HP-UX Host Intrusion Detection System Release 3.1 Release Notes

HP-UX 11i v2, 11i v1.6, and 11i v1

Manufacturing Part Number: 5991-1161
May 2005

Printed in United States
© Copyright 2005 Hewlett-Packard Development Company, L.P.
Legal Notices

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Printed in the US. Confidential computer software. Valid license from HP required for possession, use or copying.
Revision History

This document’s printing date and part number indicate its edition. The printing date changes when a new edition is printed. (Minor corrections and updates that are incorporated at reprint do not cause the date to change.) New editions of this manual incorporate all material updated since the previous edition.

5991-1161    May 2005, Software Release 3.1.
J5083-90015  November 2004. Software Release 3.0.
J5083-90012  September 2003. Software Release 2.2.
J5083-90008  June 2002. Software Release 2.1.
J5083-90006  December 2001. Software Release 2.0.
J5083-90004  March 2001. Software Release 1.0. Revised.
J5083-90002  July 2000. Software Release 1.0.

Conventions

We use the following typographical conventions:

audit (5)    An HP-UX manpage. audit is the name and 5 is the section in the HP-UX Reference.
...          The preceding element can be repeated an arbitrary number of times.
|            Separates items in a list of choices.
1 Announcement

The HP-UX Host Intrusion Detection System Release 3.1 Release Notes describes the feature changes, fixes, limitations, and known issues in the HP-UX Host Intrusion Detection System (HP-UX HIDS) Release 3.1. HP-UX HIDS Release 3.1 is a maintenance product release that mainly provides defect fixes and a few enhancements.
What Is HP-UX HIDS?

HP-UX HIDS is a host-based HP-UX security product for HP computers running HP-UX 11i. HP-UX HIDS enables security administrators to proactively monitor, detect, and respond to attacks targeted at specific hosts. Because many types of attacks can bypass network-based detection systems, HP-UX HIDS complements existing network-based security mechanisms, bolstering enterprise security.
Compatibility with Previous Releases

HP-UX HIDS Release 3.1 software is compatible with Release 3.0 and is not backward compatible with Release 2.0, 2.1, 2.2 (collectively referred to as 2.x henceforth) and 1.0. Specifically, HIDS Release 3.1 agents and GUI cannot communicate with 2.x and 1.0 agents and GUI. This means that 2.x and 1.0 agents cannot be managed by the 3.1 system manager GUI, and vice versa. Release 2.
Compatibility with Other Products

HP-UX HIDS is not compatible with all HP software products (see Table 1-1). Do not run HP-UX HIDS on systems that are running unsupported products (or vice versa).

Table 1-1 HP-UX HIDS Product Compatibility

Product            Supported?
HP-UX 11i v2       Yes
HP-UX 11i v1.6     Yes
HP-UX 11i v1.5     No
HP-UX 11i v1       Yes
HP-UX 11.0         No
HP-UX 10.26        No
HP-UX 10.
Localization

The HP-UX HIDS software and documentation are not localized in non-English languages.
Benefits

The HP-UX HIDS intrusion detection product offers the following benefits:

• Automatically monitors each configured host system within the network for possible signs of unwanted and potentially damaging intrusions.
• Provides continuous surveillance against the inappropriate system usage that is characteristic of hacker break-in attempts, subversive inside activities, and viruses.
Documentation

HP-UX HIDS documentation includes manuals, manpages, information on the HP OpenView SMART Plug-In, an IDS Mailing List, and the ITRC Security Forum.

Manuals

The following documents are available at the HP Technical Documentation Website in the Internet and Security Solutions collection, http://docs.hp.com/hpux/internet, and on the Instant Information CD in the Internet and Security Solutions collection.

HP Part No.
HP OpenView SMART Plug-In

The following document is available at the HP OpenView Web site in the SPI Gallery at http://openview.hp.com/products/spi/index.html.

HP Part No.
IDS Mailing List

To receive the latest news about HP-UX HIDS, send an email message to majordomo@hpuxmail.cup.hp.com. Include only the following line in the body of the message:

    subscribe ids9000-news

This address is for subscription requests only; do not send product questions or other inquiries. To unsubscribe, send the message:

    unsubscribe ids9000-news

ITRC Security Forum

Get help from your peers in the HP Information Technology Resource Center (ITRC) Security Forum.
New and Changed Features

HP-UX HIDS Release 3.1 runs on HP-UX 11i v2, 11i v1.6, and 11i v1. It is available in the installation bundles for HP-UX 11i v2, in the Operating Environment bundles for HP-UX 11i v1, in the Application Releases, and from the HP Software Depot. In this document, “11i” unqualified encompasses all the supported 11i versions.

Release 3.1 Highlights

HP-UX HIDS Release 3.
Known Problems, Limitations, and Fixes

For a current and complete list of HP-UX HIDS problems and their fixes, refer to the Technical Knowledge Database on the HP IT Resource Center Websites:

http://us-support.external.hp.com for Americas/Asia-Pacific customers
http://europe-support.external.hp.com for European customers

The Technical Knowledge Database is available to customers with support contracts.
Limitations

Predefined Schedules and Groups are not Clearly Marked

The predefined (read-only) surveillance schedules and groups are not well distinguished in the System Manager screens. You are allowed to modify them for the purpose of creating a new schedule, but you cannot save the modified schedule or group over the original predefined schedule or group.
Granularity of sulog Entries

You should specify a multiple of 60 seconds in the fail_interval template property of the Repeated Failed su Commands template because sulog entries are time stamped with a granularity of minutes and not seconds.
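
The effect of minute-granular timestamps on a time window, as an added example (not HP-UX HIDS code): a simplified sliding-window count over constructed sulog lines. The line layout, the threshold parameter and the window logic are assumptions; only the fail_interval name comes from the template described above.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the assumed sulog layout:
# "SU MM/DD HH:MM <+|-> tty fromuser-touser"  ('-' marks a failed attempt)
SAMPLE_SULOG = """\
SU 05/12 14:03 - ttyp1 alice-root
SU 05/12 14:04 - ttyp1 alice-root
SU 05/12 14:05 - ttyp1 alice-root
SU 05/12 14:05 + ttyp2 bob-root
SU 05/12 14:20 - ttyp3 carol-root
SU 05/12 14:20 - ttyp3 carol-root
SU 05/12 14:20 - ttyp3 carol-root
"""

def parse_failures(text, year=2005):
    """Yield (timestamp, from_user) for each failed su entry.

    sulog lines carry no year and no seconds; `year` is an assumed parameter.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] != "SU" or fields[3] != "-":
            continue  # skip successful attempts and malformed lines
        ts = datetime.strptime(f"{year}/{fields[1]} {fields[2]}", "%Y/%m/%d %H:%M")
        yield ts, fields[5].split("-", 1)[0]

def repeated_failures(text, fail_interval, threshold=3):
    """Return users with >= threshold failures spanning <= fail_interval seconds.

    `threshold` is a hypothetical parameter, not a documented template property.
    """
    windows = defaultdict(deque)
    flagged = set()
    for ts, user in parse_failures(text):
        win = windows[user]
        win.append(ts)
        # Drop entries that fall outside the window ending at this failure.
        while (ts - win[0]).total_seconds() > fail_interval:
            win.popleft()
        if len(win) >= threshold:
            flagged.add(user)
    return sorted(flagged)

def effective_interval(fail_interval):
    """Logged timestamps differ by whole minutes, so only multiples of 60 matter."""
    return (fail_interval // 60) * 60
```

With this sample, a fail_interval of 119 behaves exactly like 60 and misses the three failures logged in consecutive minutes, while 120 catches them.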
Default Property Values Need to be Changed

The default properties for some of the templates are not valid, so the default properties have been changed in the current release.

BO Template does not Display Pathname that Executed on Stack

When a stack buffer overflow event is produced by the kernel, it does not contain the given or derived name of the executable that attempted to execute on its stack.
2 Installation

IMPORTANT  Read this entire chapter before installing or updating to HP-UX HIDS Release 3.1.
Introduction

Release 3.1 of HP-UX HIDS is available from the following sources.

• As a depot directory on the server Operating Environment media, beginning with HP-UX 11i v2 and OEUR 2005 (HP-UX 11i v1). HP-UX HIDS is a selectable product on the OE media, and you may install it then or at a later time using the instructions in this chapter.
• As a depot directory on an Application Release CD, beginning with 2005 (HP-UX 11i).
Table 2-2 Software to Install (Continued)

Software                                Evaluation or Dual System   Agent System   Administration System
IDS.IDS-ADM-RUN and IDS.IDS-ADM-SHLIB   YES                         NO             YES
IDS.IDS-ENG-A-MAN                       YES                         YES            YES
HP-UX-required kernel patches           YES                         YES            NO
Java JRE 1.3.
Installation Summary

IMPORTANT  Read this entire chapter before installing or updating to HP-UX HIDS Release 3.1.

The sections that follow provide step-by-step instructions for updating to or cold-installing HP-UX HIDS Release 3.1. This section provides a summary of the tasks. In addition to these Release Notes, you will need the HP-UX Host Intrusion Detection System Administrator’s Guide Software Release 3.1, for information on configuration and initial startup.

Step 1.
Hardware and Software Requirements

Check that your systems meet the requirements for installing HP-UX HIDS.

Administration and Agent Systems

Each administration and agent system must meet the following requirements:

• You must be running HP-UX 11i v1, 11i v1.6, or 11i v2. To check, enter:

    uname -r

  It will display B.11.11, B.11.22, or B.11.23, respectively.
• For HP-UX 11i v1, you must have certain patches for both the operating system and the kernel audit system. Patch installation is part of these installation instructions.
• The cron daemon must be enabled. Refer to cron(1M) for more information.
• Virtual memory usage by the idscor process can be as high as 200 M. You might need to increase the maxdsiz tunable parameter for your system.
When Updating from Release 2.x

HP-UX HIDS Software Release 3.1 is not backward compatible with any 2.x releases. The Release 3.1 System Manager cannot manage Release 2.x agents, and vice versa. Release 2.x communication keys and certificates are recognized and valid in Release 3.1 and you do not need to generate new keys and certificates after migrating to Release 3.1.
Preinstallation

HP recommends that you stop the idsagent before upgrading to HP-UX HIDS Release 3.1.

IMPORTANT  HP recommends that you make a full backup of all administration and agent systems before you install HP-UX HIDS. Installation on agent systems requires a kernel rebuild (automatic) and reboot.
Making Depots

It is a good idea to gather the various pieces of software into depots that you can use with the swinstall command. These instructions tell you how to prepare three combination depots. You will need at most three of them: one administration depot and one or two agent depots. The three depots are described in Table 2-3.
Table 2-3 Software Depots (Continued)

Depot:     11i Agent Depot
           /var/depot/ids_11i_agent
           For an HP-UX 11i system supporting the HP-UX HIDS agent software
Contents:  Required system patches
           IDS.IDS-AGT-RUN subproduct
           IDS.IDS-ENG-A-MAN subproduct
           IDS-KRN subproduct

Create the Depot Directory

Step 1. Log in as superuser (root) on a system where you can build a software depot. The current or intended HP-UX HIDS administration system is a good choice.

Step 2.
http://itrc.hp.com,

Step 4. Click the link individual patches.

NOTE  You must be registered before you can download patches.

Step 5. Using the instructions on the Web site, download the patches listed in Table 2-4 on page 31 into /var/tmp/idspatch_11i.

NOTE  Note the following:

• Some patches might have dependency patches: patches that must be installed first. Click the dependency links and download the dependency patches, too.
• Some patches might be superseded.
Patches Required for HP-UX 11i

You must install the patch listed in Table 2-4 on all HP-UX 11i v1 PA-RISC systems that will run the HP-UX HIDS agent software.

NOTE  These patches are necessary for HP-UX 11i v1 PA-RISC systems. They do not apply to HP-UX 11i v1.6 or 11i v2 systems.
Get the HP-UX HIDS Product

HP-UX HIDS Release 3.1 for HP-UX 11i is available on line from the HP Software Depot as of December 2004, and from various Application Release and Operating Environment media updates starting in 2005.

From the HP-UX 11i v2 System Release

Refer to the HP-UX 11i Version 2 Installation and Update Guide for information on installing HP-UX HIDS with a system installation or update.
If your administration system is running HP-UX 11i and will be running an agent, copy the entire 11i product into the ids_11i_admin+agent depot:

    # swcopy -s /var/tmp/idsprod/HPUX-HIDS_11i.depot \* \
        @ /var/depot/ids_11i_admin+agent

From an Application Release CD or an Operating Environment CD

Step 1. Log in as superuser (root) on the depot system; see “Create the Depot Directory” on page 29.

Step 2.
Get Patches for Java

Step 1. Log in as superuser (root) on the depot system; see “Create the Depot Directory” on page 29.

Step 2. Create a directory in which you can save the patches and make a depot. This procedure uses /var/tmp/javapatch.

Step 3. Open the HP Java Web site: http://www.hp.com/go/java,

Step 4. Click on the link patches.

Step 5. Take note of the patches that you need, based on your administration system.

Step 6. Open the HP Support Web site: http://itrc.hp.
    # sh -c 'for i in /var/tmp/javapatch/PH*.depot; do swcopy \
        -s $i \* @ /var/depot/ids_11i_admin+agent; done'

Get the Java Software

Step 1. Log in as superuser (root) on the depot system; see “Create the Depot Directory” on page 29.

Step 2. Open the HP Java Web site: http://www.hp.com/go/java,

Step 3. Click the link SDK and RTE 1.3.1.

Step 4. Click the link downloads.

Step 5. Choose the SDK or RTE 1.3.1 version.

Step 6.
Step 2. Insert the software CD into the appropriate drive if you are installing from the Application Software CD. If you are downloading the software package from http://www.software.hp.com, download the depot and follow the instructions provided in the installation page of the OpenSSL software.

Step 3. Run the following command to install the OpenSSL software:

    # swinstall -s OpenSSL

Step 4.
Installing the Depots

CAUTION  You must install the required kernel patches before you install the HP-UX HIDS software. Do not reinstall any patches without consulting HP Support first.

NOTE  In the following procedure, swinstall does not reinstall any patches or applications that are already installed. You can ignore messages to that effect. The software you need will be installed properly.
Step 4. On each of your agent systems, install one of the agent software depots described in “Making Depots” on page 28, as follows:

a. Log in as superuser (root) on each HP-UX HIDS agent system.
b. Make sure you are the only user on the system; the installation will require a reboot.
c.
Will Installing HP-UX HIDS Release 3.1 Reboot My Agent System?

The installation scripts for HP-UX HIDS try to avoid unnecessary system reboots. However, in some circumstances, a system reboot might be required. Those circumstances are (in order of priority):

1. If you choose the Reinstall Filesets option in the graphical interface to swinstall, all HP-UX HIDS filesets will be installed, and a system reboot will occur.
2.
Postinstallation

• When an agent system reboots after an upgrade from HP-UX HIDS Release 2.x to Release 3.1, the HP-UX startup in progress list should display OK for the Starting HP-UX HIDS agent entry.
• When an agent system reboots after a cold installation, the HP-UX startup in progress list should display N/A for the Starting HP-UX HIDS agent entry.
NOTE  Back up the original schedules and groups files before installing or updating to Release 3.1 and running the migration tool.

After installing or updating to the new Release 3.1 HIDS software, invoke the tool in one of the following ways (before starting the idsgui process):

    $ /opt/ids/bin/guiSchedConvert

Or

    $ /opt/ids/bin/guiSchedConvert /opt/java1.3/bin/java

If the schedule fails to be activated successfully after 3.
Configuration

After you have installed or updated your HP-UX HIDS software, you need to complete the configuration with the required and optional steps that are described in Chapter 2 of HP-UX Host Intrusion Detection System Administrator’s Guide, Software Release 3.0. The following is an annotated list of some of the sections in Chapter 2 of that guide.
If you use NIS, you must configure the NIS master system.
A HP Software License
Attention

USE OF THE HP-UX HOST INTRUSION DETECTION SYSTEM AND ASSOCIATED DOCUMENTATION (COLLECTIVELY, THE "SOFTWARE") IS SUBJECT TO THE HP SOFTWARE LICENSE TERMS SET FORTH BELOW. USING THE SOFTWARE INDICATES YOUR ACCEPTANCE OF THESE LICENSE TERMS. IF YOU DO NOT ACCEPT THESE LICENSE TERMS, YOU MAY RETURN THE SOFTWARE FOR A FULL REFUND. IF THE SOFTWARE IS BUNDLED WITH ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE UNUSED PRODUCT FOR A FULL REFUND.
 *    in the documentation and/or other materials provided with the distribution.
 *
 * 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4.
Original SSLeay License

/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are adhered to.
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ‘‘AS IS’’ AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR, PURPOSE
 * ARE DISCLAIMED.
HP Software License Terms

The following License Terms govern your use of the accompanying Software.

License Grant. HP grants you a license to Use one copy of the Software. "Use" means storing, loading, installing, executing or displaying the Software. You may not modify the Software or disable any licensing or control features of the Software.
Export Requirements. You may not export or re-export the Software or any copy or adaptation in violation of any applicable laws or regulations.

U.S. Government Restricted Rights. The Software and any accompanying documentation have been developed entirely at private expense. They are delivered and licensed as "commercial computer software" as defined in DFARS 252.227-7013 (Oct 1988), DFARS 252.211-7015 (May 1991) or DFARS 252.