HP-UX Host Intrusion Detection System Release 4.1 Release Notes
Legal Notices Copyright 2007 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Table of Contents
1 Announcement
  What is HP-UX HIDS
  Compatibility with Previous Releases
  Compatibility with Other Products
  Unexpected Behavior by idsagent when report, resync, or tune Command is Executed
  The system DSP Fails to Properly Handle Corrupted w/btmp File
  SSH does not Perform a Clean Exit after idsagent is Started
  Agents and Kernel Parameters
  Attention
  LICENSE ISSUES
  OpenSSL License
  Original SSLeay License
List of Figures
  1-1 Error Message When an Incorrectly-formatted Schedule is Activated Using the GUI System Manager
List of Tables
  1-1 HP-UX HIDS Product Compatibility
  2-1 Filesets of HIDS
  2-2 Software to Install
  2-3 Software Depots
List of Examples
  1-1 Invalid Modification - Scenario 1
  1-2 Invalid Modification - Scenario 2
1 Announcement The HP-UX Host Intrusion Detection System Release 4.1 Release Notes describes major new features, enhancements, fixes, limitations, and known issues for Host Intrusion Detection System (HIDS) Release 4.1. What is HP-UX HIDS HP-UX HIDS is a host-based HP-UX security product for HP computers running HP-UX 11i. HP-UX HIDS enables security administrators to proactively monitor, detect, and respond to attacks targeted at specific hosts.
NOTE: HP-UX HIDS 4.1 is not backward compatible with Release 1.0 or with Releases 2.0, 2.1, and 2.2 (collectively referred to as 2.x). Releases 1.0 and 2.x are obsolete. Compatibility with Other Products HP-UX HIDS is not compatible with all HP software products; see Table 1-1 for the list of products that are supported. Do not run HP-UX HIDS on systems that are running unsupported products, and do not run unsupported products on systems that are running HP-UX HIDS.
• Continuously examines ongoing activity on a system and seeks out patterns that might suggest security breaches or misuse due to the exploitation of certain vulnerabilities:
  Vulnerability: Unauthorized File Modification
  Monitors:
    Critical system and application programs and configuration files
    System and application log files
    File additions and deletions
    Critical files made world writable
    Privileged "setuid" programs created
    Files modified by non-owners
Manpages After installation, you can access the HIDS manpages online using the man command. Before accessing them, add /opt/ids/share/man to your MANPATH environment variable as follows:
export MANPATH=/opt/ids/share/man:$MANPATH
Manpages are installed under /opt/ids/share/man/man1m and /opt/ids/share/man/man5 (ids.
IDS Mailing List To receive the latest news about HP-UX HIDS, send an email message to majordomo@hpuxmail.cup.hp.com. Include only the following line in the body of the message: subscribe ids9000-news NOTE: The term ids9000 refers to the previous name of the product. This address is for subscription requests only. Do not send product questions or other inquiries.
NOTE: Support for Release 2.x of HP-UX HIDS was discontinued on March 31, 2007. HP recommends that all customers using HP-UX HIDS Release 2.x upgrade to Release 4.1. For more information about the discontinuance, see http://www.hp.com/softwarereleases/releases-media2/discon/index.htm. New and Changed Features HP-UX HIDS Release 4.
Known Problems, Limitations, and Fixes For a current and complete list of HP-UX HIDS problems and their fixes, refer to the Technical Knowledge Database on the HP IT Resource Center Websites:
• http://us-support.external.hp.com for Americas/Asia-Pacific customers
• http://europe-support.external.hp.com for European customers
The Technical Knowledge Database is available to customers with support contracts.
Workaround Modify the following line in /etc/opt/ids/ids.
Workaround Use the grep command to locate any instances of the TEMPLATE pattern. Schedules containing the TEMPLATE pattern are in the incorrect (expanded) format and must be migrated (using the migrator tool) to an HIDS v4.1 compatible format. IMPORTANT: The GUI System Manager must be closed before running the migrator tool or before manually editing a Surveillance Schedule or Group in a text editor.
System Manager is restarted and attempts to load the schedules. An error dialog as shown in Figure 1-1 (page 20) appears if there are incorrectly formatted template property values when the GUI System Manager is started. If a Surveillance Group is not successfully parsed when the GUI System Manager is started, the group is removed from the schedule and the group will not appear in the Schedule Manager window.
IMPORTANT: The GUI System Manager must be closed before directly editing a Surveillance Schedule or Group in a text editor. Otherwise, changes made using an editor will be overwritten by the GUI System Manager when it exits. TIP: HP recommends that administrators back up the Surveillance Schedule and Group files periodically in case they need to be restored. Incorrectly Formatted raw Reports Sent as an Email Reports in raw format that are generated in /var/opt/ids/reports are formatted correctly.
WARNING: Invalid hostname [rt-date] specified. Skipping.... ERROR: No valid agent hostnames entered. • After an idsadmin tune or report command is executed, if idsadmin had established a connection with an agent before the tune or report command was invoked, idsadmin no longer has a connection to that agent. A status command will reestablish the connection to that agent.
#AGGREGATION 0          # 0(1) to turn alert aggregation off(on).
#SUPPRESSION_REPORT 0   # 0(1) to turn reporting of suppressed alerts off(on).
#
# these flags override flags in schedule file
[END]
Unexpected Behavior by idsagent when report, resync, or tune Command is Executed If the /var/opt/ids/gui/logs/{agent}_alert.log file is corrupted, the report, resync, or tune commands may behave unexpectedly.
are no longer being dropped, respectively. For more information see Appendix E, "The Agent Configuration File," in the Host Intrusion Detection System Administrator's Guide. The System Manager on PA-RISC 1.1 Systems The System Manager should be run with J2SE 5.0 (also known as Java 1.5.x). Java 1.5.x is not supported on PA-RISC 1.1 systems, however, so on those systems the System Manager can only be run with Java 1.4.x. For the most part, the System Manager will behave correctly using Java 1.4.
4.1, administrators can monitor files with a # character in their pathname or filename by escaping the # with a backslash. In earlier versions of HIDS, an upgrade of the IDS-ADM subproduct in the HIDS bundle did not preserve settings in /opt/ids/bin/idsgui (for example, the INTERFACE setting).
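The following is an added example, not code from HP or from the HIDS product. It shows, in a runnable form, two things the notes describe only in prose: the "Unauthorized File Modification" conditions listed in Chapter 1 (additions and deletions, modifications, files made world writable, new setuid programs), implemented as a baseline-and-compare check, and a watch-list reader in which an unescaped # starts a comment while a backslash before # keeps it as part of the name, the 4.1 convention for monitoring files whose names contain #. The watch-list syntax and the alert names are assumptions chosen for this example; they are not the HIDS Surveillance Schedule format. A snapshot comparison cannot say who wrote a file, which HIDS derives from the kernel audit stream, so "files modified by non-owners" is approximated here by an owner-change alert.

```python
"""Added example: baseline-and-compare file monitor with a '#'-escaping watch list."""
import os
import stat
import tempfile


def parse_watch_list(text):
    """One path per line. An unescaped '#' starts a comment; a backslash followed
    by '#' yields a literal '#' in the path. (Hypothetical format for this example.)"""
    paths = []
    for raw in text.splitlines():
        out = []
        i = 0
        while i < len(raw):
            ch = raw[i]
            if ch == "\\" and i + 1 < len(raw) and raw[i + 1] == "#":
                out.append("#")          # escaped: part of the file name
                i += 2
                continue
            if ch == "#":
                break                    # unescaped: comment to end of line
            out.append(ch)
            i += 1
        path = "".join(out).strip()
        if path:
            paths.append(path)
    return paths


def snapshot(paths):
    """Map each path (recursing into directories) to (mode, uid, size, mtime)."""
    snap = {}

    def record(path):
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            return
        snap[path] = (st.st_mode, st.st_uid, st.st_size, int(st.st_mtime))
        if stat.S_ISDIR(st.st_mode):
            for name in sorted(os.listdir(path)):
                record(os.path.join(path, name))

    for p in paths:
        record(p)
    return snap


def compare(baseline, current):
    """Return (alert, path) pairs, sorted by path: deletions, additions,
    modifications, owner changes, regular files newly world writable, and
    regular files that newly carry the setuid bit."""
    alerts = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            alerts.append(("deleted", path))
            continue
        mode, uid, size, mtime = current[path]
        # An absent baseline entry is treated as mode 0, so a new world-writable
        # or setuid file is reported on the same pass as its addition.
        bmode, buid, bsize, bmtime = baseline.get(path, (0, uid, size, mtime))
        if path not in baseline:
            alerts.append(("added", path))
        else:
            if (size, mtime) != (bsize, bmtime):
                alerts.append(("modified", path))
            if uid != buid:
                alerts.append(("owner-changed", path))
        if stat.S_ISREG(mode):
            # Regular files only: a sticky, world-writable directory such as /tmp is normal.
            if mode & stat.S_IWOTH and not bmode & stat.S_IWOTH:
                alerts.append(("world-writable", path))
            if mode & stat.S_ISUID and not bmode & stat.S_ISUID:
                alerts.append(("setuid-created", path))
    return alerts


if __name__ == "__main__":
    # Constructed demo: take a baseline of a scratch tree, tamper with it, compare.
    root = tempfile.mkdtemp()
    conf = os.path.join(root, "app.conf")
    with open(conf, "w") as f:
        f.write("key=value\n")
    watch = parse_watch_list(root + "   # watch the whole scratch tree\n")
    before = snapshot(watch)
    with open(conf, "a") as f:
        f.write("key=tampered\n")                       # modification
    os.chmod(conf, 0o666)                               # made world writable
    open(os.path.join(root, "new.sh"), "w").close()     # addition
    for alert, path in compare(before, snapshot(watch)):
        print("%-15s %s" % (alert, path))
```

Run it as a script to see the demo on a scratch directory; in practice the baseline would be taken right after installation and kept off the monitored host, since an attacker who can alter the baseline can hide the change.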
2 Installation This chapter provides information about HIDS installation. IMPORTANT: Read this entire chapter before installing or updating to HIDS Release 4.1. Introduction Release 4.1 of HIDS is available from the following sources:
• As a depot directory on an Application Release CD for 11i and on OEUR for HP-UX 11i v2 (from March 2006 onwards).
• As a depot file you download from the HP Software Depot Website for HP-UX 11i, beginning from January 2006.
Table 2-2 Software to Install (continued)
Software                        Evaluation or Dual System   Agent System   Administration System
HP-UX required kernel patches   YES                         YES            NO
J2SE 5.0                        YES                         NO             YES
Java 5.0 patches                YES                         NO             YES
IDS-KRN                         YES                         YES            NO
OpenSSL                         YES                         YES            YES
Installation Summary The following sections provide step-by-step instructions for updating to or cold-installing HIDS Release 4.1. This section provides a summary of the tasks.
# uname -r
It should display B.11.11, B.11.23, or B.11.31 respectively.
• The system must be running HP-UX 11i v1, HP-UX 11i v2, or HP-UX 11i v3.
• You must be a superuser to do the installation.
Administration System The system on which you plan to install the administration software must meet the following requirements:
• You must have 26 MB of free disk space in /opt/ids and space for configuration files in /etc/opt/ids and log files in /var/opt/ids.
NOTE: If you are migrating schedules from release 3.x of HIDS, you must first migrate to HIDS 4.0 and use guiSchedConvert to convert them to HIDS 4.0 schedule files before migrating them to HIDS 4.1 schedules. Complete the following process to migrate HIDS 4.0 schedules to HIDS 4.1 schedules:
1. Use the v4.0 idsgui to convert all the Java schedules that you want to migrate into text files.
2. Use the Details tab in the GUI Schedule Manager to save the schedules.
Table 2-3 Software Depots
Depot                   Location                          Purpose
11i Admin+Agent Depot   /var/depot/ids_11i_admin+agent    For an HP-UX 11i system supporting the HIDS administration and agent software
11i Admin Depot         /var/depot/ids_11i_admin          For an HP-UX 11i system supporting the HIDS administration software
11i Agent Depot         /var/depot/ids_11i_agent          For an HP-UX 11i system supporting the HIDS agent software
Contents: Required system patches, Required Java patches, J2SE 5.0, IDS.IDS-ADM-RUN and IDS.
NOTE: If you have installed any software updates, some of these patches may already be present on your systems. You can first install the HP-UX HIDS software and run the /opt/ids/bin/IDS_checkInstall command to check which patches you do not need to download. If you attempt to install a patch that is already there, the swinstall command will note that fact and just install the other patches.
1. Log in as superuser (root) on the depot system; see "Create the Depot Directory" (page 33).
7. Copy the patches to your agent and administration depots as appropriate:
a.
• 11i Agent Depot: If any of your agent systems is running HP-UX 11i v1 or HP-UX 11i v2, copy the downloaded kernel patches into the ids_11i_agent depot:
# sh -c 'for i in /var/tmp/idspatch_11i/PH*.depot; do swcopy -x enforce_dependencies=false -s "$i" \* @ /var/depot/ids_11i_agent; done'
The backslash keeps the inner shell from expanding * against the current directory; swcopy receives the literal * and selects every product in the patch depot.
• 11i Admin Depot: No need to copy any patches if your administration system is not running an agent.
b.
Get the HP-UX HIDS Product HP-UX HIDS Release 4.1 for HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 is available from the HP Software Depot (http://software.hp.com). From the HP-UX 11i v2 and HP-UX 11i v3 System Releases Refer to the HP-UX 11i Version 2 Installation and Update Guide or HP-UX 11i Version 3 Installation and Update Guide for information on installing HIDS with a system installation or upgrade.
4. Copy the HP-UX HIDS product to your administration and agent depots, as appropriate.
a.
• 11i Agent Depot: Copy the 11i IDS-KRN product and IDS agent subproducts into the ids_11i_agent depot:
# swcopy -x enforce_dependencies=false -s /var/tmp/idsprod/HPUX-HIDS_11i.depot IDS-KRN IDS.IDS-AGT-RUN IDS.IDS-ENG-A-MAN @ /var/depot/ids_11i_agent
b.
2. Locate the HP-UX 11i Application Release CD that contains the HP-UX HIDS product bundle and load it into your CD reader. In this procedure it is mounted on /SD_CDROM. Then do the following:
a.
• 11i Agent Depot: Copy the 11i IDS-KRN product and IDS agent subproducts into the ids_11i_agent depot:
# swcopy -x enforce_dependencies=false -s /SD_CDROM HPUX-HIDS.IDS-KRN HPUX-HIDS.IDS.IDS-AGT-RUN HPUX-HIDS.IDS.IDS-ENG-A-MAN @ /var/depot/ids_11i_agent
b.
Get Patches for Java
1. Log in as superuser (root) on the depot system. See "Create the Depot Directory" (page 33).
2. Create a directory in which you can save the patches and make a depot. This procedure uses /var/tmp/javapatch.
3. Open the HP Java Website: http://www.hp.com/go/java.
4. Click on the patches link.
5. Take note of the patches that you need, based on your administration system.
6. Open the HP Support Website: http://itrc.hp.com.
7. Click on individual patches.
2. Open the HP Java Website: http://www.hp.com/go/java.
3. Select the J2SE JDK, JRE, and runtime plug-in for 5.0.xx link for the appropriate platform (Itanium or PA-RISC).
4. Click on downloads.
5. Download JDK or JRE. JRE is sufficient and is a smaller depot.
6. Using the instructions on the Website, download the software, for example, to /var/tmp/jre15_15001_1111.depot for 11i v1.
7. Transfer the software to the administration depot using one of the following steps:
a.
4. Transfer the software to the depot using one of the following steps:
a.
• 11i Agent Depot: Copy the OpenSSL software into the ids_11i_agent depot:
# swcopy -x enforce_dependencies=false -s /var/tmp/openssl.depot \* @ /var/depot/ids_11i_agent
• 11i Admin Depot: If your administration system is not running an agent, copy the OpenSSL software into the ids_11i_admin depot:
# swcopy -x enforce_dependencies=false -s /var/tmp/openssl.depot \* @ /var/depot/ids_11i_admin
Escape the * so that the shell does not expand it against the current directory; swcopy interprets the literal * as "all software in the source depot".
b.
3. On your administration system, install one of the admin software depots described in "Making Depots" (page 32), as follows:
a.
• 11i Admin Depot: Install the ids_11i_admin depot (a reboot may occur):
# swinstall -x autoreboot=true -s depotsys:/var/depot/ids_11i_admin \*
The source is written as host:path with no space after the colon, and the * is escaped so that swinstall, not the shell, interprets it.
b.
Will Installing HP-UX HIDS Release 4.1 Reboot My Agent System? The installation scripts for HP-UX HIDS try to avoid unnecessary system reboots. However, in some circumstances, a system reboot might be required. Those circumstances are (in order of priority):
1. If you choose the Reinstall Filesets option in the graphical interface to swinstall, all HIDS filesets will be installed, and a system reboot will occur.
of Host Intrusion Detection System Administrator's Guide, Software Release 4.1. The following is an annotated list of some of the sections in chapter 2 of that guide. Required: Before you can run HP-UX HIDS, you must complete the configuration step described in the section "Setting Up the HP-UX HIDS Secure Communications" in the Host Intrusion Detection System Administrator's Guide.
A HP Software License Attention USE OF THE HP-UX HOST INTRUSION DETECTION SYSTEM AND ASSOCIATED DOCUMENTATION (COLLECTIVELY, THE "SOFTWARE") IS SUBJECT TO THE HP SOFTWARE LICENSE TERMS SET FORTH BELOW. USING THE SOFTWARE INDICATES YOUR ACCEPTANCE OF THESE LICENSE TERMS. IF YOU DO NOT ACCEPT THESE LICENSE TERMS, YOU MAY RETURN THE SOFTWARE FOR A FULL REFUND. IF THE SOFTWARE IS BUNDLED WITH ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE UNUSED PRODUCT FOR A FULL REFUND.
* 3. All advertising materials mentioning features or use of * this software must display the following acknowledgment: * "This product includes software developed by the OpenSSL * Project for use in the OpenSSL Toolkit. * (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must * not be used to endorse or promote products derived from * this software without prior written permission. For written * permission, please contact openssl-core@openssl.org. * * 5.
 * as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
* changed. i.e. this code cannot simply be copied and put * under another distribution licence [including the GNU * Public Licence.] */ HP Software License Terms The following License Terms govern your use of the accompanying Software. License Grant. HP grants you a license to Use one copy of the Software. "Use" means storing, loading, installing, executing or displaying the Software. You may not modify the Software or disable any licensing or control features of the Software.
(Oct 1988), DFARS 252.211-7015 (May 1991) or DFARS 252.227-7014 (Jun 1995), as a "commercial item" as defined in FAR 2.101(a), or as "Restricted computer software" as defined in FAR 52.227-19 (Jun 1987) (or any equivalent agency regulation or contract clause), whichever is applicable. You have only those rights provided for such Software and any accompanying documentation by the applicable FAR or DFARS clause or the HP standard software agreement for the product involved. Disclaimer.