HP-UX Host Intrusion Detection System Release 4.0 Release Notes
© Copyright 2007 Hewlett-Packard Development Company, L.P.

Legal Notices

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Printed in the U.S.A. Confidential computer software.
{}     The contents are required in formats and command descriptions. If the contents are a list separated by , you must choose one of the items.
...    The preceding element can be repeated an arbitrary number of times.
       Separates items in a list of choices.
Table of Contents

1 Announcement (page 9)
    What is HP-UX HIDS (page 9)
    Compatibility with Previous Releases (page 9)
    Compatibility with Other Products
    Introduction (page 19)
    Installation Summary (page 20)
    Hardware and Software Requirements (page 20)
    Administration and Agent Systems

List of Tables

1-1 HP-UX HIDS Product Compatibility (page 10)
2-1 Filesets of HIDS (page 19)
2-2 Software to Install (page 19)
2-3 Software Depots
2-4
2-5 Patch Required for HP-UX 11i v2 HIDS Agent Systems
2-6
1 Announcement

The HP-UX Host Intrusion Detection System Release 4.0 Release Notes describe new features, changes, enhancements, fixes, limitations, and known issues for Host Intrusion Detection System (HIDS) Release 4.0. HP-UX HIDS Release 4.0 is a major release that includes new features and enhancements.

What is HP-UX HIDS

HP-UX HIDS is a host-based HP-UX security product for HP computers running HP-UX 11i.
NOTE: You cannot directly migrate HP-UX HIDS Release 2.x schedules to HP-UX HIDS Release 4.0 schedules. You must first migrate Release 2.x schedules to Release 3.1 schedules and then upgrade to Release 4.0 schedules. For more information about migration, see “When Updating from Release 2.x” (page 21).

Compatibility with Other Products

HP-UX HIDS is not compatible with all HP software products; see Table 1-1 for the list of products that are supported.
Benefits

The HP-UX HIDS intrusion detection product offers the following benefits:

• Automatically monitors each configured host system within the network for possible signs of unwanted and potentially damaging intrusions.
• Provides continuous surveillance against inappropriate system usage, including attempts to break into or disrupt the system, modify system files and directories, or spread a virus.
Manuals

The following documents are available at the HP technical documentation Website in the Internet Security Solutions collection, http://docs.hp.com/en/internet, and on the Instant Information CD in the Internet and Security Solutions collection.

HP Part No.   Title
5991-6775     HP-UX Host Intrusion Detection System Release 4.0 Release Notes
5991-6776     HP-UX Host Intrusion Detection System Administrator's Guide, Software Release 4.0
IDS Mailing List

To receive the latest news about HP-UX HIDS, send an email message to majordomo@hpuxmail.cup.hp.com. Include only the following line in the body of the message:

subscribe ids9000-news

This address is for subscription requests only. Do not send product questions or other inquiries. To unsubscribe, send the message:

unsubscribe ids9000-news

ITRC Security Forum

Get help from your peers in the HP Information Technology Resource Center (ITRC) Security Forum. It is available at: http://forums.
Release 4.0 Highlights

HP-UX HIDS Release 4.0 contains the following new features, changes, and enhancements:

• HP-UX HIDS supports a new feature called alert aggregation that can significantly reduce the alert volume for a monitored system. When enabled, alerts that are generated by a process or a group of related processes are aggregated until the processes terminate or a certain amount of time elapses. Using this feature, the number of alerts can be reduced by up to 3 orders of magnitude.
Clarifications

Perform Updates Instead of Cold Reinstalls

HP-UX HIDS is designed to support updates. If you cold reinstall the newer version by first removing the older version (swremove), two reboots occur instead of one or possibly none, and some configuration data can be lost.

Do not Change Permissions

Do not change the permissions on files and directories owned by ids.
original predefined schedule or group. The program does not notify you that a predefined group was not saved when you click the Save button on the Schedule Manager screen.

Agents and Kernel Parameters

The administration System Manager can monitor up to 23 agent systems unless you make kernel parameter changes, as described in Chapter 2, “Configuring HP-UX HIDS,” in the Host Intrusion Detection System Administrator's Guide.
Release 4.0 Schedules that Contain Username Template Values Cannot be Run by Release 3.x Agents

Starting with v4.0, template properties that specify users accept both user names and user IDs. For example, users_to_ignore, users_to_monitor, priv_user_list, and user_pairs_to_ignore accept both user name and user ID values. HIDS v3.x supports only user IDs; therefore, v4.0 schedules that contain user name template values cannot be run by v3.x agents. The v4.
The idsagent Process Stops Logging Alerts When Running a Schedule with Multiple Groups

After running a schedule for several hours, the idsagent process stops logging alerts. The problem occurs when HIDS is running a schedule with surveillance groups that are not always running. This problem is fixed in the current release.

Memory Leak in idscor

The memory usage of the idscor process grows by several megabytes over a few days under heavy load. This problem is fixed in the current release.
2 Installation

This chapter provides information about HIDS installation.

IMPORTANT: Read this entire chapter before installing or updating to HIDS Release 4.0.

Introduction

Release 4.0 of HIDS is available from the following sources:

• As a depot directory on an Application Release CD for 11i and on OEUR for HP-UX 11i v2 (from March 2006 onwards) and HP-UX 11i v3.
• As a depot file you download from the HP Software Depot Website for HP-UX 11i, beginning from January 2006.
Table 2-2 Software to Install (continued)

Software                        Evaluation or Dual System   Agent System   Administration System
HP-UX required kernel patches   YES                         YES            NO
J2SE 5.0                        YES                         NO             YES
Java 5.0 patches                YES                         NO             YES
IDS-KRN                         YES                         YES            NO
OpenSSL                         YES                         YES            YES

Installation Summary

The following sections provide step-by-step instructions for updating to or cold-installing HIDS Release 4.0. This section provides a summary of the tasks.
# uname -r

It should display B.11.11, B.11.23, or B.11.31, respectively.

• The system must be running HP-UX 11i v1, HP-UX 11i v2, or HP-UX 11i v3.
• You must be a superuser to do the installation.

Administration System

The system on which you plan to install the administration software must meet the following requirements:

• You must have 26 MB of free disk space in /opt/ids and space for configuration files in /etc/opt/ids and log files in /var/opt/ids.
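The following preflight script is an added example and not part of HP's release notes or product; it checks the requirements just listed (a supported release string from uname -r, superuser privileges, and at least 26 MB free in /opt/ids) before an installation is attempted. The release strings and the 26 MB figure come from the text; the function names, the HIDS_PREFLIGHT switch and the bdf output line used as sample input are assumptions. On a real HP-UX system you would feed it the data line of `bdf /opt/ids` instead of the constructed sample.

```sh
#!/bin/sh
# Added example (not HP's script): preflight checks for the HIDS 4.0
# installation requirements. Release strings and the 26 MB figure are
# taken from the release notes; helper names are assumptions.

# Map an HP-UX release string (as printed by `uname -r`) to its 11i
# version name; fails for any release not supported by HIDS 4.0.
hids_release_name() {
    case "$1" in
        B.11.11) echo "HP-UX 11i v1" ;;
        B.11.23) echo "HP-UX 11i v2" ;;
        B.11.31) echo "HP-UX 11i v3" ;;
        *)       return 1 ;;
    esac
}

# $1 = one data line of `bdf <path>` output, $2 = required free space in MB.
# bdf reports sizes in KB; the fourth column is "avail". Succeeds when
# avail >= required, returns 2 if the line cannot be parsed.
hids_space_ok() {
    avail_kb=$(printf '%s\n' "$1" | awk '{print $4}')
    case "$avail_kb" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$avail_kb" -ge $(( $2 * 1024 )) ]
}

# The installation must be run by the superuser.
hids_is_superuser() {
    [ "$(id -u)" -eq 0 ]
}

# Constructed sample line; on HP-UX use: bdf /opt/ids | tail -n 1
SAMPLE_BDF_LINE="/dev/vg00/lvol5 1048576 524288 491520 52% /opt"

# Run all checks against the local system and report each one;
# returns non-zero if any requirement is not met.
hids_preflight() {
    rc=0
    rel=$(uname -r)
    if name=$(hids_release_name "$rel"); then
        echo "release $rel ($name): ok"
    else
        echo "release $rel: not supported by HIDS 4.0"; rc=1
    fi
    if hids_is_superuser; then
        echo "superuser: ok"
    else
        echo "superuser: no (the installation must be run as root)"; rc=1
    fi
    if hids_space_ok "$SAMPLE_BDF_LINE" 26; then
        echo "/opt/ids free space: ok"
    else
        echo "/opt/ids free space: less than 26 MB"; rc=1
    fi
    return $rc
}

# Usage: HIDS_PREFLIGHT=run sh hids_preflight.sh
case "${HIDS_PREFLIGHT:-}" in run) hids_preflight ;; esac
```

The space check is deliberately split from the call to bdf so the parsing can be exercised with a constructed line; replace SAMPLE_BDF_LINE with the real bdf output on the target system.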
Preinstallation

Before installing Release 4.0 on a system that has a previous version of HP-UX HIDS installed and running, HP recommends that you stop the idsagent process.

IMPORTANT: For systems that do not currently have any version of HP-UX HIDS installed, HP recommends that you make a full backup of all administration and agent systems before you install HP-UX HIDS. Installation on agent systems requires a kernel rebuild (automatic) and reboot.
Create the Depot Directory

1. Log in as superuser (root) on a system where you can build a software depot. The current or intended HP-UX HIDS administration system is a good choice.
2. If it does not exist, create the base directory for the depots as follows:

   # mkdir /var/depot

Get Patches for HP-UX 11i v1 and 11i v2

Perform this procedure only on agent systems running either HP-UX 11i v1 (PA-RISC) or 11i v2 (PA-RISC / Itanium-based).

NOTE: If you are running HIDS 4.
NOTE: Note the following:

• Some patches might have dependency patches, that is, patches that must be installed first. Click the dependency links and download the dependency patches as well.
• Some patches might be superseded. You can choose the patch listed in Table 2-4 (for HP-UX 11i v1), Table 2-5 (for HP-UX 11i v2), or the superseded patch.

6. Unpack the patch file sets into their separate depots:

   # sh -c 'for i in /var/tmp/idspatch_11i/PH*; do sh $i; done'

7.
Patch Required for HP-UX 11i v2

You must install the patch listed in Table 2-5 on all HP-UX 11i v2 PA-RISC and Itanium-based systems that will run the HIDS agent software.

Table 2-5 Patch Required for HP-UX 11i v2 HIDS Agent Systems

Patch        Description
PHKL_32800   s700_800 11.23 HIDS cumulative patch

IMPORTANT: You must install all the patches before or at the same time you install HIDS on HP-UX 11i v1 or HP-UX 11i v2.
Get the HP-UX HIDS Product

HP-UX HIDS Release 4.0 for HP-UX 11i v1, 11i v2, and 11i v3 is available from the HP Software Depot (http://software.hp.com) and on the AR CDs. HIDS Release 4.0 is also available on the HP-UX 11i v2 Operating Environment Update Release.

From the HP-UX 11i v2 System Release

Refer to the HP-UX 11i Version 2 Installation and Update Guide for information on installing HIDS with a system installation or upgrade.
3. Using the instructions on the Website, download the 11i product depot into /var/tmp/HP-UX HIDS_11i.depot.
4. Copy the HP-UX HIDS product to your administration and agent depots, as appropriate.
   a. • 11i Agent Depot: Copy the 11i IDS-KRN product and IDS agent subproducts into the ids_11i_agent depot:

        # swcopy -s /var/tmp/idsprod/HPUX-HIDS_11i.depot IDS-KRN IDS.IDS-AGT-RUN IDS.IDS-ENG-A-MAN @ /var/depot/ids_11i_agent

   b.
2. Do the following: Locate the HP-UX 11i Application Release CD that contains the HP-UX HIDS product bundle and load it into your CD reader. In this procedure it is mounted on /SD_CDROM.
   a. • 11i Agent Depot: Copy the 11i IDS-KRN product and IDS agent subproducts into the ids_11i_agent depot:

        # swcopy -s /SD_CDROM HPUX-HIDS.IDS-KRN HPUX-HIDS.IDS.IDS-AGT-RUN HPUX-HIDS.IDS.IDS-ENG-A-MAN @ /var/depot/ids_11i_agent

   b.
Get Patches for Java

1. Log in as superuser (root) on the depot system. See “Create the Depot Directory” (page 23).
2. Create a directory in which you can save the patches and make a depot. This procedure uses /var/tmp/javapatch.
3. Open the HP Java Website: http://www.hp.com/go/java
4. Click on the patches link.
5. Take note of the patches that you need, based on your administration system.
6. Open the HP Support Website: http://itrc.hp.com
7. Click on individual patches.
    # sh -c 'for i in /var/tmp/javapatch/PH*; do sh $i; done'

10. Copy the patch file sets into your administration depot using one of the following steps:
    a. • 11i Admin Depot: If your administration system will not be running an agent, copy the 11i Java patches into the ids_11i_admin depot:

         # sh -c 'for i in /var/tmp/javapatch/PH*.depot; do swcopy -s $i \* @ /var/depot/ids_11i_admin; done'

    b.
6. Using the instructions on the Website, download the software, for example, to /var/tmp/jre15_15001_1111.depot for 11i v1.
7. Transfer the software to the administration depot using one of the following steps:
   a. • 11i Admin Depot: If your administration system will not be running an agent, copy the 11i Java software into the ids_11i_admin depot:

        # swcopy -s /var/tmp/jre15_15001_1111.depot \* @ /var/depot/ids_11i_admin

   b.
3. Download the software to the /var/tmp/openssl.depot directory.
4. Transfer the software to the depot using one of the following steps:
   a. • 11i Agent Depot: Copy the OpenSSL software into the ids_11i_agent depot:

        # swcopy -s /var/tmp/openssl.depot \* @ /var/depot/ids_11i_agent

      • 11i Admin Depot: If your administration system is not running an agent, copy the OpenSSL software into the ids_11i_admin depot:

        # swcopy -s /var/tmp/openssl.depot \* @ /var/depot/ids_11i_admin

   b.
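The depot-building steps above (unpacking the PH* patch files, copying the IDS-KRN product and agent subproducts, the Java patches and software, and OpenSSL into the ids_11i_agent and ids_11i_admin depots) are gathered into one script below. It is an added example, not HP's script or part of the product: the depot names, software selections and /var/tmp paths are the ones used in the procedure, while the helper names, the environment overrides and the DRY_RUN behaviour are assumptions. With DRY_RUN=1 (the default) every command is printed instead of executed, so the sequence can be reviewed before anything touches /var/depot. The HIDS administration subproducts themselves (step 4b of the product procedure, which is not shown in full above) are not included.

```sh
#!/bin/sh
# Added example (not HP's script): build the ids_11i_agent and ids_11i_admin
# depots from the pieces gathered in the steps above. Paths and software
# selections follow the release notes; helper names and DRY_RUN are assumptions.
DEPOT_BASE=${DEPOT_BASE:-/var/depot}
DRY_RUN=${DRY_RUN:-1}
HIDS_DEPOT=${HIDS_DEPOT:-/var/tmp/idsprod/HPUX-HIDS_11i.depot}
JAVA_DEPOT=${JAVA_DEPOT:-/var/tmp/jre15_15001_1111.depot}
SSL_DEPOT=${SSL_DEPOT:-/var/tmp/openssl.depot}
IDS_PATCH_DIR=${IDS_PATCH_DIR:-/var/tmp/idspatch_11i}
JAVA_PATCH_DIR=${JAVA_PATCH_DIR:-/var/tmp/javapatch}

# Compose one swcopy command: $1 source depot, $2 software selection
# ('\*' for everything in the source), $3 target depot name under DEPOT_BASE.
swcopy_cmd() {
    printf 'swcopy -s %s %s @ %s/%s\n' "$1" "$2" "$DEPOT_BASE" "$3"
}

# Print the command, and execute it unless DRY_RUN=1.
run() {
    printf '+ %s\n' "$*"
    [ "$DRY_RUN" = 1 ] || eval "$*"
}

# Each downloaded PH* patch file is a self-extracting shell archive that
# unpacks into its own PHxx_nnnnn.depot when run with sh (step 6 above).
unpack_patches() {
    for f in "$1"/PH*; do
        case "$f" in *.depot|*.text) continue ;; esac   # already unpacked
        if [ -f "$f" ]; then run "sh $f"; fi
    done
    return 0
}

# Copy every unpacked patch depot found in $1 into the target depot $2.
copy_patch_depots() {
    for p in "$1"/PH*.depot; do
        if [ -e "$p" ]; then run "$(swcopy_cmd "$p" '\*' "$2")"; fi
    done
    return 0
}

# Agent depot: HIDS kernel patches, IDS-KRN with the agent subproducts, OpenSSL.
build_agent_depot() {
    run "mkdir -p $DEPOT_BASE"
    unpack_patches "$IDS_PATCH_DIR"
    copy_patch_depots "$IDS_PATCH_DIR" ids_11i_agent
    run "$(swcopy_cmd "$HIDS_DEPOT" 'IDS-KRN IDS.IDS-AGT-RUN IDS.IDS-ENG-A-MAN' ids_11i_agent)"
    run "$(swcopy_cmd "$SSL_DEPOT" '\*' ids_11i_agent)"
}

# Admin depot (administration system that runs no agent): Java patches,
# the J2SE software and OpenSSL.
build_admin_depot() {
    run "mkdir -p $DEPOT_BASE"
    unpack_patches "$JAVA_PATCH_DIR"
    copy_patch_depots "$JAVA_PATCH_DIR" ids_11i_admin
    run "$(swcopy_cmd "$JAVA_DEPOT" '\*' ids_11i_admin)"
    run "$(swcopy_cmd "$SSL_DEPOT" '\*' ids_11i_admin)"
}

# Usage: sh build_depots.sh agent    or    DRY_RUN=0 sh build_depots.sh admin
case "${1:-}" in
    agent) build_agent_depot ;;
    admin) build_admin_depot ;;
esac
```

The `\*` selection is passed through eval so that swcopy, not the calling shell, sees the wildcard; an unquoted `*` would be expanded against the current directory and the copy would fail or pick up the wrong files.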
Installing the Depots

This section describes the procedure to install the depot.

CAUTION: You must install the required kernel patches before you install the HP-UX HIDS software. Do not reinstall any patches without consulting HP Support first.

NOTE: In the following procedure, swinstall does not reinstall any patches or applications that are already installed. You can ignore messages to that effect; the software you need will be installed properly.
Will Installing HP-UX HIDS Release 4.0 Reboot My Agent System?

The installation scripts for HP-UX HIDS try to avoid unnecessary system reboots. However, in some circumstances a system reboot might be required. Those circumstances are (in order of priority):

1. If you choose the Reinstall Filesets option in the graphical interface to swinstall, all HIDS filesets will be installed, and a system reboot will occur.
Configuration

After you have installed or updated your HP-UX HIDS software, you need to complete the configuration with the required and optional steps that are described in Chapter 2 of the Host Intrusion Detection System Administrator's Guide, Software Release 4.0. The following is an annotated list of some of the sections in Chapter 2 of that guide.
A HP Software License

Attention

USE OF THE HP-UX HOST INTRUSION DETECTION SYSTEM AND ASSOCIATED DOCUMENTATION (COLLECTIVELY, THE "SOFTWARE") IS SUBJECT TO THE HP SOFTWARE LICENSE TERMS SET FORTH BELOW. USING THE SOFTWARE INDICATES YOUR ACCEPTANCE OF THESE LICENSE TERMS. IF YOU DO NOT ACCEPT THESE LICENSE TERMS, YOU MAY RETURN THE SOFTWARE FOR A FULL REFUND. IF THE SOFTWARE IS BUNDLED WITH ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE UNUSED PRODUCT FOR A FULL REFUND.
disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission.

All rights reserved.

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL.

This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc.

DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e.
Termination. HP may terminate your license upon notice for failure to comply with any of these License Terms. Upon termination, you must immediately destroy the Software, together with all copies, adaptations and merged portions in any form.

Export Requirements. You may not export or re-export the Software or any copy or adaptation in violation of any applicable laws or regulations.

U.S. Government Restricted Rights.