Host Intrusion Detection System Administrator's Guide Release 3.1
Troubleshooting
Appendix G
253
— On the administration system, run the script
/opt/ids/bin/IDS_checkAdminCert. If the certificate has expired, rerun
/opt/ids/bin/IDS_genAdminKeys with the update parameter. See “Setting
Up the HP-UX HIDS Secure Communications” on page 20.
— On the agent system, run the script /opt/ids/bin/IDS_checkAgentCert. If
the certificate has expired, rerun /opt/ids/bin/IDS_genAgentCerts for the
agent on the administration system. Then reimport the certificates on the
agent system with /opt/ids/bin/IDS_importAgentKeys. See “Setting Up
the HP-UX HIDS Secure Communications” on page 20.
Normal operation of an application generates a heavy volume of alerts
❏ To avoid becoming overwhelmed with unnecessary alert generation, you will need to
customize the detection templates to meet the needs of your particular environment.
If you have an application that generates a heavy volume of alerts during its normal
mode of operation, you can reduce these alerts by adding filtering to the
relevant detection templates (most offer mechanisms by which such
spurious alerts can be suppressed).
❏ For example, a system with the Resource Management subsystem might trigger a
heavy volume of alerts since it frequently updates some files in /etc/opt/resmon.
You can go to the Schedule Manager and modify the “Modification of
files/directories” template to have it ignore the /etc/opt/resmon directory. (This
filtering is provided by default in HP-UX HIDS version 2.2.)
❏ See “Suggested Best Practices” on page 73.
Reflection X rlogin produces multiple login and logout alerts
When logging in using rlogin within Reflection X, the login/logout template will report
two login alerts followed immediately by a logout alert. This is expected behaviour and
reflects how Reflection X immediately terminates a login session after bringing up a
remote window.
Response Program gets an empty host name and/or IP address on 11i v1
On 11i v1, the response program arguments that contain the remote host
name and IP address of the attacker (see Appendix B, Table B-1 on page 190) can be
empty due to a corrupt wtmp file. To verify whether wtmp is corrupt, run the last command. If
the last command gets a segmentation violation, then wtmp is corrupt. To recreate
wtmp, execute the following commands as root:
• # rm -f /var/tmp/wtmp
• # touch /var/tmp/wtmp
• # chown adm:adm /var/tmp/wtmp
• # chmod 644 /var/tmp/wtmp
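The check-and-recreate procedure above, written as a small POSIX shell script. This is an added example, not part of the guide or of the HP-UX HIDS product: it treats a segmentation violation as the command exiting with status 139 (128 + SIGSEGV), and the wtmp path, owner and mode are parameters that default to the values the guide uses, so the functions can be exercised against a scratch file before being run as root against the real file.

```shell
#!/bin/sh
# Added example (not HP-UX HIDS code): detect a corrupt wtmp the way the guide
# describes (the `last` command crashing with a segmentation violation) and
# recreate the file with the ownership and mode the guide specifies.

# wtmp_is_corrupt [command...]
# Runs the given command (default: last) and returns success only if it was
# killed by SIGSEGV. POSIX shells report a signal death as 128 + signal
# number, and SIGSEGV is signal 11, hence 139. Passing the command as
# arguments rather than one string keeps quoting intact.
wtmp_is_corrupt() {
  if [ $# -eq 0 ]; then
    set -- last
  fi
  "$@" >/dev/null 2>&1
  [ $? -eq 139 ]
}

# recreate_wtmp [path] [owner:group] [mode]
# Recreates an empty wtmp exactly as the guide's four commands do.
# Defaults (/var/tmp/wtmp, adm:adm, 644) are the guide's values; callers
# can override them to test against a scratch file as an unprivileged user.
recreate_wtmp() {
  path=${1:-/var/tmp/wtmp}
  owner=${2:-adm:adm}
  mode=${3:-644}
  rm -f "$path" &&
    touch "$path" &&
    chown "$owner" "$path" &&
    chmod "$mode" "$path"
}

# check_and_repair_wtmp [path] [owner:group] [mode]
# Runs the check and repairs only when `last` actually crashes; a healthy
# wtmp is left untouched. Returns 0 if healthy, 2 if repaired, 1 on failure.
check_and_repair_wtmp() {
  if wtmp_is_corrupt last; then
    recreate_wtmp "$@" || return 1
    return 2
  fi
  return 0
}

# Usage as root on the affected system (assumed invocation, not from the guide):
#   . ./wtmp_check.sh && check_and_repair_wtmp
```

The repair deliberately does not run unless the crash is observed, because recreating wtmp discards the login history that `last` and the HIDS login/logout template rely on; an unconditional rm of the file would itself be a loss of audit data.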