HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
Reflection X rlogin produces multiple login and logout alerts
When logging in using rlogin within Reflection X, the login/logout template will
report two login alerts followed immediately by a logout alert. This is expected
behaviour and reflects how Reflection X immediately terminates a login session after
bringing up a remote window.
Response Program gets an empty host name or IP address on HP-UX 11i v1
On 11i v1, the response program arguments that contain the remote host name and
IP address of the attacker (see Appendix B, Table B-1 (page 194)) can be empty
because of a corrupt wtmp file. To verify whether wtmp is corrupt, run the last
command. If the last command gets a segmentation violation, then wtmp is corrupt.
To recreate wtmp, execute the following commands as root:
• # rm -f /var/tmp/wtmp
• # touch /var/tmp/wtmp
• # chown adm:adm /var/tmp/wtmp
• # chmod 644 /var/tmp/wtmp
On HP-UX 11i v2 operating systems, if removing wtmp still produces an error when
running the last command, also remove /var/adm/wtmps (it is automatically
recreated).
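The check and rebuild described above, combined into one script. This is an added example, not taken from the HP guide: unlike the rm -f step, it renames the damaged file so the login records it held stay available for later review. WTMP, WTMP_OWNER, LAST_CMD and RUN_WTMP_CHECK are assumed variable names, and the script assumes a shell that reports death by signal as 128 plus the signal number.

```shell
#!/bin/sh
# Added example: not from the HP guide. Variable names are assumptions.
WTMP="${WTMP:-/var/tmp/wtmp}"        # wtmp path as given in the procedure above
WTMP_OWNER="${WTMP_OWNER:-adm:adm}"  # owner from the procedure; empty skips chown
LAST_CMD="${LAST_CMD:-last}"         # command used to probe wtmp

# Succeeds (returns 0) only if the probe command was killed by SIGSEGV.
# Assumes the shell reports death by signal as 128 + signal number.
wtmp_is_corrupt() {
    status=0
    $LAST_CMD >/dev/null 2>&1 || status=$?
    [ "$status" -gt 128 ] || return 1
    sig=$(kill -l "$status" 2>/dev/null) || sig=""
    [ "$sig" = "SEGV" ]
}

# Rename the damaged file instead of deleting it, then recreate an empty wtmp
# with the mode and owner used in the procedure.
recreate_wtmp() {
    if [ -e "$WTMP" ]; then
        mv "$WTMP" "$WTMP.corrupt.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    touch "$WTMP" || return 1
    chmod 644 "$WTMP" || return 1
    if [ -n "$WTMP_OWNER" ]; then
        chown "$WTMP_OWNER" "$WTMP" || return 1
    fi
    return 0
}

# Run the check only when asked to, e.g.  RUN_WTMP_CHECK=1 sh wtmp_check.sh
if [ "${RUN_WTMP_CHECK:-0}" = "1" ]; then
    if wtmp_is_corrupt; then
        recreate_wtmp && echo "wtmp was corrupt; recreated $WTMP"
    else
        echo "last did not fault; $WTMP left untouched"
    fi
fi
```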
Schedule Manager timetable screen appears to hang
□ The visual refresh of the day, time, and surveillance group matrix (which the
System Manager maintains in the Schedule Manager timetable screen) is CPU
intensive and hence may appear to be slow on some systems.
SSH does not perform a clean exit after idsagent is started
After starting idsagent from an ssh login, logging out of the agent system results in the
ssh session hanging indefinitely. The following are some workarounds:
ssh -l root <machine> /usr/dt/bin/dtterm
ssh -l root <machine> "/sbin/init.d/idsagent start"
ssh -l root <machine> "su - ids -c '/opt/ids/bin/idsagent -a' 2>&1"
System Manager appears to hang
□ This may result if the System Manager is in the process of resyncing a large number
of alerts from a specific host. There are two possible workarounds for this problem:
• Wait. The System Manager will resume normal behavior when it completes
resynchronizing.
• Kill the System Manager. Move the file /var/opt/ids/alert.log to another
name on the agent host with which the System Manager is attempting to
resynchronize; then restart the System Manager.
□ The System Manager may also hang and not refresh itself as a result of interaction
with the System Manager screen (for example, when a user attempts to resize the