HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
1. Is the agent running? On the agent host, run
ps -ef | grep idsagent
(Disregard the line for the grep command itself.) If there is no entry for
idsagent, start the agent on the agent system, as in
“Starting HP-UX HIDS Agents” (page 61).
Then, on the System Manager screen, click the Status button.
2. Is the IP address for the agent correct in the Host Manager screen? Test with
nslookup.
3. Is the Domain Name Service (DNS) set up correctly? Test with nslookup.
4. Can the administration system communicate with the agent system? Test with
ping.
5. Is the agent communicating correctly with the administration system? Check
the entry for REMOTEHOST in the /etc/opt/ids/ids.cf agent configuration
file. It must be set to the host name or IP address of the administration system.
If the INTERFACE variable is set to an IP address (other than 0.0.0.0) in
/opt/ids/bin/idsgui on the administration system, REMOTEHOST must
be set to the same value. See “Configuring a Multihomed Administration
System” (page 44) and “Setting Up HP-UX HIDS Secure Communications”
(page 34).
6. Have the secure communications certificates expired?
– On the administration system, run the script
/opt/ids/bin/IDS_checkAdminCert. If the certificate has expired,
rerun /opt/ids/bin/IDS_genAdminKeys with the update parameter.
See “Setting Up HP-UX HIDS Secure Communications” (page 34).
– On the agent system, run the script
/opt/ids/bin/IDS_checkAgentCert. If the certificate has expired,
rerun /opt/ids/bin/IDS_genAgentCerts for the agent on the
administration system. Then reimport the certificates on the agent system
with /opt/ids/bin/IDS_importAgentKeys. See “Setting Up HP-UX
HIDS Secure Communications” (page 34).
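The six checks above can be scripted. The following is an added example, not a script shipped with HP-UX HIDS or taken from this guide: run on the agent host, it walks items 1 to 6 and reports each result. It assumes that /etc/opt/ids/ids.cf uses a simple KEY=value layout, that the HP-UX ping syntax (count after the host) applies, and that the administration system name and address given on the command line (admin.example.com and 192.0.2.10 in the usage line) are placeholders for your own. The INTERFACE value from /opt/ids/bin/idsgui lives on the administration system, so it is passed in by hand when that system is multihomed.

```shell
#!/bin/sh
# Added example (not part of the HP-UX HIDS guide): runs the agent-side checks from
# troubleshooting items 1 to 6 on the agent host.  Assumes ids.cf uses a simple
# KEY=value layout; host names and addresses are whatever your site uses.

hids_agent_running() {
    # Item 1: is idsagent in the process table?  The [i] bracket expression stops
    # grep from matching its own command line, so no "grep idsagent" false positive.
    ps -ef | grep -q '[i]dsagent'
}

hids_resolves() {
    # Items 2 and 3: does the administration host name resolve?  Some nslookup
    # versions return 0 even on failure; when in doubt run it by hand and read the answer.
    nslookup "$1"
}

hids_reachable() {
    # Item 4 (checked here in the agent -> admin direction): HP-UX ping takes the
    # packet count after the host; on Linux the equivalent is "ping -c 3 host".
    ping "$1" -n 3 >/dev/null 2>&1
}

hids_cf_value() {
    # $1 = config file, $2 = variable name.  Prints the last KEY=value assignment with
    # whitespace, a trailing "# comment" and surrounding double quotes removed; prints
    # nothing when the variable is unset or the file is missing.
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null |
        tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

hids_remotehost_ok() {
    # Item 5.  $1 = REMOTEHOST from ids.cf, $2 = INTERFACE from idsgui on the admin
    # system ("" or 0.0.0.0 when not pinned), $3 = admin host name, $4 = admin IP.
    # When INTERFACE is pinned to an address, REMOTEHOST must be that exact value;
    # otherwise either the admin host name or its IP address is acceptable.
    remote=$1; iface=$2; admin_name=$3; admin_ip=$4
    [ -n "$remote" ] || return 1
    if [ -n "$iface" ] && [ "$iface" != "0.0.0.0" ]; then
        [ "$remote" = "$iface" ] && return 0
        return 1
    fi
    [ "$remote" = "$admin_name" ] && return 0
    [ "$remote" = "$admin_ip" ] && return 0
    return 1
}

hids_check() {
    # $1 = admin host name, $2 = admin IP, $3 = ids.cf path (default /etc/opt/ids/ids.cf),
    # $4 = INTERFACE value copied from /opt/ids/bin/idsgui on the admin system (optional).
    admin_name=$1; admin_ip=$2; cf=${3:-/etc/opt/ids/ids.cf}; iface=${4-}
    status=0
    if hids_agent_running; then echo "ok   idsagent is running"
    else echo "FAIL idsagent not running (see Starting HP-UX HIDS Agents)"; status=1; fi
    if hids_resolves "$admin_name" >/dev/null 2>&1; then echo "ok   $admin_name resolves"
    else echo "FAIL $admin_name does not resolve: check DNS"; status=1; fi
    if hids_reachable "$admin_name"; then echo "ok   $admin_name answers ping"
    else echo "FAIL $admin_name unreachable from this agent"; status=1; fi
    remote=$(hids_cf_value "$cf" REMOTEHOST)
    if hids_remotehost_ok "$remote" "$iface" "$admin_name" "$admin_ip"; then
        echo "ok   REMOTEHOST=$remote in $cf"
    else
        echo "FAIL REMOTEHOST='$remote' in $cf does not name the admin system"; status=1
    fi
    # Item 6: the product's own script reports the agent certificate state; read its output.
    [ -x /opt/ids/bin/IDS_checkAgentCert ] && /opt/ids/bin/IDS_checkAgentCert
    return $status
}

# Usage on the agent host (placeholder admin host name and address):
#   sh hids_check.sh check admin.example.com 192.0.2.10 /etc/opt/ids/ids.cf
case "${1-}" in
    check) shift; hids_check "$@" ;;
esac
```

Sourcing the file without the `check` argument only defines the functions, so hids_cf_value and hids_remotehost_ok can be reused from other scripts; a non-zero exit from hids_check means at least one item failed and the matching "FAIL" line names the section of this chapter to follow.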
Normal operation of an application generates a heavy volume of alerts
□ To avoid being overwhelmed by alerts that carry no security information, customize
the detection templates to the needs of your particular environment. If an application
generates a heavy volume of alerts during its normal mode of operation, add filtering
to the affected detection templates; most templates provide a mechanism for
suppressing such spurious alerts.
□ For example, a system with the Resource Management subsystem might trigger
a heavy volume of alerts since it frequently updates some files in
/etc/opt/resmon. You can go to the Schedule Manager and modify the
“Modification of files/directories” template to have it ignore the /etc/opt/resmon
directory. (This filtering is provided by default in HP-UX HIDS version 2.2.)
□ See “Suggested Best Practices” (page 83).
276 Troubleshooting