HP-UX Host Intrusion Detection System Version 4.
Legal Notices Copyright 2007 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Table of Contents
About This Document ........ 17
Intended Audience ........ 17
New and Changed Information in This Edition ........ 17
Publishing History ........
Changing the IP Address of an Administration System ........ 45
Configuring a Loopback System ........ 46
Configuring Ports ........ 47
Working with NIS ........ 47
Working with Firewalls ........
Closing the Schedule Manager Screen ........ 72
Configuring Surveillance Schedules ........ 73
Creating a New Surveillance Schedule ........ 73
Copying a Surveillance Schedule ........ 74
Modifying a Surveillance Schedule ........
Adding New Hosts from /etc/hosts ........ 103
Adding New Hosts from a File ........ 104
Rules for Host Lists Files ........ 105
Modifying a Host ........ 105
Deleting a Host ........
A Templates and Alerts ........ 135
Alert Summary ........ 135
UNIX Regular Expressions ........ 138
Limitations ........
Security Checks ........ 193
Programming Notes ........ 193
Programming Guidelines ........ 201
Perl Versus Shell Response Scripts ........
Generating Alert Reports Using the idsadmin Command ........ 227
The idsadmin Command Reporting Options ........ 228
Using the idsadmin Command to Generate Reports ........ 231
Benefits of Generating Reports in raw Format ........ 236
D The Agent Configuration File ........
Alerts are not being displayed in the alert browser ........ 272
Buffer overflow triggers false positives ........ 273
Duplicate alerts appear in System Manager ........ 273
Getting several aggregated alerts for the same process ........ 273
GUI runs out of memory after receiving around 19,000 alerts ........
List of Figures
1-1 HP-UX HIDS Components ........ 29
5-1 Schedule Manager Screen ........ 72
5-2 New Surveillance Schedule Dialog ........
C-4 Screenshot of the Generated Report in .raw Format ........
List of Tables
1 HP-UX 11i Releases ........ 20
2-1 IDS Scripts Used to Set Up Secure Communications ........ 34
2-2 Runtime File Permissions ........
B-5 Additional Arguments Passed to Response Programs for su Alerts ........ 199
B-6 Additional Arguments Passed to Response Programs While Generating Aggregated Alerts ........ 199
B-7 Environment Variables Set for Response Programs ........ 201
C-1 The tune Command Options ........
List of Examples
B-1 Response Program ........ 208
B-2 Sending Alerts Through Email ........ 209
B-3 Storing Alerts in Log Files ........ 210
B-4 Disabling a User Account ........
About This Document This document describes how to configure and administer the HP-UX HIDS software on HP-UX servers and workstations running HP-UX 11i v1, HP-UX 11i v2, or HP-UX 11i v3. The document printing date and part number indicate the document’s current edition. The printing date will change when a new edition is printed. Minor changes may be made at reprint without changing the printing date. The document part number will change when extensive changes are made.
Document Organization The HP-UX HIDS System Administrator's Guide is organized as follows: Chapter 1 Introduction: Introduces HP-UX HIDS and provides information about its role in enhancing host-level security within a network. Chapter 2 Configuring HP-UX HIDS: Describes how to configure HP-UX HIDS System Manager and Agent software.
Appendix G Troubleshooting: Describes how to troubleshoot problems on the agent and administrative systems. Appendix H HP Software License: Lists the terms and conditions for using HIDS and OpenSSL. Typographic Conventions This document uses the following typographical conventions: audit(5) An HP-UX manpage. In this example, audit is the name and 5 is the section in the HP-UX Reference. On the web and on the Instant Information CD, it may be a link to the manpage itself.
Table 1 HP-UX 11i Releases

Release Identifier   Release Name    Supported Processor Architecture
B.11.11              HP-UX 11i v1    PA-RISC
B.11.23              HP-UX 11i v2    PA-RISC and Intel® Itanium®
B.11.31              HP-UX 11i v3    PA-RISC and Intel® Itanium®

Related Information Additional information about HIDS can be found within http://www.docs.hp.com in the Internet and Security Solutions collection. The OpenView Operations Smart Plug-In for HP-UX Host IDS Administrators and Users Guide is located at: http://openview.hp.
1 Introduction This chapter introduces the HP-UX Host Intrusion Detection System (HP-UX HIDS) software, an HP-UX product that enhances the local host-level security within your network.
cost to a company can be very high —lost sales or miscommunication with customers, for example. • Loss of privacy Privacy is a serious security concern in the medical, insurance, and banking fields. If a computer system is broken into by an external attacker, sensitive data may be obtained that can leave a company liable to legal action because of a lack of due diligence to protect sensitive data.
Strong Security with a Weak Link The vulnerability of a system, such as when you download executables from the web, depends on its weakest link. For example, a router vendor shipped boxes with a default password that was easy to guess, and most administrators forgot to change it. Despite the many hours invested in correctly configuring the routers for secure operation, their security could be defeated in seconds by an attacker who knew the default password.
Firewalls A firewall is a system that is placed between two networks to control what traffic can pass between those networks. A firewall is usually placed between the Internet and your company intranet. It can be viewed as a useful point of policy enforcement through which you can decide what network traffic is and is not permitted to pass in and out of your organization.
Security Auditing Tools A security auditing tool probes systems and networks for potential vulnerabilities that attackers can exploit, generates a report identifying the holes, and recommends fixes. Whenever the system administrator finds holes, he or she must patch them quickly, before they are exploited. Run regularly, a security auditing tool is a valuable aid in handling security threats and attacks.
The amount of information that flows through a typical corporate intranet and the level of activity on most corporate servers make it impossible for any one person to continually monitor them manually. Traditional network management and system monitoring tools do not address the issue of helping to ensure that systems are not misused and abused. Nor can they help detect theft of a company’s critical data from important servers.
being monitored. HP provides a customized program for OpenView Operations (OVO) integration; you can also create your own.
HP-UX HIDS Limitations HP-UX HIDS cannot solve all security-related problems. Following are the limitations of HP-UX HIDS:
• HP-UX HIDS is not a replacement for comprehensive security policies and procedures. You must define and implement security policies and procedures, and configure HP-UX HIDS to enforce them.
• Secure network communications link: HP-UX HIDS uses an encrypted network link as a means of stopping an attacker from observing the traffic between its components, and possibly sending false data to disrupt its operations.
• Response capability: Alerts are sent to the System Manager. In addition, alerts can be processed by response programs that you create or install.
For more definitions, see “Glossary of HP-UX HIDS Terms” (page 30). Figure 1-1 shows a graphic representation of these components.
Figure 1-1 HP-UX HIDS Components
HP-UX HIDS monitors system activity by analyzing data from the following file sources:
• Kernel audit data
• System log files
HP-UX HIDS analyzes this information against its configured attack scenarios and identifies possible intrusions and misuse immediately following any suspected activity. When it detects suspected activity, it simultaneously sends an alert and detailed information about the potential attack to the HP-UX HIDS System Manager.
Surveillance Groups A surveillance group typically consists of related detection templates; for example, those related to file system intrusions or web server attacks. Each surveillance group provides protection against one or more types of intrusion. Surveillance Schedules A surveillance group is scheduled to run regularly on one or more of the host systems it is protecting, on one or more days of the week, and at one or more times.
done over a period of time, aggregated alerts by definition are issued after a delay, unlike real time alerts that are issued as soon as they are generated. Alert An alert is also referred to as a notification. A message sent by HP-UX HIDS warning of a suspected or actual intrusion, and usually calling for some sort of action in response. Typically, the alert is sent to a display window on the management component and logged as an entry to a log file.
Kernel The core of the operating system. It is the compiled code responsible for managing the system’s resources, such as memory, file system, and input and output. Managed host A host that is actively managed by the HIDS Administrative GUI or CLUI. OpenView Operations (OVO) A distributed client and server software solution designed to detect, solve, and prevent problems occurring in networks, systems, and applications in any enterprise.
2 Configuring HP-UX HIDS This chapter describes how to configure HP-UX HIDS System Manager and the Agent software. For information on installing HIDS, see HP-UX HIDS Release 4.1 Release Notes.
• “Enabling More than 23 Agents (Thread Limits)” (page 48) If you have many agent systems, you may need to increase the thread limit on the administration system. • “Enabling More than 20 Inbound Requests” (page 49) Setting Up HP-UX HIDS Secure Communications HP-UX HIDS provides a secure communication environment between the System Manager and the agent processes through the Secure Sockets Layer (SSL) protocol.
1. Create the X.509 Certificates To create a certificate for the HP-UX HIDS System Manager process, first generate the ids user locally on the HP-UX HIDS administration system. Only then can the certificates for each of the agent nodes be signed by the HP-UX HIDS administration system. The administration system holds the Root Certification Authority (Root CA) that endorses all other certificates. a. On the administration system, log in as follows: $ su - ids b.
Root CA and for * the HP-UX Host IDS System Manager. * Certificate public keys are valid for 700 days and are * 1024 bits in size.
* 'IDS_genAgentCerts'.
d. Generate the keys for each agent, one bundle of keys per agent system, as follows: $ IDS_genAgentCerts In this process, each host name or IP address you enter is checked for validity, using the nslookup command. For more information, see nslookup(1). If you enter a host name and nslookup returns a single IP address, the host name and IP address are saved in a temporary file and the key bundle is created.
is /var/opt/ids/tmp/myhost2.tar.Z Next hostname (^D to quit)? myhost3 Host name "myhost3" unknown. DNS lookup failed. Do you still wish to create a certificate [N]/Y? n Re-enter a host name (^D to quit): 15.27.43.6 Generating key pair and certificate request for IDS Agent on 15.27.43.6.... Signing certificate for IDS Agent on 15.27.43.6... Certificate package for IDS Agent on 15.27.43.6 is /var/opt/ids/tmp/15.27.43.6.tar.
NOTE: The IDS_genAdminKeys and IDS_genAgentCerts commands include options to provide alternate key lengths and alternate expiration dates for the administration and agent certificates. For more information, see IDS_genAdminKeys(1M) and IDS_genAgentCerts(1M). The default key length is 1024 bits. The default expiration is 700 days. TIP: You can automate agent certificate creation by creating a file of host names and IP addresses, one host name or IP address per line.
3. Installing the keys on each host Install the bundle of keys generated for each agent system on that system. Store the agent certificate bundle in the /var/opt/ids/tmp directory. a. Log in as follows: $ su - ids b. Change directory to /opt/ids/bin, as follows: $ cd /opt/ids/bin c. Store the key bundle in a directory, such as /var/opt/ids/tmp. d. Import the following key bundle: $ IDS_importAgentKeys /var/opt/ids/tmp/agentsys.tar.
Configuring a Multihomed Agent System A multihomed system is a system that has multiple connections to a network. Typically, a multihomed system has more than one network interface card, each with a unique address. While the system can have only one host name, the name resolution software usually returns the IP address of one of the interfaces on the system. In such configurations, the HP-UX HIDS agent must know which interface to listen on for commands from the HP-UX HIDS administration system.
6. Remove the comment symbol (#) from the start of the line, and place the interface address selected in step 2 after the parameter name. For example, change: # IDS_LISTEN_IFACE to IDS_LISTEN_IFACE 1.2.3.4 7. Save the modified file. 8. If the agent is running, force the agent to reread the configuration file by sending it a HUP signal. For more information, see “Forcing Active Agent to Reread Configuration File” (page 239).
Force the HP-UX HIDS agent to reread the configuration file by sending it a HUP signal. For more information, see “Forcing Active Agent to Reread Configuration File” (page 239). Configuring a Multihomed Administration System If the HP-UX HIDS administration system software is installed on a multihomed system, the HP-UX HIDS administration system must know which interface to use to communicate with its agent systems.
6. Add your interface address selected in Step 2 after the equals sign. For example, change: INTERFACE= to INTERFACE=1.2.3.4 7. Save the file with your modifications. 8. If the System Manager is running, stop and restart it. 9. On each agent host, log in as ids, as follows: $ su - ids 10. Edit the agent configuration file, as follows: $ vi /etc/opt/ids/ids.cf 11. Locate the REMOTEHOST parameter in the [RemoteSA] section. For more information, see ids.cf(5). 12.
TIP: If your administration system is not multihomed, and if you do not plan to make it multihomed, use a hostname for the REMOTEHOST entry. You need not modify the ids.cf file even if the IP address changes in future, as long as the hostname of the administration system does not change. • Make this change in all the ids.cf files located on all the agent systems. If the ids.cf files are identical, you can choose to push a master copy of the file to all the agents.
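The two hand edits described above (uncommenting IDS_LISTEN_IFACE in the agent ids.cf, and filling in INTERFACE= on the administration system) as a pair of idempotent shell functions. This is an added example, not code shipped with HP-UX HIDS; it assumes one parameter per line as the manual shows, takes the file paths as arguments (the name of the administration-side file that holds INTERFACE= is not given on this page), and leaves the HUP signal and System Manager restart to the procedure above.

```shell
#!/bin/sh
# Added example, not part of the HP-UX HIDS manual or product.
#   agent side:  "# IDS_LISTEN_IFACE"  ->  "IDS_LISTEN_IFACE 1.2.3.4"
#   admin side:  "INTERFACE="          ->  "INTERFACE=1.2.3.4"
# Run as user ids. Files are rewritten in place (cat over the original, not
# mv), so the delivered owner and mode on the configuration file are kept.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255,
# so a typo is rejected before it reaches a file the agent reads at startup.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$_old_ifs
  [ $# -eq 4 ] || return 1
  for _octet in "$@"; do
    [ "$_octet" -le 255 ] || return 1
  done
  return 0
}

# _rewrite FILE SED_SCRIPT: apply the substitution to FILE via a temp copy.
_rewrite() {
  _tmp="${1}.new.$$"
  sed "$2" "$1" > "$_tmp" || { rm -f "$_tmp"; return 1; }
  cat "$_tmp" > "$1" && rm -f "$_tmp"
}

# set_listen_iface IDS_CF ADDR: agent-side step 6. Handles both the delivered
# commented-out line and an earlier setting; succeeds only if exactly one
# active "IDS_LISTEN_IFACE ADDR" line is present afterwards.
set_listen_iface() {
  is_ipv4 "$2" || { echo "set_listen_iface: bad IPv4 address '$2'" >&2; return 1; }
  grep -q '^#*[[:space:]]*IDS_LISTEN_IFACE' "$1" \
    || { echo "set_listen_iface: no IDS_LISTEN_IFACE line in $1" >&2; return 1; }
  _rewrite "$1" "s|^#*[[:space:]]*IDS_LISTEN_IFACE\$|IDS_LISTEN_IFACE $2|;s|^#*[[:space:]]*IDS_LISTEN_IFACE[[:space:]].*|IDS_LISTEN_IFACE $2|" \
    || return 1
  [ "$(grep -c "^IDS_LISTEN_IFACE $2\$" "$1")" -eq 1 ]
}

# get_listen_iface IDS_CF: print the active value, or nothing while the
# parameter is still commented out (the delivered state).
get_listen_iface() {
  sed -n 's|^IDS_LISTEN_IFACE[[:space:]]\{1,\}\([^[:space:]]*\).*|\1|p' "$1"
}

# set_admin_interface FILE ADDR: administration-side step 6 (INTERFACE=ADDR).
set_admin_interface() {
  is_ipv4 "$2" || { echo "set_admin_interface: bad IPv4 address '$2'" >&2; return 1; }
  grep -q '^INTERFACE=' "$1" \
    || { echo "set_admin_interface: no INTERFACE= line in $1" >&2; return 1; }
  _rewrite "$1" "s|^INTERFACE=.*|INTERFACE=$2|" || return 1
  [ "$(grep -c "^INTERFACE=$2\$" "$1")" -eq 1 ]
}

# Stand-alone demo on a constructed copy of the delivered line, never on the
# live /etc/opt/ids/ids.cf.
demo_dir=$(mktemp -d) && {
  printf '%s\n' '# constructed sample, not the real ids.cf' '# IDS_LISTEN_IFACE' > "$demo_dir/ids.cf"
  set_listen_iface "$demo_dir/ids.cf" 1.2.3.4 && cat "$demo_dir/ids.cf"
  rm -rf "$demo_dir"
}
```

Source the file and call set_listen_iface /etc/opt/ids/ids.cf ADDR on an agent, or set_admin_interface FILE ADDR on the administration system; a non-zero return means the file was left without the requested setting and should be inspected by hand.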
Configuring Ports When HP-UX HIDS is first installed on the administration and agent systems, the ports HP-UX HIDS uses are configured into the /etc/services file on each system as follows:
hpidsadmin 2984/tcp #HP-UX Host IDS admin
hpidsagent 2985/tcp #HP-UX Host IDS agent
NOTE: Comments vary from configuration to configuration. These are HP standard port numbers, registered with the Internet Assigned Numbers Authority (IANA).
Enabling More than 23 Agents (Thread Limits) You must ensure that the administration system provides enough threads per process to handle the maximum number of agent systems you will monitor at one time. The thread value is specified by the tunable kernel parameter max_thread_proc. You can compute its minimum value using the following formula: max_thread_proc = 2 * num_agents + 18 Where: num_agents is the number of agent systems to be monitored.
3. Select the Modify Tunable option located on the right hand side of your screen. 4. Enter your new value in the New Setting [Expression/Value] box. 5. Choose Modify. Your new value shows in the Pending column. 6. Select OK to save the configuration. 7. If you changed the value, select the View Pending Changes and reboot option located in the right hand side of the screen. Follow the steps provided by SMH.
3. To apply the new value immediately, enter the following command: # ndd -c /etc/rc.config.d/nddconf To verify that the new value is active, use the ndd -get command as described in Step 1. Restricting Permissions HP-UX HIDS files and programs are delivered with the strictest usable permissions. Only user ids is allowed any access, and the superuser (root) is not permitted to execute the programs. In addition, most files must be owned by user ids or HP-UX HIDS cannot run.
3 Getting Started with HP-UX HIDS This chapter provides an overview of the operation of HP-UX HIDS and the procedures used to get the System Manager and agents up and running on the administrative and monitored systems. This chapter addresses the following topics: • “HIDS Quick Start Guide.
4. Define the agent hosts that you want to monitor using the Host Manager screen. These are the hosts that you specified in step 1. For detailed instructions, see “Managing Hosts” (page 99) 5. Check the status of the agents using the System Manager screen. The host names must be listed in the Monitored Hosts list and they must be listed as Available in the Status column. 6. Select a host in the Monitored Hosts list. 7.
Procedure 3-2 To Set up hosts and run schedules, follow these steps: 1. Install the agent software on the agent hosts and the System Manager software on the administration host. For more information, see the HP-UX HIDS Release 4.1 Release Notes. 2. Create SSL certificates for the administration and agent hosts and propagate them to the host systems. For more information, see “Setting Up HP-UX HIDS Secure Communications” (page 34). 3.
8. Check the status of the agents. The host names are listed in the Monitored Hosts list. If they are not listed as Available, select them all and press the Status button. The monitored hosts will be listed as Available in the Status column. For more information, see “Getting the Status of Agent Hosts” (page 62). 9. Activate the schedules on the agent hosts. This can be the same schedule on all hosts, a different schedule on each host, or any combination thereof. a.
• Network Node The Network Node screen displays the alerts and error messages that have been generated by an agent. Each agent is displayed on a separate screen. For more information, see Chapter 7: “Using the Network Node Screen” (page 113). • Preferences The Preferences screen enables you to specify operational parameters for the columns that will be presented on the System Manager screen, the Host Manager, the Alerts tab, and the Host Manager Errors tab.
from the Sort menu; this alternative enables you to sort by columns that are not displayed.
4 Using the System Manager Screen This chapter describes the tasks you can perform using the HP-UX HIDS System Manager screen.
Starting the HP-UX HIDS System Manager The HP-UX HIDS System Manager program, idsgui, must run as user ids. Start it from the shell. To start the HP-UX HIDS System Manager, follow these steps: 1. Log in to the administration system as root. 2. Switch to ids. # su ids 3. Start the HP-UX HIDS System Manager: $/opt/ids/bin/idsgui The System Manager screen is displayed. The screen appears in about 16-20 seconds. NOTE: You can run only one instance of System Manager at a time on the administration system.
Schedules: Lists the names of the available surveillance schedules that can be downloaded to agent hosts. To select a schedule, left-click on the schedule. To view or edit the schedule double-left-click the schedule. Monitored Nodes: Lists the current monitored agent hosts. The columns displayed can be changed; for more information see Chapter 8: “Using the Preferences Screen” (page 127).
Table 4-2 Status Field Values (continued)

Status Value         Description
Error                The agent detected an error; check the error log.
No Agent Available   No agent was detected.
Polling              The System Manager is communicating with the host.
Resyncing            The System Manager and agent are resynchronizing.
Running              The schedule is running on the agent.
Scheduled            The schedule is waiting for its next active time block on the agent.
Status Unknown       The System Manager does not know the status of the agent host.
• On each agent host, perform one of the following steps: • Log in to the agent system as root and enter the following command: #/sbin/init.d/idsagent start This starts /opt/ids/bin/idsagent under user ids and activates any schedule that was retained when the agent halted. • Log in to the agent system as root, switch to user ids, and enter the command: $/opt/ids/bin/idsagent -a This starts /opt/ids/bin/idsagent under user ids and activates any schedule that was retained when the agent halted.
To get the status of agent hosts, follow these steps: 1. On the System Manager screen, in the Monitored Hosts list, select the hosts whose status you want to update. 2. Select one of the following options: • Click the Status button. • Choose the Actions > Status Poll menu item. • Press Shift+F7. • Right-click in the Monitored Hosts area and select Status Poll from the menu. The System Manager begins polling the selected hosts and returns an updated value in the Status field.
TIP: To avoid reloading deleted alerts, retain only the most recent alert message. The error log files are not resynchronized. If the Automatic Startup Status Poll field is disabled, you must poll the status of the agent hosts before you can resynchronize them. See “Getting the Status of Agent Hosts” (page 62). If Automatic Startup Alert Resynchronization is disabled, use the following procedure to synchronize the alerts. 1. 2.
5. If the activation is successful, the Status column indicates Scheduled or Running, and the name of the downloaded surveillance schedule is displayed in the Schedule column of the selected hosts; otherwise, Error or No Agent Available is displayed in the Status column. 6. If Error is shown for a host, view the error messages on the Network Node Error tab for the host. For more information see “Network Node Screen” (page 67) and “Errors Tab” (page 116), then check the status.
To restart an agent, see “Starting HP-UX HIDS Agents” (page 61). To halt agents remotely from the System Manager, follow these steps: 1. On the System Manager screen, in the Monitored Hosts list, select the hosts you want to halt. 2. Perform one of the following tasks to halt the agent host: • Choose the Actions > Halt IDS Agent menu item. • Press Shift+F10. The schedules, if any, are stopped on and removed from the selected host. The agent is halted on the selected hosts.
Schedule Manager Screen The Schedule Manager screen enables you to create and modify surveillance schedules. To go to the Schedule Manager screen, follow these steps: 1. On the System Manager screen (optionally) select a schedule in the Schedules panel. 2. Perform one of the following tasks: • Choose the Edit > Schedule Manager menu item. • Press Ctrl+S. • Double-click in the Schedules panel. The Schedule Manager screen appears. For more information, see “Using the Schedule Manager Screen” (page 69).
Preferences Screen The Preferences screen enables you to choose System Manager startup options and the columns that are displayed on the System Manager and Network Node screens. To view the Preferences screen, follow these steps: • On the System Manager screen, perform one of the following steps: • Choose the Edit > Preferences menu item. • Press Ctrl+S. The Preferences screen appears. For more information, see Chapter 8: “Using the Preferences Screen” (page 127).
5 Using the Schedule Manager Screen This chapter describes how to configure HP-UX HIDS surveillance schedules, surveillance groups, and detection templates.
Schedules and groups are saved automatically when you first create them and every time you exit from the System Manager screen. For information about the format and structure of surveillance schedules and groups, see Appendix E (page 247). The Schedule Manager screen comprises four major parts:
• The Configure tab, where you define surveillance schedules, groups, and template properties.
Creating a Surveillance Schedule This section describes how to create a surveillance schedule. To create a surveillance schedule, follow these steps: 1. Create a surveillance schedule name. The schedule will contain one or more surveillance groups. For more information, see “Configuring Surveillance Schedules” (page 73).
Opening the Schedule Manager Screen This section describes how to open the Schedule Manager screen. To open the Schedule Manager screen, follow the step given below: • On the System Manager screen, perform one of the following steps: • Choose the Edit > Schedule Manager menu option. • Press Ctrl+S. • Double-click anywhere in the Schedules panel or on a schedule name. The Schedule Manager screen (Figure 5-1) is displayed with the Configure tab active.
• On the Schedule Manager screen, perform one of the following steps: • Choose the File > Close menu option • Press Ctrl+C. If you have modified but not saved the current schedules, the changes are retained in memory but not saved to disk. They are automatically saved when the System Manager exits. Configuring Surveillance Schedules A surveillance schedule consists of one or more surveillance groups that you want to run on a host system during particular hours on particular days of the week.
3. To set up the new schedule, follow the procedures in “Modifying a Surveillance Schedule” (page 74). Copying a Surveillance Schedule If an existing surveillance schedule is similar to what you want to create, you can copy the old one and change the copy. To copy a surveillance schedule, follow the steps: 1. Go to the Schedule Manager screen. 2. Select the schedule you want to copy in the Schedules panel. 3. Create a name for the new surveillance schedule. a. Press the Copy button on the Schedules panel.
6. Specify the times and days that you want each group in the surveillance schedule to run. For more information, see “Setting Surveillance Schedule Timetables” (page 85). 7. Select the Alert Aggregation tab. 8. Configure alert aggregation by following the steps described under “Configuring Alert Aggregation” (page 88). When your surveillance schedule is complete, it is a good idea to save it to the disk. For more information, see “Saving a Surveillance Schedule” (page 76).
NOTE: You cannot delete any predefined schedule distributed with HP-UX HIDS. For more information, see “Predefined Surveillance Schedules and Groups” (page 96). To delete a surveillance schedule, follow the steps: 1. On the Schedule Manager screen select a schedule in the Schedules panel. 2. Click the Delete button in the Schedules panel. This displays the Confirm Deletion dialog box. Click Yes to delete the schedule, and No to retain the schedule.
NOTE: The /etc/opt/ids/schedules/sample/groups directory contains read-only copies of the predefined surveillance groups. Users who want to revert to the original predefined surveillance groups can manually copy them from /etc/opt/ids/schedules/sample/groups into /etc/opt/schedules/groups. Creating a New Surveillance Group To create a new surveillance group, follow the steps: 1. On the Schedule Manager screen select the Configure tab. 2.
2. Select the group you want to copy in the Surveillance Groups panel. 3. Create a name for the new surveillance group. a. Click the Copy button on the Surveillance Groups panel. This opens the Copy Surveillance Group dialog box (Figure 5-6). Figure 5-6 Copy Surveillance Group Dialog b. Enter a name in the input field. Valid characters are alphanumeric and underscore; the first character must be alphanumeric. Schedule group names are case-sensitive. c.
To rename a surveillance group, follow the steps: 1. On the Schedule Manager screen select the Configure tab. 2. Select the group in the Surveillance Groups panel. 3. Click the Rename button in the Surveillance Groups panel to open the Rename Surveillance Group dialog box (Figure 5-7). Figure 5-7 Rename Surveillance Group Dialog 4. Edit the name in the input field. Valid characters are alphanumeric and underscore. The first character must be alphanumeric. Group names are case-sensitive. 5.
Saving a Surveillance Group
The newly created surveillance group is automatically saved when you save any schedule (see “Saving a Surveillance Schedule” (page 76)) and every time you exit from the System Manager screen.

Configuring Detection Templates
Detection templates are the building blocks of surveillance groups. They contain configurable properties that modify template behavior at run time.
4. If the value is a single item (no brackets, for example, 20), the Edit dialog box is displayed (Figure 5-8).
   Figure 5-8 Edit Dialog - Edit
   Perform these substeps to add, modify, or delete a value:
   a. Edit the value in the text box. In general, the value cannot be null.
   b. Click OK to accept your change, or Cancel to leave the value unchanged.
5. If the value is a list (zero or more values in brackets, for example, [0, 1, 5, 11]), the Edit List dialog box is displayed (Figure 5-9).
   Figure 5-9 Edit List Dialog
   Perform one of the following substeps to add, modify, or delete a value.
   a. To add a new value:
      1. Click the Add button. An Edit dialog box is displayed (Figure 5-10).
         Figure 5-10 Edit Dialog - Add
      2. Enter a value in the text box. In general, the value cannot be null.
         Figure 5-11 Edit Dialog - Edit
      3. Edit the value in the text box. In general, the value cannot be null.
      4. Click OK to accept the new value, or Cancel to leave the value unchanged.
   c. To delete a current value:
      1. Highlight one of the values in the Edit List display. If you highlight more than one, the first one is processed.
      2. Click the Delete button. The value is deleted. Lists can be empty.
• Determine if the system is in a maintenance mode at any time. Create a surveillance schedule that is not active during the maintenance time period.
• During initial deployment of HIDS, customize a sample surveillance schedule and run it for at least one day. After a sizable number of alerts have been generated, run the tune command to determine how many alerts are generated during normal system usage.
• Start with a single template and then see how many alerts are generated.
• Determine if any of these are security events, and if not, modify the template properties to filter the spurious alerts.

You may find software that is behaving incorrectly, such as writing to /opt (considered a read-only file system), creating world-writable lock files (a security issue), or saving temporary data in /etc (which should hold only configuration data). Contact the software vendor about these programs.
Specifying When a Schedule Will Run
To specify when a schedule will run, follow these steps:
1. Select the Timetable tab of the Schedule Manager screen (Figure 5-12).
   Figure 5-12 Schedule Manager Screen - Timetable Tab
2. Highlight the schedule name in the Schedules panel. The groups that are part of the schedule are displayed in the Selected Groups panel of the Schedule tab.
3. In the Selected Groups panel, highlight one of the groups.
   • boxes in the Schedule Summary panel, and you are done setting the timetable for this group. This is the default.
   If you select the Specified field, the group runs on the chosen days and times. Continue with the next step.
6. In the Select Days panel, choose the days the group should run. Since it is a list, you can use left-click to pick a day, Shift+left-click to add all intervening days, and Ctrl+left-click to add or remove individual days.
Configuring Alert Aggregation
Alert aggregation can reduce the overall number of alerts for better manageability, while maintaining a detailed description of each potentially intrusive activity. Alert aggregation is a surveillance schedule feature that, when enabled, aggregates file-related alerts triggered by the same process or by multiple related processes.
human intervention. Killing an offending process or closing a client connection are examples of responses that can be automated. The response scripts in the IDS_RESPONSEDIR directory, in turn, are intended primarily for reporting alerts (by email to an administrator, or to the OVO console using the HIDS OVO/SPI) for human consumption.

Alert aggregation is enabled by default for all newly created and pre-canned surveillance schedules.
NOTE: When the Alert Aggregation option box is not selected, the Real Time Alerts option box is automatically selected to indicate that real-time alerts will be generated.

5. Enter the path name of a program under the Programs to Aggregate Alerts for table column to aggregate alerts triggered by a process running that program and by the process's descendant processes. The executable path name can be specified using regular expressions and extended regular expressions.
Guidelines for Configuring Alert Aggregation
• By specifying a regular expression in an aggregation tuple that exactly matches the program’s full and resolved path name, there is no ambiguity about which program is specified for aggregating alerts triggered by a process running the program and by any of its descendant processes.
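The aggregation rule and the anchoring guideline above, shown as an added example. This is not code from HP-UX HIDS: the process table, the alerts and the swinstall pattern are constructed, and walking the pid/ppid chain to the nearest ancestor whose program matches the tuple is an assumption about how "descendant processes" are related to the aggregating program. The last two assertions show why the guideline asks for an exactly matching, anchored expression: an unanchored one also matches a same-named program elsewhere.

```python
import re

# Constructed process table: pid -> (ppid, full resolved program path).
# On a real agent this comes from the kernel audit data, not from a literal.
PROCESS_TABLE = {
    100: (1, "/usr/sbin/swinstall"),
    101: (100, "/usr/bin/cp"),
    102: (101, "/usr/bin/chmod"),
    200: (1, "/usr/bin/vi"),
}

# Constructed file-related alerts: (pid, event, path).
SAMPLE_ALERTS = [
    (100, "file created", "/usr/lib/libdemo.sl"),
    (101, "file modified", "/usr/bin/demo"),
    (102, "file permission modified", "/usr/bin/demo"),
    (200, "file modified", "/etc/passwd"),
]


def program_matches(program, patterns):
    """True if the program's full resolved path matches any aggregation pattern."""
    return any(re.search(p, program) for p in patterns)


def aggregating_ancestor(pid, process_table, patterns):
    """Walk up the process tree and return the pid of the nearest process
    (the process itself or an ancestor) whose program matches an aggregation
    pattern, or None if no such process exists."""
    visited = set()
    while pid in process_table and pid not in visited:
        visited.add(pid)
        ppid, program = process_table[pid]
        if program_matches(program, patterns):
            return pid
        pid = ppid
    return None


def aggregate_alerts(alerts, process_table, patterns):
    """Fold alerts from matching processes and their descendants into one
    aggregate record per matching ancestor. Alerts that belong to no such
    process stay individual (real-time) alerts."""
    aggregates = {}
    real_time = []
    for pid, event, path in alerts:
        root = aggregating_ancestor(pid, process_table, patterns)
        if root is None:
            real_time.append((pid, event, path))
            continue
        record = aggregates.setdefault(
            root, {"program": process_table[root][1], "count": 0, "events": []})
        record["count"] += 1
        record["events"].append((pid, event, path))
    return aggregates, real_time


if __name__ == "__main__":
    agg, rt = aggregate_alerts(SAMPLE_ALERTS, PROCESS_TABLE, [r"^/usr/sbin/swinstall$"])
    for root, record in agg.items():
        print(f"aggregate: pid {root} {record['program']}: {record['count']} file alerts")
    for alert in rt:
        print("real-time alert:", alert)
```

With the sample data the three alerts from swinstall and its cp and chmod descendants collapse into one aggregate, while the vi alert is reported on its own.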
Configuring Duplicate Alert Suppression
Duplicate Alert Suppression is a feature that prevents duplicate alerts from being reported to the HIDS administrator console. This feature reduces the volume of alerts reported by HIDS and eases its administration. The reduced alert volume makes a true attack easier to notice and enhances the overall usability of the product.
# suppression 0

• Generate Suppression Report
Select the Generate Suppression Report checkbox if you want to receive an alert that contains a summary of all the suppressed duplicate alerts for any given alert. When this checkbox is selected, an alert summarizing all the duplicate alerts for any given alert is sent to the alert.log file, the GUI, and the response programs (located in the rt_response directory).
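The suppression and suppression-report behaviour described above, as an added example rather than code from HP-UX HIDS. The page does not say which fields make two alerts duplicates, so treating alerts with the same attack type, attacker and target as duplicates is an assumption, and the alert tuples are constructed.

```python
# Constructed alerts: (attack type, attacker, target, local time).
SAMPLE_ALERTS = [
    ("Modification of files/directories", "uid=105", "/etc/passwd", "09:00:01"),
    ("Modification of files/directories", "uid=105", "/etc/passwd", "09:00:02"),
    ("Modification of files/directories", "uid=105", "/etc/passwd", "09:00:03"),
    ("Repeated Failed Logins", "10.1.2.3", "login", "09:05:00"),
    ("Modification of files/directories", "uid=0", "/etc/passwd", "09:06:00"),
]


def duplicate_key(alert):
    """Assumed definition of a duplicate: same attack type, attacker and target."""
    attack, attacker, target, _time = alert
    return (attack, attacker, target)


def suppress_duplicates(alerts, generate_report=True):
    """Report the first alert for each key and suppress later duplicates.
    When generate_report is set, append one summary alert per suppressed key,
    the counterpart of the Generate Suppression Report checkbox.
    Returns (alerts to report, {key: number suppressed})."""
    first_seen = {}
    suppressed = {}
    reported = []
    for alert in alerts:
        key = duplicate_key(alert)
        if key in first_seen:
            suppressed[key] = suppressed.get(key, 0) + 1
        else:
            first_seen[key] = alert
            reported.append(alert)
    if generate_report:
        for key, count in suppressed.items():
            attack, attacker, target, first_time = first_seen[key]
            reported.append(("Suppression report", attacker, target,
                             f"{count} duplicate(s) of '{attack}' suppressed since {first_time}"))
    return reported, suppressed


if __name__ == "__main__":
    for alert in suppress_duplicates(SAMPLE_ALERTS)[0]:
        print(alert)
```

The uid=0 alert against the same file is deliberately kept separate from the uid=105 alerts: a different attacker is a different alert, not a duplicate, under the assumed key.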
— ^/etc/passwd$
— ^/etc/group$
— ^/stand/vmunix$
— ^/stand/system$
— ^/\.rhosts$
— ^/etc/inetd\.conf$
These property values are specified as UNIX regular expressions (see “UNIX Regular Expressions” (page 138) for more information).

Viewing Surveillance Schedule Details
You can view the source text of a surveillance schedule in the Details tab of the Schedule Manager screen.

Viewing the Source of a Surveillance Schedule
To view the source of a surveillance schedule, follow these steps:
2. In the Schedules panel, select a schedule. The text version of the surveillance schedule is displayed. If times have not been assigned to groups in the schedule, the display will be very short.

Refreshing the Details Display
To refresh the display:
• Click the Refresh button.

Clearing the Details Display
To clear the display:
• Click the Clear button. This erases the text; the schedule is unaffected.
Figure 5-17 File Saved Dialog
3. Click OK to complete the process.

Predefined Surveillance Schedules and Groups
Table 5-1 lists the predefined surveillance schedules and surveillance groups that are supplied with the system and the detection templates that they use. All the groups use the default values for the properties of the templates. They have different timetables in different schedules. The templates, their properties, and their default values are described in detail in Appendix A (page 135).
Table 5-1 Predefined Surveillance Schedules (continued)
Surveillance Schedule | Surveillance Group | Detection Templates
FileLoginMixture | FileModificationGroup | Changes to Log File Template; Creation and Modification of setuid/setgid File Template; Creation of World-Writable File Template; Modification of Another User’s File Template; Modification of files/directories Template
FileLoginMixture | LoginMonitoringGroup | Login/Logout Template; Repeated Failed Logins Template; Repeated Failed su Commands Template
FileModificationsWe
FileModificationsWorkHours | FileModificationGroup | Changes to Log File Template; Creation and Modification of setuid/setgid File Template; Creation of World-Writable File Template; Modification of Another User’s File Template; Modification of files/directories Template
LoginMonitoringAlwaysOn | LoginMonitoringGroup | Login/Logout Template; Repeated Failed Logins Template; Repeated Failed su Commands Template
6 Using the Host Manager Screen
This chapter describes the tasks you can perform using the Host Manager screen.
Figure 6-1 Host Manager Screen

Closing the Host Manager Screen
To close the Host Manager screen, complete the following steps:
1. On the Host Manager screen, choose one of the following options:
   • Select File > Close.
   • Press Ctrl+C.
2. If you have modified but not saved the current host list, the Host List Manager Modified dialog box is displayed. Select Yes to save the current list in the current file. The default host list file is /etc/opt/ids/gui/config/sentinal.hosts.
• Add a host from a file. For more information, see “Adding New Hosts from a File” (page 104).
• Add a host by creating X.509 certificates and restarting the System Manager. For more information, see “Setting Up HP-UX HIDS Secure Communications” (page 34).

NOTE: HP-UX HIDS uses the IP address to identify and communicate with the agent host. The host name is displayed in the Host fields and is part of the alert and error log file names.
2. Fill in the Host Name and IP Address fields. There are three ways you can do this, described in order of preference.
   A host name must start with a letter and contain only letters, digits, periods, underscores, and hyphens. Host names are not case-sensitive. For example, xy3-z5 and xy3-z5.a32c.edu. An IP address consists of four decimal fields, each in the range 0 to 255, separated by periods. For example, 1.2.3.4.
   a. Host Name
      Enter the host name of the agent host in the Host Name field.
      Click Set Host Name to display the full name of the host in the Host Name field. If the host name cannot be determined, the Add Host Error box is displayed with the message Unknown Host Name - unable to resolve IP Address. Click OK and redo this step, making sure to enter a host name.

      NOTE: The IP address is the best method for adding a multihomed agent host. For more information, see “Configuring a Multihomed Agent System” (page 42).
The entries in the /etc/hosts file on the administration system are added to the hosts list according to “Rules for Host Lists Files” (page 105). The Monitored boxes are unchecked.

Adding New Hosts from a File
To add new hosts from a file, follow these steps:
1. On the Host Manager screen, perform one of the following steps:
   • Select Edit > Add Host > Load Hosts List File.
   • Press Shift+F7.
   The Open dialog box opens as shown in Figure 6-5.
Rules for Host Lists Files
Host lists files, including /etc/hosts, are expected to be in the format described in hosts(4). They are processed by HP-UX HIDS as follows:
• Lines with a pound sign (#) in column 1 are ignored. Pound signs found elsewhere in the line are treated as ordinary characters.
• Blank lines are ignored.
• The first word in a line is used as the IP address. Duplicate IP addresses are ignored.
• The second word in a line is used as the host name.
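The four processing rules above, together with the host name and IP address syntax given under “Adding a Host” (a name starts with a letter and contains only letters, digits, periods, underscores and hyphens; an address is four decimal fields in 0 to 255), as an added example. It is not the product's loader: the sample file is constructed, and what happens to a line that has an address but no second word is not stated on the page, so skipping such lines is an assumption.

```python
import re

# Host name rule from "Adding a Host": leading letter, then letters, digits,
# periods, underscores and hyphens. Names are not case-sensitive.
HOST_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*$")


def valid_host_name(name):
    return bool(HOST_NAME_RE.match(name))


def valid_ip_address(addr):
    """Four decimal fields, each in the range 0 to 255, separated by periods."""
    fields = addr.split(".")
    return len(fields) == 4 and all(f.isdigit() and 0 <= int(f) <= 255 for f in fields)


def parse_host_list(text):
    """Apply the host list file rules. Returns (hosts, skipped) where hosts is
    a list of (ip, host_name) in file order and skipped is a list of
    (line number, reason) for lines that were not accepted."""
    hosts, skipped, seen_ips = [], [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#"):           # pound sign in column 1 only
            continue
        words = line.split()                # '#' anywhere else is ordinary text
        if not words:                       # blank line
            continue
        ip = words[0]                       # first word is the IP address
        if not valid_ip_address(ip):
            skipped.append((lineno, f"invalid IP address {ip!r}"))
            continue
        if ip in seen_ips:                  # duplicate IP addresses are ignored
            skipped.append((lineno, f"duplicate IP address {ip}"))
            continue
        if len(words) < 2:                  # assumption: no host name, skip
            skipped.append((lineno, "no host name"))
            continue
        name = words[1]                     # second word is the host name
        if not valid_host_name(name):
            skipped.append((lineno, f"invalid host name {name!r}"))
            continue
        seen_ips.add(ip)
        hosts.append((ip, name.lower()))    # not case-sensitive: store lowercase
    return hosts, skipped


# Constructed sample host list; not a real /etc/hosts.
SAMPLE_HOST_LIST = """\
# constructed sample host list
127.0.0.1   localhost loopback
10.1.2.3    Agent01.example.net agent01   # rest of line is ordinary text
10.1.2.3    dup.example.net

10.1.2.4    xy3-z5
300.1.1.1   bad.example.net
10.1.2.5    -bad-name
"""

if __name__ == "__main__":
    accepted, rejected = parse_host_list(SAMPLE_HOST_LIST)
    for ip, name in accepted:
        print(f"{ip:15} {name}")
    for lineno, reason in rejected:
        print(f"line {lineno}: {reason}")
```

Only the second word becomes the host name, so the alias agent01 on line 3 and the trailing pound-sign text are ignored, while the repeated 10.1.2.3 on line 4 is dropped as a duplicate.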
NOTE: When you modify a host entry’s host name, the old alert and error log file names are not changed. When new alerts or errors arrive for the renamed host entry, they go into new log files that have the new host name.

Deleting a Host
To delete a host entry, follow these steps:
1. On the Host Manager screen, select one or more entries in the host list.
2. Delete the entries by performing one of the following steps:
   • Select Edit > Delete Host.
   • Click Delete.
   • Right-click > menu > Delete Host.
1. On the Host Manager screen, bring up the Edit Host Tag List dialog box, as shown in Figure 6-7, by performing one of the following steps:
   • Select Edit > Host Tag List.
   • Press Ctrl+T.
   Figure 6-7 Edit Host Tag List Dialog
2. Add, modify, or delete tags.
   • To add a tag, follow these steps:
      1. Click Add to display the Add Host Tag dialog box, as shown in Figure 6-8.
         Figure 6-8 Add Host Tag Dialog Box
      2. Enter a tag name in the input field.
         are case-sensitive. Duplicate tags are discarded when you exit. See Step 3.
      3. Click OK to accept the new tag or Cancel to discard it. You return to the Edit Host Tag List dialog box, where you can perform more add, edit, and delete operations. Go on to Step 2, or exit and go on to Step 3.
   • To edit a tag, follow these steps:
      1. Highlight the tag in the Tag List and click Edit, or double-click the tag in the Tag List, to display the Edit dialog box.
Maintaining Host Files
You can save and use multiple host files. This is useful for managing different sets of hosts from the same administration system. The default host file is /etc/opt/ids/gui/config/sentinal.hosts, which is loaded automatically when the System Manager starts.

Saving the Host List in the Current File
To save the host list in the current file:
• On the Host Manager screen, perform one of the following steps:
   • Choose the File > Save menu item.
   • Press Ctrl+S.
1. On the Host Manager screen, bring up the Save dialog box, as shown in Figure 6-9, by performing one of the following steps:
   • Choose the File > Save As menu item.
   • Press Ctrl+A.
   Figure 6-9 Save Dialog Box
2. Either click a file name in the list or enter a new name in the file name field.
   NOTE: You can change directories, but HP recommends that you keep your host files in the default /etc/opt/ids/gui/config directory.
3. Click Save to save the file, or Cancel to exit without saving.
1. On the Host Manager screen, open the Open dialog box, as shown in Figure 6-11, by performing one of the following steps:
   • Choose the File > Open menu item.
   • Press Ctrl+O.
2. Select a file name in the list.
3. Click Open to open the file, or Cancel to exit without changing host files. The hosts are displayed on the Host Manager screen. The monitored hosts are also displayed on the System Manager screen.

Using Multiple Host Files
To use multiple host files to monitor varying sets of agent hosts, consider the following:
• Since the sentinal.hosts file is always loaded when the System Manager starts, do not enable any of the hosts in it.
7 Using the Network Node Screen
This chapter describes the Network Node screen, which displays alerts and errors for a specified agent host. It addresses the following topics:
• “Network Node Screen” (page 113)
• “Alerts Tab” (page 114)
• “Errors Tab” (page 116)
• “General Operations” (page 117)

Network Node Screen
The Network Node screen contains lists of alerts and errors that have been detected by the related agent. Click the Alerts or Errors tab to view the lists and details.
• On the System Manager screen, perform one of the following steps:
   • Select a host in the Monitored Nodes list and choose the View > Network Node menu item.
   • Select a host in the Monitored Nodes list and press Ctrl+B.
   • Double-left-click an entry in the Monitored Nodes list.
   The Network Node screen is displayed with the selected host name in the title bar. See Figure 7-1 (page 115) and Figure 7-2 (page 117).
Figure 7-1 Network Node Alerts Tab

Each alert entry displays the alert severity, the attacker, the attack type, the date and time the alert was generated, and other data. The columns displayed depend on selections on the Preferences screen, which lists and describes all the column names. For more information, see “Alert Events Preferences” (page 129). Alerts are highlighted with color bars to emphasize the severity level of the potential attack (your colors may vary).
The operations you can perform on the Alerts tab are described in “General Operations” (page 117).

HP-UX HIDS Alerts
Your response to each alert depends on individual circumstances. Develop policies and procedures for handling intrusions. The templates used to generate alerts, and the alerts themselves, are described in detail in Appendix A (page 135).
Figure 7-2 Network Node Error Tab

Each error entry displays the date and time of the error, the error message, and other data. The columns displayed depend on selections on the Preferences screen, which lists and describes all the column names. For more information, see “Error Events Preferences” (page 131). When you select an error, it is highlighted in light blue and marked as Seen. The panel below the list of errors displays the formatted error message for the last selected error.
Sorting Entries
By default, alerts and errors are listed in ascending date/time order. However, you can re-sort the list by any attribute in either ascending or descending order. Follow one of these steps:
• Click the appropriate column header to toggle between ascending and descending order.
• Select an item from the Sort menu. There is an ascending and a descending entry for each defined column. These are effective whether the column is displayed or not.
• Ctrl+left-click to remove a noncontiguous entry from the selection. This retains all other selected entries and sets the anchor entry.
• Shift+left-click to add or remove contiguous entries, depending on the state of the anchor entry. The anchor entry is unchanged. If the anchor entry is selected, all intervening entries are selected. If the anchor entry is not selected (for example, it was deselected by Ctrl+left-click), all intervening entries are removed.
2. Enter a search string in the data field.
3. Click OK to begin the search, or Cancel to cancel the search. The search begins from the next entry. If the string is found, the entry is highlighted and other selections are cleared. If the string exists in one entry, you get an error message. Click OK to proceed.

To search again, follow these steps:
• On the Network Node screen, repeat the last Find by performing one of the following steps:
   • Choose the Search > Find Again menu item.
   • Press F3.
Unseen
• Choose the Actions > Mark All Alerts/Errors As Seen menu item. All entries on the current tab are marked as seen.
• Select the Actions > Mark Selected Alerts/Errors As Seen menu item. Selected entries on the current tab are marked as seen.
• Right-click and select the Mark All Alerts/Errors as Seen menu item. All entries on the current tab are marked as seen.
• Right-click and select the Mark Selected Alerts/Errors as Seen menu item. Selected entries on the current tab are marked as seen.
NOTE: The Network Node screen title bar indicates how you obtained the data on the screen. If it reads Network Node - hostname, where hostname is the name of the monitored host, the data comes from the master log file for that host and you opened the Network Node screen from the System Manager screen. If it reads Network Node - pathname, where pathname is the full path name of a file, the data comes from a log file set that you selected with the File > Open menu item.
1. On the Network Node screen, open the Save dialog box, as shown in Figure 7-4, by performing one of the following steps:
   • Select the File > Save As menu item.
   • Press Ctrl+A.
   Figure 7-4 Save Dialog Box
2. Either select one of the existing file names (it does not matter whether you choose the alert or error file) by clicking its name, or enter a log file set name in the File Name field. A log file set name is a file name without the trailing _alert.log or _error.log. For example:
Example: Saving the File Set over Another File Set
To save the file set you just opened over the file set named yetanother, follow these steps:
1. In the Save dialog box, click the alert or error file for the set, for example, yetanother_error.log.
2. Click Save or press Alt+S to save the alert and error log files. The files yetanother_alert.log and yetanother_error.log are overwritten.
changed while the HP-UX HIDS agent software is running, the agent software recreates the files and continues to log in the newly created files. For more information, see “Log File Rotation” (page 240).
8 Using the Preferences Screen
This chapter describes operational and display settings that you can set on the Preferences screen. This chapter addresses the following topics:
• “General Preferences” (page 127)
• “Browser Preferences” (page 129)
   □ “Alert Events Preferences” (page 129)
   □ “Error Events Preferences” (page 131)
   □ “System Manager Preferences” (page 132)

The Preferences screen enables you to specify several system operational preferences.
Figure 8-1 General Preferences Tab

Table 8-1 General Preferences Tab
Option | Default | Description
Automatic Startup Status Poll | On | When this option is selected (checked), the System Manager automatically polls all the entries in the monitored list for current status whenever the System Manager is restarted. This is equivalent to selecting Actions > Status Poll from the System Manager screen. You can disable this feature if HP-UX HIDS agents are currently not installed or operational on agent hosts.
Beep on New Alerts | On | If this option is selected (checked), the System Manager beeps whenever a new alert is received.
Agent Response Timeout (Seconds) | 30 seconds | Set this value to adjust for typical timeout delays in your network environment.
Figure 8-2 Alert Events Subtab

In Table 8-2, the column names marked with asterisks (*) correspond to fields in the alert message.

Table 8-2 Alert Events Subtab
Column Name | Default | Description
Seen | Yes | The entry has been seen.
Severity * | Yes | 1: critical; 2: severe; 3: alert.
Attacker * | Yes | User name or IP address of the attacker.
Attack Type * | Yes | Name of the alert.
Date/Time | Yes | Local date and time.
Target Host | No | Name of host where alert was generated.
Code * | No | Code number of the detection template.
Version * | No | Version of the detection template.
UTC Time * | No | Time of the alert in Coordinated Universal Time.
Details * | No | Details of the alert.

Error Events Preferences
On the Preferences screen, click the Browser Preferences tab and the Error Events subtab to set the display of error events.
Table 8-3 Error Events Subtab
Column Name | Default | Description
Seen | Yes | The entry has been seen.
Date/Time | Yes | Local date and time.
Code | No | Error code number.
Error Message | Yes | Details about the error.

System Manager Preferences
On the Preferences screen, click the Browser Preferences tab and the System Manager subtab to set the display of the System Manager. The System Manager subtab lists the columns that can be displayed on the System Manager screen. Check the boxes to display the columns.
Table 8-4 System Manager Subtab
Column Name | Default | Description
Status | Yes | Status of agent host.
Host | Yes | Name of host being monitored.
Schedule | Yes | Name of activated surveillance schedule; None if none.
Tag | Yes | The tag, if any, associated with the host.
Total Alerts | Yes | Total number of alerts in System Manager log file for host.
Unseen Alerts | Yes | Total number of unseen alerts in System Manager log file for host.
A Templates and Alerts
This appendix describes the detection templates that constitute the surveillance groups. It also describes the alerts that are passed to the System Manager and to the response programs by the HIDS agent.
Table A-1 Detection Templates (continued)
Alert | Attack | Alert Severity | Detection Template
Potential race condition | A privileged setuid script attack was executed, but not necessarily using a symbolic link. | 2 | Race Condition Template
File system modification or potential modification | A read-only file was truncated, deleted, or renamed.
World-writable file created | A file with world-writable permission was created by a privileged user, the world-writable bit was set on an existing file owned by a privileged user, the owner of a world-writable file was changed to a privileged user from a non-privileged user, or a world-writable file owned by a privileged user was renamed from a location that is not being monitored to a location that is being monitored | 3
Failed su attempts | Repeated attempts to switch to a user specified as privileged | 2 | Repeated Failed su Commands Template
Failed su attempts | Repeated attempts to switch to a user not specified as privileged | 3 | Repeated Failed su Commands Template
a. Higher severity if specified by an ip_filter property. For more information about the ip_filter property, see “Login/Logout Template” (page 179).
• The regular expression /\.rhosts$ matches any .rhosts file on the system, such as /.rhosts and /home//.rhosts. Using the backslash character escapes the special dot (.) character.
• The regular expression ^/\.rhosts$ exactly matches the .rhosts file in the root directory.
• The regular expression ^/home/[^/]*/\.rhosts$ matches all the .rhosts files in the home directories.

NOTE: The special pattern-matching scheme in previous versions of HIDS is no longer supported.
• Alerts that specify an unknown program occur when the following three conditions are met:
   — The program is started before the HIDS surveillance schedule is started.
   — The process terminates immediately after it performs an action that causes an alert.
   — HIDS generates the alert after the process terminates.
• Alerts that specify an unknown program occur when the following two conditions are met:
   — The IDDS_MODE_NONBLOCK flag is set in IDDS_MODE in the ids.
NOTE: When specifying the template property value in the Schedule Manager window, enter only the template property value ^/var/log/cron$ ^/etc/passwd$. Do not enter the property name and the first pipe character.

When specifying values for this property, be aware of path names that contain symbolic links. For example, to monitor the csh executable, specify the complete path name /usr/bin/csh, assuming that /bin is a symbolic link to /usr/bin. HIDS attempts to match using fully resolved path names.
NOTE: The pathnames_0/programs_0 pair is a special case in which alerts for files specified in pathnames_0 are not generated when the corresponding programs in programs_0 or in any of the program’s child processes or grandchild processes trigger the alert.
IMPORTANT: Specifying a program’s relative path name to ignore alerts is unsafe, whether the path name refers to a script or an executable program. An attacker can construct an attack script or program with the same relative path name, and alerts for that program are filtered if the relative path name is specified as the value in a pathnames/programs pair.
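The three points made above (the .rhosts regular expressions, matching against fully resolved path names when /bin is a symbolic link to /usr/bin, and why an unanchored program expression in a pathnames/programs pair is unsafe), as one added example. This is not the agent's matcher: the directory tree is built under a temporary directory so the symbolic link can be resolved offline, the pair semantics (file matches a pathnames pattern AND program matches the paired programs pattern) are my reading of the NOTE on pathnames_0/programs_0, and the patterns use only constructs (^, $, \., [^/]*) that Python's re evaluates the same way as UNIX regular expressions.

```python
import os
import re
import tempfile


def resolve_in_tree(root, path):
    """Resolve symbolic links in 'path' inside a constructed tree rooted at
    'root' and return the path as it would appear on the real system, with the
    root prefix stripped. Stands in for the agent's own resolution of fully
    resolved path names."""
    real_root = os.path.realpath(root)
    resolved = os.path.realpath(os.path.join(real_root, path.lstrip("/")))
    if resolved != real_root and not resolved.startswith(real_root + os.sep):
        raise ValueError("path escapes the sample tree")
    return resolved[len(real_root):] or "/"


def matches_any(path, patterns):
    """Match a path against a list of regular expressions (search semantics,
    so an unanchored pattern matches anywhere in the path)."""
    return any(re.search(p, path) for p in patterns)


def alert_filtered(file_path, program_path, pairs):
    """pathnames_X/programs_X filtering: the alert is dropped when the file
    matches a pathnames pattern AND the program matches the paired programs
    pattern. Both arguments are expected to be fully resolved already."""
    return any(matches_any(file_path, path_patterns) and matches_any(program_path, prog_patterns)
               for path_patterns, prog_patterns in pairs)


def build_sample_tree():
    """Constructed tree: /usr/bin/csh, a /bin -> usr/bin symbolic link,
    /.rhosts and /home/alice/.rhosts."""
    root = tempfile.mkdtemp(prefix="hids_regex_demo_")
    for d in ("usr/bin", "home/alice", "tmp"):
        os.makedirs(os.path.join(root, d))
    for f in ("usr/bin/csh", ".rhosts", "home/alice/.rhosts"):
        open(os.path.join(root, f), "w").close()
    os.symlink("usr/bin", os.path.join(root, "bin"))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("/bin/csh resolves to", resolve_in_tree(root, "/bin/csh"))
    for pattern in (r"/\.rhosts$", r"^/\.rhosts$", r"^/home/[^/]*/\.rhosts$"):
        hits = [p for p in ("/.rhosts", "/home/alice/.rhosts") if matches_any(p, [pattern])]
        print(f"{pattern:28} matches {hits}")
    anchored = [([r"^/etc/passwd$"], [r"^/usr/bin/passwd$"])]
    unanchored = [([r"^/etc/passwd$"], [r"passwd$"])]
    print("anchored pair filters /tmp/passwd:", alert_filtered("/etc/passwd", "/tmp/passwd", anchored))
    print("unanchored pair filters /tmp/passwd:", alert_filtered("/etc/passwd", "/tmp/passwd", unanchored))
```

The last two lines are the IMPORTANT point in code: with the anchored pair only the real /usr/bin/passwd is exempt, whereas the relative pattern passwd$ also exempts a program of the same name in /tmp.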
users_to_ignore | root | bin | daemon

Type IV: User Name/UID Pairs
Type IV property values consist of pairs of user names or user IDs. This property type is currently used only in the Modification of Another User’s File Template. The two members of each pair are separated by a comma. When an event is received for a file that is being monitored, the following criteria are applied for every pair in the list:
• The effective user ID of the process modifying the file corresponds to the first member of the pair.
0 no alerts are generated for hosts in the specified network

Type VI: Time Strings
The time strings property represents time intervals. Each time string has the following syntax:
   integer[units]
The integer component is a positive integer representing a time interval. The units component, when present, indicates the time units in which the integer is expressed.
information on regular expressions, see “UNIX Regular Expressions” (page 138). The integer is interpreted as a Type VI time string (see “Type VI: Time Strings”). Currently, only the global alert aggregation tuples property is of this type. For more information, see “Surveillance Schedule Text File” (page 248).
NOTE: In HP-UX 11i v1 and later, comprehensive stack buffer overflow protection, which uses a combination of highly efficient software and existing memory management hardware, protects against both known and unknown buffer overflow attacks without sacrificing system performance. This protection is managed with the executable_stack tunable kernel parameter. You can allow selected programs to execute from the stack by marking them with the -es option of the chatr command.
Alerts generated by this template
The following alerts are generated by the Buffer Overflow template:
• “Execute on Stack” (page 148)
• “Unusual Argument Length” (page 149)
• “Argument with Nonprintable Character” (page 150)

Execute on Stack
Table A-3 lists the alerts that this template generates and forwards to a response program when an execute-on-stack condition is detected by the HP-UX 11i kernel.
NOTE: See Table B-1 (page 194) in Appendix B for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without parsing the string alert fields.

Unusual Argument Length
Table A-4 lists the alert properties that the Buffer Overflow template generates and forwards to a response program when a privileged setuid program is invoked with an argument equal to or greater than the unusual_arg_len property value.
Table A-4 Unusual Argument Length Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | Potential buffer overflow attack by process with pid and ppid when executing (type=, inode=, device=), which surpasses the longest expected argument length of . | Detailed alert description
Table A-5 Argument with Nonprintable Character Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[5] | Attacker | String | uid=, gid=, pid=, ppid= | The user ID, group ID, process ID, and parent process ID of the process that executed a privileged setuid program with an argument that contains a nonprintable character
argv[6] | Target of attack | String | file=, type=, mode=, uid=, gid= |
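A response program that reads the positional arguments laid out in Tables A-4 and A-5 (argv[1] template code, argv[2] version, argv[5] attacker, argv[6] target of attack, argv[8] details), as an added example; the same argv[5], argv[6] and argv[8] layout appears in the File Reference Modification, setuid Script Executed and File Being Modified tables later in this appendix. This is not one of the product's own response scripts. The tables show only the key names of the attacker and target fields, so the comma separator between key=value items and the sample values are assumptions, argv[3], argv[4] and argv[7] are not described in the quoted tables and are filled with labelled placeholders, and the NOTE above points to the Table B-1 arguments as the way to avoid this string parsing altogether.

```python
import sys


def parse_kv_field(field):
    """Parse an alert field shaped like 'uid=105, gid=20, pid=4711, ppid=4700'
    into a dict. Assumption: items are comma-separated and values contain no
    commas; the quoted tables show only the key names."""
    parsed = {}
    for part in field.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            parsed[key.strip()] = value.strip()
    return parsed


def parse_alert_argv(argv):
    """Map the positional response program arguments of Tables A-4/A-5 to
    named values. argv[0] is the program name, as with any command."""
    if len(argv) < 9:
        raise ValueError("expected at least 8 alert arguments after the program name")
    return {
        "template_code": int(argv[1]),   # Integer: unique code of the template
        "version": int(argv[2]),         # Integer: template version
        "attacker": parse_kv_field(argv[5]),
        "target": parse_kv_field(argv[6]),
        "details": argv[8],
    }


def report_line(alert):
    """One-line summary of the kind a reporting script would mail to an administrator."""
    a, t = alert["attacker"], alert["target"]
    return (f"template {alert['template_code']} v{alert['version']}: "
            f"uid {a.get('uid', '?')} pid {a.get('pid', '?')} (ppid {a.get('ppid', '?')}) "
            f"-> {t.get('file', '?')} mode {t.get('mode', '?')} owner uid {t.get('uid', '?')}")


# Constructed argument vector (not a real alert). argv[3], argv[4] and argv[7]
# are not described in the tables quoted above; placeholders stand in for them.
SAMPLE_ARGV = [
    "respond.py",
    "3",                                           # template code (constructed)
    "2",                                           # template version (constructed)
    "<argv3-not-described-here>",
    "<argv4-not-described-here>",
    "uid=105, gid=20, pid=4711, ppid=4700",        # attacker (constructed values)
    "file=/usr/bin/passwd, type=file, mode=4555, uid=0, gid=2",   # target (constructed)
    "<argv7-not-described-here>",
    "Potential buffer overflow attack by process with pid 4711 ...",  # details (constructed)
]

if __name__ == "__main__":
    argv = sys.argv if len(sys.argv) >= 9 else SAMPLE_ARGV
    print(report_line(parse_alert_argv(argv)))
```

Run with no arguments it reports the constructed sample; invoked by the agent it reads the real argument vector instead.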
Race Condition Template
The vulnerability addressed by this template
Some attacks exploit the time between a program’s check of a file and the moment the program uses that file. This race condition is often referred to as the time-of-check-to-time-of-use (TOCTTOU) vulnerability. For instance, a mail delivery program checks to see if a file exists before it changes ownership of the file to the intended recipient.
Table A-6 Race Condition Template Properties (continued)
Property | Type | Default Value
programs_1 | II | ^/usr/bin/passwd$ & ^/usr/sbin/useradd$ & ^/usr/sbin/userdel$ & ^/usr/sbin/usermod$
pathnames_X | II |
programs_X | II |

Properties
The properties of the Race Condition template are described as follows:
priv_user_list: A list of system-level user IDs or user names. This list contains those users who have elevated access to the system.
File Reference Modification
Table A-7 lists the alert properties that the File Reference Modification template generates and forwards to a response program when the file reference in a privileged program is modified unexpectedly.

Table A-7 File Reference Modification Alert Properties
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[1] | Template code | Integer | 1 | Unique code assigned to template.
argv[2] | Version | Integer | 3 | Version of the template.
argv[8] | Details | String | File reference for file (type=, inode=, device=) and ppid when executing (type=, inode=, device=). | Detailed alert description
Table A-8 setuid Script Executed Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[5] | Attacker | String | uid=, gid=, pid=, ppid= | The user ID, group ID, process ID, and parent process ID of the process that executed a privileged setuid script
argv[6] | Target of Attack | String | file=, | The full path name of the privileged setuid script and the script’s type, mode, uid, gid, inode, and device number ty
NOTE: See Table B-1 (page 194) and Table B-3 (page 197) in Appendix B for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without parsing the string alert fields.

Limitations

The Race Condition template can be CPU intensive because it monitors all file references on the system.
Table A-9 File/Directories Template Properties

  Name                 Type   Default Value
  pathnames_to_watch   I      ^/\.rhosts$ | ^/\.shosts$ | ^/\.profile$ | ^/bin/ | ^/sbin/ | ^/usr/bin/ | ^/usr/sbin/ | ^/usr/local/bin/ | ^/lib/ | ^/usr/lib/ | ^/usr/local/lib/ | ^/stand/build/dlkm\.vmunix_test/ | ^/stand/vmunix$ | ^/stand/kernrel$ | ^/stand/bootconf$ | ^/stand/system$ | ^/dev/dsk/ | ^/dev/rdsk/ | ^/dev/rmt/ | ^/dev/rsdsi/ | ^/dev/vg[0-9]*/ | ^/dev/idds$ | ^/usr/dt/config/Xconfig$ | ^/tcb/files/devassign$ | ^/etc/rc\.config\.
  pathnames_to_not_watch    Path names of files that can be safely ignored for modification, regardless of which program modifies them.
  pathnames_X, programs_X   Use these properties to filter out alerts generated when a particular program modifies a particular file. See “Type II: Path Names/Programs Pairs” (page 141) for a detailed description of these property pairs.
File Being Modified

Table A-10 lists the alert properties this template generates and forwards to a response program when a file is modified.
Table A-10 File Being Modified Alert Properties (continued)

  Response Program Argument   Alert Field   Alert Field Type   Alert Value/Format                                                                                        Description
  argv[8]                     Details       String             User with uid (type=, inode=, device=) when executing (type=, inode=, device=), invoked as follows: ...   Detailed alert description
Table A-10 File Being Modified Alert Properties (continued)

  (continued from the previous page) Possible actions:
    • created the file
    • created the character special file
    • created the directory
    • created the block special file
    • created the pipe (fifo) file
    • deleted the file
    • deleted the directory
    • performed system call on the file

  Response Program Argument   Alert Field   Alert Field Type   Alert Value/Format
  argv[9]                     Event         String             Following are the possible values:
    • File ownership modified
    • File permission modified
    • File opened for
creates a new file or truncates an existing file, both of which are conditions for alerts.

Changes to Log File Template

The vulnerability addressed by this template

Certain HP-UX system files are used to store logs of system activities, such as login attempts, commands executed, and miscellaneous system log messages. The files that store this system information should only be appended to, not overwritten. Attackers often modify or delete these files to remove the record of their intrusion.
  pathnames_to_not_watch    Path names of files that can be safely ignored for modification, regardless of which program modifies them.
  pathnames_X, programs_X   Use these properties to filter out alerts generated when a particular program modifies a particular file other than by appending. See “Type II: Path Names/Programs Pairs” (page 141) for a detailed description of these property pairs.
Table A-12 Append-Only File Being Modified Alert Properties (continued)

  Response Program Argument   Alert Field   Alert Field Type   Alert Value/Format                                                                                        Description
  argv[8]                     Details       String             User with uid (type=, inode=, device=) when executing (type=, inode=, device=), invoked as follows: ...   Detailed alert description
NOTE: See Table B-1 (page 194) for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without having to parse the string alert fields above.

Limitations

The Changes to Log File template has the following limitation:
  • The template cannot distinguish whether a file is created or truncated when creat(2) is invoked.
Table A-13 Setuid File Template Properties

  Name              Type   Default Value
  priv_user_list    III    0 | 1 | 2 | 3 | 4 | 5 | 9 | 11
  priv_group_list   III    0 | 1 | 2 | 3 | 4 | 5 | 6 | 10 | 11
  pathnames_X       II
  programs_X        II

Properties

The configurable properties are listed as follows:

  priv_user_list   A list of system-level user IDs or user names. This list contains those users who have elevated access to the system.
Table A-14 Setuid File Created / Modified Alert Properties

  Response Program Argument   Alert Field     Alert Field Type   Alert Value/Format        Description
  argv[1]                     Template code   Integer            4                         Unique code assigned to template
  argv[2]                     Version         Integer            3                         Template Version
  argv[3]                     Severity        Integer            1                         Alert Severity
  argv[4]                     UTC time        Integer                                      UTC time in number of seconds since the epoch when a privileged setuid file was created or modified
  argv[5]                     Attacker        String             uid=, gid=, pid=, p
Table A-14 Setuid File Created / Modified Alert Properties (continued)

  Response Program Argument   Alert Field   Alert Field Type   Alert Value/Format                                                                                                 Description
  argv[8]                     Details       String             User with uid the file (type=, inode=, device=) (type=, inode=, device=), invoked as follows: ...                    Detailed alert description
NOTE: See Table B-1 (page 194) for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without parsing the string alert fields.

Limitations

The setuid/setgid file template has the following limitations:
  • The template cannot always distinguish whether a setuid (or setgid) file is created and whether an existing setuid (or setgid) file is opened for modification with the create flag.
Table A-15 World-Writable File Template Properties

  Property                 Type   Default Value
  priv_user_list           III    0 | 1 | 2 | 3 | 4 | 5 | 9 | 11
  pathnames_to_not_watch   I      ^/dev/null$ | ^/dev/console$ | ^/dev/tty | ^/dev/pty | ^/dev/pts
  pathnames_0              II     ^/etc/opt/resmon/
  programs_0               II     ^/usr/sbin/stm/uut/bin/tools/monitor/ & ^/etc/opt/resmon/lbin/
  pathnames_1              II     ^/dev/ptmx$ | ^/var/opt/dce/rpc/local/ | ^/var/run/egd-pool$ | ^/dev/console$ | ^/var/sam/log/samagent\.
  pathnames_X, programs_X   Filter out alerts generated when a specified program creates a specified world-writable file. See “Type II: Path Names/Programs Pairs” (page 141) for a detailed description of these property pairs.

Alerts generated by this template

World-Writable File Created

Table A-16 lists the alert properties that this template generates and forwards to a response program when a world-writable file is created.
Table A-16 World-Writable File Created Alert Properties (continued)

  Response Program Argument   Alert Field   Alert Field Type   Alert Value/Format                                                                                 Description
  argv[8]                     Details       String             User with uid the file (type=, inode=, device=) (type=, inode=, device=), invoked as follows: ...    Detailed alert description
Table A-16 World-Writable File Created Alert Properties (continued)

  (continued from the previous page) Possible actions:
    • created the world-writable pipe (fifo) file
    • renamed the world-writable file
    • changed the owner of the world-writable file
    • enabled the world-writable permission on file
    • performed system call on the file

  Response Program Argument   Alert Field   Alert Field Type   Alert Value/Format                   Description
  argv[9]                     Event         String             Following are the possible values:   The event that triggered the alert.
Modification of Another User’s File Template

The vulnerability addressed by this template

In many environments, users are expected to work with their own files. An attacker attempting to compromise the security of a system can cause a system program to modify various files owned by other system users. Because many daemons run as a specific user, the Modification of Another User’s File template can generate an alert when a compromised daemon causes this type of attack.
Table A-17 Modification of Another User’s File Template Properties (continued)

  Property      Type   Default Value
  pathnames_X   II
  programs_X    II

Properties

Configure the following properties based on the individual machine configuration and usage.

  pathnames_to_not_watch   Path names of files that can be safely ignored if they are modified by non-owners.
Table A-18 Non-Owned File Being Modified Alert Properties

  Response Program Argument   Alert Field     Alert Field Type   Alert Value/Format                                                                                                                                                   Description
  argv[1]                     Template code   Integer            6                                                                                                                                                                    Unique code assigned to template
  argv[2]                     Version         Integer            3                                                                                                                                                                    Template version
  argv[3]                     Severity        Integer            2 if the file is truncated, potentially truncated, deleted, or renamed; 3 if the file’s mode or ownership is modified, or the file is opened for writing or appending   Alert severity
  argv[4]                     UTC time        Integer            U
Table A-18 Non-Owned File Being Modified Alert Properties (continued)

  Response Program Argument   Alert Field   Alert Field Type   Alert Value/Format
  argv[8]                     Details       String             User with uid (type=, inode=, device=) (type=, inode=, device=), invoked as follows: ...
NOTE: See Table B-1 (page 194) in Appendix B for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without parsing the string alert fields.

Limitations

The Modification of Another User’s File template has no limitations.

Login/Logout Template

The vulnerability addressed by this template

Certain privileged user accounts (such as adm, bin, sys) are intended to be used by system programs only for maintenance purposes.
Table A-19 Login/Logout Template Properties

  Property              Type   Default Value
  users_to_ignore       III
  users_to_monitor      III
  monitor_su_flag       VII    1
  monitor_login_flag    VII    1
  monitor_logout_flag   VII    1
  ip_filters            V
  priv_user_list        III    root | ids

NOTE: The users_to_monitor property takes precedence over users_to_ignore when both lists are set. If users_to_monitor is not empty, values in users_to_ignore are ignored.
priv_user_list with a matching remote IP address is filtered except for root and ids users. If a login event’s remote host IP address does not match any triplet, then a severe alert (severity=2) is generated for root and ids users and a moderate alert (severity=3) is generated for all other users. The value of the mask must be set to 255.255.255.255 if the ip_address is a host address; otherwise, the mask must be set to the network mask to qualify the value in ip_address as a network address.
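The mask rule above is easy to get wrong: a host entry with a network mask silently widens the filter to the whole network. The following is an added example (not code from the HP-UX HIDS manual or product) that applies an address/mask pair to a login event's remote address and derives the severity the text assigns when no triplet matches. The struct layout of a triplet (user, ip_address, mask) and the treatment of root/ids users whose address does match a triplet (never filtered, severity 2) are assumptions, since the manual text for that case is not on this page.

```c
/* Added example: ip_filters matching and login alert severity.
 * Not HP-UX HIDS code; the triplet layout and the root/ids rule for a
 * matching triplet are assumptions (see the lead-in). */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

struct ip_filter {
    const char *user;        /* user the triplet applies to; "" = any user (assumed field) */
    const char *ip_address;  /* host or network address in dotted notation */
    const char *mask;        /* 255.255.255.255 for a host address, the network mask otherwise */
};

/* Return 1 if remote lies inside ip_address/mask, 0 if not, -1 if any
 * address fails to parse (a bad filter must never silently match). */
int ip_matches(const char *remote, const char *ip_address, const char *mask)
{
    struct in_addr r, a, m;
    if (inet_pton(AF_INET, remote, &r) != 1 ||
        inet_pton(AF_INET, ip_address, &a) != 1 ||
        inet_pton(AF_INET, mask, &m) != 1)
        return -1;
    /* All three values are in network byte order, so masking is order-independent. */
    return (r.s_addr & m.s_addr) == (a.s_addr & m.s_addr);
}

/* root and ids are the users the text says are never filtered out. */
static int is_always_alerted(const char *user)
{
    return strcmp(user, "root") == 0 || strcmp(user, "ids") == 0;
}

/* Severity of a login alert for (user, remote):
 *   0 = filtered, no alert;  2 = severe;  3 = moderate. */
int login_alert_severity(const char *user, const char *remote,
                         const struct ip_filter *filters, size_t nfilters)
{
    size_t i;
    for (i = 0; i < nfilters; i++) {
        if (filters[i].user[0] != '\0' && strcmp(filters[i].user, user) != 0)
            continue;
        if (ip_matches(remote, filters[i].ip_address, filters[i].mask) == 1)
            return is_always_alerted(user) ? 2 : 0;  /* root/ids: never filtered (assumed severity) */
    }
    /* No triplet matched: severe for root/ids, moderate for everyone else (from the text). */
    return is_always_alerted(user) ? 2 : 3;
}

/* Constructed sample filters: one host entry and one /16 network entry. */
const struct ip_filter demo_filters[] = {
    { "", "192.168.1.10", "255.255.255.255" },
    { "", "10.1.0.0",     "255.255.0.0"     },
};

int main(void)
{
    printf("alice from 10.1.200.7 -> severity %d\n",
           login_alert_severity("alice", "10.1.200.7", demo_filters, 2));
    printf("root  from 172.16.0.1 -> severity %d\n",
           login_alert_severity("root", "172.16.0.1", demo_filters, 2));
    /* Host entry with a network mask: matches a different host, which is why
     * the mask must be 255.255.255.255 for a host address. */
    printf("192.168.1.99 vs 192.168.1.10/255.255.255.0 -> %d\n",
           ip_matches("192.168.1.99", "192.168.1.10", "255.255.255.0"));
    return 0;
}
```

The last call in main is the mistake the manual warns about: a host address paired with a network mask matches every host on that network, so a filter meant for one trusted host quietly suppresses alerts for its whole subnet.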
Table A-20 Login/Logout Alert Properties (continued)

  Response Program Argument   Alert Field   Alert Field Type   Alert Value/Format   Description
  argv[5]                     Attacker      String                                  Name or IP address of the host from which the user attempted to log in.
  argv[6]                     Target        String                                  Login name that the user attempted to log in as.
Table A-20 Login/Logout Alert Properties (continued)

  Response Program Argument   Alert Field   Alert Field Type   Alert Value/Format   Description
  argv[13]                    Hostname      String                                  Name of remote host from which login was initiated
  argv[14]                    IP Address    String                                  for IPv4 addresses
Table A-21 Successful su Detected Alert Properties (continued)

  Response Program Argument   Alert Field   Alert Field Type   Alert Value/Format               Description
  argv[6]                     Target        String                                              The target user of the su command
  argv[7]                     Summary       String             Successful su session            Alert summary
  argv[8]                     Details       String             User switched to user on tty     Detailed alert description
  argv[9]                     Event         String             Switch-user (su)                 The event that triggered the alert.
  • The template generates alerts for ftp logins without the remote host IP address on 11i V1 unless the wu-ftp 2.6.1 patch is installed.
  • The host address filtering provided by this template is vulnerable to IP spoofing.
  • On IPv6 configured machines, alerts do not display the IP address.

Repeated Failed Logins Template

The vulnerability addressed by this template

An attacker can gain access to a system by repeatedly attempting to guess the password of an account.
to be generated, and duplicate alerts that occur within 30 seconds are not reported. It is not uncommon for a user to mistype a password when attempting to log in. By modifying the values, you can customize this template to local user behavior.

  priv_user_list   A high severity alert is generated when a user with a user ID or user name in this list fails to log in.
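To make the counting and the 30-second duplicate suppression concrete, here is an added example (not HIDS code) that runs the rule over a constructed stream of failed-login records. The failure threshold (3) and the counting window (60 seconds) are placeholder values because the template's actual property values are not on this page; the 30-second suppression is from the text above. The example applies the same threshold to everyone and only raises the severity for users in priv_user_list; the severity numbers (1 for listed users, 2 otherwise) are assumed.

```c
/* Added example: repeated-failed-login detection with duplicate suppression.
 * Not HP-UX HIDS code. Threshold, window and severity numbers are assumed. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_USERS 16
#define MAX_ALERTS 8
#define DUP_SUPPRESS_SECONDS 30   /* from the text: duplicate alerts within 30 s are not reported */

struct failed_login { time_t when; const char *user; const char *from; };
struct alert        { time_t when; char user[32]; int severity; };

struct user_state {
    char   user[32];
    time_t first_failure;   /* start of the current counting window */
    int    failures;        /* failures seen in that window */
    time_t last_alert;      /* 0 = never alerted for this user */
};

struct detector {
    int max_failures;        /* threshold (placeholder value) */
    int window_seconds;      /* counting window (placeholder value) */
    const char **priv_users; /* priv_user_list: listed users get high severity */
    size_t nprivs;
    struct user_state users[MAX_USERS];
    size_t nusers;
};

static struct user_state *state_for(struct detector *d, const char *user)
{
    size_t i;
    for (i = 0; i < d->nusers; i++)
        if (strcmp(d->users[i].user, user) == 0)
            return &d->users[i];
    if (d->nusers == MAX_USERS)
        return NULL;
    memset(&d->users[d->nusers], 0, sizeof d->users[0]);
    strncpy(d->users[d->nusers].user, user, sizeof d->users[0].user - 1);
    return &d->users[d->nusers++];
}

static int is_priv(const struct detector *d, const char *user)
{
    size_t i;
    for (i = 0; i < d->nprivs; i++)
        if (strcmp(d->priv_users[i], user) == 0)
            return 1;
    return 0;
}

/* Feed one failed login. Returns 1 and fills *out when an alert is due. */
int feed_failed_login(struct detector *d, const struct failed_login *ev, struct alert *out)
{
    struct user_state *s = state_for(d, ev->user);
    if (s == NULL)
        return 0;                                   /* table full (constructed limit) */
    if (s->failures == 0 || ev->when - s->first_failure > d->window_seconds) {
        s->first_failure = ev->when;                /* start a fresh window */
        s->failures = 0;
    }
    if (++s->failures < d->max_failures)
        return 0;
    s->failures = 0;                                /* threshold hit: count the next burst afresh */
    if (s->last_alert != 0 && ev->when - s->last_alert < DUP_SUPPRESS_SECONDS)
        return 0;                                   /* duplicate within 30 s: not reported */
    s->last_alert = ev->when;
    out->when = ev->when;
    strncpy(out->user, ev->user, sizeof out->user - 1);
    out->user[sizeof out->user - 1] = '\0';
    out->severity = is_priv(d, ev->user) ? 1 : 2;   /* assumed severity numbers */
    return 1;
}

/* Constructed event stream (not real btmp data); alerts land in demo_alerts. */
struct alert demo_alerts[MAX_ALERTS];

int run_demo(void)
{
    static const char *privs[] = { "root", "ids" };
    static const struct failed_login events[] = {
        {100, "bob", "10.1.2.3"},  {105, "bob", "10.1.2.3"},  {110, "bob", "10.1.2.3"},   /* 3rd failure: alert */
        {112, "bob", "10.1.2.3"},  {114, "bob", "10.1.2.3"},  {116, "bob", "10.1.2.3"},   /* 6 s later: suppressed */
        {150, "bob", "10.1.2.3"},  {152, "bob", "10.1.2.3"},  {154, "bob", "10.1.2.3"},   /* 44 s later: alert */
        {200, "root", "10.9.9.9"}, {201, "root", "10.9.9.9"}, {202, "root", "10.9.9.9"},  /* listed user: severity 1 */
        {300, "alice", "10.1.2.4"},                                                       /* one typo: nothing */
        {400, "carol", "10.1.2.5"}, {401, "carol", "10.1.2.5"}, {500, "carol", "10.1.2.5"} /* window expired: nothing */
    };
    struct detector d;
    int n = 0;
    size_t i;
    memset(&d, 0, sizeof d);
    d.max_failures = 3;
    d.window_seconds = 60;
    d.priv_users = privs;
    d.nprivs = 2;
    for (i = 0; i < sizeof events / sizeof events[0]; i++)
        if (n < MAX_ALERTS && feed_failed_login(&d, &events[i], &demo_alerts[n]))
            n++;
    return n;
}

int main(void)
{
    int i, n = run_demo();
    for (i = 0; i < n; i++)
        printf("t=%ld user=%s severity=%d\n",
               (long)demo_alerts[i].when, demo_alerts[i].user, demo_alerts[i].severity);
    return 0;
}
```

Running the constructed stream yields three alerts: bob at t=110 and t=154 (the burst at t=116 is inside the 30-second suppression window) and root at t=202 with the higher severity.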
Table A-23 Failed Login Attempts Alert Properties (continued)

  Response Program Argument   Alert Field   Alert Field Type   Alert Value/Format   Description
  argv[9]                     Event         String             Failed login         The event that triggered the alert.
and logouts to wtmp(s) or btmp(s), you must set the permissions of the wtmp(s) or btmp(s) file to 600.
  — On HP–UX 11i v1, failed ftp logins are only detected when WU-FTPD 2.6.1 (available on http://software.hp.com) is installed. Previous versions of ftp on HP–UX 11i v1 do not log failed attempts to btmp.

Repeated Failed su Commands Template

The vulnerability addressed by this template

The system su(1) command allows one user to assume the identity of another user by entering that user’s password.
Table A-25 Repeated Failed Su Attempts Alert Properties

  Response Program Argument   Alert Field     Alert Field Type   Alert Value/Format                                                          Description
  argv[1]                     Template code   Integer            9                                                                           Unique code assigned to template
  argv[2]                     Version         Integer            3                                                                           Template version
  argv[3]                     Severity        Integer            2 for users listed in the priv_user_list property; 3 for all other users.   Alert severity
B Automated Response for Alerts

This appendix describes how to use response programs to process alerts automatically according to your installation policy. It includes a sample C program, several sample response scripts, and information about a prepackaged response program that communicates with HP OpenView VantagePoint Operations.
Response Methods

Responses to intrusions use one of the following methods.

  • Forwarding Information: Information about the alert can be forwarded by sending an email or calling a pager. Filtering is required to prevent repeated alerts from causing a storm of pages. For examples, see “Forwarding Information” (page 209).
  • Halting Further Attacks: Automated response can halt further attacks by changing an attribute of the system.
  4. For each executable file, the agent sets certain environment variables and passes the alert details as command-line parameters.
  5. The agent executes the files one at a time in ASCII sorted order, but does not wait for them to terminate.

NOTE: When alert aggregation is enabled, only aggregated alerts and alerts that are not or cannot be aggregated follow the alert process above. For more information about alert aggregation, see “Configuring Alert Aggregation” (page 88).
  5. the absolute minimum necessary. For more information, see “Writing Privileged Response Programs” (page 202).

When a response program is started, the agent process provides it with the set of environment variables listed in Table B-7, and passes the alert information as the program arguments listed in Table B-1. See Tables B-1 to B-6 for the alert information passed as arguments 0 through 9 for each template.
Table B-1 Additional Arguments Passed to Response Programs for Kernel Template Alerts (continued)

  Response Program Argument   Alert Field                   Alert Field Type   Alert Value/Format   Description
  argv[22]                    Target File Inode             Integer                                 Inode number of the file under attack
  argv[23]                    Target File Device            Integer                                 Device number of the file under attack
  argv[24]                    Pathname of attack program    String                                  Full pathname of the attack program
  argv[25]                    Attack Program Type           Integer                                 F
Table B-1 Additional Arguments Passed to Response Programs for Kernel Template Alerts (continued)

  Response Program Argument   Alert Field           Alert Field Type   Alert Value/Format   Description
  argv[34]                    Attacker hostname     String                                  Full host name of remote host from which the attacker has logged in. Set to localhost name or to an empty string if the local host is not known.
  argv[35]                    Attacker IP address   String (IPv4)                           IP address (in IPv4 or IPv6 string or <::ffff:A.B.C.
Table B-3 Additional Arguments Passed to Response Programs for Race Condition Template Alerts

  Response Program Argument   Alert Field                   Alert Data Type   Alert Value/Format   Description
  argv[36]                    Attacked Program Path name    String                                 Full path name of the program under attack
  argv[37]                    Attacked Program File Type    Integer                                File type of the program under attack. Corresponds to an enum vtype value defined in vnode.
Table B-4 Additional Arguments Passed to Response Programs for Login or Logout Alerts

  Response Program Argument   Alert Field                             Alert Field Type   Alert Value/Format   Description
  argv[10]                    Number indicating the type of alert     Integer                                 The number 1 indicates that it is a login or logout alert.
  argv[11]                    User name                               String                                  Name of the user who logged in or logged out.
  argv[12]                    Device number                           Integer                                 Device number of device associated with login session.
Table B-5 Additional Arguments Passed to Response Programs for su Alerts

  Response Program Argument   Alert Field             Alert Field Type   Alert Value/Format   Description
  argv[10]                    Type of Alert           Integer                                 The number 2 indicates an su alert
  argv[11]                    pseudo-terminal         String                                  The pty from which a su attempt was made.
  argv[12]                    User name (attacker)    String                                  The name of the user attempting to su.
  argv[13]                    User name (target)      String                                  The name of the user to switch to.
Table B-6 Additional Arguments Passed to Response Programs While Generating Aggregated Alerts (continued)

  Response Program Argument   Alert Field                   Alert Field Type   Alert Value/Format   Description
  argv[16]                    Attacker effective Group ID   Integer                                 Effective Group ID (egid) of the attacker.
  argv[17]                    Attack program pathname       String                                  Full pathname of the attack program. If it is a multi-process alert, then the full pathname of the ancestor program.
Table B-6 Additional Arguments Passed to Response Programs While Generating Aggregated Alerts (continued)

  Response Program Argument   Alert Field                       Alert Field Type   Alert Value/Format   Description
  argv[27]                    Full hostname of remote host      String                                  Full hostname of the remote host from which the attacker logged in. Set to the localhost name, or to the empty string if the local host is not known.
  argv[28]                    IP address of the remote host     String                                  The IP address of the remote host from which the attacker logged in.
It is far easier to write an insecure script in Perl as compared to a shell (POSIX, Korn, C). This is similar to the problems with the str* functions. The functions themselves have no security issues when properly used; however, their usage is almost always insecure, and it is better to avoid them altogether. Perl, similarly, makes it very easy to write bad scripts when compared to programming with a shell.
as the effective uid at all other times. This method is called privilege bracketing. For instructions on toggling the effective uid, see setresuid(2).

  • Solution C: Write a single, privileged setuid C executable program that forks and executes an unprivileged shell script that both processes the alert string and performs privileged operations. For more information, see “Solution C” (page 206). The privileged C program must hard code the full pathname of the unprivileged script.
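The two habits the privileged-response discussion keeps returning to are holding root only for the one call that needs it (privilege bracketing) and never trusting an alert argument blindly before acting on it. Here is an added example (not HP's privB program) of both: a strict parser for the process ID an alert passes in argv[11], a refusal to act on values that would address init, a process group or every process, and a kill wrapper that raises privilege only around kill(2). It uses the POSIX seteuid(2) call, which is portable to the verifier's host; the page's privB uses setresuid(2), which on HP-UX also lets you set the saved uid explicitly. Function names, the pid limits and the forked demo child are choices made for this example.

```c
/* Added example: privilege bracketing plus strict pid validation for a
 * response program. Not HP-UX HIDS code. Uses seteuid(2) where the manual's
 * privB uses setresuid(2); names and limits are assumptions. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static uid_t saved_priv_uid;   /* the set-user-ID owner (root for a mode 4550 binary) */
static int   priv_initialized;

/* Record the privileged uid, then give it up: effective uid = real uid.
 * The saved set-user-ID keeps the privileged uid for privilege_on(). */
int privilege_init(void)
{
    if (priv_initialized)
        return 0;
    saved_priv_uid = geteuid();
    priv_initialized = 1;
    return seteuid(getuid());
}

int privilege_on(void)
{
    if (privilege_init() == -1)
        return -1;
    return seteuid(saved_priv_uid);
}

int privilege_off(void)
{
    return seteuid(getuid());
}

/* Parse a pid taken from an alert argument such as argv[11]. Rejects empty
 * strings, signs, whitespace, trailing junk and out-of-range values, and
 * refuses 0 and 1 (and negatives), which kill(2) would treat as a process
 * group, init, or every process. Returns -1 on rejection. */
pid_t parse_alert_pid(const char *s)
{
    char *end;
    long v;
    if (s == NULL || !isdigit((unsigned char)*s))
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v <= 1 || v > INT_MAX)
        return -1;
    return (pid_t)v;
}

/* Kill the process named in an alert, holding privilege only for kill(2).
 * Returns kill(2)'s result; -1 with EINVAL for an unacceptable pid. */
int kill_offending_process(pid_t pid)
{
    int rc, saved_errno;
    if (pid <= 1) {
        errno = EINVAL;
        return -1;
    }
    if (privilege_on() == -1)
        return -1;
    rc = kill(pid, SIGKILL);
    saved_errno = errno;
    if (privilege_off() == -1)
        return -1;                /* cannot drop privilege: treat as failure */
    errno = saved_errno;
    return rc;
}

/* Stand-alone demonstration: fork a child that waits forever, kill it through
 * the bracketed path, and confirm it died from SIGKILL. 0 = success. */
int demo_kill_child(void)
{
    int status;
    pid_t child = fork();
    if (child == -1)
        return -1;
    if (child == 0) {
        for (;;)
            pause();
    }
    if (kill_offending_process(child) == -1)
        return -1;
    if (waitpid(child, &status, 0) != child)
        return -1;
    return (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL) ? 0 : -1;
}

int main(int argc, char **argv)
{
    pid_t pid;
    if (argc < 12) {                              /* run with no alert: self-test */
        fprintf(stderr, "demo: %s\n", demo_kill_child() == 0 ? "child killed" : "failed");
        return 0;
    }
    pid = parse_alert_pid(argv[11]);
    if (pid == -1) {
        fprintf(stderr, "refusing to act on pid argument '%s'\n", argv[11]);
        return 1;
    }
    if (kill_offending_process(pid) == -1) {
        perror("kill");
        return 1;
    }
    fprintf(stderr, "Killed offending process %ld\n", (long)pid);
    return 0;
}
```

Note what the validation buys you compared with the sample scripts' bare `kill -KILL ${pid}`: an empty, negative or zero argument is rejected before any privileged call is made, and the effective uid is root for exactly one system call.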
#!/usr/bin/sh
# Sets the umask to a "sane" value
umask 077
# If there is a file modification alert
if [ "$1" = "2" ]
then
    # and if the target of the attack is the password file
    if [ "${17}" = "/etc/passwd" ]; then
        # obtain the process ID from the alert
        pid=${11}
        echo "Critical intrusion: halting process ${pid} running ${24} that modified /etc/passwd" | /usr/bin/mailx -s "$7" ${RECIPIENT}
        # Invoke setuid-root program to kill process instead
        # of using a setuid-root script that is susceptible to
        # race condition attacks.
Code for privB program

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
        }
        fprintf(stderr, "Killed offending process %d\n", pid);
        /* Turn off root privilege */
        if (setresuid(-1, getuid(), geteuid()) == -1) {
            perror("setresuid");
            exit(1);
        }
    }
}
exit(0);
}

Solution C

  A setuid-root program with mode 4550, owned by root:ids
  /opt/ids/response/misc            A directory with mode 500, owned by ids:ids
  /opt/ids/response/misc/scriptC.
# If there is a file modification alert
if [ "$1" = "2" ]
then
    # And if the target of the attack is the password file
    if [ "${17}" = "/etc/passwd" ]; then
        # Obtain the process ID from the alert
        pid=${11}
        echo "Critical intrusion: halting process ${pid} running ${24} that modified /etc/passwd" | /usr/bin/mailx -s "$7" ${RECIPIENT}
        kill -KILL ${pid}
    fi
fi
# Exit with no error
exit 0

Sample Response Programs

The following sections contain examples of C and shell script response programs.
Example B-1 Response Program

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
#if 0
    /* insert your response code here */
    int i;
    for (i = 0; i < argc; i++) {
        fprintf(stderr, "argv[%d] = %s\n", i, argv[i]);
    }
#endif
    exit(0);
}

Sample Shell Script Alert Responses

IMPORTANT: Some of these sample shell scripts require root privileges. They must not be run as setuid root. These scripts are for illustrative purposes only.
Forwarding Information

The response script program can either send the alerts to the user through an email or store the alerts in a log file.

Sending an Email

HP-UX HIDS logs alerts to a file on the local system and sends the alert information to the HP-UX HIDS System Manager.
Example B-3 Storing Alerts in Log Files

#!/usr/bin/sh
#
# Sample HP-UX HIDS alert response script
#
# Send a message to syslog containing the alert
# If there is a severity 1 alert then log the alert to syslog
if [ "$3" = "1" ]
then
    /usr/bin/logger -t "HP-UX HIDS" "$8"
fi

NOTE: Administrators can also use the following HP-supported options:
  • Consolidate alerts to a central log using syslog-ng with clog_tail
  • Generate alert reports using the idsadmin --report feature.
Halting Further Attacks

The response script program can stop subsequent attacks on a system either by disabling a user’s account or by disabling the remote network connection.

Disabling a user's account

If a particular user account is generating many alerts, it may be necessary to disable further logins on that account. The following script shows how to achieve that.
IMPORTANT: This script requires privilege and must not be installed as a setuid privileged script. This script is for illustration purposes only. For instructions on safely writing a privileged response program, see “Writing Privileged Response Programs” (page 202).
Disable Remote Networking

If you have determined that an intrusion is originating from a remote location, the following script disables networking on the system.

IMPORTANT: This script requires privileges and must not be installed as a setuid privileged script. This script is for illustration purposes only. For instructions on safely writing a privileged response program, see “Writing Privileged Response Programs” (page 202).
Preserving Evidence

Consult your local legal counsel to determine what steps must be taken to preserve evidence for use in court. The example scripts presented below do not meet the legal requirements for preservation of evidence.

Putting a Process to Sleep

You can preserve evidence of an intrusion for later analysis. In this example, a process that caused an alert is stopped. Any activity by the process is halted, and the process memory image can be analyzed at a later time.
Snapshot of Critical System State

Extending the previous example, this script takes a snapshot of critical system state information that can be used for later analysis.
System Restoration to a Stable State

Intruders often replace key system configuration files during an attack. This sample script shows how to replace those files with clean versions that are mounted on a CD-ROM drive. Assume that the CD-ROM is mounted on /cdrom.

IMPORTANT: This script requires privilege and must not be installed as a setuid privileged script. This script is for illustration purposes only.
The OVO HPUX_HIDS-SPI components include the following: • Templates designed to monitor important log files, vital processes, and real time alerts generated by HP-UX HIDS. • Templates that enable monitoring of the application’s overall availability. • Applications that enable you to query the status of HP-UX HIDS, and start and stop the HP-UX HIDS System Manager. OVO HPUX_HIDS-SPI can be used with both the OVO X-Motif-based Operator GUI and the OVO Java-based Operator GUI.
C Tuning Schedules and Generating Alert Reports

This appendix describes how to tune schedules and generate alert reports using the idsadmin command. This appendix addresses the following topics:
  • “Tuning Schedules Using the idsadmin Command.”
  • “Generating Alert Reports Using the idsadmin Command.”

Tuning Schedules Using the idsadmin Command

The tune command enables you to tune schedules and reduce the number of false positives (alerts that are generated because of normal system activity).
  4. Once enough alerts are generated, enter the tune command.
  5. The tune command provides suggested filters to filter out these alerts generated because of normal system activity.
  6. The tune command then automatically updates and deploys the schedule.
  7. Administrators can also choose to view and modify the tune command report and the schedule before deployment.
Figure C-1 Flowchart Depicting the Tuning Process

Step 1: Analyzing Alerts and Tuning Schedules

Invoke the tune command from the idsadmin command line, or its interactive command interface, to start analyzing alerts and tuning schedules.
The syntax for the tune command when invoked from the idsadmin command line is as follows:

  idsadmin [-v[vvv]] -t [OPTIONS]

The tune command can also be invoked from the interactive command-line interface as follows:

  idsadmin> tune [-v[vvv]] -t [OPTIONS]

Table C-1 describes the various tuning options that you can use with the tune command.

Table C-1 The tune Command Options

  Option               Description
  -a, --agent-hosts
NOTE: If you have specified the --tune-no-review option with the tune command, this report is not displayed. The tune command automatically modifies and deploys the schedule without prompting for reviews.

The Tune Command Report contains the following additional sections:
  • “Section Related to File Related Alerts.”
  • “Section Related to Aggregated Alerts.”
  • “Section Related to System Alerts.”
Where:
  • is the top-level program that caused the alert in a multi-process alert.
  • is the number of alerts aggregated in the meta alert.
  • is the user who generated the alert.
  • is the highest severity among all the alerts in the meta alert.
  • is the time when the first alert in the meta alert was generated.
  • is the number of occurrences of the same meta alert.
Example C-1 To tune schedules for two agents without any user interaction

  % idsadmin -t -a abc.hp.com,xyz.hp.com --tune-no-review

This command (invoked from a shell command line) analyzes alerts for the two agents (abc.hp.com and xyz.hp.com) generated since the timestamp of the last alert to be tuned. The tune command analyzes the alerts, and automatically updates and deploys the updated schedule on these agents. No user interaction is required.
NOTE: Alert filters are generated only for file related alerts.

The following fields in the entries in the file related alerts section of the Tune Command Report can be modified:

The following examples show sections of a Tune Command Report, where the tune command has suggested a filter for the alert.
Example C-4 Suggested Exact Filters

  ATTACK PROGRAM| /opt/OV/bin/OpC/opcmon --> (X) | /var/opt/OV/tmp/OpC/monagtp | Filesystem modification or potential modification | 0 | 3 | Wed Oct 11 13:12:46 2006 | 12 | ^/var/opt/OV/tmp/OpC/monagtp$ | ^/opt/OV/bin/OpC/opcmon$ | | 2

In this entry, the tune command displays the filtering rule for alerts that are generated when the opcmon program modifies the /var/opt/OV/tmp/monagtp.
  • Generate reports for one or more agents
  • View alert statistics by agent, severity, alert type, and detection template
  • Generate a consolidated report across multiple agents
  • Generate incremental reports (i.e.
Table C-2 Reporting Options Supported by idsadmin (continued)

  Option           Description
  --alert-fields   Comma-separated list of alert fields to print in a report, where:
                     • hostname — The hostname of the agent that generated the alert.
                     • ipaddr — The host IP address of the agent that generated the alert.
                     • template — The template that generated the alert.
                     • localdate — The local date and time of the event that triggered the alert.
                     • utcdate — The UTC date and time of the event that triggered the alert.
Table C-2 Reporting Options Supported by idsadmin (continued)

  Option                          Description
  --email-subject TEXT            Used with the --email-to reporting option. Subject line of an email message containing a report. Text must be enclosed in double quotes if it contains white space. This option can be specified only from the command line and not from the interactive menu prompt.
  --end-date YYYYMMDD[HHMMSS]     Specifies that only alerts generated on or before the specified date are reported.
Table C-2 Reporting Options Supported by idsadmin (continued)

  Option                             Description
  --sort-by date | severity | type   The sorted order in which alerts are listed in an alert report. The default is date.
  --start-date YYYYMMDD[HHMMSS]      Specifies that only alerts generated on or after the specified date are reported. The date/time is interpreted as local time on the host on which idsadmin is run, not as the local time on the agent host(s).
Example C-6 To generate a report for all the managed agents starting from a particular date

  /opt/ids/bin/idsadmin -r --start-date 20070101

This command generates a report for all the managed agents starting from January 01 2007. This report is saved as an HTML file in /var/opt/ids/reports/HIDS_Report.html. Figure C-2 shows a screenshot of the report in HTML format.

Figure C-2 Screenshot of the Generated Report in .html Format

NOTE: While generating alert reports in .
  • To display an HTML report as shown in the above screenshot, you must ensure that the directory that contains the .html report also contains the hids.css and the hp_logo.gif files. If your directory does not contain these files, you can copy them from the /var/opt/ids/reports directory.
  • The layout and format of the .html reports can be customized by modifying the Cascading Style Sheet (CSS) file.
  • The HTML formatted reports display correctly on mozilla-based web browsers.
Example C-7 To generate a report for an agent showing only the date and time (local), severity, attacker, and target, and to email the report in text format to a specified email address

  /opt/ids/bin/idsadmin -r -a ariel --alert-fields localdate,severity,attacker,target --report-format text --email-to admin@xyz.
Example C-9 To generate a report listing only the critical alerts for all agents listed in the sentinal.hosts file starting from January 01 2007, and to display the report in raw format using commas to delimit alert fields

  /opt/ids/bin/idsadmin -r -a abc.hp.com,xyz.hp.com --alert-severities critical --report-format raw --report-delimiter , --start-date 20070101

Example C-10 To generate a report for all agents listing only alerts related to failed logins, logouts, and failed su attempts.
Example C-11 To generate a report for all agents listed in the sentinal.hosts file starting from January 01 2007, displaying only the specified fields. The report is in raw format and emailed to the specified email address.

  /opt/ids/bin/idsadmin -r -a all --start-date 20070101 --report-format raw --email-to admin@xyz.
NOTE: If some of the alert fields contain the pipe (|) character (the default delimiter character) use the --report-delimiter option to specify a different delimiter character. Using pipe (|) as a delimiter when alert fields contain the pipe (|) symbol will disrupt the parsing of alerts.
D The Agent Configuration File This appendix describes the user-configurable options that can be modified in the HP-UX HIDS agent configuration file, which is located in /etc/opt/ids/ids.cf.
  $ su - ids

  2. Send the hangup signal to the agent process ID:

  $ kill -HUP $(cat /var/opt/ids/idsagent.pid)

The idsagent process rereads the configuration file and reactivates the current surveillance schedule, if any.

Log File Rotation

Both the IDS_ERRORFILE file and the IDS_ALERTFILE file, described in “Global Configuration” (page 240), are designed to support log rotation.
IDS_LISTEN_IFACE The IP address or host name associated with the agent system’s network interface card. On a system with only one IP address, this parameter does not need to be specified. On a multihomed system (a system with more than one network interface card) this parameter is required. See “Configuring a Multihomed Agent System” (page 42) for configuration information.
CMDLINEARGS Used to pass command line options to the idscor process. To measure the average system call event rate on a host for the system calls monitored by HIDS, while running a particular set of detection templates, set the value to -t where is the number of events over which the rate is calculated. For example, -t 100000 calculates the event rate for every 100,000 events. For more information, see the “HP-UX HIDS Sizing and Tuning Primer”.
The first entry, for the system log DSP, which monitors various system log files, has no modifiable parameters. The second entry is for the kernel audit data DSP.

CAUTION: Do not edit any variables in the system log DSP section (between [DSP] NAME idskernDSP and its [END] tag).

Kernel Audit Data DSP

In the section beginning with [DSP] NAME idskernDSP, only the parameters in Table D-3 may be edited.

CAUTION: Do not edit any other variables between [DSP] NAME idskernDSP and its [END] tag.

0x2 IDDS_MODE_NONBLOCK: Do not block the reader of /dev/idds when no audit data is available.

0x4 IDDS_MODE_STATUS_ON: Gather statistics on the audit system.

LOW_WATERMARK

Example settings are:

IDDS_MODE 0: Turn off status gathering and block processes if audit data is generated faster than the agent can consume it. This option sacrifices system performance for totally reliable information gathering.

records are no longer being dropped. The default is 80 (percent).

Remote Communication Configuration

The remote communication configuration section lies between the [RemoteSA] and [END] tags. Only the parameters in Table D-4 may be edited.

CAUTION: Do not edit any other variables between [RemoteSA] and its [END] tag.
notation. If the INTERFACE variable is set in idsgui, REMOTEHOST should have the same value.
E The Surveillance Schedule Text File

This appendix describes the surveillance schedule in text format, so that administrators can edit surveillance schedules with their preferred editor instead of the GUI Schedule Manager, and so that administrators who want to automate the activation of surveillance schedules (using scripts) can do so instead of using the GUI System Manager.

command’s --activate and -a options. Use the --activate option to specify the name of the surveillance schedule and the -a option to specify the name or IP address of the agent host(s). For example, the following idsadmin command activates a schedule specified in a file named MySchedule.txt on an agent host with IP address 10.0.0.2:

# /opt/ids/bin/idsadmin --activate MySchedule -a 10.0.0.2

For more information about the idsadmin command, see idsadmin(1M).

subsections. The global properties subsection is bracketed by the GLOBALS and ENDGLOBALS keywords. The following global properties are defined within the GLOBALS and ENDGLOBALS keywords:

• aggregation: The aggregation property is an alert aggregation flag that is used to either enable or disable alert aggregation.

After the specified time, HIDS generates a report summary. However, if the number of duplicate alerts exceeds the number specified in the suppression_count property (see below), a summary of duplicate alerts can be generated earlier than the time specified in suppression_interval. This property is equivalent to the Suppression Interval field in the GUI Schedule Manager. The default value of this property is 6h.
This section is a subsection of the surveillance schedule section. The section is bracketed by the GROUPPERIOD and ENDGROUPPERIOD keywords. Each GROUPPERIOD section can have only one GROUP or ENDGROUP section. The templates and their property values are stored in the corresponding group file and not in the schedule file. Each group exists as individual files within the groups subdirectory and can be used across multiple schedules.
Example E-1 Example of a Sample Surveillance Schedule Text File

The following example illustrates the usage of the different keywords in a sample surveillance schedule text file:

    SCHEDULE FileAndLoginMonitoringAlwaysOn
    GLOBALS
    aggregation | 1
    rt_alerts | 0
    aggr_tuples | ^/usr/lbin/swagent$, 28800
    suppression | 1
    suppression_report | 1
    suppression_interval | 6h
    suppression_count | 100
    suppression_targets_to_ignore | ^/etc/passwd$ | ^/etc/group$ | ^/stand/vmunix$ | ^/stand/system$ | ^/\.rhosts$ | ^/etc/inetd\.

Table E-1 Template Mapping

    Keyword            Description
    race_condition     Race Condition
    buffer_overflow    Buffer Overflow
    login_logout       Login/Logout
    append_only        Changes to Log File
    read_only          Modification of files/directories
    setuid or setgid   Creation and Modification of setuid/setgid File
    world_writable     Creation of World-Writable File
    failed_login       Repeated Failed Logins Template
    failed_su          Repeated Failed su Commands Template
    non_owned          Modification of Another User’s Files

The template property specif

NOTE: In the Schedule Manager window, only the property values "N1 | N2 | ... | Np" are entered when setting a template property. Do not enter the Property-name or the first pipe (|) character in the example when entering a template property in a template property edit window.

The following semantics are used when parsing template properties:

• Multiple consecutive occurrences of space and tab characters are equivalent to a single space character.
• The hash character (#) is the comment character.
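As an added example (not part of this manual or of the HP-UX HIDS software), the following Python parser applies the stated rules to the GLOBALS block of a schedule file in the form of Example E-1: "Property-name | N1 | ... | Np" lines, runs of blanks collapsed to one space, "#" comments, plus a check that the flag-valued globals are 0 or 1. The sample schedule text and the list of known global property names are constructed from this appendix; the parser is an assumption about the format, not the agent's own reader.

```python
import re

# Constructed sample modelled on Example E-1 (not a file shipped with HP-UX HIDS);
# the tab, extra blanks and the '#' comment are there to exercise the parsing rules.
SAMPLE_SCHEDULE = """\
SCHEDULE FileAndLoginMonitoringAlwaysOn
GLOBALS
aggregation      | 1
rt_alerts\t\t| 0
aggr_tuples | ^/usr/lbin/swagent$, 28800
suppression | 1
suppression_report | 1
suppression_interval | 6h      # summary report every 6 hours
suppression_count | 100
suppression_targets_to_ignore | ^/etc/passwd$ | ^/etc/group$ | ^/stand/vmunix$
ENDGLOBALS
"""

# Global property names taken from this appendix; anything else is flagged.
KNOWN_GLOBALS = {
    "aggregation", "rt_alerts", "aggr_tuples", "suppression", "suppression_report",
    "suppression_interval", "suppression_count", "suppression_targets_to_ignore",
}
# Properties documented as on/off flags (the other globals take free-form values).
FLAG_PROPS = {"aggregation", "rt_alerts", "suppression", "suppression_report"}


def normalize(line):
    """Apply the two stated rules: '#' starts a comment, blank runs collapse to one space."""
    line = line.split("#", 1)[0]
    return re.sub(r"[ \t]+", " ", line).strip()


def parse_property(line):
    """Split 'Property-name | N1 | N2 | ... | Np' into (name, [N1, ..., Np])."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) < 2 or not fields[0]:
        raise ValueError("malformed property line: %r" % line)
    return fields[0], fields[1:]


def parse_globals(text):
    """Return (schedule name, {property: values}, warnings) for the GLOBALS block."""
    name, props, warnings, in_globals = None, {}, [], False
    for raw in text.splitlines():
        line = normalize(raw)
        if not line:
            continue
        if line.startswith("SCHEDULE "):
            name = line.split(" ", 1)[1]
        elif line == "GLOBALS":
            in_globals = True
        elif line == "ENDGLOBALS":
            in_globals = False
        elif in_globals:
            prop, values = parse_property(line)
            if prop not in KNOWN_GLOBALS:
                warnings.append("unknown global property: %s" % prop)
            if prop in FLAG_PROPS and values not in (["0"], ["1"]):
                warnings.append("%s must be 0 or 1, got %s" % (prop, values))
            props[prop] = values
    return name, props, warnings


def gui_value(line):
    """What the Schedule Manager edit window expects: values only, no name and no first pipe."""
    _, values = parse_property(normalize(line))
    return " | ".join(values)
```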
F Error Messages

This appendix describes errors and messages that may be produced by the Agent and System Manager programs. This appendix addresses the following topics:

• “Agent Messages” (page 255)
• “System Manager Messages” (page 261)

Agent Messages

This section describes error messages that are displayed on agent systems.

NOTE: These messages are produced by agent processes. If you see a message that is not described and you cannot resolve the problem, contact HP support.
Table F-1 Agent Error Messages (continued)

Error Message: idsagent: alert log creation failed
Meaning: The idsagent failed to create the /var/opt/ids/alert.log local alert log file.
Action: Check that the directory exists, that it is owned by user:group ids:ids, that it has 700 permissions, and that the /var partition has free space available.

Error Message: idsagent: please run the /opt/ids/bin/IDS_importAgentKeys script to complete IDS installation
Meaning: The final stage of the certificate installation process was not performed.
Action: Execute the IDS_importAgentKeys program to import the certificates for this agent.

Error Message: idsagent: process (PID:pid) pname died abnormally with error: msg
Meaning: An HP-UX HIDS agent subprocess with PID pid and name pname has failed unexpectedly, as described in msg.

Error Message: idsagent: error trying to shut down a process
Meaning: The idsagent was unable to cleanly shut down one of the HP-UX HIDS subprocesses.
Action: This error can occur, but idsagent still cleans up processes.

Error Message: idsagent: failed to allocate memory
Meaning: An internal memory error occurred.
Action: Contact HP support.

Error Message: idsagent: failed to create schedule path file name
Meaning: An internal memory error occurred.
Action: Contact HP support.

Error Message: idsagent: failed to initialize schedule in crontab
Meaning: idsagent was unable to create a set of crontab entries for user ids to manage schedule execution.
Action: Verify that the user ids is present in the /var/adm/cron/cron.allow file.

Error Message: idsagent: group named group not found
Meaning: An internal error occurred.
Action: Contact HP support.

Error Message: idsagent: internal error (no correlator) in PM_StartProcesses
Meaning: The /etc/opt/ids/ids.cf file may be corrupt.

Error Message: idsagent: not enough disk space to save config file
Meaning: The system has exhausted the disk space in the root file system partition.
Action: Clean up the root file system partition to free space.

Error Message: idsagent: out of process table space
Meaning: There are no process table slots free on the system.
Action: Your system has run out of process table space. Either kill unneeded processes or reconfigure the kernel to allow for more user processes.

Error Message: Internal error: unknown state
Meaning: An internal error occurred.
Action: Contact HP support.

Error Message: unable to open the response script directory dir
Meaning: idsagent was unable to open or read the /opt/ids/response directory which contains the alert response scripts.
Action: Ensure that the directory exists, that it is owned by user:group ids:ids, and that it is readable and executable by user ids.
Table F-2 System Manager Error Messages (continued)

Error Message: FATAL ERROR: Cannot listen on adminPort. Check if port is already in use on this host Exiting......
Meaning: A check is made to make sure that the program can receive messages on the requested port. An error is generated if an unknown interface is specified.
Action: Ensure that the specified port number is valid.

Error Message: Host Name and IP address must be provided - Add Host Error.
Meaning: You tried to add a host without

Error Message: No host selected. At least one host must be selected - Host Selection Error.
Meaning: The requested action on the host cannot be performed, since no host was selected.
Action: Before requesting any action, select a host.

Error Message: No more instances of searchstring found - Find Error.
Meaning: No further occurrences of the search string have been found.
Action: Search is discontinued, since no instances of the search string can be found.

Error Message: Select Surveillance Schedule to delete - Selection Error.
Meaning: You tried to delete a schedule without selecting one.
Action: Select a surveillance schedule before deleting it.

Error Message: Select Surveillance Schedule to be modified - Selection Error.
Meaning: Schedule modification was attempted without selecting a schedule.
Action: Select a surveillance schedule before modifying it.

Error Message: This host (hostname) has multiple network addresses. The INTERFACE configuration setting in idsgui must specify the hostname/IP address of the interface to listen for connections from agents or 0.0.0.0 to listen on all interfaces.
Action: Either select a specific IP address or 0.0.0.0. If you select a specific IP address, it must correspond to the network interface for the network connecting the administration and agent systems.

Error Message: Unable to Overwrite: filename - File Save Error.
Meaning: The application was unable to overwrite the file using the specified name.
Action: An error occurred during the save operation. Ensure the availability of sufficient disk space.

Error Message: Unknown Host - unable to resolve IP Address IPaddress.
Meaning: The IP address of the host, which you tried to add, could not be resolved.
Action: Ensure that the correct IP address is used for the host.
G Troubleshooting This appendix describes various steps you can take in resolving problems on the agent and administrative systems.
• “System Manager times out on agent functions such as Activate and Status Poll” (page 278)
• “UNKNOWN program and arguments in certain alert messages” (page 278)
• “Using HP-UX HIDS with IPFilter and SecureShell” (page 279)
• “Unable to Generate Administrator Keys and Agent Certificates on PA–RISC 1.1 Systems” (page 281)

Troubleshooting

This section describes a variety of potential problems and their solutions.

Agent complains that idds has not been enabled, yet lsdev shows /dev/idds is present

□ If your lsdev result shows /dev/idds is present, and yet the idsagent debug-enabled log file (run with /opt/ids/bin/idsagent -d -l log_file_name) complains about idds not being enabled, it is probable that there is an installation or kernel-build error.

Agent halts abnormally, leaving ids_* files and message queues

□ If a running agent was not halted as described in “Halting HP-UX HIDS Agents” (page 65) (for example, the agent was stopped with kill -9), then you need to clean up the message queues, which the agent uses for interprocess communication (IPC). This is important because the kernel has a limited number of message queues that IDS and other applications need in order to run.

• /var/opt/ids/gui/logs/Trace.log
• /var/opt/ids/gui/guiError.log

Agent needs further troubleshooting

□ Create a directory for the logging information (for example, /var/log)
□ Restart the idsagent process with debugging enabled:
  • /sbin/init.
Alert date/time sort seems inconsistent

□ Two factors come into play in this seeming inconsistency: First, the agent’s date/time stamp is based on the local host time when the alert was received. Second, the time the System Manager uses to sort the alert is based on the UTC when the alert actually occurred. Under normal circumstances, these two times are identical. On occasion, however, there may be a difference depending on internal processing time, which may make the alert list inconsistent.

Buffer overflow triggers false positives

□ Because Buffer Overflow uses a heuristic, it may trigger false positives. If it does, please document what actions were performed that generated the alert, and contact HP support so we can improve the heuristic. For more information on buffer overflow, see “Some Template Configuration Guidelines” (page 84).
IDS_genAgentCerts, are not installed, you can copy the directory /etc/opt/ids/ids/certs/agent (and its contents) from a remote agent host to the administration host.

The idsadmin Command notifies of bad certificate when pinging a remote agent

idsadmin may notify of bad certificates if the certificate created on the admin host for the agent is not yet valid on the agent host due to the system time difference between the admin host and the remote agent host. For example:

./idsadmin -a hostname -i 1.2.3.

IDS_genAdminKeys or IDS_genAgentCerts does not complete successfully

□ The normal completion is shown in the steps in “Setting Up HP-UX HIDS Secure Communications” (page 34).
□ Check the messages in the error log file /var/opt/ids/certs.log for correctable errors.
□ Contact HP Support.

IDS_genAdminKeys or idsgui quits early

On occasion, apparently due to a swlist timeout, the IDS_genAdminKeys and idsgui commands may quit early.

1. Is the agent running? On the agent host, run:

   ps -ef | grep idsagent

   If there is no entry for idsagent, start the agent on the agent system, as in “Starting HP-UX HIDS Agents” (page 61). Then, on the System Manager screen, click the Status button.

2. Is the IP address for the agent correct in the Host Manager screen? Test with nslookup. Is the Domain Name Service (DNS) set up correctly? Test with nslookup. Can the administration system communicate with the agent system? Test with ping.
Reflection X rlogin produces multiple login and logout alerts When logging in using rlogin within Reflection X, the login/logout template will report two login alerts followed immediately by a logout alert. This is expected behaviour and reflects how Reflection X immediately terminates a login session after bringing up a remote window.
screen). This appears to be a synchronization problem between the native window manager (typically, mwm) and the Java windowing manager. Restarting the native window manager may resolve the problem; if not, the System Manager should be restarted.

System Manager does not let you save files to specific directories

□ Verify that the user ids has read/write permission for the directory to which you are trying to save a file.

invoked with UNKNOWN arguments, as process with pid 22125 and ppid 22124 and running with effective uid=101 and with effective gid=10

See “Limitations” (page 139) for details.

Using HP-UX HIDS with IPFilter and SecureShell

The HP-UX implementation of the IPFilter firewall system can be configured to allow communication among the HP-UX HIDS administration and agent systems.

pass in quick proto tcp from any to any port = 22 flags S keep state keep frags

6. Block any incoming connections which were not explicitly allowed.

block in log quick all

How to allow the SecureShell daemon to forward X11 traffic

First, change the SecureShell /etc/opt/ssh/sshd_config configuration file:

• Set X11Forwarding to yes.
• Set X11UseLocalhost to no.

Earlier versions of ssh don’t recognize the second entry. If it’s not there, you don’t need to add it.

xsvr3: Channel 0 sends ieof.
xsvr3: Channel 0 receives input eof.
xsvr3: X problem fix: close the other direction.
xsvr3: Channel 0 receives output closed.
xsvr3: Channel 0 terminates.

Cause: This is a simplified explanation. When you log in to a remote host, and you try to run an X client program on the X server (that is, on your local host), the client needs to authenticate itself with the X server. To do this, it gets what is called an MIT-MAGIC-COOKIE, which is stored in ~/.Xauthority.

and JAVA_MINOR_NUM_MAX="5" to JAVA_MINOR_NUM_MAX="4"

These changes ensure that idsgui uses only Java 1.4.x.

NOTE: The GUI might run with some limitations with Java 1.4.x. Numerous warnings or errors in /var/opt/ids/gui/logs/Trace.log and /var/opt/ids/gui/guiError.log may result in very large files that can consume a considerable amount of disk space.
H HP Software License Attention USE OF THE HP-UX HOST INTRUSION DETECTION SYSTEM AND ASSOCIATED DOCUMENTATION (COLLECTIVELY, THE "SOFTWARE") IS SUBJECT TO THE HP SOFTWARE LICENSE TERMS SET FORTH BELOW. USING THE SOFTWARE INDICATES YOUR ACCEPTANCE OF THESE LICENSE TERMS. IF YOU DO NOT ACCEPT THESE LICENSE TERMS, YOU MAY RETURN THE SOFTWARE FOR A FULL REFUND. IF THE SOFTWARE IS BUNDLED WITH ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE UNUSED PRODUCT FOR A FULL REFUND.
* the OpenSSL Project. * 6. Redistributions of any form whatsoever must * retain the following acknowledgment: * "This product includes software developed by the * OpenSSL Project for use in the OpenSSL Toolkit * (http://www.openssl.org/)" * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT * ``AS IS'' AND ANY * EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* can be in the form of a textual message at * program startup or in documentation (online or * textual) provided with the package. * Redistribution and use in source and binary * forms, with or without modification, are * permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain * the copyright notice, this list of conditions * and the following disclaimer. * 2.
HP Software License Terms The following License Terms govern your use of the accompanying Software. License Grant. HP grants you a license to Use one copy of the Software. "Use" means storing, loading, installing, executing or displaying the Software. You may not modify the Software or disable any licensing or control features of the Software. If the Software is licensed for "concurrent use", you may not allow more than the maximum number of authorized users to Use the Software concurrently. Ownership.
and any accompanying documentation by the applicable FAR or DFARS clause or the HP standard software agreement for the product involved. Disclaimer TO THE EXTENT ALLOWED BY LOCAL LAW, THE SOFTWARE IS PROVIDED TO YOU "AS IS" AND WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, WHETHER ORAL OR WRITTEN, EXPRESS OR IMPLIED. HP SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OF A THIRD PARTY’S INTELLECTUAL PROPERTY.