HP-UX Host Intrusion Detection System Version 4.
Legal Notices Copyright 2009 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
About This Document This document describes how to configure and administer the HP-UX HIDS software on HP-UX servers and workstations running HP-UX 11i v2 or HP-UX 11i v3. The document printing date and part number indicate the document’s current edition. The printing date will change when a new edition is printed. Minor changes may be made at reprint without changing the printing date. The document part number will change when extensive changes are made.
Chapter 3 Getting Started with HP-UX HIDS: Provides information about the procedures you must follow to get the System Manager and agents up and running on the administrative and monitored systems.
Chapter 4 System Manager Screen: Describes the tasks you can perform using the HP-UX HIDS System Manager screen.
Chapter 5 Schedule Manager Screen: Describes how to configure surveillance schedules, surveillance groups, and detection templates using the HP-UX HIDS Schedule Manager screen.
Emphasis      Text that is strongly emphasized.
Term          The defined use of an important word or phrase.
ComputerOut   Text displayed by the computer.
UserInput     Commands and other text that you type.
Command       A command name or qualified command phrase.
Variable      The name of a variable that you may replace in a command or function, or information in a display that represents several possible values.
[]            The contents are optional in formats and command descriptions.
1 Introduction This chapter introduces the HP-UX Host Intrusion Detection System (HP-UX HIDS) software, an HP-UX product that enhances the local host-level security within your network.
the serious problem that comes from within. Industrial corporate espionage is also a significant threat.
How are These Threats Realized?
This section discusses the circumstances that lead to some common security problems.
Misplaced Trust
Trust can be misplaced during any of the following events:
• While accessing the website of a specific company, you trust that it is the website of the company you intend to visit.
• When you download product data from a website, you trust that it is accurate.
are not designed to handle security attacks. Moreover, most code runs with more privileges than it needs to accomplish its task. Often a site installs its web server to run as root, granting it far greater privileges than it needs to serve up websites and CGI scripts. Web servers that run as root are easy targets for attack: CGI scripts are easily accessible, and through them any individual can gain complete root privileges on such systems.
against denial-of-service attacks. Despite all the advantages of encryption, it is only part of an overall security solution.
Security Auditing Tools
A security auditing tool probes systems and networks for potential vulnerabilities that attackers can exploit, generates a report identifying holes, and recommends fixes. Whenever the system administrator finds holes, he or she must quickly patch them before they are exploited.
HP-UX HIDS Functionality HP-UX Host Intrusion Detection System (HIDS) is an intrusion detection system that enhances local host-level security within a network. It automatically monitors each configured host system within the network for possible signs of unwanted and potentially damaging intrusions. If an intrusion is successful, it can lead to the loss of availability of key systems or compromise system integrity.
HP-UX HIDS Components
HP-UX HIDS includes the following components:
• System Manager
  The System Manager is a GUI that enables you to configure, control, and monitor the HP-UX HIDS system. Any intrusions detected are reported as alerts.
• Host-based agent
  The host-based agent gathers system data, monitors system activity, and issues intrusion alerts.
• Detection templates
  Detection templates contain the most commonly encountered system attack patterns.
Figure 1-1 HP-UX HIDS Components
HP-UX HIDS monitors system activity by analyzing data from the following file sources:
• Kernel audit data
• System log files
HP-UX HIDS analyzes this information against its configured attack scenarios. It then identifies possible intrusions and misuse immediately following any suspected activity. When activity is suspected, an alert and detailed information about the potential attack are sent to the HP-UX HIDS System Manager.
The information also includes parameters and outcomes, and is the lowest level of data used by HP-UX HIDS. This data can also include information about the starting and stopping of user sessions.
NOTE: HP-UX HIDS is independent of security configurations. It does not use the HP-UX C2 auditing capability, nor does it require that the monitored system be configured in trusted mode.
Data Source Process (DSP)
A component of the HP-UX HIDS agent that reads the data sources and presents the information for alert calculation.
Detection template
Basic building block or pattern used to combat security attacks on systems.
Duplicate alert
An alert whose attacker (uid), target, type of attack (action), and program name attributes are the same as those of an alert already reported by HIDS, within the specified Suppression Count and Suppression Interval values.
Tune Report
A report containing a summary of all the unique alerts across multiple agents that are running the same schedule, including suggested filtering rules. The Tune Report is generated by the idsadmin tune command and is not an Alert Report generated by the idsadmin report command.
Virus
A piece of potentially malicious code that, when run, attaches itself to other programs. When these programs are executed, the malicious code is also executed.
2 Configuring HP-UX HIDS This chapter describes how to configure HP-UX HIDS System Manager and the Agent software. For information on installing HIDS, see HP-UX HIDS Release 4.1 Release Notes.
for the components to identify themselves and to authenticate that any information received from another HP-UX HIDS component is genuine and not initiated by an unauthorized outsider. HP-UX HIDS provides a toolset to generate X.509 certificates. The System Manager does not start until you establish secure communication. Table 2-1 lists and describes the IDS scripts you can use to set up an SSL environment.
1. Create the X.509 Certificates
To create a certificate for the HP-UX HIDS System Manager process, first generate the ids user locally on the HP-UX HIDS administration system. Only then can the certificates for each of the agent nodes be signed by the HP-UX HIDS administration system. The administration system holds the Root Certification Authority (Root CA) that endorses all other certificates.
a. On the administration system, log in as follows:
   $ su - ids
$ IDS_genAgentCerts
In this process, each host name or IP address you enter is checked for validity using the nslookup command. For more information, see nslookup(1). If you enter a host name and nslookup returns a single IP address, the host name and IP address are saved in a temporary file and the key bundle is created. If you enter an IP address and nslookup returns a host name, the host name and IP address are saved in a temporary file and the key bundle is created.
$ IDS_genAgentCerts
==> Be sure to run this script on the IDS Administration host.
Generate keys for which host? 2001::db8:100
Generating key pair and certificate request for IDS Agent on 2001::db8:100....
Signing certificate for IDS Agent on 2001::db8:100 ...
Certificate package for IDS Agent on 2001::db8:100 is /var/opt/ids/tmp/2001::db8:100.tar.Z
Next hostname (^D to quit)? myhost2
Generating key pair and certificate request for IDS Agent on myhost2....
Signing certificate for IDS Agent on myhost2 ...
installation.
The agent certificate bundles are generated and stored in the following files:
• /var/opt/ids/tmp/myhost1.tar.Z
• /var/opt/ids/tmp/myhost2.tar.Z
• /var/opt/ids/tmp/15.27.43.6.tar.Z
• /var/opt/ids/tmp/2001::db8:100.tar.Z
NOTE: The IDS_genAdminKeys and IDS_genAgentCerts commands include options to provide alternate key lengths and alternate expiration dates for the administration and agent certificates.
3. Installing the keys on each host
Install the bundle of keys generated for each agent system on that system. Store the agent certificate bundle in the /var/opt/ids/tmp directory.
a. Log in as follows:
   $ su - ids
b. Change directory to /opt/ids/bin, as follows:
   $ cd /opt/ids/bin
c. Store the key bundle in a directory, such as /var/opt/ids/tmp.
d. Import the key bundle:
   $ IDS_importAgentKeys /var/opt/ids/tmp/agentsys.tar.
1. Determine if the agent system is multihomed. Use the nslookup command to determine which IP address corresponds to the host name of the system. If more than one IP address is returned by nslookup, your system is multihomed. If only one IP address is returned, your system is not multihomed.
   NOTE: No modifications are needed for a system that has only one IP address.
2. Select the interface on which you want the HP-UX HIDS agent to communicate with the administration system.
The HP-UX HIDS agent software is installed on a system named large that has four network interface cards, each with a unique IP address. Three of the IP addresses are mapped to the aliases large1, large2, and large3, as shown by the following commands:
$ nslookup large
...
Addresses: 1.2.3.4, 1.2.5.10, 1.5.6.7, 2001:db8::100
$ nslookup large1
...
Address: 1.2.3.4
$ nslookup large2
...
Address: 1.2.5.10
$ nslookup large3
...
NOTE: If an HP-UX HIDS agent system with which the administration system has to communicate uses an IPv4 address for communication, the administration system must also use an IPv4 address to communicate with that agent. To communicate with an agent system that uses an IPv6 address, the administration system must also use an IPv6 address. To communicate with both IPv4 and IPv6 agents, the administration system must have both IPv4 and IPv6 addresses configured. The choice of address depends on your network topology.
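The multihomed check and the address-family rule above can be automated. The following Python is an added example, not code from the HP-UX HIDS product: it parses nslookup output (constructed here from the manual's sample for the host large and its alias large1, with a hypothetical name-server line added), reports whether the host is multihomed, and picks an administration-system address of the same IP version as the agent. The transcript layout and the name-server address are assumptions.

```python
import ipaddress
import re

# Constructed nslookup transcripts modelled on the manual's example output
# for the host "large" and its alias "large1" (the Server/Address header
# lines are an assumption about nslookup's output layout).
SAMPLE_NSLOOKUP = {
    "large": (
        "Server:  ns.example.test\n"
        "Address:  192.0.2.53\n"
        "\n"
        "Name:    large\n"
        "Addresses: 1.2.3.4, 1.2.5.10, 1.5.6.7, 2001:db8::100\n"
    ),
    "large1": (
        "Server:  ns.example.test\n"
        "Address:  192.0.2.53\n"
        "\n"
        "Name:    large1\n"
        "Address: 1.2.3.4\n"
    ),
}

ANSWER_RE = re.compile(r"^\s*Address(?:es)?:\s*(.+?)\s*$")


def parse_nslookup_addresses(output):
    """Return the answer-section addresses from an nslookup transcript.

    The 'Address:' line before 'Name:' belongs to the name server and is
    skipped; only address lines after 'Name:' are answers for the host.
    Each token is validated with the ipaddress module.
    """
    addresses = []
    in_answer = False
    for line in output.splitlines():
        if line.startswith("Name:"):
            in_answer = True
            continue
        match = ANSWER_RE.match(line)
        if in_answer and match:
            for token in match.group(1).split(","):
                addresses.append(str(ipaddress.ip_address(token.strip())))
    return addresses


def is_multihomed(addresses):
    """More than one address for the host name means the system is multihomed."""
    return len(addresses) > 1


def admin_address_for(agent_address, admin_addresses):
    """Pick an administration-system address with the same IP version as the
    agent address (IPv4 agents need an IPv4 admin address, IPv6 agents an
    IPv6 one). Returns None when the administration system has no
    compatible address configured."""
    wanted = ipaddress.ip_address(agent_address).version
    for candidate in admin_addresses:
        if ipaddress.ip_address(candidate).version == wanted:
            return candidate
    return None


def describe_host(name):
    """Summarise a host from the constructed transcripts."""
    addrs = parse_nslookup_addresses(SAMPLE_NSLOOKUP[name])
    return {"host": name, "addresses": addrs, "multihomed": is_multihomed(addrs)}


if __name__ == "__main__":
    for host in SAMPLE_NSLOOKUP:
        print(describe_host(host))
    print(admin_address_for("2001:db8::100", ["192.0.2.4"]))
    print(admin_address_for("2001:db8::100", ["192.0.2.4", "2001:db8::1"]))
```

Run against a real nslookup, the function would consume the command's stdout instead of the embedded strings; a None result from admin_address_for is the case the NOTE warns about, where the administration system lacks an address of the agent's IP family.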
REMOTEHOST to REMOTEHOST 192.0.2.4 or REMOTEHOST 2001:db8::100 NOTE: The REMOTEHOST parameter is overridden when you import the certificate bundle with IDS_importAgentKeys. 13. Save the file with your modifications. 14. If the agent is running, force it to reread its configuration file, as described in “Forcing Active Agent to Reread Configuration File” (page 191).
5. Edit the System Manager script, as follows:
   $ vi /opt/ids/bin/idsgui
6. Set the value of INTERFACE in idsgui to the following:
   INTERFACE=127.0.0.1
7. Start the System Manager. For more information, see “Starting the HP-UX HIDS System Manager” (page 49).
8. On the Host Manager screen, set up the administration system as an agent system, using 127.0.0.1 as its IP address. For more information, see “Adding a New Host Manually” (page 84) and “Modifying a Host” (page 88).
max_thread_proc = 2 * num_agents + 18
Where:
num_agents is the number of agent systems to be monitored.
By default, max_thread_proc is set to its minimum value, 64, which allows for 23 agents. The maximum value of max_thread_proc is governed by the configurable kernel parameter nkthread, which you can increase if you have a larger number of agents.
NOTE: The max_thread_proc is a dynamic tunable in HP-UX 11i version 1.6 and later. In earlier versions of HP-UX, a change to this parameter requires a reboot.
1. To view the current value, enter the following command: # ndd -get /dev/tcp tcp_conn_request_max If this value is 20, or some number smaller than the number of agent systems, then proceed to Step 2 and adjust it to the number of agents you plan to monitor, or greater. 2. To change the value, log in as root and modify the /etc/rc.config.
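The two sizing rules above (max_thread_proc = 2 * num_agents + 18 with a floor of 64, and tcp_conn_request_max at least equal to the number of agents) can be checked before touching the kernel. The following Python is an added example, not an HP tool: it computes the required values, the inverse (how many agents a given max_thread_proc supports), and a report of which parameters need raising. The comparison of the required max_thread_proc against nkthread is an assumption drawn from the statement that nkthread governs its maximum.

```python
# Constants stated in the manual's sizing rule.
MIN_MAX_THREAD_PROC = 64   # kernel minimum, which allows for 23 agents
THREADS_PER_AGENT = 2
THREAD_OVERHEAD = 18


def required_max_thread_proc(num_agents):
    """max_thread_proc = 2 * num_agents + 18, never below the minimum of 64."""
    return max(MIN_MAX_THREAD_PROC,
               THREADS_PER_AGENT * num_agents + THREAD_OVERHEAD)


def agents_supported(max_thread_proc):
    """Inverse of the rule: how many agents a given max_thread_proc can serve."""
    return (max_thread_proc - THREAD_OVERHEAD) // THREADS_PER_AGENT


def tcp_conn_request_max_ok(current, num_agents):
    """tcp_conn_request_max must be at least the number of agent systems."""
    return current >= num_agents


def sizing_report(num_agents, current_max_thread_proc, nkthread,
                  current_tcp_conn_request_max):
    """Return what must change on the administration system for num_agents.

    The current values would come from kctune/ndd output on a real system;
    here they are passed in as plain integers.
    """
    required = required_max_thread_proc(num_agents)
    return {
        "max_thread_proc_required": required,
        "max_thread_proc_needs_increase": current_max_thread_proc < required,
        # Assumption: max_thread_proc cannot exceed nkthread, so nkthread
        # must be raised first when the required value is above it.
        "nkthread_needs_increase": required > nkthread,
        "tcp_conn_request_max_needs_increase":
            not tcp_conn_request_max_ok(current_tcp_conn_request_max, num_agents),
        "tcp_conn_request_max_required":
            max(current_tcp_conn_request_max, num_agents),
    }


if __name__ == "__main__":
    # Constructed current values: kernel defaults of 64 and 20, plus a
    # hypothetical nkthread setting.
    print(sizing_report(40, 64, 8416, 20))
```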
3 Getting Started with HP-UX HIDS
This chapter provides an overview of the operation of HP-UX HIDS and the procedures used to get the System Manager and agents up and running on the administrative and monitored systems. This chapter addresses the following topics:
• “HIDS Quick Start Guide.
Agents The HP-UX HIDS agent software must be running continually on the systems you are monitoring for it to detect and report intrusions as they occur. When an agent is running a schedule, it records intrusion alerts and agent program errors in local log files. When the System Manager is running on the administration system, and is monitoring the agent, alerts and errors are transferred to log files on the administration host.
4. Log in to the administration system as root and start the System Manager as the ids user. For more information, see “Starting the HP-UX HIDS System Manager” (page 49).
   a. Log in as ids:
      # su ids
   b. Start the System Manager program:
      $ /opt/ids/bin/idsgui
   c. The first time you start the System Manager, the product license agreement is displayed. This text is also printed in “HP Software License” (page 225). Click Accept to continue or Reject if you are not ready to use the software.
For more information, see Chapter 5: “Using the Schedule Manager Screen” (page 57) . • Host Manager In the Host Manager screen, you can specify and enable the agent hosts you want to monitor. For more information, see Chapter 6: “Using the Host Manager Screen” (page 83). • Network Node The Network Node screen displays the alerts and error messages that have been generated by an agent. Each agent is displayed on a separate screen.
4 Using the System Manager Screen This chapter describes the tasks you can perform using the HP-UX HIDS System Manager screen.
Figure 4-1 System Manager Screen
Starting the HP-UX HIDS System Manager The HP-UX HIDS System Manager program, idsgui, must run as user ids. Start it from the shell. To start the HP-UX HIDS System Manager, follow these steps: 1. Log in to the administration system as root. 2. Switch to ids. # su ids 3. Start the HP-UX HIDS System Manager: $/opt/ids/bin/idsgui The System Manager screen is displayed. The screen appears in about 16-20 seconds. NOTE: You can run only one instance of System Manager at a time on the administration system.
Table 4-1 Monitored Nodes
Column     Description
Status     The current state of an agent host and any surveillance schedule. The possible status values are described in Table 4-2 (page 50).
Host       The host name assigned on the Host Manager screen.
Address    The host IP address assigned on the Host Manager screen.
Tag        The tag name assigned on the Host Manager screen.
Schedule   The name of the surveillance schedule that is currently loaded, scheduled, or running on this host.
• “Halting HP-UX HIDS Agents” (page 54)
• “Accessing Other Screens” (page 55)
  — “Schedule Manager Screen” (page 55)
  — “Host Manager Screen” (page 55)
  — “Network Node Screen” (page 56)
  — “Preferences Screen” (page 56)
  — “Returning to the System Manager Screen” (page 56)
Starting HP-UX HIDS Agents
Normally, after valid certificates have been imported, the HP-UX HIDS agent starts automatically with /sbin/init.d/idsagent start when the agent host is booted. To start it manually, use the following procedure.
1. On the System Manager screen, in the Monitored Hosts list, select the hosts whose status you want to update.
2. Select one of the following options:
   • Click the Status button.
   • Choose the Actions > Status Poll menu item.
   • Press Shift+F7.
   • Right-click in the Monitored Hosts area and select Status Poll from the menu.
The System Manager begins polling the selected hosts and returns an updated value in the Status field. These values are described in Table 4-2 (page 50).
2. Select one of the following options to resynchronize:
   • Click the Resync button.
   • Choose the Actions > Resync menu item.
   • Press Shift+F6.
   • Right-click in the Monitored Hosts area and select Resync from the menu.
Any alerts in each agent’s log file that are newer than the last one seen by the System Manager are transferred to the System Manager’s log files. The numbers are updated on the Monitored Hosts list and the alerts and errors are displayed on the Network Node screen for each host.
2. Select one of the following options to stop the schedule:
   • Click the Stop button.
   • Choose the Actions > Stop Schedule menu item.
   • Press Shift+F3.
   • Right-click in the Monitored Hosts area and select Stop Schedule from the menu.
The schedules are stopped and removed from the selected hosts. The Status field is set to Available and the Schedule field is set to None. To restart the schedules, you must activate them again. For more information, see “Activating Schedules on Agent Hosts” (page 53).
Procedure 4-9
To halt the agent locally on the agent host, follow these steps:
• On the agent host, perform one of the following steps to halt the agent locally:
  • Log in to the agent system as root and enter the following command:
    $ kill -TERM $(cat /var/opt/ids/idsagent.pid)
    NOTE: You can also do this as user ids.
  • Log in to the agent system as superuser (root) and enter the command:
    $ /sbin/init.
Network Node Screen
The Network Node screen displays the alerts and errors for a selected agent host. To view the Network Node screen for an agent host, follow these steps:
1. On the System Manager screen, in the Monitored Hosts list, select the hosts you want to view.
2. Perform one of the following tasks:
   • Choose the View > Network Node menu item.
   • Press Ctrl+B.
For each selected host, a Network Node screen appears with the current contents of the host’s alerts and errors log displayed.
5 Using the Schedule Manager Screen This chapter describes how to configure HP-UX HIDS surveillance schedules, surveillance groups, and detection templates.
• The Global Properties tab, where you can specify whether to aggregate specific program alerts, monitor failed attempts, or suppress duplicate alerts. To configure alert aggregation, see “Configuring Alert Aggregation” (page 72). To monitor the successful and failed attempts of creating, deleting, and modifying critical files or directories, see “Configuring Monitor Failed Attempts” (page 75).
Creating a Surveillance Schedule
This section describes how to create a surveillance schedule. To create a surveillance schedule, follow these steps:
1. Create a surveillance schedule name. The schedule will contain one or more surveillance groups. For more information, see “Configuring Surveillance Schedules” (page 60).
Opening the Schedule Manager Screen
This section describes how to open the Schedule Manager screen. To open the Schedule Manager screen, follow the step given below:
• On the System Manager screen, perform one of the following steps:
  • Choose the Edit > Schedule Manager menu option.
  • Press Ctrl+S.
  • Double-click anywhere in the Schedules panel or on a schedule name.
The Schedule Manager screen (Figure 5-1) is displayed with the Configure tab active.
NOTE: The /etc/opt/ids/schedules/sample directory contains read-only copies of the predefined schedules. Users who want to revert to the original predefined schedules can manually copy them from /etc/opt/ids/schedules/sample into /etc/opt/schedules.
Creating a New Surveillance Schedule
This section describes how to create a new surveillance schedule. To create a new surveillance schedule, follow these steps:
1. Go to the Schedule Manager screen.
2. Create a name for the new surveillance schedule.
3. Create a name for the new surveillance schedule.
   a. Press the Copy button on the Schedules panel. This opens the Copy Surveillance Schedule dialog box (Figure 5-3).
      Figure 5-3 Copy Surveillance Schedule Dialog
   b. Enter a name in the input field. Valid characters are alphanumeric and underscore; the first character must be alphanumeric. Schedule names are case-sensitive. If you include invalid characters, you will be prompted to replace them with underscores.
2. Open the Rename Surveillance Schedule dialog box (Figure 5-4) by performing one of the following tasks:
   • Click the Rename button in the Schedules panel. This only changes the names of the schedule and its disk file. The schedule is not saved to disk.
   • Choose File > Save Selected Schedule As. This changes the schedule and file names, and saves the schedule to the disk.
   Figure 5-4 Rename Surveillance Schedule Dialog
3. Edit the name in the input field.
2. Select the schedule in the Schedules panel.
3. Save the schedule by using one of the following options:
   • Click the Save button.
   • Choose File > Save Selected Schedule.
Configuring Surveillance Groups
Surveillance groups are the building blocks of surveillance schedules. They are made up of one or more detection templates. You can create, edit, modify, or delete surveillance groups. You can also choose to edit one of the predefined surveillance groups.
3. Create a name for the new surveillance group.
   a. Click the Copy button on the Surveillance Groups panel. This opens the Copy Surveillance Group dialog box (Figure 5-6).
      Figure 5-6 Copy Surveillance Group Dialog
   b. Enter a name in the input field. Valid characters are alphanumeric and underscore; the first character must be alphanumeric. Group names are case-sensitive. If you include invalid characters, you will be prompted to replace them with underscores.
Figure 5-7 Rename Surveillance Group Dialog
4. Edit the name in the input field. Valid characters are alphanumeric and underscore. The first character must be alphanumeric. Group names are case-sensitive. If you include invalid characters, you will be prompted to replace them with underscores.
5. Click OK to change the name and Cancel to leave the name unchanged.
Deleting a Surveillance Group
This section provides steps to delete a Surveillance Group.
The parameters for a template may be configured once the detection template is added to a surveillance group. At this point, you will be able to view all the editable properties. You can also change the default values of these properties. Modifying a Property Value in a Template The values you add, modify, or delete are local to the current group. Other groups can have different values for the same template properties. To change the value of a property in a detection template, follow the steps: 1.
5. If the value is a list (zero or more values in brackets, for example, [0, 1, 5, 11]), the Edit List dialog box is displayed (Figure 5-9).
   Figure 5-9 Edit List Dialog
   Perform one of the following substeps to add, modify, or delete a value.
   a. To add a new value
      1. Click the Add button. An Edit dialog box is displayed (Figure 5-10).
         Figure 5-10 Edit Dialog - Add
      2. Enter a value in the text box. In general, the value cannot be null.
      3. Click OK to insert the value and Cancel to quit without adding.
      3. Edit the value in the text box. In general, the value cannot be null.
      4. Click OK to accept the new value and Cancel to leave the value unchanged.
   c. To delete a current value
      1. Highlight one of the values in the Edit List display. If you highlight more than one, the first one is processed.
      2. Click the Delete button. The value is deleted. Lists can be empty.
Undoing and Redoing Changes
You can undo and redo the changes you have made by using the Undo and Redo buttons.
many alerts, which are not security relevant.
• The “Files Modified by Program List/Program List” properties can be used to ignore changes to certain files when they are performed by a known program.
• The pathnames_to_not_watch property can be used to ignore directories and files where changes to files are not considered security risks.
• The template “Modification of Another User’s File Template” (page 144) generates many alerts if not tuned correctly.
Specifying When a Schedule Will Run
To specify when a schedule will run, follow these steps:
1. Select the Timetable tab of the Schedule Manager screen (Figure 5-12).
   Figure 5-12 Schedule Manager Screen - Timetable Tab
2. Highlight the schedule name in the Schedules panel. The groups that are part of the schedule are displayed in the Selected Groups panel of the Schedule tab.
3. In the Selected Groups panel, highlight one of the groups.
For example, you may select Monday, Tuesday, Friday, and Sunday.
7. In the Select Times panel, choose the hour blocks in which the group should run. This is a list, so you can left-click to pick an hour, Shift-left-click to add all intervening hours, and Ctrl-left-click to add or remove individual hours. For more detail, see “Selecting with the Mouse” (page 98).
enabled, the following alerts are issued and displayed in the GUI network nodes and logged in the alert log file (defined by the IDS_ALERTFILE configuration variable) of the agent:
• File-related aggregated alerts
• File-related real-time alerts that could not be aggregated
• Non-file-related real-time alerts
These alerts are also sent to any response programs in the response directory, as defined by the IDS_RESPONSEDIR configuration variable described in “Global Configuration” (page 192) (the default is
4. Select the Real Time Alerts option box to enable the generation of real-time alerts when alert aggregation is enabled.
   NOTE: When the Alert Aggregation option box is not selected, the Real Time Alerts option box is automatically selected to indicate that real-time alerts will be generated.
5. Enter the path name of a program under the Programs to Aggregate Alerts for table column to aggregate alerts triggered by a process running that program and by that process's descendant processes.
For example, a program with full path name /usr/bin/program can be invoked as program or as ../bin/program, or as /bin/program, where /bin is a symbolic link to /usr/bin. Under the conditions previously stated, alert aggregation cannot happen as expected if the regular expression ^/usr/bin/program$ is specified in the aggregation tuple instead of program.
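To make the two points above concrete (alerts are attributed to a configured program through the process ancestry, and a pattern anchored to the full path misses a program invoked by a relative name), the following Python is an added example, not HIDS code. The process table, the alerts and the program name nightly_backup are constructed; treating the configured entry as a regular-expression search against the name as invoked is an assumption about how the matching works.

```python
import re

# Constructed process table: pid -> (ppid, program name as invoked).
# The program and paths are hypothetical; they are not from the manual.
PROCESSES = {
    1:   (0,   "/sbin/init"),
    100: (1,   "../bin/nightly_backup"),  # started via a relative path
    101: (100, "cp"),
    102: (101, "chmod"),
    200: (1,   "vi"),
}

# Constructed file-related alerts: (pid that triggered the alert, description).
ALERTS = [
    (101, "file /etc/passwd copied"),
    (102, "mode of /etc/shadow changed"),
    (100, "archive /var/backup/etc.tar created"),
    (200, "file /home/alice/.profile modified"),
]


def ancestry(pid, processes):
    """Yield pid, then each ancestor up to the root of the process table."""
    while pid in processes:
        yield pid
        pid = processes[pid][0]


def aggregation_root(pid, patterns, processes):
    """Return the nearest pid (self or ancestor) whose invoked program name
    matches one of the configured patterns, or None when no ancestor runs a
    program in the aggregation list. Matching is a regular-expression
    search against the name as invoked (an assumption of this example)."""
    for candidate in ancestry(pid, processes):
        name = processes[candidate][1]
        if any(re.search(pattern, name) for pattern in patterns):
            return candidate
    return None


def route_alerts(alerts, patterns, processes):
    """Split alerts into aggregated ones (grouped by the pid of the matching
    program) and real-time ones that no configured program accounts for."""
    aggregated, realtime = {}, []
    for pid, description in alerts:
        root = aggregation_root(pid, patterns, processes)
        if root is None:
            realtime.append((pid, description))
        else:
            aggregated.setdefault(root, []).append((pid, description))
    return aggregated, realtime


def summarize(aggregated, processes):
    """One aggregated line per matched program: invoked name -> alert count."""
    return {processes[root][1]: len(items) for root, items in aggregated.items()}


if __name__ == "__main__":
    for pattern in ["nightly_backup", r"^/usr/bin/nightly_backup$",
                    r"(^|/)nightly_backup$"]:
        agg, rt = route_alerts(ALERTS, [pattern], PROCESSES)
        print(f"{pattern!r}: {summarize(agg, PROCESSES)}, {len(rt)} real-time")
```

The bare name nightly_backup aggregates the three alerts raised by the program and its cp and chmod descendants, while the full-path pattern aggregates nothing because the program was started as ../bin/nightly_backup. The third pattern, (^|/)nightly_backup$, is a compromise suggested by this example only: it matches any invocation path that ends in the program name without also matching unrelated names that merely contain it.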
1. Select a schedule in the Schedules panel.
   Figure 5-14 Schedule Manager Screen - Miscellaneous Tab
2. Select the Global Properties tab on the Schedule Manager screen.
3. Select the Miscellaneous tab under the Global Properties tab.
4. Select the Monitor Failed Attempts to Create/Modify/Delete Critical Files option.
   NOTE: By default, this option is disabled.
5. Click Save. The selection will be saved.
Figure 5-15 The Duplicate Alert Suppression Tab
Duplicate Alert Suppression Options
Following are the duplicate alert suppression options:
• Duplicate Alert Suppression: Select or deselect the Duplicate Alert Suppression checkbox to enable or disable duplicate alert suppression. By default, this property is enabled. You can also set this property by editing the ids.cf file. Comment out the following entry in the ids.
• Suppression Interval: Use this property to suppress duplicate alerts (for any given alert) until the time specified in the Suppression Interval property has elapsed or the number of duplicate alerts is equal to or greater than the Suppression Count property value. The default value of this property is 6 hours. This means that HIDS suppresses duplicate alerts for any given alert over a 6 hour period, unless the number of duplicate alerts for that alert reaches the value of the Suppression Count property first.
1. On the Schedule Manager screen (Figure 5-16), select the Details tab. Figure 5-16 Schedule Manager Screen - Details Tab 2. In the Schedules panel, select a schedule. The text version of the surveillance schedule is displayed. If times have not been assigned to groups in the schedule, the display will be very short. Refreshing the Details Display To refresh the display, follow the step given below: • Click on the Refresh button.
1. Perform one of the following tasks:
• Click the Save button
• Choose File > Save
• Enter Ctrl+S
The Save dialog box (Figure 5-17) is displayed.
Figure 5-17 Save Dialog
2. Click OK to save, Cancel otherwise. If you click OK, the File Saved dialog box (Figure 5-18) is displayed. It shows the full path name that the schedule was saved as. The file is stored in /var/opt/ids/bin/gui/logs; /opt/ids/bin/gui/logs is a symbolic link. The file name is the name of the schedule with a .txt extension.
Table 5-1 Predefined Surveillance Schedules
Surveillance Schedule | Surveillance Group | Detection Templates
FileAndLoginMonitoringAlwaysOn | FileModificationGroup | Changes to Log File Template; Modification of files/directories Template; Creation and Modification of setuid/setgid File Template; Creation of World-Writable File Template; Modification of Another User’s File Template
FileAndLoginMonitoringAlwaysOn | LoginMonitoringGroup | Login/Logout Template; Repeated Failed Logins Template; Repeated Failed su Commands Template
FileLoginLogMonitor
FileModificationsWeekdays | FileModificationGroup | Changes to Log File Template; Creation and Modification of setuid/setgid File Template; Creation of World-Writable File Template; Modification of Another User’s File Template; Modification of files/directories Template
FileModificationsWeekends | FileModificationGroup | Changes to Log File Template; Creation and Modification of setuid/setgid Fi
6 Using the Host Manager Screen This chapter describes the tasks you can perform using the Host Manager screen. This chapter addresses the following topics: • “Managing Hosts” (page 83) • “Adding New Hosts” (page 84) • “Modifying a Host” (page 88) • “Deleting a Host” (page 89) • “Enabling and Disabling Hosts” (page 89) • “Managing a Tag” (page 89) • “Maintaining Host Files” (page 91) Managing Hosts The Host Manager screen enables you to specify the host systems that you plan to monitor using HP-UX HIDS.
Figure 6-1 Host Manager Screen
Closing the Host Manager Screen
To close the Host Manager screen, complete the following steps:
1. On the Host Manager screen, choose one of the following options:
• Select File > Close.
• Press Ctrl+C.
2. If you have modified but not saved the current host list, the Host List Manager Modified dialog box is displayed. Select Yes to save the current list in the current file. The default host list file is /etc/opt/ids/gui/config/sentinal.hosts.
1. On the Host Manager screen, open the Add Host dialog box, shown in Figure 6-2, by following one of the steps below:
• Select Edit > Add Host > Manually.
• Click Add.
• Right-click and select Add New Host from the menu.
• Press Shift+F6.
2. Fill in the Host Name and IP Address fields. There are three ways you can do this, described in order of preference. A host name must start with a letter and contain only letters, digits, periods, underscores, and hyphens. Host names are not case sensitive. For example, xy3-z5 and xy3-z5.a32c.edu. The IP address can be an IPv4 or IPv6 address. An IPv4 address consists of four decimal fields, each in the range 0 to 255, separated by periods. For example 192.0.2.4. IPv6 addresses are in colon notation.
If the host name cannot be determined, the Add Host Error box is displayed with the message, Unknown Host Name - unable to resolve IP Address. Click OK and redo this step, making sure to enter a host name. NOTE: The IP address is the best method for adding a multihomed agent host. For more information, see “Configuring a Multihomed Agent System” (page 35). c. Host Name and IP Address Enter the host name of the agent host in the Host Name field.
2. You can change the Files of type: dropdown list to All Files, and use the Look in: dropdown list with the display list to choose the directory where your file resides.
3. Select your file from the list, and click Open to read the file, or Cancel to abort. The entries in the file are added to the hosts list according to “Rules for Host Lists Files” (page 88). The Monitored boxes are unchecked.
NOTE: When you modify a host entry’s host name, the old alert and error log file names are not changed. When new alerts or errors arrive for the renamed host entry, they go into new log files that have the new host name.
Deleting a Host
To delete a host entry, follow these steps:
1. On the Host Manager screen, select one or more entries in the host list.
2. Delete the entries by performing one of the following steps:
• Select Edit > Delete Host.
• Click Delete.
• Right-click > menu > Delete Host.
1. On the Host Manager screen, bring up the Edit Host Tag List dialog box, as shown in Figure 6-7, by performing one of the following steps:
• Select Edit > Host Tag List.
• Press Ctrl+T.
Figure 6-7 Edit Host Tag List Dialog
2. Add, modify, or delete tags.
• To add a tag, follow these steps:
1. Click Add to display the Add Host Tag dialog box, as shown in Figure 6-8.
Figure 6-8 Add Host Tag Dialog Box
2. Enter a tag name in the input field.
2. Modify the tag name in the Edit Host Tag Entry field. The name can contain any printing characters and it can be of any length. Spaces are significant. Tag names are case-sensitive. Duplicate tags are discarded when you exit. Go on to Step 3.
3. Click OK to accept the change, or Cancel to retain the original. You return to the Edit Host Tag List dialog box where you can perform more add, edit, and delete operations. Go on to Step 2 or, to exit, go on to Step 3.
• To delete a tag, follow these steps:
1.
1. On the Host Manager screen, bring up the Save dialog box, as shown in Figure 6-9 by performing one of the following steps: • Choose the File > Save As menu item. • Press Ctrl+A. Figure 6-9 Save Dialog Box 2. Either click a file name in the list or enter a new name in the file name field. NOTE: You can change directories, but HP recommends that you keep your host files in the default /etc/opt/ids/gui/config directory. 3. Click Save to save the file, or Cancel to exit without saving.
1. On the Host Manager screen, open the Open dialog box as shown in Figure 6-10, by performing one of the following steps:
• Choose the File > Open menu item.
• Press Ctrl+O.
Figure 6-10 Open Dialog Box
2. Select a file name in the list.
3. Click Open to open the file, or Cancel to exit without changing host files. The hosts are displayed on the Host Manager screen. The monitored hosts are also displayed on the System Manager screen.
7 Using the Network Node Screen This chapter describes the Network Node screen, which displays alerts and errors for a specified agent host. It addresses the following topics: • “Network Node Screen” (page 95) • “Alerts Tab” (page 96) • “Errors Tab ” (page 97) • “General Operations” (page 97) Network Node Screen The Network Node screen contains lists of alerts and errors that have been detected by the related agent. Click the Alerts or Errors tab to view the lists and details.
Alerts Tab The Alerts tab shown in Figure 7-1 displays the alerts that were detected by the surveillance schedule on one of the agent host systems. On the Network Node screen, click the Alerts tab. Figure 7-1 Network Node Alerts Tab Each alert entry displays the alert severity, the attacker, the attack type, the date and time the alert was generated, and other data. The columns displayed depend on selections on the Preferences screen, which lists and describes all the column names.
For detailed information on the alerts, see Appendix A (page 111). You can create automated alert response programs that are executed automatically when an alert is generated, and pass the information to an analysis system. For example, HP provides a package that sends alerts to the HP OpenView Operations (OVO) program for evaluation and action. For more information, see Appendix B (page 159).
Sorting Entries
By default, alerts and errors are listed in ascending date/time order. However, you can resort the list by any attribute in either ascending or descending order. Follow one of these steps:
• Click the appropriate column header to toggle between ascending and descending order.
• Select an item from the Sort menu. There is an ascending and descending entry for each defined column. These are effective whether the column is displayed or not.
The search begins after the anchor entry. If an unseen entry is found, it is highlighted and other selections are cleared. If only the current entry is unseen or there are no unseen entries, no action is taken. Searching for a String You can search for an entry in the list on the Alerts or Errors tab based on any string in any column, displayed or not. The search string is not case sensitive. To start a search, follow these steps: 1.
Marking Entries as Seen or Unseen
You can mark alert or error entries as seen or unseen, to separate entries you have handled from those still under consideration. Marking an alert as seen or unseen changes the Unseen Alerts column for the host on the System Manager screen.
Seen
Mark an entry as seen in the following ways:
• Click it. See “Selecting with the Mouse” (page 98).
• Click in a blank box in the entry’s Seen column.
• Click the All Seen button. All entries on the current tab are marked as seen.
NOTE: The Network Node screen title bar indicates how you obtained the data on the screen. If it consists of Network Node - hostname, where hostname is the name of the monitored host, the data comes from the master log file for that host and you selected the Network Node screen from the System Manager screen. If it consists of Network Node - pathname, where pathname is the full path name of a file, the data comes from a log file set that you selected with the File > Open menu item.
3. Click Save or press Alt+S to save the alert and error log files. In the examples in Step 2:
1. The files are named myhost1.backup_alert.log and myhost1.backup_error.log.
2. The files justopened_alert.log and justopened_error.log are overwritten.
To cancel the save, click Cancel or press Alt+C.
Example: Creating a New File Set
To create a new file set named myhosttu, follow these steps:
1. In the Save dialog box, enter myhosttu in the File Name field.
2.
HP-UX HIDS agent software is running, the agent software recreates the files and continues to log in the newly created files. For more information, see “Log File Rotation” (page 191).
8 Using the Preferences Screen This chapter describes operational and display settings that you can set on the Preferences screen. This chapter addresses the following topics: • “General Preferences” (page 105) • “Browser Preferences” (page 106) □ “Alert Events Preferences” (page 106) □ “Error Events Preferences” (page 107) □ “System Manager Preferences” (page 108) The Preferences screen enables you to specify several system operational preferences.
Table 8-1 General Preferences Tab
Option | Default | Description
Automatic Startup Status Poll | On | When this option is selected (checked), the System Manager automatically polls all the entries in the monitored list for current status whenever the System Manager is restarted. This is equivalent to selecting Actions > Status Poll from the System Manager screen. You can disable this feature if HP-UX HIDS agents are currently not installed or operational on agent hosts.
Figure 8-2 Alert Events Subtab
In Table 8-2, the column names marked with asterisks (*) correspond to fields in the alert message.
Table 8-2 Alert Events Subtab
Column Name | Default | Description
Seen | Yes | The entry has been seen.
Severity * | Yes | 1: critical; 2: severe; 3: alert.
Attacker * | Yes | User name or IP address of the attacker.
Attack Type * | Yes | Name of the alert.
Date/Time | Yes | Local date and time.
Target Host | No | Name of host where alert was generated.
The Error Events subtab lists the columns that can be displayed on the Errors tab of the Network Node screen. Check the boxes to display the columns. The column names are shown in Figure 8-3 and described in Table 8-3. Click an option box to select or deselect the option.
Figure 8-3 Error Events Subtab
Table 8-3 Error Events Subtab
Column Name | Default | Description
Seen | Yes | The entry has been seen.
Date/Time | Yes | Local date and time.
Code | No | Error code number.
Figure 8-4 System Manager Subtab
Table 8-4 System Manager Subtab
Column Name | Default | Description
Status | Yes | Status of agent host.
Host | Yes | Name of host being monitored.
Schedule | Yes | Name of activated surveillance schedule; None if none.
Tag | Yes | The tag, if any, associated with the host.
Total Alerts | Yes | Total number of alerts in System Manager log file for host.
Unseen Alerts | Yes | Total number of unseen alerts in System Manager log file for host.
A Templates and Alerts This appendix describes the detection templates that constitute the surveillance groups. It also describes the alerts that are passed to the System Manager and to the response programs by the HIDS agent.
Table A-1 Detection Templates (continued)
Alert | Attack | Alert Severity
File system modification or potential modification | The following operations were either unsuccessfully or successfully performed on a read-only file:
• Modification of the mode or ownership
• Modification of the file content
• Creation
• Opening the file for writing or appending that may (or may not) be followed by an actual file modification.
| 3
Table A-1 Detection Templates (continued)
Alert | Attack
World-writable file created | A file with world-writable permission was created by a privileged user, the world-writable bit was set on an existing file owned by a privileged user, the owner of a world-writable file was changed to a privileged user from a nonprivileged user, or a world-writable file owned by a privileged user was renamed from a location that is not being monitored to a location that is being monitored.
1 Higher severity if specified by the severity template property or the log_severity_def global property. For more information about the severity property, see “Log File Monitoring Template”. For more information about the log_severity_def global property, see “Surveillance Schedule Section”.
2 Higher severity if specified by an ip_filter property. For more information about the ip_filter property, see “Login/Logout Template” (page 147).
Limitations
This section describes the general limitations of the templates. Template specific limitations are discussed in the respective template sections. Following are some general limitations:
• No file monitoring template can filter alerts based on whether a file is local or remote (NFS).
• File monitoring templates, by design, do not detect whether the contents of a file were modified.
• File-related templates can generate alerts with file relative path names, instead of file full path names.
NOTE: If a file or directory path name matches a regular expression in both the pathnames_to_watch and pathnames_to_not_watch property, then the file or the directory is not monitored.
NOTE: The pathnames_0/programs_0 pair is a special case in which alerts for files specified in pathnames_0 are not generated when the corresponding programs in programs_0 or in any of the program’s child processes or grandchild processes trigger the alert.
IMPORTANT: Specifying a program’s relative path name to ignore alerts is unsafe, whether the path name refers to a script or an executable program. A relative path name matches any program invoked by that name, regardless of the directory it lives in, so an attacker can construct an attack script or program with the same relative path name, and alerts for that program are filtered if the relative path name is specified as the value in a pathnames/programs pair. Specify the program by its full path name instead.
user_pairs_to_ignore | root, daemon | 0, bin | root, 3 | 0, 4
In this example, an alert is not triggered if any of the following conditions are met:
- The file owner’s name is root and the effective user ID of the modifying process corresponds to the user name daemon.
- The file owner’s user ID is 0 and the effective user ID of the modifying process corresponds to the user name bin.
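The following shell script is an added example, not part of HP-UX HIDS or of this guide, that evaluates a user_pairs_to_ignore value the way the description above says it is applied: each side of a pair may be a user name or a numeric uid, and both are resolved to uids before the (file owner, effective uid) combination is compared. The /etc/passwd excerpt, the function names and the sample pairs are constructed for the example; the uids it assigns to daemon, bin, sys and adm are illustrative only.

```shell
#!/bin/sh
# Added example, not HP-UX HIDS code: evaluates a user_pairs_to_ignore value
# as the property description states. Each "owner, euid" pair may use a user
# name or a numeric uid on either side; both sides are resolved to uids
# before comparing.

# Constructed /etc/passwd excerpt so the example runs offline (not real data).
PASSWD='root:x:0:3::/:/sbin/sh
daemon:x:1:5::/:/sbin/sh
bin:x:2:2::/usr/bin:/sbin/sh
sys:x:3:3::/:/sbin/sh
adm:x:4:4::/var/adm:/sbin/sh
alice:x:101:20::/home/alice:/usr/bin/ksh'

# to_uid NAME_OR_UID: a numeric value is returned as is; a name is looked up
# in PASSWD, and an unknown name yields an empty string.
to_uid() {
    case "$1" in
        ''|*[!0-9]*) printf '%s\n' "$PASSWD" | awk -F: -v n="$1" '$1 == n { print $3; exit }' ;;
        *) echo "$1" ;;
    esac
}

# trim STRING: strips the blanks around one element of a pair.
trim() {
    printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# pair_ignored LIST OWNER EUID: returns 0 when the (file owner, effective uid)
# combination matches a pair in LIST, so the alert would be suppressed, and
# 1 otherwise. LIST is the property value exactly as written in the template,
# for example "root, daemon | 0, bin | root, 3 | 0, 4".
pair_ignored() {
    owner_uid=$(to_uid "$2"); euid=$(to_uid "$3")
    [ -n "$owner_uid" ] && [ -n "$euid" ] || return 1
    printf '%s\n' "$1" | tr '|' '\n' | while IFS=, read -r a b; do
        if [ "$(to_uid "$(trim "$a")")" = "$owner_uid" ] &&
           [ "$(to_uid "$(trim "$b")")" = "$euid" ]; then
            echo match
        fi
    done | grep -q match
}

# The guide's example: a root-owned file modified by daemon is ignored,
# the same file modified by alice still raises an alert.
LIST='root, daemon | 0, bin | root, 3 | 0, 4'
pair_ignored "$LIST" root daemon && echo 'root file, euid daemon: ignored'
pair_ignored "$LIST" root alice || echo 'root file, euid alice: alert'
```

Because names on both sides are resolved to uids, "root, daemon" and "0, 1" describe the same pair; an entry that names a user absent from the password file never matches, which is safer than a bare string comparison that would silently match nothing or everything.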
values of 23 seconds, 10 minutes, 1 hour and 23 seconds; the s component in the last line is redundant, but can be used for clarity.
fail_interval | 23
warning_interval | 10m
fail_interval | 1h
warning_interval | 23s
NOTE: You cannot specify the time unit value in the Schedule Manager screen.
Type VII: Flags
The Type VII property value is an integer used to enable or disable a flag. A value of 1 means enabled, and a value of 0 means disabled.
Type XI: String The Type XI property value is a literal string. Unlike the Type I property, the Type XI property is not interpreted as a regular expression and only specifies one literal string. The logfile template property of the Log File Monitoring template is a Type XI property that specifies the pathname of a logfile. For example, the following specifies that the syslog.log file should be monitored: logfile | /var/adm/syslog/syslog.
NOTE: In HP-UX 11i v2 and later, comprehensive stack buffer overflow protection, which uses a combination of highly efficient software and existing memory management hardware, protects against both known and unknown buffer overflow attacks without sacrificing system performance. This protection is managed with the executable_stack tunable kernel parameter. You can allow selected programs to execute from the stack by marking them with the +es enable option of the chatr(1) command.
Table A-3 Execute on Stack Alert Properties
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[1] | Template code | Integer | 0 | Unique code assigned to the template
argv[2] | Version | Integer | | Version of the template
argv[3] | Severity | Integer | 1 | Alert severity
argv[4] | UTC Time | Integer | | UTC time in number of seconds since epoch when execute-on-stack was detected
argv[5] | Attacker | String | | The user ID, group ID, process ID, and parent process ID of the proce
Table A-4 Unusual Argument Length Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[5] | Attacker | String | uid=, gid=, pid=, ppid= | The user ID, group ID, process ID, and parent process ID of the process that executed a privileged setuid program with an unusually long argument length
argv[6] | Target of Attack | String | file=, type=, mode=, uid=, gid=, inode=, device= | Descripti
Table A-5 Argument with Nonprintable Character Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[5] | Attacker | String | uid=, gid=, pid=, ppid= | The user ID, group ID, process ID, and parent process ID of the process that executed a privileged setuid program with an argument that contains a nonprintable character
argv[6] | Target of attack | String | file=, type=, mode=, uid=, gid=
a symbolic link, where the symbolic link is constantly being changed from pointing to the privileged script to pointing to the attacker’s own attack script. Starting with HP-UX 11i v1.6, a kernel tunable parameter called secure_sid_scripts(5) was introduced with a default value that indicates that the setuid and setgid bits on scripts are ignored by the kernel.
pathnames_X, programs_X You can use these properties to filter out race condition alerts generated when a specified program modifies the file reference of a privileged program for a particular file. See “Type II: Path Names/Programs Pairs” (page 116) for a detailed description of these property pairs.
NOTE: See Table B-1 (page 161) and Table B-5 (page 163) in Appendix B for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without parsing the string alert fields.
Privileged setuid Script Executed
This template generates and forwards alerts to a response program when a privileged setuid script is executed (either directly or through a symbolic link) and the kernel has honored the setuid bit.
NOTE: See Table B-1 (page 161) and Table B-5 (page 163) in Appendix B for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without parsing the string alert fields. Limitations The Race Condition template can be CPU intensive because it monitors all file references on the system.
Table A-9 File/Directories Template Properties
Name | Type | Default Value
pathnames_to_watch | I | ^/\.rhosts$ | ^/\.shosts$ | ^/\.profile$ | ^/bin/ | ^/sbin/ | ^/usr/bin/ | ^/usr/sbin/ | ^/usr/local/bin/ | ^/lib/ | ^/usr/lib/ | ^/usr/local/lib/ | ^/stand/build/dlkm\.vmunix_test/ | ^/stand/vmunix$ | ^/stand/kernrel$ | ^/stand/bootconf$ | ^/stand/system$ | ^/dev/dsk/ | ^/dev/rdsk/ | ^/dev/rmt/ | ^/dev/rsdsi/ | ^/dev/vg[0-9]*/ | ^/dev/idds$ | ^/usr/dt/config/Xconfig$ | ^/tcb/files/devassign$ | ^/etc/rc\.config\.
File Being Modified Table A-10 lists the alert properties this template generates and forwards to a response program when a file is modified.
Table A-10 File Being Modified Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
(continued from the preceding row) Following are the possible values:
• created the file
• created the character special file
• created the directory
• created the block special file
• created the pipe (fifo) file
• deleted the file
• deleted the directory
• performed system call on the file
argv[9] | Event | String | Following are the possible values:
• File ownership modified
• File permission modified
• File opened for
Table A-11 Failed Attempt to Modify Read-Only File Alert Properties
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | User with uid (type=, inode=, device=) when executing (type=, inode=, device=), invoked as follows: ... |
Table A-11 Failed Attempt to Modify Read-Only File Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
(continued from the preceding row) Following are the possible values:
• Failed attempt to change the owner
• Failed attempt to change the permissions of
• Failed attempt to open for modification/truncation
• Failed attempt to open for modification
• Failed attempt to rename the file
• Failed attempt to overwrite an existing file
• Failed attempt to truncate the file
• Faile
monitors a user-specified set of regular files for successful attempts to open a file with write or truncate permission, to delete the file, to rename the file, or to truncate the file. This template does not monitor changes in file ownership or permissions. The template also does not monitor for the creation of a new file. Finally, this template does not determine that a file’s contents were changed, only that a change might have been made.
Table A-13 Append-Only File Being Modified Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[5] | Attacker | String | uid=, gid=, pid=, ppid= | The user ID, group ID, process ID, and parent process ID of the process that modified the file
argv[6] | Target of attack | String | file=, type=, mode=, uid=, gid=, inode=, device= | The full path name of the file that was modi
Table A-14 Failed Attempt to Modify Append-Only File Alert Properties
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | User with uid (type=, inode=, device=) when executing (type=, inode=, device=), invoked as follows: ... |
NOTE: See Table B-1 (page 161) for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without having to parse the string alert fields above. Limitations The Changes to Log File template has the following limitation: • The template cannot distinguish whether a file is created or truncated when creat(2) is invoked.
setuid/setgid template will not detect the creation of a setuid file owned by one of those users. priv_group_list A list of system-level group IDs or group names. This list contains those groups who have elevated access to the system. Removing any of these groups from this list means that the setuid/setgid template will not detect the creation of a setgid file owned by one of those groups.
Table A-16 Setuid File Created / Modified Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | User with uid the file (type=, inode=, device=) (type=, inode=, device=), invoked as follows: ... | Detailed alert description
Creation of World-Writable File Template
The vulnerability addressed by this template
Any user on a system can modify a world-writable file. Many of the files owned by the system users (such as root, bin, sys, adm) are used to control the configuration and operation of the system. Allowing regular users to modify these files exposes the system to attacks. A world-writable directory containing system files enables an attacker to replace these files.
Properties
The configurable properties are listed as follows:
priv_user_list: A list of system-level user IDs or user names. This list contains users that have elevated access to the system. Removing any of these users means that this template does not detect the creation of a world-writable file owned by those users.
pathnames_to_not_watch: Path names of files that can be safely ignored if they are made world writable.
pathnames_X, programs_X
Table A-18 World-Writable File Created Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | User with uid the file (type=, inode=, device=) (type=, inode=, device=), invoked as follows: ... |
• an alert that a world-writable file is created even though the file already exists, and is opened with the create flag set. The template cannot always distinguish whether a world-writable file is created, or whether an existing world-writable file is truncated. The template can generate an alert that a file is created, instead of generating an alert that a world-writable file is truncated.
Properties
Configure the following properties based on the individual machine configuration and usage.
pathnames_to_not_watch: Path names of files that can be safely ignored if they are modified by non-owners.
users_to_ignore: Users running with an effective uid that equals one of the listed user IDs or corresponds to one of the listed user names can modify files they do not own without generating an alert. It is recommended that this property is left blank unless specifically needed.
Table A-20 Non-Owned File Being Modified Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[7] | Summary | String | Non-owned file being modified | Alert summary
argv[8] | Details | String | User with uid (type=, inode=, device=) (type=, inode=, device=), invoked as follows: ... |
Table A-21 Failed Attempt to Modify Non-Owned File Alert Properties
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | User with uid (type=, inode=, device=) (type=, inode=, device=), invoked as follows: ... |
How this template addresses the vulnerability The Login/Logout template monitors the start and end of interactive user sessions.
ip_filters: Contains a list of triplets {ip_address, mask, severity}. Filters login alerts and determines the alert’s severity based on which remote host or network the login was made from. If a login’s remote host IP address matches one of the triplet’s IP addresses qualified by the triplet’s network mask, then the alert severity is set to the corresponding triplet’s severity.
priv_user_list
Table A-23 Login/Logout Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | User logged-in on (REMOTE: ) or User logged-out from a session on | Detailed alert description
argv[9] | Event | String | Following are the possible values: • Login • Logout | The event that triggered the alert.
Table A-24 Successful su Detected Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | User switched to user on tty | Detailed alert description
argv[9] | Event | String | Switch-user (su) | The event that triggered the alert.
How this template is configured
Table A-25 lists the configurable properties that this template supports.
Table A-25 Failed Logins Template Properties
Name | Type | Default Value
max_failed_login | VIII | 2
fail_interval | VI | 10 seconds
warning_interval | VI | 30 seconds
priv_user_list | III | root ids
Properties
The configurable properties are listed as follows:
max_failed_login: The number of failed attempts to log in as the same user.
Table A-26 Failed Login Attempts Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[5] | Attacker | String | | Name or IP address of the host from which the user logged in or out.
argv[6] | Target | String | | Name of the user who logged in or out.
How this template is configured
Table A-27 lists the configurable properties that this template supports.
Table A-27 Repeated Failed su Commands Template Properties
Name | Type | Default Value | Description
max_failed_su | VIII | 2 | The number of failed su attempts by a user that must be exceeded before an alert is generated.
fail_interval | VI | 1440 minutes | The time interval over which the failed su attempts must occur to generate an alert.
Table A-28 Repeated Failed su Attempts Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[10] | Flag | Integer | 2 | Indicates a failed su alert versus a failed login alert
argv[11] | Device | String | | The tty from which a failed su attempt was made
argv[12] | From | String | | The name of the user attempting to su
argv[13] | To | String | | The target user of the last failed su attempt
Limitations
The Repeated Failed
characters escaped because the string pattern within double quotes is only parsed by the regular expression parser and not by the template parser, unlike Type I properties that are parsed both by the template parser and the regular expression parser. However, to include double quotes (") as part of a pattern, the double quotes must be escaped with a backslash (\) character.
Table A-30 Log File Monitoring Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[6] | | String | |
argv[7] | Summary | String | Message logged |
argv[8] | Details | String | “” was logged to | Contains message logged and name of log file.
B Automated Response for Alerts This appendix describes how to use response programs to process alerts automatically according to your installation policy. It includes a sample C program, several sample response scripts, and information about a prepackaged response program that communicates with HP OpenView VantagePoint Operations.
How Automated Response Works in HP-UX HIDS
This section discusses how the response programs handle the agent alerts.
Alert Process
When the agent generates an alert, the following actions occur:
1. The agent stores the alert in a local log file with a path name defined by the IDS_ALERTFILE configuration variable. The default is /var/opt/ids/alert.log. For information, see “The Agent Configuration File” (page 191).
2.
3. 4. 5. If you must transmit alert information to another system, set up your own secure communication process. If a response program has its setuid or setgid bit set, it runs as that effective user or group. It is a good practice to restrict setuid and setgid programs to the absolute minimum necessary. For more information, see “Writing Privileged Response Programs” (page 167).
Table B-1 Additional Arguments Passed to Response Programs for Kernel Template Alerts (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[26] | Attack Program Mode | Integer | (decimal) | Mode of the attack program
argv[27] | Attack Program Owner | Integer | | Owner of the attack program (uid)
argv[28] | Attack Program Group | Integer | | Group of the attack program (gid)
argv[29] | Attack Program Inode | Integer | | Inode number of the attack
Table B-3 Additional Arguments Passed to Response Programs for File Modification Failed Attempt Alerts
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[36] | Error Number | Integer | | Number representing the error.
argv[37] | System Call Return Value | Integer | | Return value of the system call.
Table B-5 Additional Arguments Passed to Response Programs for Race Condition Template Alerts (continued)
Response Program Argument | Alert Field | Alert Data Type | Alert Value/Format | Description
argv[43] | Attacked Program Number of Arguments | Integer | |
argv[44] | Attacked Program Arguments | Integer | | Program arguments of the program ....
Table B-8 Additional Arguments Passed to Response Programs While Generating Aggregated Alerts
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[10] | The number of alerts in the aggregated alert | Integer | | The number of template alerts aggregated as part of the aggregated alert.
argv[11] | Attacker process id | Integer | | Process ID (pid) of the attacker.
Table B-8 Additional Arguments Passed to Response Programs While Generating Aggregated Alerts (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[27] | Full hostname of remote host | String | | Full hostname of the remote host from which the attacker logged in. Set to localhost if it is the local host, or to the empty string if it is not known.
Perl References
Use the following references to help write Perl scripts for HP-UX HIDS:
• perlsec(1) in /opt/perl/man.
• http://www.perldoc.com/perl5.6/pod/perlsec.html, the web version of the manpage.
• http://security-archive.merton.ox.ac.uk/bugtraq-200002/0114.html, an email archive thread.
Writing Privileged Response Programs
This section describes how to write privileged and unprivileged C response programs.
NOTE: The pathnames below are suggested places to store files. However, they are not delivered as part of HP-UX HIDS, because of the program's security policy implications.
Solution A
/opt/ids/response/scriptA.sh | A non-setuid script with mode 500 and owned by ids:ids
/opt/ids/response/misc | A directory with mode 500, owned by ids:ids.
/opt/ids/response/misc/privA | A setuid-root program with mode 4550, owned by root:ids
Code for scriptA.
        exit(0);
    }
}
Solution B
/opt/ids/response/privB | A setuid-root program with mode 4550, owned by root:ids
Code for privB program
#include
#include
#include
        {
            perror("kill");
            exit(1);
        }
        fprintf(stderr, "Killed offending process %d\n", pid);
        /* Turn off root privilege */
        if (setresuid(-1, getuid(), geteuid()) == -1)
        {
            perror("setresuid");
            exit(1);
        }
    }
}
exit(0);
}
Solution C
/opt/ids/response/privC
/opt/ids/response/misc
/opt/ids/response/misc/scriptC.
        echo "Critical intrusion: halting process ${pid} running ${24} that modified /etc/passwd" | /usr/bin/mailx -s "$7" ${RECIPIENT}
        kill -KILL ${pid}
    fi
fi
# Exit with no error
exit 0
Sample Response Programs
The following sections contain examples of C and shell script response programs.
Sample C Language Program Source Code
This is sample C language source code for a response program. It is available in /opt/ids/share/examples/ids_alertResponse.c.
Forwarding Information The response script program can either send the alerts to the user through an email or store the alerts in a log file. Sending an Email HP-UX HIDS logs alerts to a file on the local system and sends the alert information to the HP-UX HIDS System Manager.
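The following script is an added example of the unprivileged, log-to-file kind of response script this section describes; it is not one of the manual's own sample programs. It assumes that the alert fields arrive as positional parameters in the order shown in the manual's tables (argument 7 being the Summary field, which the manual's sample script uses as the mail subject), and the log path /var/opt/ids/response.log is an assumed location, not a product default. Because field positions differ between templates, the script records every field by index rather than naming only a few.

```shell
#!/usr/bin/sh
# Added example of an unprivileged HP-UX HIDS response script (not one of the
# manual's samples). It appends every alert field it receives to a log file.
# Assumptions: $7 is the Summary field, as in the manual's sample script; the
# log path below is an assumption, not a product default.

LOGFILE="${HIDS_RESPONSE_LOG:-/var/opt/ids/response.log}"

# is_privileged_uid UID: succeeds when UID is root (0). Scripts of this kind
# must not be installed setuid, so log_alert refuses to run with root privilege.
is_privileged_uid() {
    [ "$1" -eq 0 ]
}

# format_alert FIELD...: print one record built from the positional alert
# fields: the summary first, then every field as argv[N]="value". Embedded
# newlines are replaced by spaces so that one alert is always one log line.
format_alert() {
    summary=$(printf '%s' "$7" | tr '\n' ' ')
    record="summary=\"$summary\""
    i=1
    for field in "$@"; do
        field=$(printf '%s' "$field" | tr '\n' ' ')
        record="$record argv[$i]=\"$field\""
        i=$((i + 1))
    done
    printf '%s\n' "$record"
}

# log_alert FIELD...: prepend a timestamp and append the record to LOGFILE.
# Returns 1 without writing anything when running as root.
log_alert() {
    if is_privileged_uid "$(id -u)"; then
        echo "refusing to run as root: install this script without setuid" >&2
        return 1
    fi
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$(format_alert "$@")" >> "$LOGFILE"
}

# When the agent invokes the script the alert fields are the positional
# parameters; with no arguments (for example when sourced) nothing is logged.
if [ "$#" -ge 7 ]; then
    log_alert "$@"
fi
```

Installed as a non-setuid script owned by ids:ids, as the manual recommends for unprivileged responders, the script has only the ids user's rights, so the worst a malformed alert field can do is produce an odd log line; the record format keeps one line per alert so the log can be grepped by argv index.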
Halting Further Attacks The response script program can stop subsequent attacks on a system either by disabling a user’s account or by disabling the remote network connection. Disabling a user's account If a particular user account is generating many alerts, it may be necessary to disable further logins on that account. The following script shows how to achieve that. IMPORTANT: This script requires privilege and must not be installed as a setuid privileged script.
Disable Remote Networking If you have determined that an intrusion is originating from a remote location, the following script disables networking on the system. IMPORTANT: This script requires privileges and must not be installed as a setuid privileged script. This script is for illustration purposes only. For instructions on safely writing a privileged response program, see “Writing Privileged Response Programs” (page 167).
Preserving Evidence Consult your local legal counsel to determine what steps must be taken to preserve evidence for use in court. The example scripts presented below do not meet the legal requirements for preservation of evidence. Putting a Process to Sleep You can preserve evidence of an intrusion for later analysis. In this example, a process that caused an alert is stopped. Any activity by the process is halted, and the process memory image can be analyzed at a later time.
Snapshot of Critical System State Extending the previous example, this script takes a snapshot of critical system state information that can be used for later analysis.
System Restoration to a Stable state Intruders often replace key system configuration files during an attack. This sample script shows how to replace those files with clean versions that are mounted on a CD-ROM drive. Assume that the CDROM is mounted on /cdrom. IMPORTANT: This script requires privilege and must not be installed as a setuid privileged script. This script is for illustration purposes only.
The OVO HPUX_HIDS-SPI has been certified by HP for OVO V5.x as well as V6.x, and is known to work with OVO V7.1. A future HPUX_HIDS-SPI release is being planned for certification with OVO V8. HP Reference For more information, see HP OpenView Operations SMART Plug-In for HP-UX Host IDS Administrators and Users Guide available at: http://www.managementsoftware.hp.com/products/spi/spi_ids/spi_ids_guide_22.
C Tuning Schedules and Generating Alert Reports
This appendix describes how to tune schedules and generate alert reports using the idsadmin command. This appendix addresses the following topics:
• “Tuning Schedules Using the idsadmin Command.”
• “Generating Alert Reports Using the idsadmin Command.”
Tuning Schedules Using the idsadmin Command
The tune command enables you to tune schedules and reduce the number of false positives (alerts that are generated because of normal system activity).
updates the schedule and deploys it over the two agents. The administrator can choose to intervene in this process; however, it is not required. Schedule Tuning Process The process by which a schedule is tuned can be broken down into the following steps: • “Step 1: Analyzing Alerts and Tuning Schedules.
The syntax for the tune command when invoked from the idsadmin command line is as follows:
idsadmin [-v[vvv]] -t [OPTIONS]
The tune command can also be invoked from the interactive command-line interface as follows:
idsadmin> tune [-v[vvv]] -t [OPTIONS]
Table C-1 describes the various tuning options that you can use with the tune command.
Table C-1 The tune Command Options
Option | Description
-a, --agent-hosts | A comma-separated list of agents (host names) to tune.
— “X” for exact match. This means that the filter is a regular expression that matches one and only one file pathname.
— “R” for regular expression match. This means that regular expression wildcard characters are used to match one or more file pathnames.
— “” (empty string) for no filter. This means that no filter will be generated for this alert.
• is the absolute name of the file under attack.
• is the action (event) for which the alert was generated.
NOTE: No filters are generated for system alerts, and they cannot be filtered using the idsadmin tune command.
NOTE: Duplicate failed login and su attempts can be suppressed using the max_failed_[login,su], warning_interval, and fail_interval template properties.
Using the tune Command
The following examples show different ways of using the tune command to tune your schedules:
Example C-1 To tune schedules for two agents without any user interaction
% idsadmin -t -a abc.hp.com, xyz.hp.
NOTE: Alert filters are generated only for file related alerts.
The following fields in the entries in the file related alerts section of the Tune Command Report can be modified:
•
•
•
The following examples show sections of a Tune Command Report, where the Tune command has suggested a filter for the alert.
• Generate reports for one or more agents
• View alert statistics by agent, severity, alert type, and detection template
• Generate a consolidated report across multiple agents
• Generate incremental reports (i.e.
Table C-2 Reporting Options Supported by idsadmin (continued)
Option | Description
--alert-fields | Comma-separated list of alert fields to print in a report, where:
  • hostname — The hostname of the agent that generated the alert.
  • ipaddr — The host IP address of the agent that generated the alert.
  • template — The template that generated the alert.
  • localdate — The local date and time of the event that triggered the alert.
  • utcdate — The UTC date and time of the event that triggered the alert.
Table C-2 Reporting Options Supported by idsadmin (continued) Option Description --report-output stdout | PATHNAME Specifies a file PATHNAME to override the default location where an alert report is stored or to specify that the alert report must be printed to stdout in addition to being stored in the default location. If PATHNAME is set to /dev/null, then the --email-to option must be specified and the alert report will not be stored persistently in a file.
Example C-6 To generate a report for all the managed agents starting from a particular date
/opt/ids/bin/idsadmin -r --start-date 20070101
This command generates a report for all the managed alerts starting from January 01 2007. This report is saved as an HTML file in /var/opt/ids/reports/HIDS_Report.html. Figure C-2 shows a screenshot of the report in HTML format.
Figure C-2 Screenshot of the Generated Report in .html Format
NOTE: While generating alert reports in .
Example C-7 To generate a report for an agent showing only the date and time (local), severity, attacker, target, and to email the report in text format to a specified email address
/opt/ids/bin/idsadmin -r -a ariel --alert-fields localdate, severity,attacker,target --report-format text --email-to admin@xyz.
Example C-10 To generate a report for all agents listing only alerts related to failed logins, logouts, and failed su attempts. The report is emailed to the specified email address with a customized message and subject line.
/opt/ids/bin/idsadmin -r --alert-events flogin, logout, fsu --email-to admin@xyz.com --email-message "HIDS Alert Report Generated" --email-subject "Report Dated Mar 23 2007"
Example C-11 To generate a report for all agents listed in the sentinal.
D The Agent Configuration File This appendix describes the user-configurable options that can be modified in the HP-UX HIDS agent configuration file, which is located in /etc/opt/ids/ids.cf.
Global Configuration
The Global section is bracketed by the [global]...[END] keywords. Only the parameters in Table D-1 may be edited.
CAUTION: Do not edit any other variables between [global] and its [END] tag.
Table D-1 Global Configuration Variables
Name | Default Value
IDS_ALERTFILE | /var/opt/ids/alert.log
IDS_ERRORFILE | /var/opt/ids/error.
Correlator Process Configuration
The correlator section is bracketed by the [Correlator] ... [END] keywords. Only the parameters in Table D-2 may be edited.
Table D-2 Correlator Configuration Variables
Name | Default Value
CMDLINEARGS | ""
AGGREGATION | "not set"
CMDLINEARGS Used to pass command line options to the idscor process.
Data Source Process Configuration There is a configuration entry for each data source process. Each entry is surrounded by [DSP] and [END] tags. The first entry, for the system log DSP which monitors various system log files, has no modifiable parameters. The second entry is for the kernel audit data DSP. CAUTION: Do not edit any variables in the system log DSP section (between [DSP] NAME idskernDSP and its [END] tag).
IDDS_MODE (continued)
  | Turn off status gathering and block processes if audit data is generated faster than the agent can consume it. This option sacrifices system performance for totally reliable information gathering.
2 | Gather status information on the number of audit records read or written, but still block the kernel. Do not drop audit records in the kernel, but a read of /dev/idds will return immediately if no data is available.
IDS_CONNECT_TIMEOUT | The timeout value in seconds for the agent to complete a network connection with the administration system.
IDS_READ_TIMEOUT | The timeout value in seconds for the agent to complete a network read operation from the administration system.
IDS_WRITE_TIMEOUT | The timeout value in seconds for the agent to complete a network write operation to the administration system.
IDS_SSL_TIMEOUT |
REMOTEHOST |
E The Surveillance Schedule Text File
This appendix describes the surveillance schedule in text format, so that administrators can edit surveillance schedules with their preferred editor instead of the GUI Schedule Manager, and so that administrators who want to automate the activation of surveillance schedules (using scripts) can do so instead of using the GUI System Manager.
NOTE: All schedule files must be located in /etc/opt/ids/schedules.
Surveillance Schedule Text File
The surveillance schedule text file has two main sections:
• Surveillance Schedule Section: A section that defines global properties of a schedule that are not specific to any Surveillance Group or Template. There can only be one Surveillance Schedule section in a surveillance schedule text file.
  using the syntax described in “Type IX: Path Names / Integer Pairs” (page 120), and each tuple is equivalent to a row in the Schedule Manager Alert Aggregation table described in “Configuring Alert Aggregation” (page 72).
• suppression: The suppression property is a duplicate alert suppression property that is used to enable or disable duplicate alert suppression.
  Monitor Failed Attempts To Create / Modify / Delete Critical Files option box that is not selected. By default, the property value is set to “0”.
• log_severity_def: This property defines the default severity level for alerts that are generated by the Log File Monitoring Template. For more information, see “Log File Monitoring Template” (page 155). The property value is specified using the syntax described in “Type VIII: Scalars” (page 120). By default, the property value is set to “3”.
Example E-1 A Sample Surveillance Schedule Text File
The following sample surveillance schedule text file illustrates the usage of different keywords in a schedule:
SCHEDULE TestSched
GLOBALS
aggregation | 1
rt_alerts | 0
aggr_tuples | ^/usr/lbin/swagent$ , 28800
suppression | 1
suppression_report | 1
suppression_interval | 6h
suppression_count | 100
suppression_targets_to_ignore | ^/etc/passwd$ | ^/etc/group$ | ^/stand/vmunix$ | ^/stand/system$ | ^/\.rhosts$ | ^/etc/inetd\.
F Error Messages
This appendix describes errors and messages that may be produced by the Agent and System Manager programs. This appendix addresses the following topics:
• “Agent Messages” (page 203)
• “System Manager Messages” (page 207)
Agent Messages
This section describes error messages that are displayed on agent systems.
NOTE: These messages are produced by agent processes. If you see a message that is not described and you cannot resolve the problem, contact HP support.
Table F-1 Agent Error Messages (continued)
Error Message | Meaning | Action
idsagent: failed to reopen stderr in append mode | An internal error occurred while attempting to reopen error reporting. The per-process limit on file descriptors may have been reached. | Contact HP support.
idsagent: failed to start group | The idsagent encountered an error while attempting to activate a surveillance group. | Contact HP support.
Table F-1 Agent Error Messages (continued)
Error Message | Meaning | Action
idsagent: could not get latest stat info on log file file | If a log file created by idsagent has been changed, then idsagent attempts to reopen it. The open attempt failed. | Verify that the log file is owned by user:group ids:ids; that the ids user has read and write permissions on the file; and that its parent directory has read and write permissions.
Table F-1 Agent Error Messages (continued)
Error Message | Meaning | Action
idsagent internal error occurred in PM_StopGroup | An internal error occurred. | Contact HP support.
idsagent: logfile file was changed and cannot be reopened | If a log file created by idsagent was changed, then idsagent attempts to reopen it. The open attempt failed. |
Table F-1 Agent Error Messages (continued)
Error Message | Meaning | Action
idssysdsp: NOTE: inode of file filename was changed (ok if log rotation expected on this file) | File filename, which is being monitored by the idssysdsp process, has been moved. This is acceptable if the file has just undergone expected log file rotation. | If the file should not have changed, treat it as a potential intrusion.
Table F-2 System Manager Error Messages (continued)
Error Message | Meaning | Action
In order to activate a Surveillance Schedule, selected hosts must have a status of Ready, Scheduled, or Running. | The host was in an invalid state for the selected action. | Before activating a surveillance schedule, ensure that the selected hosts are in ready, scheduled, or running state.
In order to delete host list entries, the scheduled or running surveillance schedule must first be manually stopped. | |
Table F-2 System Manager Error Messages (continued)
Error Message | Meaning | Action
Select node(s) to resync. | A resync of nodes was requested without selecting a node. | Select a node before attempting to resynchronize with the agent associated with the node.
Select node(s) to Stop Schedule. | Only schedules associated with a node can be stopped. No node was selected. |
Select a Surveillance Schedule to Activate. | A schedule must be selected before it can be activated. | Select a surveillance schedule
Table F-2 System Manager Error Messages (continued)
Error Message | Meaning | Action
This host (hostname) has multiple network addresses. | | Either select a specific IP address or 0.0.0.0. If you select a specific IP address, it must correspond to the network interface for the network connecting the administration and agent systems. If 0.0.0.0 is selected, the administration system can be connected to agent systems that are reachable on any of the administration system's network interfaces.
G Troubleshooting This appendix describes various steps you can take in resolving problems on the agent and administrative systems.
Agent and System Manager cannot communicate with each other (No errors are being generated by the HP-UX HIDS processes and everything seems to be running fine otherwise.)
See also “No Agent Available” (page 218).
□ Make sure the check sums on the following two files are identical:
On the Administration system, run: /usr/bin/cksum /etc/opt/ids/certs/admin/cacert.pem
On the Agent system, run: /usr/bin/cksum /etc/opt/ids/certs/agent/cacert.
□ FAIL means one of the following has occurred:
– The communications certificates were generated for the agent system but have been deleted or moved. Generate the certificates as described in “Setting Up HP-UX HIDS Secure Communications” (page 29).
– An error occurred when the idsagent daemon was started. Check error.log.
– The /etc/rc.config.d/ids defaults file is missing.
– The /opt/ids/bin/idsagent program is missing or not executable. See “Agent does not start after installation” (page 214).
Agent halts abnormally, leaving ids_* files and message queues □ If a running agent was not halted as described in “Halting HP-UX HIDS Agents” (page 54) (for example, the agent was stopped with kill -9), then you need to clean up the message queues, which the agent uses for interprocess communication (IPC). This is important because the kernel has a limited number of message queues that IDS and other applications need in order to run.
□ Verify that all keys have been generated as described in “Setting Up HP-UX HIDS Secure Communications” (page 29).
□ Run /opt/ids/bin/IDS_checkInstall to verify that all required patches have been installed properly prior to installing IDS. IDS_checkInstall should be run on an OS where IDS is installed. If patches are missing, uninstall IDS (swremove), install the patches (see the HP-UX HIDS Release 4.1 Release Notes), and reinstall IDS (swinstall).
□ Is the communication to the agent timing out? Check the agent's /var/opt/ids/error.log for timeout messages. If timeout messages appear, try increasing the timeout values in the agent's /etc/opt/ids/ids.cf configuration file; see “Remote Communication Configuration” (page 195).
□ If /var/opt/ids/error.log contains out-of-memory errors, the maximum data segment size may need to be increased or more swap space might need to be added.
The idsadmin Command notifies of bad certificate when pinging a remote agent
idsadmin may notify of bad certificates if the certificate created on the admin host for the agent is not yet valid on the agent host because of the system time difference between the admin host and the remote agent host. For example:
./idsadmin -a hostname -i 1.2.3.
In either case, you can try running the command again. The solution is to apply the latest Software Distributor (SD) Cumulative Patch. For 11i and 11i version 1.6, install PHCO_25887 or a superseding patch, if any.
Large files in /var/opt/ids
□ The communication between idskerndsp and idscor uses a memory-mapped file, which normally only exists (in the /var/opt/ids directory) when a surveillance schedule is running.
  detection templates (most offer mechanisms by which these spurious alerts can be suppressed). For example, a system with the Resource Management subsystem might trigger a heavy volume of alerts since it frequently updates some files in /etc/opt/resmon. You can go to the Schedule Manager and modify the “Modification of files/directories” template to have it ignore the /etc/opt/resmon directory. (This filtering is provided by default in HP-UX HIDS version 2.2.) See “Suggested Best Practices” (page 69).
System Manager starts with no borders or title bar in X client programs on Windows □ This sometimes happens when Reflection X (or other X client programs on Microsoft Windows) has been running for a while. Quit, restart the program, relogin to your HP-UX HIDS administration system, and restart the System Manager. If the problem persists, contact HP support.
pass in quick proto tcp from any to any port = hpidsadmin keep state
3. HP-UX HIDS System Manager uses ephemeral ports to send requests to the agent host's port hpidsagent. Also, HP-UX HIDS agents use ephemeral ports to send responses to the System Manager host's port hpidsadmin. To allow communications back to these ephemeral ports, use the “keep state” rule in IPFilter.
pass out quick proto tcp all keep state
4.
xsvr3: Channel 0 closes outgoing data stream.
xsvr3: Channel 0 sends oclosed.
xsvr3: Channel 0 sends ieof.
xsvr3: Channel 0 receives input eof.
xsvr3: X problem fix: close the other direction.
xsvr3: Channel 0 receives output closed.
xsvr3: Channel 0 terminates.
Cause: This is a simplified explanation. When you log in to a remote host, and you try to run an X client program on the X server (that is, on your local host), the client needs to authenticate itself with the X server.
NOTE: The GUI might run with some limitations with Java 1.4.x. Numerous warnings or errors in /var/opt/ids/gui/logs/Trace.log and /var/opt/ids/gui/guiError.log may result in very large files that can consume a considerable amount of disk space.
H HP Software License Attention USE OF THE HP-UX HOST INTRUSION DETECTION SYSTEM AND ASSOCIATED DOCUMENTATION (COLLECTIVELY, THE "SOFTWARE") IS SUBJECT TO THE HP SOFTWARE LICENSE TERMS SET FORTH BELOW. USING THE SOFTWARE INDICATES YOUR ACCEPTANCE OF THESE LICENSE TERMS. IF YOU DO NOT ACCEPT THESE LICENSE TERMS, YOU MAY RETURN THE SOFTWARE FOR A FULL REFUND. IF THE SOFTWARE IS BUNDLED WITH ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE UNUSED PRODUCT FOR A FULL REFUND.
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS * OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE.
*(application code) you must include an * acknowledgement: * "This product includes software written by Tim * Hudson (tjh@cryptsoft.com)" * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS * '' AND ANY EXPRESS OR IMPLIED WARRANTIES, * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * PARTICULAR PURPOSE ARE DISCLAIMED.
Termination HP may terminate your license upon notice for failure to comply with any of these License Terms. Upon termination, you must immediately destroy the Software, together with all copies, adaptations and merged portions in any form. Export Requirements You may not export or re-export the Software or any copy or adaptation in violation of any applicable laws or regulations. U.S.