HP-UX Host Intrusion Detection System Release 3.0 Release Notes
HP-UX 11i v2, 11i v1.6, and 11i v1
Manufacturing Part Number: J5083-90015
November 2004
Printed in U.S.A.
© Copyright 2004 Hewlett-Packard Development Company L.P.
-
Legal Notices
The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.
-
Trademarks
UNIX is a registered trademark of The Open Group. Java is a US trademark of Sun Microsystems, Inc. MS-DOS and Microsoft are U.S. registered trademarks of Microsoft Corporation. OSF/Motif is a trademark of The Open Group. X Window System is a trademark of The Open Group.
Revision History
This document’s printing date and part number indicate its edition. The printing date changes when a new edition is printed.
-
Conventions
We use the following typographical conventions.
audit (5)
    An HP-UX manpage. audit is the name and 5 is the section in the HP-UX Reference. On the web and on the Instant Information CD, it may be a hot link to the manpage itself. From the HP-UX command line, you can enter “man audit” or “man 5 audit” to view the manpage. See man (1).
Book Title
    The title of a book. On the web and on the Instant Information CD, it may be a hot link to the book itself.
KeyCap
    The name of a keyboard key.
-
Contents
1. Announcement
    New and Changed Features
        What’s New in Release 3.0
        Compatibility with Previous Releases
        Compatibility with Other Products
-
Contents
A. HP Software License
    Attention
        LICENSE ISSUES
        OpenSSL License
        Original SSLeay License
-
1 Announcement
The HP-UX Host Intrusion Detection System Release 3.0 Release Notes describes the new features, fixes, limitations, and known issues in the HP-UX Host Intrusion Detection System (HP-UX HIDS) Release 3.0. HP-UX HIDS Release 3.0 is a major product release, which provides improved product performance and incorporates several usability enhancements.
-
New and Changed Features
HP-UX HIDS Release 3.0 runs on HP-UX 11i v2, 11i v1.6, and 11i v1. It is available in the installation bundles for HP-UX 11i v2, in the Operating Environment bundles for HP-UX 11i v1, in the Application Releases, and from the HP Software Depot. In this document, “11i” unqualified encompasses all the supported 11i versions.
What’s New in Release 3.
-
System Manager and the adminSchedConvert migration tool (see “The adminSchedConvert Migration Tool” on page 31) to convert text schedule files used by the idsadmin command. HP recommends that you upgrade all systems to Release 3.0.
NOTE You cannot directly migrate HP-UX HIDS Release 1.0 schedules to HP-UX HIDS Release 3.0 schedules. You must first migrate to HP-UX HIDS Release 2.2 schedules and then migrate to HP-UX HIDS Release 3.0 schedules.
-
What Is HP-UX HIDS?
HP-UX HIDS is a host-based HP-UX security product for HP computers running HP-UX 11i. HP-UX HIDS enables security administrators to proactively monitor, detect, and respond to attacks targeted at specific hosts. Since there are many types of attacks that can bypass network-based detection systems, HP-UX HIDS complements existing network-based security mechanisms, bolstering enterprise security.
-
Benefits
• HP-UX HIDS is an HP-UX intrusion detection product that can enhance local host-level security within your network. It does this by automatically monitoring each configured host system within the network for possible signs of unwanted and potentially damaging intrusions. If successful, such intrusions can lead to the loss of availability of key systems or compromise system integrity.
-
Documentation
HP-UX HIDS documentation includes Manuals, Manpages, information on the HP OpenView SMART Plug-In, an IDS Mailing List, and the ITRC Security Forum.
Manuals
The following documents are available at the HP Technical Documentation website in the Internet and Security Solutions collection, http://docs.hp.com/hpux/internet, and on the Instant Information CD in the Internet and Security Solutions collection.
HP Part No.
-
IDS Mailing List
To receive the latest news about HP-UX HIDS, send an e-mail message to majordomo@hpuxmail.cup.hp.com. The body of the message should contain only:
    subscribe ids9000-news
This address is for subscription requests only; do not send product questions or other inquiries. To unsubscribe, send the message:
    unsubscribe ids9000-news
ITRC Security Forum
Get help from your peers in the HP Information Technology Resource Center (ITRC) security forum.
-
Known Problems, Limitations, and Fixes
For a current and complete list of HP-UX HIDS problems and their fixes, see the Technical Knowledge Database on the HP IT Resource Center websites:
    http://us-support.external.hp.com for Americas/Asia-Pacific customers
    http://europe-support.external.hp.com for European customers
The Technical Knowledge Database is available to customers with support contracts.
-
Problem: The Creation of Setuid File template creates an alert with the wrong severity level
When an empty setuid file is created using the mknod() system call, the setuid template incorrectly reports an alert with severity 3 instead of severity 1.
-
• Regular expressions that contain escaped square bracket ([ or ]), or angle bracket (< or >) characters.
• Regular expressions that contain special patterns, such as , <@>.
• Regular expressions that contain the expression group [....], the OR operator with the expression group [...|...], or the NOT operator with the regular expression .
-
Fixes: Enhanced Default Tuning of Templates to Improve Alert Reduction
All product templates have been rewritten and fine-tuned to detect intrusions, resulting in the consolidation of two templates and the introduction of new template properties.
-
2 Installation
IMPORTANT Read this entire chapter before installing, or updating to, HP-UX HIDS release 3.0.
-
Introduction
Release 3.0 of HP-UX HIDS is available from three sources.
• As a depot directory on the server Operating Environment media, beginning with HP-UX 11i v2 and OEUR 2005 (HP-UX 11i v1). HP-UX HIDS is a selectable product on the OE media, and you may install it at system install/update time, or at a later time using these instructions.
• As a depot directory on an Application Release CD, beginning with 2005 (HP-UX 11i).
-
Table 2-2 Software to Install (Continued)
Software    Evaluation or Dual System    Agent System    Administration System
IDS-KERN    YES                          YES             NO
-
Installation Summary
IMPORTANT Read this entire chapter before installing, or updating to, HP-UX HIDS, release 3.0.
The sections that follow provide step-by-step instructions for updating to or cold-installing HP-UX HIDS release 3.0. This section provides a summary of the tasks. In addition to these Release Notes, you will need the HP-UX Host Intrusion Detection System Administrator’s Guide Software Release 3.0 for information on configuration and initial startup.
-
Hardware and Software Requirements
Check that your systems meet the requirements for installing HP-UX HIDS.
Administration and Agent Systems
For each administration and agent system:
• You must be running HP-UX 11i v1, 11i v1.6, or 11i v2. To check, enter:
    uname -r
  It will display B.11.11, B.11.22, or B.11.23, respectively.
• The system must be at least a PA-RISC system for HP-UX 11i v1 or Itanium-based for HP-UX 11i v1.6 and 11i v2.
-
When Updating from Release 2.x
HP-UX HIDS software release 3.0 is not backward compatible with any 2.x releases. The Release 3.0 system manager cannot manage Release 2.x agents and vice versa. Release 2.x communication keys and certificates are recognized and valid in Release 3.0, and new keys and certificates need not be generated after migrating to Release 3.0.
-
Pre-Installation
HP recommends that you stop the idsagent before upgrading to HP-UX HIDS Release 3.0.
IMPORTANT We recommend that you make a full backup of all administration and agent systems before you install HP-UX HIDS. Installation on agent systems requires a kernel rebuild (automatic) and reboot.
-
Making Depots
It is a good idea to gather the various pieces of software into depots that you can use with the swinstall command. These instructions tell you how to prepare three combination depots. You will need at most three of them: one administration depot and one or two agent depots. The three depots are described in Table 2-3.
-
NOTE If you have installed any software updates, some of these patches may already be present on your systems. You can first install the HP-UX HIDS software and run the /opt/ids/bin/IDS_checkInstall command to check the patches that you do not need to download. If you attempt to install a patch that is already there, the swinstall command will note that fact and just install the other patches.
Step 1.
-
Patches Required for HP-UX 11i
The patch listed in Table 2-4 must be installed on all HP-UX 11i v1 (PA) systems that will run the HP-UX HIDS agent software.
NOTE These patches are necessary for HP-UX 11i v1 (PA systems). They do not apply to HP-UX 11i v1.6 or 11i v2 (Itanium-based systems). You must install all the patches before or at the same time you install HP-UX HIDS on HP-UX 11i v1.
-
Get the HP-UX HIDS Product
HP-UX HIDS release 3.0 for HP-UX 11i is available online from the HP Software Depot as of December 2004, as well as various Application Release and Operating Environment media updates starting in 2005.
From the HP-UX 11i v2 System Release
See the HP-UX 11i Version 2 Installation and Update Guide for information on installing HP-UX HIDS with a system installation or update.
-
a. Locate the HP-UX 11i Application Release CD or HP-UX 11i Operating Environment CD that contains the HPUX-HIDS product bundle and load it into your CD reader. We’ll assume it’s mounted on /SD_CDROM.
b. 11i Agent Depot
   If any of your agent systems is running HP-UX 11i, copy the 11i IDS-KERN product and IDS agent subproducts into the ids_11i_agent depot:
       # swcopy -s /var/tmp/idsprod/HPUX-HIDS_11i.depot IDS-KERN IDS.IDS-AGT-RUN \
           IDS.IDS-ENG-A-MAN @ /var/depot/ids_11i_agent
c.
-
Get Patches for Java
Step 1. Log in as superuser (root) on the depot system; see “Create the Depot Directory” on page 20.
Step 2. Create a directory where you can save the patches and make a depot. We’ll use /var/tmp/javapatch.
Step 3. Open the HP Java web site http://www.hp.com/go/java.
Step 4. Click on the link patches.
Step 5. Take note of the list of patches that you need, based on your administration system; that is, the HP-UX 11i set.
Step 6.
-
Step 5. Choose the SDK or RTE 1.3.1 version.
Step 6. Using the instructions on the web site, download the software, for example, to /var/tmp/sdk_13101os11.depot.
Step 7. Transfer the software to the administration depot using one of the following steps.
a. 11i Admin Depot
   If your administration system is running HP-UX 11i and will not be running an agent, copy the 11i Java software into the ids_11i_admin depot:
       # swcopy -s /var/tmp/sdk_13101os11.
-
IMPORTANT You cannot install OpenSSL A.00.09.07-d on a system containing the Internet Express OpenSSL 0.9.7c software. If the Internet Express OpenSSL 0.9.7c software is installed on your system, you must remove the Internet Express OpenSSL 0.9.7c software before installing OpenSSL A.00.09.07-d.
On HP-UX 11i v1 systems that do not contain the /dev/random file, OpenSSL automatically uses prngd to generate random numbers.
-
Installing the Depots
CAUTION If you choose not to follow the installation instructions in this section, it is vitally important that you install the required kernel patches before you install the HP-UX HIDS software. Do not reinstall any patches without consulting HP Support first.
NOTE In the commands below, swinstall will not reinstall any patches or software that are already installed. You can ignore messages to that effect.
-
Will Installing HP-UX HIDS Release 3.0 Reboot My Agent System?
The installation scripts for HP-UX HIDS try to avoid unnecessary system reboots. However, in some circumstances, a system reboot may be required. Those circumstances are (in order of priority):
1. If the Reinstall Filesets option is selected in the graphical interface to swinstall, all HP-UX HIDS filesets will be installed, and a system reboot will occur.
2.
-
Post-Installation
• When an agent system reboots after an upgrade from HP-UX HIDS version 2.x to version 3.0, the “HP-UX Startup in progress” list should display “OK” for the “Starting HP-UX HIDS agent” entry.
• When an agent system reboots after a cold installation, the “HP-UX Startup in progress” list should display “N/A” for the “Starting HP-UX HIDS agent” entry.
-
If the schedule fails to be activated successfully after 3.0 conversion, the failure is probably due to the limitation described on p10 with the title “The adminSchedConvert Migration Tool” on page 31. If successful, reset the "File modification template" to its prescanned default and add custom changes to it manually.
The adminSchedConvert Migration Tool
Delivered as: /opt/ids/bin/adminSchedConvert
Usage: /opt/ids/bin/adminSchedConvert [file_1] [file_2] ...
-
Configuration
Once you have installed or updated your HP-UX HIDS software, you need to complete the configuration with the required and optional steps that are described in “Chapter 2: Configuration” of HP-UX Host Intrusion Detection System Administrator’s Guide Software Release 3.0. The following is an annotated list of some of the sections in the chapter.
Required
Before you can run HP-UX HIDS, you must complete the following configuration step.
-
Appendix A HP Software License
-
Attention
USE OF THE HP-UX HOST INTRUSION DETECTION SYSTEM AND ASSOCIATED DOCUMENTATION (COLLECTIVELY, THE "SOFTWARE") IS SUBJECT TO THE HP SOFTWARE LICENSE TERMS SET FORTH BELOW. USING THE SOFTWARE INDICATES YOUR ACCEPTANCE OF THESE LICENSE TERMS. IF YOU DO NOT ACCEPT THESE LICENSE TERMS, YOU MAY RETURN THE SOFTWARE FOR A FULL REFUND. IF THE SOFTWARE IS BUNDLED WITH ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE UNUSED PRODUCT FOR A FULL REFUND.
-
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ‘‘AS IS’’ AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.
-
 * The word ’cryptographic’ can be left out if the rouines from the library
 * being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from
 * the apps directory (application code) you must include an
 * acknowledgement:
 * "This product includes software written by Tim Hudson
 * (tjh@cryptsoft.
-
HP Software License Terms
The following License Terms govern your use of the accompanying Software.
License Grant. HP grants you a license to Use one copy of the Software. "Use" means storing, loading, installing, executing or displaying the Software. You may not modify the Software or disable any licensing or control features of the Software.
-
Disclaimer. TO THE EXTENT ALLOWED BY LOCAL LAW, THE SOFTWARE IS PROVIDED TO YOU "AS IS" AND WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, WHETHER ORAL OR WRITTEN, EXPRESS OR IMPLIED. HP SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OF A THIRD PARTY’S INTELLECTUAL PROPERTY. Applicable law may not allow the exclusion of implied warranties, so the above exclusion may not apply to you.