HP-UX Host Intrusion Detection System Version 4.3 administrator guide

Table F-1 Agent Error Messages (continued)
| Error Message | Meaning | Action |
|---|---|---|
| idsagent: could not get latest stat info on log file file | If a log file created by idsagent has been changed, then idsagent attempts to reopen it. The open attempt failed. | Verify that the log file is owned by user:group ids:ids; that the ids user has read and write permissions on the file; and that its parent directory has read and write permissions. |
| idsagent: DSP type dsp required by template template not found | Template template requires a data source dsp that is not supported by this version of HP-UX HIDS. | Ensure that you have installed the latest version of HP-UX HIDS. |
| idsagent: error trying to shut down a process | The idsagent was unable to cleanly shut down one of the HP-UX HIDS subprocesses. | This error can occur, but idsagent still cleans up processes. |
| idsagent: failed to allocate memory | An internal memory error occurred. | Contact HP support. |
| idsagent: failed to create schedule path file name | An internal memory error occurred. | Contact HP support. |
| idsagent: failed to create/overwrite schedule path file file: msg | The idsagent was unable to save the surveillance schedule to a file named file. | Verify that the /var partition has free disk space, that /var/opt/ids exists; that it is owned by user:group ids:ids, and that it is writable by user ids. |
| idsagent: failed to execute correlator: corr | The idsagent failed to execute the correlator subprocess corr. | Verify that the /opt/ids/lbin/idscor file exists, that it is owned by user:group ids:ids, and that it is readable and executable by user ids. |
| idsagent: Failed to execute the DSP dsp | The idsagent failed to execute the data source subprocess dsp. | Verify that the /opt/ids/lbin/idskerndsp file exists, that it is owned by user:group ids:ids, and that it is readable and executable by user ids. Verify that the /opt/ids/lbin/idssysdsp file exists, that it is owned by user:group root:ids, and that it is readable and executable by user root. |
| idsagent: failed to initialize interprocess communication | The idsagent was unable to initialize the memory mapped file communications between subprocesses. | Verify that there is at least 10 MB of free disk space in the /var partition and that the kernel configuration supports memory mapped files. It is possible that other processes (such as OpenView) may have used all the kernel memory mapped file resources. |
| idsagent: failed to initialize schedule | An internal error occurred in parsing and initializing the surveillance schedule. | Contact HP support. |
| idsagent: failed to initialize schedule in crontab | idsagent was unable to create a set of crontab entries for user ids to manage schedule execution. | Verify that the user ids is present in the /var/adm/cron/cron.allow file. |
| idsagent: group named group not found | An internal error occurred. | Contact HP support. |
| idsagent: internal error (no correlator) in PM_StartProcesses | An internal error has occurred. | The /etc/opt/ids/ids.cf file may be corrupt. Contact HP support. |
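
The ownership, permission and cron.allow checks that the Action column above asks for, gathered into one preflight script. This is an added example, not part of the HP guide or of HP-UX HIDS; the IDS_ROOT prefix and the function names are assumptions made for the example, while the paths and owner:group pairs are those listed in the table.

```shell
#!/bin/sh
# Added example: preflight checks drawn from the Action column of Table F-1.
# IDS_ROOT is a hypothetical prefix so the checks can be run against a
# scratch tree; leave it empty on a real agent host.
IDS_ROOT=${IDS_ROOT:-}

# owner_group PATH: prints "user:group" as reported by ls -ld
owner_group() {
    ls -ld "$1" 2>/dev/null | awk '{ print $3 ":" $4 }'
}

# check_file PATH OWNER:GROUP PERMS
# PERMS lists the owner permission letters that must be set, e.g. "rx" or "rw".
check_file() {
    path=$IDS_ROOT$1; want=$2; need=$3
    [ -e "$path" ] || { echo "MISSING  $path"; return 1; }
    got=$(owner_group "$path")
    [ "$got" = "$want" ] || { echo "OWNER    $path is $got, want $want"; return 1; }
    # Owner bits are characters 2-4 of the ls mode string; a setuid "s" implies x.
    bits=$(ls -ld "$path" | cut -c2-4 | tr s x)
    for c in $(echo "$need" | sed 's/./& /g'); do
        case $bits in
            *"$c"*) ;;
            *) echo "MODE     $path lacks owner '$c' ($bits)"; return 1 ;;
        esac
    done
    echo "OK       $path"
}

# check_cron_allow USER: the user must have its own line in cron.allow
check_cron_allow() {
    f=$IDS_ROOT/var/adm/cron/cron.allow
    grep -Fqx "$1" "$f" 2>/dev/null && { echo "OK       $1 in $f"; return 0; }
    echo "CRON     $1 not listed in $f"; return 1
}

# preflight [IDS_OWNER:GROUP [SYSDSP_OWNER:GROUP]]
# Exit status is the number of failed checks (0 means all passed).
preflight() {
    ids=${1:-ids:ids}; sys=${2:-root:ids}; fail=0
    check_file /var/opt/ids             "$ids" rw || fail=$((fail + 1))
    check_file /opt/ids/lbin/idscor     "$ids" rx || fail=$((fail + 1))
    check_file /opt/ids/lbin/idskerndsp "$ids" rx || fail=$((fail + 1))
    check_file /opt/ids/lbin/idssysdsp  "$sys" rx || fail=$((fail + 1))
    check_cron_allow "${ids%%:*}"                 || fail=$((fail + 1))
    return $fail
}
```

Run `preflight` with no arguments on an agent host to test against the ids:ids and root:ids ownership the table specifies; the free-space and memory mapped file conditions are not covered by this script.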