent on the administration system.
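The script below is an added example, not part of the guide, that ties the libcomm handshake log shown earlier to the certificate checks described in this section. It scans an idslog-style debug log for "Handshake error" lines, extracts the process id and the TLS alert number the peer sent, and prints which of the guide's certificate scripts to run next. The first two sample lines are the guide's own log excerpt; the third line (alert 48) is constructed. The alert numbers follow the standard TLS alert registry (bad_certificate is 42, certificate_expired is 45, unknown_ca is 48); mapping alert 48 to regeneration with IDS_genAgentCerts is this example's assumption, and the function names are ours.

```shell
# Added example (not from the HP-UX HIDS guide): classify libcomm handshake
# failures in an idsagent or System Manager debug log and print the
# certificate check the guide recommends for each one.

# Sample log: first two lines are the guide's own output, the third is
# constructed to show a different alert number.
SAMPLE_LOG='Wed Nov 24 20:53:23 2004: libcomm: pid=14582 thread_id=1:open_connection: Handshake error (ssl_err=1,ret=0) as client 1:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1052:SSL alert number 42
Wed Nov 24 20:53:23 2004: libcomm: pid=14582 thread_id=1: write_msg: error opening connection to remote host, errno=607:Error during SSL handshake.
Wed Nov 24 20:55:01 2004: libcomm: pid=14582 thread_id=1:open_connection: Handshake error (ssl_err=1,ret=0) as client 1:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48'

# Extract the TLS alert number from a "Handshake error" line; prints nothing otherwise.
alert_number() {
    printf '%s\n' "$1" | sed -n 's/.*SSL alert number \([0-9][0-9]*\).*/\1/p'
}

# Map a TLS alert number to the next check. Alert numbers are from the TLS
# alert registry: bad_certificate=42, certificate_expired=45, unknown_ca=48.
# The remediation text follows the guide; the alert-48 mapping is an assumption.
remediation() {
    case "$1" in
        42|45)
            echo "peer rejected our certificate: run /opt/ids/bin/IDS_checkAdminCert (administration system) or /opt/ids/bin/IDS_checkAgentCert (agent system) and regenerate if expired" ;;
        48)
            echo "peer does not trust our certificate issuer (assumption): rerun /opt/ids/bin/IDS_genAgentCerts for this agent on the administration system" ;;
        *)
            echo "unclassified handshake failure (alert $1): collect the debug log and contact HP support" ;;
    esac
}

# Walk the log; for each Handshake error line print "pid=<pid> alert=<n>: <advice>".
classify_log() {
    printf '%s\n' "$1" | grep 'Handshake error' | while read -r line; do
        pid=$(printf '%s\n' "$line" | sed -n 's/.*pid=\([0-9][0-9]*\).*/\1/p')
        n=$(alert_number "$line")
        printf 'pid=%s alert=%s: %s\n' "$pid" "${n:-unknown}" "$(remediation "${n:-unknown}")"
    done
}

# Stand-alone usage against the sample log.
classify_log "$SAMPLE_LOG"
```

For a live system, pass the contents of the debug log produced with idsagent -d -l log_file_name, for example classify_log "$(cat /var/log/idslog)". The write_msg line that follows a handshake error only restates the failure (errno=607), so the script keys on the Handshake error line, which carries the peer's alert number.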
Schedule Manager timetable screen appears to hang
❏ The visual refresh of the day, time, and surveillance group matrix (which the System Manager maintains in the Schedule Manager timetable screen) is CPU intensive and hence may appear to be slow on some systems.

SSH does not perform a clean exit after idsagent is started
After starting idsagent from an ssh login, logging out of the agent system results in the ssh session hanging indefinitely.
System Manager starts with no borders or title bar in X client programs on Windows
❏ This sometimes happens when Reflection X (or other X client programs on Microsoft Windows) has been running for a while. Quit, restart the program, relogin to your HP-UX HIDS administration system, and restart the System Manager. If the problem persists, contact HP support.
IPFilter rules for HP-UX HIDS
This is a sample set of IPFilter rules needed to enable HP-UX HIDS. If you use a firewall other than IPFilter, the explanation presented here should give you enough pointers to set up your own firewall rules.
1. The HP-UX HIDS agent listens on port hpidsagent (2985) for incoming connections initiated by the HP-UX HIDS System Manager on a remote host.
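As an added example (not the guide's rule set and not HP's own configuration), the script below generates IPFilter rules for point 1: it admits new TCP connections to the agent's hpidsagent port (2985) only from the listed System Manager hosts and drops every other attempt to reach that port. The interface name lan0 and the manager addresses (192.0.2.x, a documentation range) are constructed placeholders; the function names are ours.

```shell
# Added example (not from the HP-UX HIDS guide): emit IPFilter rules that let
# only the HP-UX HIDS System Manager host(s) reach an agent's hpidsagent port
# and block everyone else. Assumptions: the agent's interface is lan0 (edit to
# match your system) and the manager addresses are placeholders.

HIDS_AGENT_PORT=2985   # hpidsagent, as stated in the guide
IFACE=lan0             # assumption: HP-UX interface name

# Print IPFilter rules for the System Manager addresses given as arguments.
# "quick" makes the first matching rule final; "flags S keep state" accepts
# only connection setups from a manager and then passes the rest of that
# connection statefully, so no separate rule is needed for reply packets.
hids_agent_rules() {
    for mgr in "$@"; do
        printf 'pass in quick on %s proto tcp from %s to any port = %s flags S keep state\n' \
            "$IFACE" "$mgr" "$HIDS_AGENT_PORT"
    done
    # Anything else aimed at the agent port is dropped.
    printf 'block in quick on %s proto tcp from any to any port = %s\n' \
        "$IFACE" "$HIDS_AGENT_PORT"
}

# Number of rules produced for N manager hosts: N pass rules plus one block rule.
hids_agent_rule_count() {
    hids_agent_rules "$@" | wc -l | tr -d ' '
}

# Stand-alone usage with constructed placeholder manager addresses.
hids_agent_rules 192.0.2.10 192.0.2.11
```

Append the generated lines to the agent's IPFilter rule file and reload the ruleset (with the standard ipf -Fa -f <rulefile> invocation; the file location is whatever your IPFilter installation uses). Because the pass rules name the manager hosts explicitly, an agent port left reachable from arbitrary hosts shows up as a missing pass rule rather than a silent exposure.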
# su ids
$ echo $DISPLAY
x.x.x.x:10.0

NOTE: x.x.x.x stands for the IP address of the host. :10.0 is an automatic result of X11 forwarding being enabled in ssh. You should not manually set DISPLAY to :10.0.

$ ./idsgui
Unable to display the GUI on x.x.x.x:10.0
Please check the value of the environment variable DISPLAY and verify that this machine is authorized to connect to that display.
remotesys:10 MIT-MAGIC-COOKIE-1 9533074095e317c40503821e41839941
remotesys:11 MIT-MAGIC-COOKIE-1 313a43a83192f719535e5b054fc26ac5
remotesys:12 MIT-MAGIC-COOKIE-1 2b4c68632e0310c2867e42c649f3d9f6
xauth> exit
# su ids
$ echo $DISPLAY
x.x.x.x:10.0
$ echo $HOME

$ export HOME=/home/ids   (this is necessary for xauth to work)
$ /usr/bin/X11/xauth
Using authority file /home/ids/.
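The script below is an added example, not part of the guide, for the cookie hand-off this procedure performs: it reads "xauth list" output as shown above (the cookie listing reuses the display numbers and cookie values from the guide's sample), picks the MIT-MAGIC-COOKIE-1 entry for the display number in the ids user's forwarded DISPLAY, and builds the xauth add command the ids user then runs against its own authority file. The function names are ours; as the guide notes, HOME must be set for xauth to find that file.

```shell
# Added example (not from the HP-UX HIDS guide): select the X authority cookie
# for the forwarded DISPLAY from "xauth list" output and build the "xauth add"
# command that lets the ids user open the System Manager GUI on that display.

# "xauth list" output from root's authority file, as shown in the guide.
SAMPLE_XAUTH='remotesys:10  MIT-MAGIC-COOKIE-1  9533074095e317c40503821e41839941
remotesys:11  MIT-MAGIC-COOKIE-1  313a43a83192f719535e5b054fc26ac5
remotesys:12  MIT-MAGIC-COOKIE-1  2b4c68632e0310c2867e42c649f3d9f6'

# Display number from a DISPLAY value such as x.x.x.x:10.0 or :12 (prints 10 or 12).
display_number() {
    printf '%s\n' "$1" | sed -n 's/^[^:]*:\([0-9][0-9]*\).*/\1/p'
}

# Cookie for display number $2 in the xauth listing $1; prints nothing if absent.
cookie_for_display() {
    printf '%s\n' "$1" | awk -v num="$2" '
        { split($1, parts, ":")
          if (parts[2] == num && $2 == "MIT-MAGIC-COOKIE-1") print $3 }'
}

# Build the command the ids user runs to add the cookie to its own authority
# file. The screen suffix (.0) is dropped: authority entries are per display.
xauth_add_command() {
    listing="$1"
    display="$2"
    num=$(display_number "$display")
    cookie=$(cookie_for_display "$listing" "$num")
    if [ -z "$cookie" ]; then
        printf 'no cookie for display %s in xauth list\n' "$display" >&2
        return 1
    fi
    disp_base=$(printf '%s\n' "$display" | sed 's/^\([^:]*:[0-9]*\).*/\1/')
    printf 'xauth add %s MIT-MAGIC-COOKIE-1 %s\n' "$disp_base" "$cookie"
}

# Stand-alone usage: the DISPLAY value from the guide's session.
xauth_add_command "$SAMPLE_XAUTH" "x.x.x.x:10.0"
```

In practice, root captures the listing with xauth list before switching users, and the ids user runs the printed command after export HOME=/home/ids. Copying only the one cookie that matches the forwarded display, rather than the whole authority file, keeps the other sessions' cookies out of the ids user's file.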
Appendix H
HP Software License
Attention

USE OF THE HP-UX HOST INTRUSION DETECTION SYSTEM AND ASSOCIATED DOCUMENTATION (COLLECTIVELY, THE "SOFTWARE") IS SUBJECT TO THE HP SOFTWARE LICENSE TERMS SET FORTH BELOW. USING THE SOFTWARE INDICATES YOUR ACCEPTANCE OF THESE LICENSE TERMS. IF YOU DO NOT ACCEPT THESE LICENSE TERMS, YOU MAY RETURN THE SOFTWARE FOR A FULL REFUND. IF THE SOFTWARE IS BUNDLED WITH ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE UNUSED PRODUCT FOR A FULL REFUND.
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.
 *    The word 'cryptographic' can be left out if the routines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from
 *    the apps directory (application code) you must include an
 *    acknowledgement:
 *    "This product includes software written by Tim Hudson
 *    (tjh@cryptsoft.
HP Software License Terms

The following License Terms govern your use of the accompanying Software.

License Grant. HP grants you a license to Use one copy of the Software. "Use" means storing, loading, installing, executing or displaying the Software. You may not modify the Software or disable any licensing or control features of the Software.
Disclaimer. TO THE EXTENT ALLOWED BY LOCAL LAW, THE SOFTWARE IS PROVIDED TO YOU "AS IS" AND WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, WHETHER ORAL OR WRITTEN, EXPRESS OR IMPLIED. HP SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OF A THIRD PARTY'S INTELLECTUAL PROPERTY. Applicable law may not allow the exclusion of implied warranties, so the above exclusion may not apply to you.