HP-UX Host Intrusion Detection System Version 4.3 administrator guide
Table Of Contents
- HP-UX Host Intrusion Detection System Version 4.3 administrator guide
- Table of Contents
- About This Document
- 1 Introduction
- 2 Configuring HP-UX HIDS
- 3 Getting Started with HP-UX HIDS
- 4 Using the System Manager Screen
- Starting the HP-UX HIDS System Manager
- Stopping the HP-UX HIDS System Manager
- System Manager Components
- Starting HP-UX HIDS Agents
- Getting the Status of Agent Hosts
- Resynchronizing Agent Hosts
- Activating Schedules on Agent Hosts
- Stopping Schedules on Agent Hosts
- Halting HP-UX HIDS Agents
- Accessing Other Screens
- 5 Using the Schedule Manager Screen
- The Schedule Manager
- Configuring Surveillance Schedules
- Configuring Surveillance Groups
- Configuring Detection Templates
- Setting Surveillance Schedule Timetables
- Configuring Alert Aggregation
- Configuring Monitor Failed Attempts
- Configuring Duplicate Alert Suppression
- Viewing Surveillance Schedule Details
- Predefined Surveillance Schedules and Groups
- 6 Using the Host Manager Screen
- 7 Using the Network Node Screen
- 8 Using the Preferences Screen
- A Templates and Alerts
- Alert Summary
- UNIX Regular Expressions
- Limitations
- Template Property Types
- Buffer Overflow Template
- Race Condition Template
- Modification of files/directories Template
- Changes to Log File Template
- Creation and Modification of setuid/setgid File Template
- Creation of World-Writable File Template
- Modification of Another User’s File Template
- Login/Logout Template
- Repeated Failed Logins Template
- Repeated Failed su Commands Template
- Log File Monitoring Template
- B Automated Response for Alerts
- C Tuning Schedules and Generating Alert Reports
- D The Agent Configuration File
- E The Surveillance Schedule Text File
- F Error Messages
- G Troubleshooting
- Troubleshooting
- Agent and System Manager cannot communicate with each other
- Agent complains that idds has not been enabled, yet lsdev shows /dev/idds is present
- Agent does not start on system boot
- Agent halts abnormally, leaving ids_* files and message queues
- Agent host appears to hang and/or you see message disk full
- Agent needs further troubleshooting
- Agent does not start after installation
- Agents appear to be stuck in polling status
- Agent displays error if hostname to IP mapping is not registered in name service
- Aggregated alerts targets or details field are truncated and the same aggregated alert has several entries logged in the IDS_ALERTFILE
- Alert date/time sort seems inconsistent
- Alerts are not being displayed in the alert browser
- Buffer overflow triggers false positives
- Duplicate alerts appear in System Manager
- Getting several aggregated alerts for the same process
- GUI runs out of memory after receiving around 19,000 alerts
- The idsadmin Command needs installed agent certificates
- The idsadmin Command notifies of bad certificate when pinging a remote agent
- IDS_checkInstall fails with a kmtune error
- IDS_genAdminKeys or IDS_genAgentCerts does not complete successfully
- IDS_genAdminKeys or idsgui quits early
- Large files in /var/opt/ids
- Log files are filling up
- No Agent Available
- Normal operation of an application generates heavy volume of alerts
- Reflection X rlogin produces multiple login and logout alerts
- Schedule Manager timetable screen appears to hang
- SSH does not perform a clean exit after idsagent is started
- System Manager appears to hang
- System Manager does not let you save files to specific directories
- System Manager does not start after idsgui is started
- System Manager starts with no borders or title bar in X client programs on Windows
- System Manager times out on agent functions such as Activate and Status Poll
- UNKNOWN program and arguments in certain alert messages
- Using HP-UX HIDS with IPFilter and SecureShell
- Unable to Generate Administrator Keys and Agent Certificates on PA–RISC 1.1 Systems
- Troubleshooting
- H HP Software License
List of Tables
1 HP-UX 11i Releases.......................................................................................................................17
2-1 IDS Scripts Used to Set Up Secure Communications....................................................................30
2-2 Runtime File Permissions..............................................................................................................42
4-1 Monitored Nodes..........................................................................................................................50
4-2 Status Field Values.........................................................................................................................50
5-1 Predefined Surveillance Schedules...............................................................................................81
8-1 General Preferences Tab..............................................................................................................106
8-2 Alert Events Subtab.....................................................................................................................107
8-3 Error Events Subtab.....................................................................................................................108
8-4 System Manager Subtab..............................................................................................................109
A-1 Detection Templates....................................................................................................................111
A-2 Buffer Overflow Template Properties.........................................................................................122
A-3 Execute on Stack Alert Properties...............................................................................................123
A-4 Unusual Argument Length Alert Properties ..............................................................................123
A-5 Argument with Nonprintable Character Alert Properties..........................................................124
A-6 Race Condition Template Properties...........................................................................................126
A-7 File Reference Modification Alert Properties..............................................................................127
A-8 setuid Script Executed Alert Properties......................................................................................128
A-9 File/Directories Template Properties...........................................................................................130
A-10 File Being Modified Alert Properties...........................................................................................131
A-11 Failed Attempt to Modify Read-Only File Alert Properties........................................................133
A-12 Template Properties.....................................................................................................................135
A-13 Append-Only File Being Modified Alert Properties...................................................................135
A-14 Failed Attempt to Modify Append-Only File Alert Properties...................................................137
A-15 Setuid File Template Properties...................................................................................................138
A-16 Setuid File Created / Modified Alert Properties..........................................................................139
A-17 World-Writable File Template Properties....................................................................................141
A-18 World-Writable File Created Alert Properties.............................................................................142
A-19 Modification of Another User’s File Template Properties...........................................................144
A-20 Non-Owned File Being Modified Alert Properties.....................................................................145
A-21 Failed Attempt to Modify Non-Owned File Alert Properties.....................................................147
A-22 Login/Logout Template Properties..............................................................................................148
A-23 Login/Logout Alert Properties....................................................................................................149
A-24 Successful su Detected Alert Properties......................................................................................150
A-25 Failed Logins Template Properties..............................................................................................152
A-26 Failed Login Attempts Alert Properties......................................................................................152
A-27 Repeated Failed su Commands Template Properties.................................................................154
A-28 Repeated Failed Su Attempts Alert Properties...........................................................................154
A-29 Log File Monitoring Template Properties...................................................................................155
A-30 Log File Monitoring Alert Properties..........................................................................................156
B-1 Additional Arguments Passed to Response Programs for Kernel Template Alerts...................161
B-2 Additional Arguments Passed to Response Programs for Suppressed Alerts...........................162
B-3 Additional Arguments Passed to Response Programs for File Modification Failed Attempt
Alerts............................................................................................................................................163
B-4 Additional Arguments Passed to Response Programs for File Modification Failed Attempt
Alerts With DAS Enabled............................................................................................................163
B-5 Additional Arguments Passed to Response Programs for Race Condition Template Alerts.....163
B-6 Additional Arguments Passed to Response Programs for Login or Logout Alerts....................164
B-7 Additional Arguments Passed to Response Programs for su Alerts..........................................164
B-8 Additional Arguments Passed to Response Programs While Generating Aggregated Alerts....165
B-9 Environment Variables Set for Response Programs....................................................................166
11