HP-UX Host Intrusion Detection System Version 4.
Legal Notices Copyright 2009 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
1 Announcement

The HP-UX Host Intrusion Detection System Version 4.2 Release Notes describes major new features, enhancements, fixes, limitations, and known issues for Host Intrusion Detection System (HIDS) Version 4.2.

What is HP-UX HIDS

HP-UX HIDS is a host-based HP-UX security product for HP computers running HP-UX 11i. HP-UX HIDS enables security administrators to proactively monitor, detect, and respond to attacks targeted at specific hosts.
Table 1-1 HP-UX HIDS Product Compatibility (continued)

Product                                       Supported?
HP-UX 11i v1.6                                No
HP-UX 11i v1.5                                No
HP-UX 11i v1                                  No
HP-UX 11.0                                    No
NIS, NIS+                                     Yes
OpenView                                      Yes
ServiceGuard                                  Not tested
Third-party Event Monitoring Service (EMS)    Not tested
Trusted Mode operation                        Yes
Virtual Vault                                 No

Localization

The HP-UX HIDS software and documentation are not localized in non-English languages.
• security products cannot identify, thereby strengthening the integrity of the host system as the last line of defense.
• Provides immediate notification when a suspicious activity is detected, and supports real-time response.

Documentation

The HP-UX HIDS documentation includes manuals, manpages, information on the HP OpenView SMART Plug-In, an IDS Mailing List, and the ITRC Security Forum.
IDS Mailing List

To receive the latest news about HP-UX HIDS, send an email message to majordomo@hpuxmail.cup.hp.com. Include only the following line in the body of the message:

subscribe ids9000-news

NOTE: The term ids9000 refers to the previous name of the product. This address is for subscription requests only. Do not send product questions or other inquiries.
• IPv6 support that allows HIDS to function in a pure IPv6 network as well as a mixed IPv6/IPv4 network.
• Numeric user name support for specifying user name template property values.

Known Problems, Limitations, and Fixes

For a current and complete list of HP-UX HIDS problems and their fixes, refer to the Technical Knowledge Database on the HP IT Resource Center Websites:
• http://us-support.external.hp.com for Americas/Asia-Pacific customers
• http://europe-support.external.hp.
displays an error dialog stating that it was unable to parse the schedule and the schedule will not appear in the System Manager and Schedule Manager windows.
The idsadmin Command Does not Parse Schedules Whose Property Lines Exceed 65535 Characters

If a schedule has a property line exceeding 65535 characters, idsadmin or idsagent does not parse the schedule but logs an error message. In older versions of HIDS, running these commands on schedules with property lines exceeding 65535 characters can cause HIDS to dump core.
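A pre-flight check for the limit described above, added here as an example and not part of HP's release notes or the HIDS product: it scans a schedule file (or every .txt file in the schedule directory) for property lines longer than 65535 characters so an oversized line is caught before idsadmin or idsagent refuses to parse it. The limit is assumed to apply per line of a plain-text schedule file; the demo schedule contents are constructed.

```shell
#!/bin/sh
# Added example, not HP's code. Assumes HIDS schedule files are plain text and
# that the 65535-character limit from the release notes applies to each line.

IDS_MAX_LINE=65535

# check_schedule_lines FILE
# Reports every line longer than IDS_MAX_LINE with its number and length.
# Returns 0 if the file is clean, 1 if any line is too long, 2 if unreadable.
check_schedule_lines() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk -v max="$IDS_MAX_LINE" -v f="$1" '
        length($0) > max {
            printf "%s: line %d is %d characters (limit %d)\n", f, NR, length($0), max
            bad = 1
        }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# check_schedule_dir [DIR]
# Checks every .txt schedule in DIR (default: the /etc/opt/ids/schedules
# directory named in the release notes). Returns 1 if any file fails.
check_schedule_dir() {
    dir="${1:-/etc/opt/ids/schedules}"
    dir_rc=0
    for f in "$dir"/*.txt; do
        [ -e "$f" ] || continue
        check_schedule_lines "$f" || dir_rc=1
    done
    return $dir_rc
}

# make_demo_schedule FILE
# Writes a constructed schedule with one oversized property line (65536
# characters of value plus the "files=" key), for demonstration only.
make_demo_schedule() {
    printf 'name=demo\n' > "$1"
    chunk="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    long=""
    i=0
    while [ "$i" -lt 1024 ]; do long="$long$chunk"; i=$((i + 1)); done
    printf 'files=%s\n' "$long" >> "$1"
}
```

Run `check_schedule_dir` before deploying edited schedules with idsadmin; a non-zero exit means at least one file would be rejected.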
Unexpected Behavior by idsagent when report, resync, or tune Command is Executed

If the /var/opt/ids/gui/logs/{agent}_alert.log file is corrupted, the report, resync, or tune commands may behave unexpectedly.

SSH does not Perform a Clean Exit after idsagent is Started

After starting idsagent from an ssh login, logging out of the agent system results in the ssh session hanging indefinitely. As a workaround, log in by entering:

ssh -l root /usr/dt/bin/dtterm

Then type in the /sbin/init.
Error Log File Rotation

When you rotate an agent's error log file (default location is /var/opt/ids/error.log), the idsagent process must be restarted by sending it a HUP signal in order for all new errors to appear in a newly created error log file.

Activations of Surveillance Schedules fail on systems installed with only HIDS v4.2 agent software

When only the HIDS v4.
The next time the GUI is launched, only the first group period will be loaded and scheduled to run.

Workaround
1. Instead of using the GUI, use your preferred editor to modify the Surveillance Schedule in the /etc/opt/ids/schedules/.txt file, and use the idsadmin command instead of the GUI to manage agents.
2. Using the GUI, create an identical Surveillance Group for each time period.
/var/adm/wtmp appears to be corrupted — The following alert is no longer generated when user ids runs the idsgui command or the swlist command: User with uid 0 opened for modification/truncation /opt/ids/home/.sw/sessions/swlist.
2 Installation

This chapter provides information about HIDS installation.

IMPORTANT: Read this entire chapter before installing or updating to HIDS version 4.1.

Introduction

Version 4.2 of HIDS is available from the following sources:
• As a depot directory on an Application Release CD for 11i and on OEUR for HP-UX 11i v2 (from March 2006 onwards).
• As a depot file you download from the HP Software Depot Website for HP-UX 11i, beginning from January 2006.
In addition to these Release Notes, you will need the Host Intrusion Detection System Administrator's Guide Software Release 4.2, for information on configuration and initial startup.
1. Ensure that your administration and agent systems meet the requirements as described in "Hardware and Software Requirements" (page 20).
2. If you want to migrate your existing schedules to HIDS 4.2, complete the steps listed in "Migrating Schedules from Older Versions of HIDS" (page 21).
Migrating Schedules from Older Versions of HIDS

To use your older schedules with HIDS v4.2, you must migrate them to HIDS v4.2. Schedules from HIDS v3.1 and v4.0 must be migrated to HIDS v4.2. HIDS v4.1 schedules do not need to be migrated.

NOTE: If you are migrating schedules from version 3.1 of HIDS, you must first migrate to HIDS v4.0 and use guiSchedConvert to convert them to HIDS v4.0 schedule files before migrating them to HIDS v4.2 schedules.

Complete the following process to migrate HIDS v4.
Table 2-3 Software Depots

Depot: 11i Admin+Agent Depot, /var/depot/ids_11i_admin+agent
For an HP-UX 11i system supporting the HIDS administration and agent software. Contents:
• Required system patches
• Required Java patches
• J2SE 5.0
• IDS.IDS-ADM-RUN and IDS.IDS-ADM-SHLIB subproduct
• IDS.IDS-AGT-RUN subproduct
• IDS.IDS-ENG-A-MAN subproduct
• IDS-KRN subproduct
• OpenSSL product

Depot: /var/depot/ids_11i_admin
For an HP-UX 11i system supporting the HIDS administration. Contents:
• Required Java patches
• J2SE 5.
5. Using the instructions on the Web site, download the patches listed in Table 2-5 (for HP-UX 11iv2) into /var/tmp/idspatch_11i.

NOTE: You must be registered before you can download patches. Note the following:
• Some patches might have dependency patches; patches that must be installed first. Click the dependency links and download the dependency patches as well.
• Some patches might be superseded. You can choose the patch listed in Table 2-5 (for HP-UX 11iv2), or the superseded patch.
Get the HP-UX HIDS Product

HP-UX HIDS version 4.2 for HP-UX 11i v2 and HP-UX 11i v3 is available from the HP Software Depot (http://software.hp.com).

From the HP-UX 11i v2 and HP-UX 11i v3 System Versions

Refer to the HP-UX 11i Version 2 Installation and Update Guide or HP-UX 11i Version 3 Installation and Update Guide for information on installing HIDS with a system installation or upgrade.
2. Do the following: Locate the HP-UX 11i Application Release CD that contains the HP-UX HIDS product bundle and load it into your CD reader. In this procedure it is mounted on /SD_CDROM.
   a. 11i Agent Depot: copy the 11i IDS-KRN product and IDS agent subproducts into the ids_11i_agent depot:

      # swcopy -x enforce_dependencies=false -s /SD_CDROM HPUX-HIDS.IDS-KRN HPUX-HIDS.IDS.IDS-AGT-RUN HPUX-HIDS.IDS.IDS-ENG-A-MAN @ /var/depot/ids_11i_agent
Get Patches for Java
1. Log in as superuser (root) on the depot system. See "Create the Depot Directory" (page 22).
2. Create a directory in which you can save the patches and make a depot. This procedure uses /var/tmp/javapatch.
3. Open the HP Java Website: http://www.hp.com/go/java
4. Click on the patches link.
5. Take note of the patches that you need, based on your administration system.
6. Open the HP Support Website: http://itrc.hp.com
7. Click on individual patches.
7. Transfer the software to the administration depot using one of the following steps:
   a. 11i Admin Depot: if your administration system will not be running an agent, copy the 11i Java software into the ids_11i_admin depot:

      # swcopy -x enforce_dependencies=false -s /var/tmp/jre15_15001_1111.depot * @ /var/depot/ids_11i_admin
NOTE: In the following procedure, swinstall does not reinstall any patches or applications that are already installed. You can ignore messages to that effect; the software you need will be installed properly. Do not reinstall any patches without consulting HP Support first.

The swinstall option -x autoreboot=true in the following procedure ensures that any software that requires a system reboot will be installed. If none of the installed software requires a reboot, the system will not be rebooted.
Will Installing HP-UX HIDS Version 4.2 Reboot My Agent System?

The installation scripts for HP-UX HIDS try to avoid unnecessary system reboots. However, in some circumstances, a system reboot might be required. Those circumstances are (in order of priority):
1. If you choose the Reinstall Filesets option in the graphical interface to swinstall, all HIDS filesets will be installed, and a system reboot will occur.
Optional

You might also need to complete one or more of the following steps:
• Configuring a multihomed agent system: If you have an agent system with more than one IP address, you may have to specify the correct address to the agent and administration software.
• Configuring a multihomed administration system: If you have an administration system with more than one IP address, you may have to specify the correct address to the agent and administration software.
A HP Software License

Attention

USE OF THE HP-UX HOST INTRUSION DETECTION SYSTEM AND ASSOCIATED DOCUMENTATION (COLLECTIVELY, THE "SOFTWARE") IS SUBJECT TO THE HP SOFTWARE LICENSE TERMS SET FORTH BELOW. USING THE SOFTWARE INDICATES YOUR ACCEPTANCE OF THESE LICENSE TERMS. IF YOU DO NOT ACCEPT THESE LICENSE TERMS, YOU MAY RETURN THE SOFTWARE FOR A FULL REFUND. IF THE SOFTWARE IS BUNDLED WITH ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE UNUSED PRODUCT FOR A FULL REFUND.
permission, please contact openssl-core@openssl.org.

5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.
copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.
No Disassembly or Decryption. You may not disassemble or decompile the Software without HP's prior written consent. Where you have other rights under statute, you will provide HP with reasonably detailed information regarding any intended disassembly or decompilation. You may not decrypt the Software unless necessary for the legitimate use of the Software.

Transfer. You may transfer your rights under this Agreement to another party on a permanent basis.