HP-UX Host Intrusion Detection System Version 4.3 administrator guide
Table Of Contents
- HP-UX Host Intrusion Detection System Version 4.3 administrator guide
- Table of Contents
- About This Document
- 1 Introduction
- 2 Configuring HP-UX HIDS
- 3 Getting Started with HP-UX HIDS
- 4 Using the System Manager Screen
- Starting the HP-UX HIDS System Manager
- Stopping the HP-UX HIDS System Manager
- System Manager Components
- Starting HP-UX HIDS Agents
- Getting the Status of Agent Hosts
- Resynchronizing Agent Hosts
- Activating Schedules on Agent Hosts
- Stopping Schedules on Agent Hosts
- Halting HP-UX HIDS Agents
- Accessing Other Screens
- 5 Using the Schedule Manager Screen
- The Schedule Manager
- Configuring Surveillance Schedules
- Configuring Surveillance Groups
- Configuring Detection Templates
- Setting Surveillance Schedule Timetables
- Configuring Alert Aggregation
- Configuring Monitor Failed Attempts
- Configuring Duplicate Alert Suppression
- Viewing Surveillance Schedule Details
- Predefined Surveillance Schedules and Groups
- 6 Using the Host Manager Screen
- 7 Using the Network Node Screen
- 8 Using the Preferences Screen
- A Templates and Alerts
- Alert Summary
- UNIX Regular Expressions
- Limitations
- Template Property Types
- Buffer Overflow Template
- Race Condition Template
- Modification of files/directories Template
- Changes to Log File Template
- Creation and Modification of setuid/setgid File Template
- Creation of World-Writable File Template
- Modification of Another User’s File Template
- Login/Logout Template
- Repeated Failed Logins Template
- Repeated Failed su Commands Template
- Log File Monitoring Template
- B Automated Response for Alerts
- C Tuning Schedules and Generating Alert Reports
- D The Agent Configuration File
- E The Surveillance Schedule Text File
- F Error Messages
- G Troubleshooting
- Troubleshooting
- Agent and System Manager cannot communicate with each other
- Agent complains that idds has not been enabled, yet lsdev shows /dev/idds is present
- Agent does not start on system boot
- Agent halts abnormally, leaving ids_* files and message queues
- Agent host appears to hang and/or you see message disk full
- Agent needs further troubleshooting
- Agent does not start after installation
- Agents appear to be stuck in polling status
- Agent displays error if hostname to IP mapping is not registered in name service
- Aggregated alerts targets or details field are truncated and the same aggregated alert has several entries logged in the IDS_ALERTFILE
- Alert date/time sort seems inconsistent
- Alerts are not being displayed in the alert browser
- Buffer overflow triggers false positives
- Duplicate alerts appear in System Manager
- Getting several aggregated alerts for the same process
- GUI runs out of memory after receiving around 19,000 alerts
- The idsadmin Command needs installed agent certificates
- The idsadmin Command notifies of bad certificate when pinging a remote agent
- IDS_checkInstall fails with a kmtune error
- IDS_genAdminKeys or IDS_genAgentCerts does not complete successfully
- IDS_genAdminKeys or idsgui quits early
- Large files in /var/opt/ids
- Log files are filling up
- No Agent Available
- Normal operation of an application generates heavy volume of alerts
- Reflection X rlogin produces multiple login and logout alerts
- Schedule Manager timetable screen appears to hang
- SSH does not perform a clean exit after idsagent is started
- System Manager appears to hang
- System Manager does not let you save files to specific directories
- System Manager does not start after idsgui is started
- System Manager starts with no borders or title bar in X client programs on Windows
- System Manager times out on agent functions such as Activate and Status Poll
- UNKNOWN program and arguments in certain alert messages
- Using HP-UX HIDS with IPFilter and SecureShell
- Unable to Generate Administrator Keys and Agent Certificates on PA–RISC 1.1 Systems
- Troubleshooting
- H HP Software License
characters escaped because the string pattern within double quotes is only parsed by the regular
expression parser and not by the template parser, unlike Type I properties that are parsed both
by the template parser and the regular expression parser. However, to include double quotes (")
as part of a pattern, the double quotes must be escaped with a backslash (\) character.
The severity property value associated with a log file takes precedence over the global
log_severity_def property value (See, “Surveillance Schedule Section”). In case the severity
property value is empty or not specified, the global property log_severity_def value is used.
The following example specifies that entries logged to the log file /var/adm/syslog/
syslog.log will trigger an alert with severity 1 if the syslog entry indicates that a file system
is full on a logical volume other than one under/dev/vg03:
logfile | /var/adm/syslog/syslog.log
watch | "file system /dev/vg[0-9]+/.* full"
ignore | "file system /dev/vg03/.* full"
severity | 1
The watch and ignore property values are both specified using regular expression notation.
For more information on regular expressions, see “UNIX Regular Expressions ” (page 114).
Multiple instances of the logfile, watch, ignore, and severity properties can be specified
but need to be specified consecutively in a group. For example, the following template properties
specify that the apache web server's error log should be monitored for authentication failures
except for user ids and any alerts issued will have a severity of 2, whereas the access log should
be monitored for all HTTP 400 error codes except for GET and HEAD requests and any alerts
will have a severity of 3:
logfile | /opt/apache/logs/error_log
watch | "authentication failure for"
ignore | "user ids"
severity | 2
logfile | /opt/apache/logs/access_log
watch | "\".* HTTP/[0-9].[0-9]\" 4[0-9][0-9]"
ignore | "GET" | "HEAD"
severity | 3
NOTE: For more information about regular expressions, see: “UNIX Regular Expressions ”
Alerts generated by this template
Log File Monitoring
Table A-30 “Log File Monitoring Alert Properties” lists the alert properties the Log File
Monitoring template generates and forwards to a response program when log entries matching
a string pattern are detected.
Table A-30 Log File Monitoring Alert Properties
DescriptionAlert Value/FormatAlert Field
Type
Alert FieldResponse
Program
Argument
Unique code assigned to template10IntegerTemplate
Code
argv[1]
Template version<version>IntegerVersionargv[2]
Specifies alert severity. Alert
severity is configurable.
<severity level>
IntegerSeverityargv[3]
UTC time in number of seconds
since the epoch when the log file
entry was detected.
<secs>
IntegerUTC Timeargv[4]
<empty>
String
<empty>
argv[5]
156 Templates and Alerts