HP-UX Host Intrusion Detection System Release 4.
Copyright 2007 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Table of Contents

1 Announcement 13
  What is HP-UX HIDS 13
  Compatibility with Previous Releases 13
  Compatibility with Other Products
  SSH does not Perform a Clean Exit after idsagent is Started 25
  Agents and Kernel Parameters 25
  Dropped Kernel Audit Records 25
  The System Manager on PA-RISC 1.1 Systems 25
  Time Units Cannot be Specified for Template Properties in Schedule Manager
A HP Software License 47
  Attention 47
  LICENSE ISSUES 47
  OpenSSL License

List of Figures

1-1 Error Message When an Incorrectly-formatted Schedule is Activated Using the GUI System Manager

List of Tables

1-1 HP-UX HIDS Product Compatibility 14
1-2 Availability of HP-UX HIDS Manuals 15
1-3 Availability of HP-UX HIDS Manpages 16
2-1 Filesets of HIDS

List of Examples

1-1 Invalid Modification - Scenario 1 22
1-2 Invalid Modification - Scenario 2
1 Announcement

This document describes major new features, enhancements, fixes, limitations, and known issues for Host Intrusion Detection System (HIDS) Release 4.1.

What is HP-UX HIDS

HP-UX HIDS is a host-based HP-UX security product for HP systems running HP-UX 11i v1 or HP-UX 11i v2. HP-UX HIDS enables security administrators to proactively monitor, detect, and respond to attacks targeted at specific hosts. Many types of attacks can bypass network-based detection systems.
Table 1-1 HP-UX HIDS Product Compatibility

Product                                       Supported?
HP-UX 11i v2                                  Yes
HP-UX 11i v1.6                                Yes
HP-UX 11i v1.5                                No
HP-UX 11i v1                                  Yes
HP-UX 11.0                                    No
NIS, NIS+                                     Yes
OpenView                                      Yes
ServiceGuard                                  Not tested
Third-party Event Monitoring Service (EMS)    Not tested
Trusted Mode operation                        Yes
Virtual Vault                                 No

Localization

The HP-UX HIDS software and documentation are not localized in non-English languages.
Monitors: Files modified by non-owners

Vulnerability: Poorly written privileged programs
Monitors: Buffer overflows and Race conditions

Vulnerability: Weak password or unauthorized access
Monitors: Logins/logouts

Vulnerability: Password guessing
Monitors: Failed logins and failed su attempts

• Complements network-based security solutions and bolsters the overall security of the computing infrastructure.
Table 1-3 Availability of HP-UX HIDS Manpages

Directory                     Manpages
/opt/ids/share/man/man1m      IDS_checkAdminCert(1M)
                              IDS_checkAgentCert(1M)
                              IDS_checkInstall(1M)
                              IDS_genAdminKeys(1M)
                              IDS_genAgentCerts(1M)
                              IDS_importAgentKeys(1M)
                              idsadmin(1M)
                              idsagent(1M)
                              idsgui(1M)
/opt/ids/share/man/man5       ids.cf(5)

HP OpenView SMART Plug-In

The OVO HPUX_HIDS-SPI is certified by HP for OVO V5.x as well as V6.x, and is known to work with OVO V7.1.
IDS Mailing List

To receive the latest news about HP-UX HIDS, send an email message to majordomo@hpuxmail.cup.hp.com. Include only the following line in the body of the message:

    subscribe ids9000-news

NOTE: The term ids9000 refers to the previous name of the product. This address is for subscription requests only. Do not send product questions or other inquiries.
NOTE: Support for Release 2.x of HP-UX HIDS was discontinued on March 31, 2007. HP recommends that all customers using HP-UX HIDS v2.x upgrade to HIDS v4.1. To know more about discontinuance, see http://www.hp.com/softwarereleases/releases-media2/discon/index.htm.

New and Changed Features

HP-UX HIDS Release 4.
Known Problems, Limitations, and Fixes

For a current and complete list of HP-UX HIDS problems and their fixes, see the Technical Knowledge Database on the HP IT Resource Center websites:
• http://us-support.external.hp.com for Americas/Asia-Pacific customers
• http://europe-support.external.hp.com for European customers
The Technical Knowledge Database is available to customers with support contracts.

Clarifications

Perform Updates Instead of Cold Reinstalls

HP-UX HIDS is designed to support updates.
error dialog like the one shown in Figure 1-1 will appear and the schedule will not appear in the GUI System Manager or Schedule Manager windows.

[Figure 1-1 Error Message When an Incorrectly-formatted Schedule is Activated Using the GUI System Manager]

Likewise, a subsequent attempt to activate (or tune) a schedule in a temporary format or a pre-V4.
    ENDTEMPLATE
    TEMPLATE world_writable
    ENDTEMPLATE
    TEMPLATE non_owned
    ENDTEMPLATE
    TEMPLATE login_logout
    ENDTEMPLATE
    TEMPLATE failed_login
    ENDTEMPLATE
    TEMPLATE failed_su
    ENDTEMPLATE

    > /opt/ids/bin/migrator -i FileAndLoginMonitoringAlwaysOn.txt
    INFO: : Attempting to parse schedule file...
    INFO : Successfully parsed schedule file (FileAndLoginMonitoringAlwaysOn.txt).
    INFO : The schedule and group(s) will be created in (/etc/opt/ids/schedules) and (/etc/opt/ids/schedules/groups) respectively.
Example 1-1 Invalid Modification - Scenario 1

In this example, the GUI Schedule Manager allows the administrator to enter an unequal number of pathnames_X and programs_X pathname groups:

    pathnames_1 | file1 & file 2 | file3 | file4
    programs_1 | prog1 | prog2

However, the administrator will not be able to activate the schedule, because there is no corresponding program for file4.
Special Characters not Supported When Specifying Filters Using the tune Command

The pound (#) and pipe (|) characters are currently not supported for specifying filters when using the tune command. Use of these characters can cause parsing errors.

The idsadmin Command Does not Parse Schedules Whose Property Lines Exceed 65535 Characters

In HIDS v4.1, if a schedule has a property line exceeding 65535 characters, idsadmin or idsagent does not parse the schedule but logs an error message.
The Migrator Tool does not Update suppression_targets_to_ignore Properly

When migrating schedules from 4.0, the migrator tool does not escape the . character present in the pathname of the default files (for example, .rhosts) for which alerts are not suppressed. After migration, you must manually insert the \ character if you do not want to suppress the alerts for these files.

Limitation While Using the ids.cf File for Configuring Duplicate Alert Suppression

In the /etc/opt/ids/ids.
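A pre-activation check that catches the three schedule-file problems described in Example 1-1 and in the two items above: unequal pathnames_X/programs_X groups, property lines over 65535 characters, and a '.' left unescaped by the migrator in suppression_targets_to_ignore. This is an added example, not HP's migrator or idsadmin code; the 'name | value | value' line layout between TEMPLATE/ENDTEMPLATE markers is assumed from the fragments shown on this page, and the sample schedule is constructed.

```python
"""Lint a HIDS schedule text file before activating it (added example, not HP code).

Assumed layout (from the fragments on this page): property lines of the form
'name | value | value ...' between TEMPLATE/ENDTEMPLATE markers.
"""
import re

MAX_PROPERTY_LINE = 65535                       # limit idsadmin/idsagent enforce in v4.1
GROUP_RE = re.compile(r"(pathnames|programs)_(\d+)")
UNESCAPED_DOT = re.compile(r"(?<!\\)\.")        # a '.' that is not preceded by '\'


def split_property(line):
    """'pathnames_1 | f1 | f2' -> ('pathnames_1', ['f1', 'f2'])."""
    parts = [p.strip() for p in line.split("|")]
    return parts[0], [p for p in parts[1:] if p]


def lint_schedule(text):
    """Return a list of problem strings; an empty list means the schedule passes."""
    problems = []
    groups = {}  # (kind, index) -> number of '|'-separated entries
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("TEMPLATE", "ENDTEMPLATE")):
            continue
        # Check 2: a property line longer than 65535 characters is not parsed.
        if len(raw) > MAX_PROPERTY_LINE:
            problems.append(f"line {lineno}: property line exceeds {MAX_PROPERTY_LINE} characters")
        name, values = split_property(line)
        m = GROUP_RE.fullmatch(name)
        if m:
            groups[(m.group(1), m.group(2))] = len(values)
        elif name == "suppression_targets_to_ignore":
            # Check 3: the 4.0 -> 4.1 migrator leaves '.' unescaped (e.g. .rhosts);
            # the page says a '\' must be inserted by hand to keep those alerts.
            for v in values:
                if UNESCAPED_DOT.search(v):
                    problems.append(f"line {lineno}: unescaped '.' in {v!r}")
    # Check 1: every pathnames_N needs a programs_N with the same entry count.
    for (kind, idx), n_paths in sorted(groups.items()):
        if kind != "pathnames":
            continue
        n_progs = groups.get(("programs", idx))
        if n_progs is None:
            problems.append(f"pathnames_{idx} has no programs_{idx} group")
        elif n_progs != n_paths:
            problems.append(f"pathnames_{idx} has {n_paths} entries but programs_{idx} has {n_progs}")
    return problems


# Constructed sample reproducing Example 1-1 (not a real HP schedule file).
EXAMPLE_1_1 = """TEMPLATE world_writable
pathnames_1 | file1 & file 2 | file3 | file4
programs_1 | prog1 | prog2
ENDTEMPLATE
"""

if __name__ == "__main__":
    for problem in lint_schedule(EXAMPLE_1_1):
        print(problem)
```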
SSH does not Perform a Clean Exit after idsagent is Started

After starting idsagent from an ssh login, logging out of the agent system results in the ssh session hanging indefinitely. As a workaround, log in by entering:

    ssh -l root /usr/dt/bin/dtterm

Then type the /sbin/init.d/idsagent start commands interactively.
in minutes (for example, the fail_interval property for the Repeated Failed su commands template).

Schedules that Contain Username Template Values Cannot be run by Release 3.x Agents

Starting with HIDS 4.0, user names and user IDs can be specified for user template properties, such as users_to_monitor and priv_user_list. HIDS v3.x supports only user ID values for these user template properties; therefore, schedules that contain user names instead of user IDs cannot be run by v3.x agents.
• domain names that are 32 characters or longer.
The limitation is addressed in this release.

The idsadmin command supports new command-line options for stopping Surveillance Schedules, getting agent status, halting agents, and specifying multiple agents to operate on.

The following additional modification is made in this release of HIDS:
• If a home directory for user ids exists in the default base directory for the system (for example, /home) when HIDS Release 4.
2 Installation

This chapter provides information about HIDS installation.

IMPORTANT: Read this entire chapter before installing or upgrading to HIDS v4.1.

Introduction

Release 4.1 of HIDS is available from the following sources:
• As a depot directory on an Application Release CD for HP-UX 11i v1 and on OEUR for HP-UX 11i v2 (from March 2006 onwards).
• As a depot file that you can download from the HP Software Depot website for HP-UX 11i, beginning from January 2006.
Table 2-2 Software to Install (continued)

Software                         Evaluation or Dual System   Agent System   Administration System
HP-UX required kernel patches    YES                         YES            NO
J2SE 5.0                         YES                         NO             YES
Java 5.0 patches                 YES                         NO             YES
IDS-KRN                          YES                         YES            NO
OpenSSL                          YES                         YES            YES

Installation Summary

The following sections describe how to update or cold-install HIDS v4.1. This section provides a summary of the tasks.
Administration and Agent Systems

Each administration and agent system must meet the following requirements:
• The administration and agent system must be running either HP-UX 11i v1 or HP-UX 11i v2. To check the version of the operating system, enter the following command:

    # uname -r

  It displays B.11.11 or B.11.23, respectively.
• You must be a superuser to do the installation.
Migrating Schedules from Older Versions of HIDS

Starting with HIDS v4.1, the GUI System Manager stores schedules in text format instead of Java serialized objects. Pre-v4.1 schedules stored as Java serialized objects must be converted to text format so that the v4.1 GUI and CLUI can manage and activate them.

Migrating Schedules from HIDS v3.x to HIDS v4.1

You can use one of the following methods to migrate schedules from HIDS v3.x to HIDS v4.1:
• Migrate schedules to HIDS v4.
NOTE: You can skip this step if there are no occurrences of priv_uid_list in any of the schedules.

TIP: After this step and before migrating to HIDS v4.1 in the next step, it is recommended as a precautionary measure that the schedules in /var/opt/ids/gui/logs/.txt are copied to another system in case they need to be recovered for any reason.

5. Upgrade the administration system to HIDS v4.1.
6. Log in as user ids.
IMPORTANT: For systems that do not currently have any version of HP-UX HIDS installed, HP recommends that you make a full backup of all administration and agent systems before you install HP-UX HIDS. Installation on agent systems requires a kernel rebuild (automatic) and reboot.

Making Depots

HP recommends that administrators gather the various pieces of software into depots that can be used with the swinstall command. These instructions tell you how to prepare three combination depots.
1. Log in as superuser (root) on a system where you can build a software depot. The current or intended HP-UX HIDS administration system is a good choice.
2. If the base directory does not exist, create the base directory for the depots, as follows:

    # mkdir /var/depot

Getting Patches for HP-UX 11i v1 and 11i v2

Perform this procedure only on agent systems running either HP-UX 11i v1 (PA-RISC) or 11i v2 (PA-RISC/Itanium-based).
    # sh -c 'for i in /var/tmp/idspatch_11i/PH*; do sh $i; done'

7. Copy the patches to your agent and administration depots as appropriate:
   a. • 11i Agent Depot
      If any of your agent systems is running either HP-UX 11i v1 or HP-UX 11i v2, copy the 11i IDS-KRN product and IDS agent subproducts into the ids_11i_agent depot:

    # sh -c 'for i in /var/tmp/idspatch_11i/PH*.
Get the HP-UX HIDS Product

HP-UX HIDS Release 4.1 for HP-UX 11i v1 and HP-UX 11i v2 is available from the HP Software Depot (http://software.hp.com).

From the HP-UX 11i v2 System Release

Refer to the HP-UX 11i Version 2 Installation and Update Guide for information on installing HIDS with a system installation or upgrade. If the system is already installed, you can use the method described in “From an Application Release CD” (page 38) to complete the installation.

From the HP Software Depot
4. Copy the HP-UX HIDS product to your administration and agent depots, as appropriate.
   a. • 11i Agent Depot
      Copy the 11i IDS-KRN product and IDS agent subproducts into the ids_11i_agent depot:

    # swcopy -x enforce_dependencies=false -s /var/tmp/idsprod/HPUX-HIDS_11i.depot IDS-KRN IDS.IDS-AGT-RUN IDS.IDS-ENG-A-MAN @ /var/depot/ids_11i_agent

   b.
2. Do the following:
   Locate the HP-UX 11i Application Release CD that contains the HP-UX HIDS product bundle and load it into your CD reader. In this procedure it is mounted on /SD_CDROM.
   a. • 11i Agent Depot
      Copy the 11i IDS-KRN product and IDS agent subproducts into the ids_11i_agent depot:

    # swcopy -x enforce_dependencies=false -s /SD_CDROM HPUX-HIDS.IDS-KRN HPUX-HIDS.IDS.IDS-AGT-RUN HPUX-HIDS.IDS.IDS-ENG-A-MAN @ /var/depot/ids_11i_agent

   b.
Get Patches for Java

1. Log in as superuser (root) on the depot system. See “Creating the Depot Directory” (page 34).
2. Create a directory in which you can save the patches and make a depot. This procedure uses /var/tmp/javapatch.
3. Open the HP Java Website: http://www.hp.com/go/java.
4. Click on the patches link.
5. Take note of the patches that you need, based on your administration system.
6. Open the HP Support Website: http://itrc.hp.com.
7. Click on individual patches.
2. Open the HP Java Website: http://www.hp.com/go/java.
3. Select the J2SE JDK, JRE, and runtime plug-in for 5.0.xx link for the appropriate platform (Itanium or PA-RISC).
4. Click on downloads.
5. Download JDK or JRE. JRE is sufficient and is a smaller depot.
6. Using the instructions on the Website, download the software, for example, to /var/tmp/jre15_15001_1111.depot for 11i v1.
7. Transfer the software to the administration depot using one of the following steps:
   a.
4. Transfer the software to the depot using one of the following steps:
   a. • 11i Agent Depot
      Copy the OpenSSL software into the ids_11i_agent depot:

    # swcopy -x enforce_dependencies=false -s /var/tmp/openssl.depot * @ /var/depot/ids_11i_agent

      • 11i Admin Depot
      If your administration system is not running an agent, copy the OpenSSL software into the ids_11i_admin depot:

    # swcopy -x enforce_dependencies=false -s /var/tmp/openssl.depot * @ /var/depot/ids_11i_admin

   b.
3. On your administration system, install one of the admin software depots described in “Making Depots” (page 34), as follows:
   a. • 11i Admin Depot
      Install the ids_11i_admin depot (a reboot may occur):

    # swinstall -x autoreboot=true -s depotsys:/var/depot/ids_11i_admin *

   b.
Will Installing HP-UX HIDS Release 4.1 Reboot My Agent System?

The installation scripts for HP-UX HIDS try to avoid unnecessary system reboots. However, in some circumstances, a system reboot might be required. Those circumstances are (in order of priority):
1. If you choose the Reinstall Filesets option in the graphical interface to swinstall, all HIDS filesets will be installed, and a system reboot will occur.
of Host Intrusion Detection System Administrator’s Guide, Software Release 4.1. The following is an annotated list of some of the sections in chapter 2 of that guide.

Required

Before you can run HP-UX HIDS, you must complete the configuration step described in the section “Setting Up the HP-UX HIDS Secure Communications” in the Host Intrusion Detection System Administrator’s Guide.
A HP Software License

Attention

USE OF THE HP-UX HOST INTRUSION DETECTION SYSTEM AND ASSOCIATED DOCUMENTATION (COLLECTIVELY, THE "SOFTWARE") IS SUBJECT TO THE HP SOFTWARE LICENSE TERMS SET FORTH BELOW. USING THE SOFTWARE INDICATES YOUR ACCEPTANCE OF THESE LICENSE TERMS. IF YOU DO NOT ACCEPT THESE LICENSE TERMS, YOU MAY RETURN THE SOFTWARE FOR A FULL REFUND. IF THE SOFTWARE IS BUNDLED WITH ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE UNUSED PRODUCT FOR A FULL REFUND.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.

5.
as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]

HP Software License Terms

The following License Terms govern your use of the accompanying Software.

License Grant. HP grants you a license to Use one copy of the Software. "Use" means storing, loading, installing, executing or displaying the Software. You may not modify the Software or disable any licensing or control features of the Software.
(Oct 1988), DFARS 252.211-7015 (May 1991) or DFARS 252.227-7014 (Jun 1995), as a "commercial item" as defined in FAR 2.101(a), or as "Restricted computer software" as defined in FAR 52.227-19 (Jun 1987) (or any equivalent agency regulation or contract clause), whichever is applicable. You have only those rights provided for such Software and any accompanying documentation by the applicable FAR or DFARS clause or the HP standard software agreement for the product involved.

Disclaimer.