HP-UX Host Intrusion Detection System Version 4.3 administrator guide
Table Of Contents
- About This Document
- 1 Introduction
- 2 Configuring HP-UX HIDS
- 3 Getting Started with HP-UX HIDS
- 4 Using the System Manager Screen
- Starting the HP-UX HIDS System Manager
- Stopping the HP-UX HIDS System Manager
- System Manager Components
- Starting HP-UX HIDS Agents
- Getting the Status of Agent Hosts
- Resynchronizing Agent Hosts
- Activating Schedules on Agent Hosts
- Stopping Schedules on Agent Hosts
- Halting HP-UX HIDS Agents
- Accessing Other Screens
- 5 Using the Schedule Manager Screen
- The Schedule Manager
- Configuring Surveillance Schedules
- Configuring Surveillance Groups
- Configuring Detection Templates
- Setting Surveillance Schedule Timetables
- Configuring Alert Aggregation
- Configuring Monitor Failed Attempts
- Configuring Duplicate Alert Suppression
- Viewing Surveillance Schedule Details
- Predefined Surveillance Schedules and Groups
- 6 Using the Host Manager Screen
- 7 Using the Network Node Screen
- 8 Using the Preferences Screen
- A Templates and Alerts
- Alert Summary
- UNIX Regular Expressions
- Limitations
- Template Property Types
- Buffer Overflow Template
- Race Condition Template
- Modification of files/directories Template
- Changes to Log File Template
- Creation and Modification of setuid/setgid File Template
- Creation of World-Writable File Template
- Modification of Another User’s File Template
- Login/Logout Template
- Repeated Failed Logins Template
- Repeated Failed su Commands Template
- Log File Monitoring Template
- B Automated Response for Alerts
- C Tuning Schedules and Generating Alert Reports
- D The Agent Configuration File
- E The Surveillance Schedule Text File
- F Error Messages
- G Troubleshooting
- Troubleshooting
- Agent and System Manager cannot communicate with each other
- Agent complains that idds has not been enabled, yet lsdev shows /dev/idds is present
- Agent does not start on system boot
- Agent halts abnormally, leaving ids_* files and message queues
- Agent host appears to hang and/or you see message disk full
- Agent needs further troubleshooting
- Agent does not start after installation
- Agents appear to be stuck in polling status
- Agent displays error if hostname to IP mapping is not registered in name service
- Aggregated alerts targets or details field are truncated and the same aggregated alert has several entries logged in the IDS_ALERTFILE
- Alert date/time sort seems inconsistent
- Alerts are not being displayed in the alert browser
- Buffer overflow triggers false positives
- Duplicate alerts appear in System Manager
- Getting several aggregated alerts for the same process
- GUI runs out of memory after receiving around 19,000 alerts
- The idsadmin Command needs installed agent certificates
- The idsadmin Command notifies of bad certificate when pinging a remote agent
- IDS_checkInstall fails with a kmtune error
- IDS_genAdminKeys or IDS_genAgentCerts does not complete successfully
- IDS_genAdminKeys or idsgui quits early
- Large files in /var/opt/ids
- Log files are filling up
- No Agent Available
- Normal operation of an application generates heavy volume of alerts
- Reflection X rlogin produces multiple login and logout alerts
- Schedule Manager timetable screen appears to hang
- SSH does not perform a clean exit after idsagent is started
- System Manager appears to hang
- System Manager does not let you save files to specific directories
- System Manager does not start after idsgui is started
- System Manager starts with no borders or title bar in X client programs on Windows
- System Manager times out on agent functions such as Activate and Status Poll
- UNKNOWN program and arguments in certain alert messages
- Using HP-UX HIDS with IPFilter and SecureShell
- Unable to Generate Administrator Keys and Agent Certificates on PA–RISC 1.1 Systems
- Troubleshooting
- H HP Software License

1 Introduction
This chapter introduces the HP-UX Host Intrusion Detection System (HP-UX HIDS) software,
an HP-UX product that enhances the local host-level security within your network.
This chapter addresses the following topics:
• “Importance of Intrusion Detection” (page 19)
• “HP-UX HIDS Functionality” (page 23)
• “HP-UX HIDS Limitations” (page 23)
• “HP-UX HIDS Components” (page 24)
• “Glossary of HP-UX HIDS Terms” (page 26)
Importance of Intrusion Detection
Some threats faced by almost all businesses today are the following:
• Loss of financial assets
Financial institutions are vulnerable even to trusted employees. With the advent of Internet
technology, several financial institutions transfer millions of dollars over computer networks.
In addition to easy access, this technology has made the whole financial industry vulnerable
to attacks.
• Loss of intellectual property
Intellectual property refers to unique knowledge or ideas about technology a company owns.
Intellectual property can be the design of a new engine, the code to a new software product,
or even the customer contact list. Intellectual property must be handled with utmost care.
Companies around the world face this challenge every day.
• Loss of computing resources
Information is of no use if it cannot be acted upon, and not having the computing resources
available to process information renders it useless. Any company that offers its customers
an online service is acutely aware of the potential losses that can result from even a minute
of downtime. This is especially true in the case of web services. Lack of availability of critical
computing resources because of malicious actions is a serious threat faced by any company
doing business on the Internet today. Loss of business (measured in dollars) can be significant.
Harder to quantify, but more damaging in the long term, is the loss of consumer confidence
in a business that suffers an online attack. Another example of a loss of a critical computing
resource is a corporate email system crash. When the outage is caused intentionally by an
attacker who is continually disrupting business, the financial cost to a company can be very
high: lost sales or miscommunication with customers, for example.
• Loss of privacy
Privacy is a serious security concern in the medical, insurance, and banking fields. If a
computer system is broken into by an external attacker, sensitive data may be obtained that
can leave a company liable to legal action because of a lack of due diligence to protect
sensitive data.
Who are the Perpetrators?
Perpetrators of security attacks most often are not outsiders who roam the Internet, but your
own employees, whom you trust with your critical data and systems. Unreliable employees who
have an intimate knowledge of systems and networks can abuse their positions of trust. However,
most effort has been expended in defending against the perceived threat from outside. As a
result, most security solutions have focused on firewalls and web servers, completely ignoring
Importance of Intrusion Detection 19