HP-UX Host Intrusion Detection System Release 4.0 Release Notes
HP-UX 11i v1 and 11i v2
Manufacturing Part Number: 5991-5413
June 2006
Printed in United States
© Copyright 2005 Hewlett-Packard Development Company, L.P.
Legal Notices

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Printed in the U.S.A.

Confidential computer software. Valid license from HP required for possession, use or copying.

Revision History

This document's printing date and part number indicate its edition. The printing date changes when a new edition is printed. Minor corrections and updates that are incorporated at reprint do not cause the date to change. New editions of this manual incorporate all material updated since the previous edition.

5991-4449    January 2006, Software Release 4.0
5991-1161    May 2005, Software Release 3.1
J5083-90015  November 2004, Software Release 3.0
J5083-90012  September 2003

Conventions

We use the following typographical conventions:

audit (5)   An HP-UX manpage. audit is the name and 5 is the section in the HP-UX Reference. On the Web and on the Instant Information CD, it can be a hot link to the manpage itself. From the HP-UX command line, you can enter man audit or man 5 audit to view the manpage. See man (1).
Book Title  The title of a book. On the Web and on the Instant Information CD, it can be a hot link to the book itself.
KeyCap      The name of a keyboard key.
1 Announcement

The HP-UX Host Intrusion Detection System Release 4.0 Release Notes describe new features, changes, enhancements, fixes, limitations, and known issues for Host Intrusion Detection System (HIDS) Release 4.0. HP-UX HIDS Release 4.0 is a major release that includes new features and enhancements.

What is HP-UX HIDS

HP-UX HIDS is a host-based HP-UX security product for HP computers running HP-UX 11i. HP-UX HIDS enables security administrators to proactively monitor, detect, and respond to attacks targeted at specific hosts. Many types of attacks can bypass network-based detection systems. HP-UX HIDS monitors for these attacks and complements the existing network-based security mechanisms, bolstering enterprise security.

Compatibility with Previous Releases

HP-UX HIDS Release 4.0 software is backward compatible with Release 3.1 and Release 3.0 (collectively referred to as 3.x), but not with Release 2.0, Release 2.1, or Release 2.2 (collectively referred to as 2.x). The Release 4.0 System Manager cannot manage Release 2.x agents, and the Release 2.x System Manager cannot manage Release 4.0 agents. To support backward compatibility between Release 4.0 and Release 3.
Compatibility with Other Products

HP-UX HIDS is not compatible with all HP software products; see Table 1-1 for the list of products that are supported. Do not run HP-UX HIDS on systems that are running unsupported products (or vice versa).

Table 1-1 HP-UX HIDS Product Compatibility

Product          Supported?
HP-UX 11i v2     Yes
HP-UX 11i v1.6   Yes
HP-UX 11i v1.5   No
HP-UX 11i v1     Yes
HP-UX 11.

Localization

The HP-UX HIDS software and documentation are not localized in non-English languages.
Benefits

The HP-UX HIDS intrusion detection product offers the following benefits:

• Automatically monitors each configured host system within the network for possible signs of unwanted and potentially damaging intrusions.
• Provides continuous surveillance against inappropriate system usage, including attempts to break into or disrupt the system, modify system files and directories, or spread a virus.
• Complements network-based security solutions and bolsters the overall security of the computing infrastructure. HP-UX HIDS is designed to detect intrusions that network-based security products cannot identify, thereby strengthening the integrity of the host system as the last line of defense.
• Provides immediate notification when suspicious activity is detected, and supports real-time response.
Documentation

The HP-UX HIDS documentation includes manuals, manpages, information on the HP OpenView SMART Plug-In, an IDS Mailing List, and the ITRC Security Forum.

Manuals

The following documents are available at the HP technical documentation Website in the Internet Security Solutions collection, http://docs.hp.com/en/internet, and on the Instant Information CD in the Internet and Security Solutions collection.

HP Part No.

Directory                 Manpages
/opt/ids/share/man/man5   ids.cf (5)

HP OpenView SMART Plug-In

The following document is available at the HP OpenView Website in the SPI Gallery at: http://openview.hp.com/products/spi/spi_ids/index.html.

HP Part No.   Title
(none)        HP OpenView Operations SMART Plug-In for HIDS

The OVO HPUX_HIDS-SPI has been certified by HP for OVO V5.x as well as V6.x, and is known to work with OVO V7.1.

IDS Mailing List

To receive the latest news about HP-UX HIDS, send an email message to majordomo@hpuxmail.cup.hp.com. Include only the following line in the body of the message:

subscribe ids9000-news

This address is for subscription requests only. Do not send product questions or other inquiries. To unsubscribe, send the message:

unsubscribe ids9000-news

ITRC Security Forum

Get help from your peers in the HP Information Technology Resource Center (ITRC) Security Forum.
NOTE
Effective March 31st 2007, support for Release 2.x of HP-UX HIDS will be discontinued. HP recommends that all customers using HP-UX HIDS Release 2.x upgrade to Release 4.0. For more information about discontinuance, see http://www.hp.com/softwarereleases/releases-media2/index.html.

New and Changed Features

HP-UX HIDS Release 4.0 runs on HP-UX 11i v1 and 11i v2. It is available in the Application Releases and from the HP Software Depot. In this document, "11i" unqualified encompasses all the supported 11i versions.

Release 4.0 Highlights

HP-UX HIDS Release 4.

• The HP-UX HIDS agent can be configured to measure the rate of events generated by a system and monitored by HP-UX HIDS. Knowing the event rate, you can refer to the HP-UX HIDS Tuning and Sizing primer (available at http://www.docs.hp.com) to determine the impact of HP-UX HIDS on memory and CPU consumption. See Appendix E, "The Agent Configuration File," in the Host Intrusion Detection System Administrator's Guide for details.
Known Problems, Limitations, and Fixes

For a current and complete list of HP-UX HIDS problems and their fixes, refer to the Technical Knowledge Database on the HP IT Resource Center Websites:

http://us-support.external.hp.com for Americas/Asia-Pacific customers
http://europe-support.external.hp.com for European customers

The Technical Knowledge Database is available to customers with support contracts.

Error Encountered When Installing HP-UX HIDS 4.0

The following error can appear when installing HP-UX HIDS 4.0 even though J2SE 5.0 is installed:

swinstall error:
* Reading source for file information.
The corequisite "Jre15.JRE15,r>=1.5.0.02" for fileset "IDS.IDS-ADM-RUN,r=E.04.00.01" cannot be successfully resolved.
ERROR: The dependencies for fileset "IDS.IDS-ADM-RUN,r=E.04.00.01" cannot be resolved (see previous lines).

under heavy loads. Currently, the user space component of HP-UX HIDS (idskerndsp), which collects audit data from IDDS, cannot be configured to either block or drop audit records under heavy loads. Instead, the product displays a notice in the Network Browser error panel that audit records are being dropped.

Error Log File Rotation

When you rotate an agent's error log file (default location is /var/opt/ids/error.log), the idsagent process must be restarted by sending it a HUP signal in order for all new errors to appear in the newly created error log file.
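A rotation helper for this caveat, added here as an example and not part of the HP release notes: it moves the agent's error log aside, creates a fresh file, and sends idsagent the HUP the text requires. It assumes POSIX sh and that the caller passes the log path and the idsagent pid; the ps-based pid lookup is an assumption about the agent system, not something the notes specify.

```sh
#!/bin/sh
# Added example, not from the HP-UX HIDS release notes. Rotates an agent's
# error log and signals idsagent so that new errors go to the fresh file.
# Assumptions: POSIX sh; the log path and the idsagent pid are supplied by
# the caller (the default path below is the one the release notes give; the
# ps-based pid lookup is an assumption, not something the notes specify).

IDS_ERROR_LOG=/var/opt/ids/error.log

# Print the pid of the running idsagent, or nothing if it is not running.
# UNIX95=1 enables the -o option of ps on HP-UX; it is harmless elsewhere.
idsagent_pid() {
    UNIX95=1 ps -e -o pid,comm | awk '$2 == "idsagent" { print $1; exit }'
}

# rotate_ids_errorlog LOGFILE PID [KEEP]
#   Moves LOGFILE to LOGFILE.<timestamp>, creates an empty LOGFILE with
#   mode 0600 (agent error logs can carry diagnostic detail that should
#   stay root-only), sends HUP to PID, and deletes the oldest rotated
#   copies beyond KEEP (default 5).
#   Returns 0 on success, 1 if LOGFILE is missing or cannot be moved,
#   2 if PID could not be signalled (the log was still rotated).
rotate_ids_errorlog() {
    log=$1
    pid=$2
    keep=${3:-5}

    [ -f "$log" ] || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    mv "$log" "$log.$stamp" || return 1

    # The new file must exist before idsagent is told to reopen its log.
    ( umask 077; : > "$log" )

    # Without the HUP, idsagent keeps writing to the renamed file.
    kill -HUP "$pid" || return 2

    # Timestamps are fixed-width, so the lexical order ls gives is
    # chronological; drop the oldest copies until only $keep remain.
    n=$(ls "$log".* 2>/dev/null | wc -l | tr -d ' ')
    for old in $(ls "$log".* 2>/dev/null); do
        if [ "$n" -le "$keep" ]; then
            break
        fi
        rm -f "$old"
        n=$((n - 1))
    done
    return 0
}

# Typical use on an agent system (run as root), keeping seven old copies:
#   rotate_ids_errorlog "$IDS_ERROR_LOG" "$(idsagent_pid)" 7
```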
Fixes and Enhancements in Release 4.0

Release 4.0 corrects defects and includes enhancements in the following areas:

idsagent Memory Leak When Alerts Are Sent to Response Programs

The memory usage of idsagent grows when the idsagent process sends alerts to the response program (in the /opt/ids/response directory). This problem is fixed in the current release.

The idsagent Process Stops Logging Alerts Running a Schedule with Multiple Groups.
2 Installation

This chapter provides information about HIDS installation.

IMPORTANT
Read this entire chapter before installing or updating to HIDS Release 4.0.

Introduction

Release 4.0 of HIDS is available from the following sources:

• As a depot directory on an Application Release CD for 11i and on the OEUR for HP-UX 11i v2, beginning from March 2006.
• As a depot file you download from the HP Software Depot Website for HP-UX 11i, beginning from January 2006.

The HIDS software product bundle, HPUX-HIDS, contains the IDS and IDS-KRN products.

Table 2-2 Software to Install (Continued)

Software                                  Evaluation or Dual System   Agent System   Administration System
IDS.IDS-ADM-RUN and IDS.IDS-ADM-SHLIB     YES                         NO             YES
IDS.IDS-ENG-A-MAN                         YES                         YES            YES
HP-UX required kernel patches             YES                         YES            NO
J2SE 5.0                                  YES                         NO             YES
Java 5.

Installation Summary

The sections that follow provide step-by-step instructions for updating to or cold-installing HIDS Release 4.0. This section provides a summary of the tasks. In addition to these Release Notes, you will need the Host Intrusion Detection System Administrator's Guide, Software Release 4.0, for information on configuration and initial startup.

Step 1.
Hardware and Software Requirements

Check that your systems meet the requirements for installing HP-UX HIDS.

Administration and Agent Systems

Each administration and agent system must meet the following requirements:

• The administration and agent system must be running HP-UX 11i v1 or 11i v2. To check, enter the following command:

  uname -r

  It should display B.11.11 or B.11.23 respectively.
• The memory mapped file (/var/opt/ids/ids_*) is 20 M in size. HP recommends that you have at least 50 M of free space in /var for the memory mapped files and log files.
• For HP-UX 11i v1, you must have certain patches for both the operating system and the kernel audit system. Patch installation is part of these installation instructions.
• The cron daemon must be enabled. Refer to cron(1M) for more information.

When Updating from Release 2.x

The templates in Release 4.0 differ significantly from those in 2.x. To use existing 2.x schedules, you must first migrate to Release 3.1 and then use the guiSchedConvert migration tool to convert v2.x schedules to v3.x schedule files. Use the v3.1 adminschedconvert migration tool to convert v2.x text schedule files to v3.x text schedule files. You must then upgrade to v4.0. The v4.

Preinstallation

Before installing Release 4.0 on a system that has a previous version of HP-UX HIDS installed and running, HP recommends that you stop the idsagent process.

IMPORTANT
For systems that do not currently have any version of HP-UX HIDS installed, HP recommends that you make a full backup of all administration and agent systems before you install HP-UX HIDS. Installation on agent systems requires a kernel rebuild (automatic) and reboot.

Making Depots

It is a good idea to gather the various pieces of software into depots that you can use with the swinstall command. These instructions tell you how to prepare three combination depots. You will need at least two of them: one administration depot and one or two agent depots. The three depots are described in Table 2-3.
Table 2-3 Software Depots (Continued)

Depot: 11i Admin Depot, /var/depot/ids_11i_admin (for an HP-UX 11i system supporting the HIDS administration software)
Contents:
  Required Java patches
  J2SE 5.0
  IDS.IDS-ADM-RUN and IDS.IDS-ADM-SHLIB subproduct
  IDS.IDS-ENG-A-MAN subproduct
  OpenSSL product

Depot: 11i Agent Depot, /var/depot/ids_11i_agent
Contents:
  Required system patches
  IDS.IDS-AGT-RUN subproduct
  IDS.

NOTE
If you have installed any software updates, some of these patches might already be present on your systems. You can first install the HP-UX HIDS software and run the /opt/ids/bin/IDS_checkInstall command to check which patches you do not need to download. If you attempt to install a patch that is already there, the swinstall command will note that fact and just install the other patches.

Step 1.

$ sh -c 'for i in /var/tmp/idspatch_11i/PH*; do sh $i; done'

Step 7. Copy the patches to your agent and administration depots as appropriate:

• 11i Agent Depot
  If any of your agent systems is running either HP-UX 11i v1 or HP-UX 11i v2, copy the 11i IDS-KRN product and IDS agent subproducts into the ids_11i_agent depot:

  # sh -c 'for i in /var/tmp/idspatch_11i/PH*.
Patch Required for HP-UX 11i v2

You must install the patch listed in Table 2-5 on all HP-UX 11i v2 PA-RISC and Itanium-based systems that will run the HIDS agent software.

Table 2-5 Patch Required for HP-UX 11i v2 HIDS Agent Systems

Patch        Description
PHKL_32800   s700_800 11.23 HIDS cumulative patch

IMPORTANT
You must install all the patches before or at the same time you install HIDS on HP-UX 11i v1 or HP-UX 11i v2.

Get the HP-UX HIDS Product

HP-UX HIDS Release 4.0 for both 11i v1 and 11i v2 is available from the HP Software Depot (http://software.hp.com) and will be available from the March 2006 Application Release CD. HIDS Release 4.0 for 11i v2 will also be available from the 11i v2 March 2006 Operating Environment Update Release.

  # swcopy -s /var/tmp/idsprod/HPUX-HIDS_11i.depot IDS.IDS-ADM-RUN IDS.IDS-ENG-A-MAN IDS.IDS-ADM-SHLIB \
    @ /var/depot/ids_11i_admin

• 11i Admin+Agent Depot
  If your administration system will be running an agent, copy the entire 11i product into the ids_11i_admin+agent depot:

  # swcopy -s /var/tmp/idsprod/HPUX-HIDS_11i.depot \* \
    @ /var/depot/ids_11i_admin+agent

From an Application Release CD

Step 1. Log in as superuser (root) on the depot system.
Get Patches for Java

Step 1. Log in as superuser (root) on the depot system. See "Create the Depot Directory" on page 32.
Step 2. Create a directory in which you can save the patches and make a depot. This procedure uses /var/tmp/javapatch.
Step 3. Open the HP Java Website: http://www.hp.com/go/java.
Step 4. Click on the link patches.
Step 5. Take note of the patches that you need, based on your administration system.
Step 6. Open the HP Support Website: http://itrc.hp.

If your administration system will be running an agent, copy the 11i Java patches into the ids_11i_admin+agent depot:

# sh -c 'for i in /var/tmp/javapatch/PH*.depot; do swcopy \
  -s $i \* @ /var/depot/ids_11i_admin+agent; done'

Get the Java Software

Step 1. Log in as superuser (root) on the depot system. See "Create the Depot Directory" on page 32.
Step 2. Open the HP Java Website: http://www.hp.com/go/java.
Step 3. Select the J2SE JDK, JRE, and runtime plug-in for 5.0.

Get the OpenSSL Software

In addition to Java, you must also download OpenSSL on your system. OpenSSL A.00.09.07-e is the latest version of the software. Following are the steps to download the OpenSSL software:

Step 1. Log in as superuser (root).
Step 2. If you are downloading OpenSSL from the Application Software CD, insert the software CD into the appropriate drive. You can also download the software from the http://www.software.hp.com Web site.
Step 3.

On HP-UX 11i v1 systems that do not contain the /dev/random file, OpenSSL automatically uses prngd to generate random numbers.
Installing the Depots

This section describes the procedure to install the depots.

CAUTION
You must install the required kernel patches before you install the HP-UX HIDS software. Do not reinstall any patches without consulting HP Support first.

NOTE
In the following procedure, swinstall does not reinstall any patches or applications that are already installed. You can ignore messages to that effect. The software you need will be installed properly.

Step 4. On each of your agent systems, install one of the agent software depots described in "Making Depots" on page 31, as follows:
  a. Log in as superuser (root) on each HP-UX HIDS agent system.
  b.

Will Installing HP-UX HIDS Release 4.0 Reboot My Agent System?

The installation scripts for HP-UX HIDS try to avoid unnecessary system reboots. However, in some circumstances, a system reboot might be required. Those circumstances are (in order of priority):

1. If you choose the Reinstall Filesets option in the graphical interface to swinstall, all HIDS filesets will be installed, and a system reboot will occur.
2.

Postinstallation

• The HP-UX startup in progress list should display OK for the Starting HIDS agent entry.
• When an agent system reboots after a cold installation, the HP-UX startup in progress list should display N/A for the Starting HIDS agent entry. That is, system boot will not automatically start idsagent until after the secure communication keys and certificates have been installed on the agent system. See "Configuration" on page 46.

Configuration

After you have installed or updated your HP-UX HIDS software, you need to complete the configuration with the required and optional steps that are described in Chapter 2 of the Host Intrusion Detection System Administrator's Guide, Software Release 4.0. The following is an annotated list of some of the sections in Chapter 2 of that guide.

• Working with firewalls
  If you have firewalls between the administration system and agent systems, you must configure the firewall systems.
• Working with NIS
  If you use NIS, you must configure the NIS master system.
Appendix A HP Software License

Attention

USE OF THE HP-UX HOST INTRUSION DETECTION SYSTEM AND ASSOCIATED DOCUMENTATION (COLLECTIVELY, THE "SOFTWARE") IS SUBJECT TO THE HP SOFTWARE LICENSE TERMS SET FORTH BELOW. USING THE SOFTWARE INDICATES YOUR ACCEPTANCE OF THESE LICENSE TERMS. IF YOU DO NOT ACCEPT THESE LICENSE TERMS, YOU MAY RETURN THE SOFTWARE FOR A FULL REFUND. IF THE SOFTWARE IS BUNDLED WITH ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE UNUSED PRODUCT FOR A FULL REFUND.
 *    copyright notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the distribution.
 *
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4.

 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com). This product includes software written by Tim
 * Hudson (tjh@cryptsoft.

 * attribution as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.

 * PURPOSE
 * ARE DISCLAIMED.
HP Software License Terms

The following License Terms govern your use of the accompanying Software.

License Grant. HP grants you a license to Use one copy of the Software. "Use" means storing, loading, installing, executing or displaying the Software. You may not modify the Software or disable any licensing or control features of the Software.

deliver the Software, including any copies and related documentation, to the transferee. The transferee must accept these License Terms as a condition to the transfer.

Termination. HP may terminate your license upon notice for failure to comply with any of these License Terms. Upon termination, you must immediately destroy the Software, together with all copies, adaptations and merged portions in any form.

Export Requirements.

LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU.

Entire Agreement. These License Terms contain the entire understanding and agreement of the parties relating to the subject matter hereof. Any representation, promise, or condition not explicitly set forth in these License Terms shall not be binding on either party.