HP-UX Host Intrusion Detection System Version 4.3 administrator guide
Table Of Contents
- HP-UX Host Intrusion Detection System Version 4.3 administrator guide
- Table of Contents
- About This Document
- 1 Introduction
- 2 Configuring HP-UX HIDS
- 3 Getting Started with HP-UX HIDS
- 4 Using the System Manager Screen
- Starting the HP-UX HIDS System Manager
- Stopping the HP-UX HIDS System Manager
- System Manager Components
- Starting HP-UX HIDS Agents
- Getting the Status of Agent Hosts
- Resynchronizing Agent Hosts
- Activating Schedules on Agent Hosts
- Stopping Schedules on Agent Hosts
- Halting HP-UX HIDS Agents
- Accessing Other Screens
- 5 Using the Schedule Manager Screen
- The Schedule Manager
- Configuring Surveillance Schedules
- Configuring Surveillance Groups
- Configuring Detection Templates
- Setting Surveillance Schedule Timetables
- Configuring Alert Aggregation
- Configuring Monitor Failed Attempts
- Configuring Duplicate Alert Suppression
- Viewing Surveillance Schedule Details
- Predefined Surveillance Schedules and Groups
- 6 Using the Host Manager Screen
- 7 Using the Network Node Screen
- 8 Using the Preferences Screen
- A Templates and Alerts
- Alert Summary
- UNIX Regular Expressions
- Limitations
- Template Property Types
- Buffer Overflow Template
- Race Condition Template
- Modification of files/directories Template
- Changes to Log File Template
- Creation and Modification of setuid/setgid File Template
- Creation of World-Writable File Template
- Modification of Another User’s File Template
- Login/Logout Template
- Repeated Failed Logins Template
- Repeated Failed su Commands Template
- Log File Monitoring Template
- B Automated Response for Alerts
- C Tuning Schedules and Generating Alert Reports
- D The Agent Configuration File
- E The Surveillance Schedule Text File
- F Error Messages
- G Troubleshooting
- Troubleshooting
- Agent and System Manager cannot communicate with each other
- Agent complains that idds has not been enabled, yet lsdev shows /dev/idds is present
- Agent does not start on system boot
- Agent halts abnormally, leaving ids_* files and message queues
- Agent host appears to hang and/or you see message disk full
- Agent needs further troubleshooting
- Agent does not start after installation
- Agents appear to be stuck in polling status
- Agent displays error if hostname to IP mapping is not registered in name service
- Aggregated alerts targets or details field are truncated and the same aggregated alert has several entries logged in the IDS_ALERTFILE
- Alert date/time sort seems inconsistent
- Alerts are not being displayed in the alert browser
- Buffer overflow triggers false positives
- Duplicate alerts appear in System Manager
- Getting several aggregated alerts for the same process
- GUI runs out of memory after receiving around 19,000 alerts
- The idsadmin Command needs installed agent certificates
- The idsadmin Command notifies of bad certificate when pinging a remote agent
- IDS_checkInstall fails with a kmtune error
- IDS_genAdminKeys or IDS_genAgentCerts does not complete successfully
- IDS_genAdminKeys or idsgui quits early
- Large files in /var/opt/ids
- Log files are filling up
- No Agent Available
- Normal operation of an application generates heavy volume of alerts
- Reflection X rlogin produces multiple login and logout alerts
- Schedule Manager timetable screen appears to hang
- SSH does not perform a clean exit after idsagent is started
- System Manager appears to hang
- System Manager does not let you save files to specific directories
- System Manager does not start after idsgui is started
- System Manager starts with no borders or title bar in X client programs on Windows
- System Manager times out on agent functions such as Activate and Status Poll
- UNKNOWN program and arguments in certain alert messages
- Using HP-UX HIDS with IPFilter and SecureShell
- Unable to Generate Administrator Keys and Agent Certificates on PA–RISC 1.1 Systems
- Troubleshooting
- H HP Software License

Table F-1 Agent Error Messages (continued)

Each entry below gives the error message, its meaning, and the recommended action.

Error message:
idsagent: the IDS_LISTEN_IFACE parameter is specified as: <IP Address or Host name> in the configuration file /etc/opt/ids/ids.cf. This is not a valid address or name for this host. Please change the IDS_LISTEN_IFACE parameter in the [global] section of the configuration file to be a valid address or name for this host.

Meaning:
The agent cannot determine which IP address (and the corresponding interface) to listen on for System Manager or idsadmin connections. One of the following applies:
- The IDS_LISTEN_IFACE variable in the [global] section of /etc/opt/ids/ids.cf is empty, and the local host name maps to multiple IP addresses according to the name service.
- The IDS_LISTEN_IFACE variable is set to a host name, and that host name maps to multiple IP addresses according to the name service.
- The IDS_LISTEN_IFACE variable is set to an IP address, and that IP address does not map to the local host name according to the name service, so the agent assumes that an invalid IP address was specified.

Action:
Either specify a specific IP address or 0.0.0.0 (or "::" for IPv6). If you specify a specific IP address, it must correspond to the network interface for the network connecting the agent and system manager systems. If 0.0.0.0 (or "::" for IPv6) is selected, the agent system can be connected to the system manager or the idsadmin that are reachable on any of the agent's network interfaces. On your agent system, edit /etc/opt/ids/ids.cf to set the IDS_LISTEN_IFACE variable to either the IP address you have chosen, or to 0.0.0.0 (or "::" for IPv6).

NOTE: By setting the value of the IDS_LISTEN_IFACE variable to 0.0.0.0 (or "::" for IPv6), the agent will listen for the system manager or the idsadmin connections on a port (see "Configuring Ports") on all available interfaces. Any potential risk from listening on all available interfaces can be avoided by setting the IDS_LISTEN_IFACE variable to an IP address that the name service maps to the local host name. For example, change the IDS_LISTEN_IFACE line to read IDS_LISTEN_IFACE=192.0.2.4.

Error message:
idssysdsp: NOTE: inode of file filename was changed (ok if log rotation expected on this file)

Meaning:
File filename, which is being monitored by the idssysdsp process, has been moved. This is acceptable if the file has just undergone expected log file rotation.

Action:
If the file should not have changed, treat it as a potential intrusion.

Error message:
idssysdsp: NOTE: size of file filename decreased (ok if log rotation expected on this file)

Meaning:
File filename, which is being monitored by the idssysdsp process, changed in size. This is acceptable if the file has just undergone expected log file rotation.

Action:
If the file should not have changed, treat it as a potential intrusion.

Error message:
Internal error

Meaning:
An internal error occurred.

Action:
Contact HP support.

Error message:
Internal error: unknown state

Meaning:
An internal error occurred.

Action:
Contact HP support.

Error message:
unable to open the response script directory dir

Meaning:
idsagent was unable to open or read the /opt/ids/response directory, which contains the alert response scripts.

Action:
Ensure that the directory exists, that it is owned by user:group ids:ids, and that it is readable and executable by user ids.
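The IDS_LISTEN_IFACE entry above lists three conditions under which the agent rejects its listen address. The following script is an added example, not HP's code, that applies those same three checks to an ids.cf-style fragment before the agent is started. It assumes ids.cf uses INI-style sections with one KEY=VALUE per line, and it takes the name service's view as a dictionary (constructed sample data, not real hosts) so that it runs offline.

```python
import ipaddress

# Values that tell the agent to listen on every interface (from the table above).
WILDCARDS = {"0.0.0.0", "::"}


def parse_global(cf_text):
    """Return KEY=VALUE pairs from the [global] section of ids.cf-style text.

    Assumption: INI-style sections, one KEY=VALUE per line, '#' comments.
    """
    section = None
    values = {}
    for raw in cf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values


def check_listen_iface(cf_text, local_hostname, name_service):
    """Apply the three documented failure conditions to IDS_LISTEN_IFACE.

    name_service maps a host name to the list of addresses the name service
    returns for it; it stands in for a real lookup so the check runs offline.
    Returns (ok, explanation).
    """
    value = parse_global(cf_text).get("IDS_LISTEN_IFACE", "")
    local_addrs = name_service.get(local_hostname, [])

    if value == "":
        # Empty: the agent falls back to the local host name, which must
        # map to exactly one address.
        if len(local_addrs) != 1:
            return False, "IDS_LISTEN_IFACE is empty and %s maps to %d addresses" % (
                local_hostname, len(local_addrs))
        return True, "listen on %s (sole address of %s)" % (local_addrs[0], local_hostname)

    if value in WILDCARDS:
        return True, "listen on all interfaces via %s" % value

    try:
        ipaddress.ip_address(value)
    except ValueError:
        # A host name: it must resolve to a single address.
        addrs = name_service.get(value, [])
        if len(addrs) != 1:
            return False, "host name %s maps to %d addresses" % (value, len(addrs))
        return True, "listen on %s (address of %s)" % (addrs[0], value)

    # An explicit address: the name service must map it to the local host.
    if value not in local_addrs:
        return False, "address %s does not map to local host name %s" % (value, local_hostname)
    return True, "listen on %s" % value


# Constructed name-service view for the examples below (not real hosts).
SAMPLE_NAME_SERVICE = {
    "agenthost": ["192.0.2.4"],
    "dualhomed": ["192.0.2.4", "192.0.2.9"],
}

if __name__ == "__main__":
    for cf in ("[global]\nIDS_LISTEN_IFACE=192.0.2.4\n",
               "[global]\nIDS_LISTEN_IFACE=198.51.100.7\n",
               "[global]\nIDS_LISTEN_IFACE=dualhomed\n",
               "[global]\nIDS_LISTEN_IFACE=0.0.0.0\n"):
        print(cf.strip().splitlines()[-1], "->",
              check_listen_iface(cf, "agenthost", SAMPLE_NAME_SERVICE))
```

Running the check on a real agent would mean replacing the dictionary with the host's actual name-service answers; the point is that an explicit, singly-mapped address both satisfies the agent and avoids the all-interfaces exposure the NOTE warns about.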
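The two idssysdsp entries above report an inode change or a size decrease on a monitored file and leave it to the administrator to decide whether a rotation was expected. The script below is an added example, not HP's idssysdsp code, showing how a monitor that polls stat() information distinguishes a normal append from a rotation (new inode, smaller file) and from an in-place truncation (same inode, smaller file). The log file, its contents and the rotation steps are constructed in a temporary directory so that the example runs offline.

```python
import os
import shutil
import tempfile


class MonitoredFile:
    """Track the inode and size of one file between polls, like a log tailer."""

    def __init__(self, path):
        self.path = path
        st = os.stat(path)
        self.inode, self.size = st.st_ino, st.st_size

    def poll(self):
        """Re-stat the file and return the observations the table describes."""
        st = os.stat(self.path)
        notes = []
        if st.st_ino != self.inode:
            notes.append("inode changed")
        if st.st_size < self.size:
            notes.append("size decreased")
        self.inode, self.size = st.st_ino, st.st_size
        return notes


def classify(notes, rotation_expected):
    """Map observations to the table's advice: benign only if rotation was expected."""
    if not notes:
        return "ok"
    return "rotation" if rotation_expected else "potential intrusion"


def demo():
    """Append to, rotate, then truncate a constructed log; return the three poll results."""
    workdir = tempfile.mkdtemp()
    try:
        path = os.path.join(workdir, "sample.log")   # constructed sample file
        with open(path, "w") as f:
            f.write("line1\nline2\n")
        mon = MonitoredFile(path)

        with open(path, "a") as f:                    # normal append: nothing to report
            f.write("line3\n")
        after_append = mon.poll()

        os.rename(path, path + ".0")                  # rotation: old file moved aside ...
        with open(path, "w") as f:                    # ... and a new, empty file created
            f.write("")
        after_rotate = mon.poll()

        with open(path, "a") as f:
            f.write("x" * 100)
        mon.poll()
        with open(path, "w"):                         # in-place truncation: same inode, smaller
            pass
        after_truncate = mon.poll()
        return after_append, after_rotate, after_truncate
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for label, notes in zip(("append", "rotate", "truncate"), demo()):
        print(label, notes, "->", classify(notes, rotation_expected=(label == "rotate")))
```

A truncation that arrives when no rotation is scheduled is exactly the case the table says to treat as a potential intrusion, since clearing a log in place is a common way to hide activity; the inode check is what lets the monitor reopen the new file after a genuine rotation instead of continuing to read the renamed one.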
System Manager Messages
This section describes the error messages that are displayed on the HP-UX HIDS System Manager system.