HP-UX Host Intrusion Detection System Version 4.3 administrator guide
Table Of Contents
- HP-UX Host Intrusion Detection System Version 4.3 administrator guide
- Table of Contents
- About This Document
- 1 Introduction
- 2 Configuring HP-UX HIDS
- 3 Getting Started with HP-UX HIDS
- 4 Using the System Manager Screen
- Starting the HP-UX HIDS System Manager
- Stopping the HP-UX HIDS System Manager
- System Manager Components
- Starting HP-UX HIDS Agents
- Getting the Status of Agent Hosts
- Resynchronizing Agent Hosts
- Activating Schedules on Agent Hosts
- Stopping Schedules on Agent Hosts
- Halting HP-UX HIDS Agents
- Accessing Other Screens
- 5 Using the Schedule Manager Screen
- The Schedule Manager
- Configuring Surveillance Schedules
- Configuring Surveillance Groups
- Configuring Detection Templates
- Setting Surveillance Schedule Timetables
- Configuring Alert Aggregation
- Configuring Monitor Failed Attempts
- Configuring Duplicate Alert Suppression
- Viewing Surveillance Schedule Details
- Predefined Surveillance Schedules and Groups
- 6 Using the Host Manager Screen
- 7 Using the Network Node Screen
- 8 Using the Preferences Screen
- A Templates and Alerts
- Alert Summary
- UNIX Regular Expressions
- Limitations
- Template Property Types
- Buffer Overflow Template
- Race Condition Template
- Modification of files/directories Template
- Changes to Log File Template
- Creation and Modification of setuid/setgid File Template
- Creation of World-Writable File Template
- Modification of Another User’s File Template
- Login/Logout Template
- Repeated Failed Logins Template
- Repeated Failed su Commands Template
- Log File Monitoring Template
- B Automated Response for Alerts
- C Tuning Schedules and Generating Alert Reports
- D The Agent Configuration File
- E The Surveillance Schedule Text File
- F Error Messages
- G Troubleshooting
- Troubleshooting
- Agent and System Manager cannot communicate with each other
- Agent complains that idds has not been enabled, yet lsdev shows /dev/idds is present
- Agent does not start on system boot
- Agent halts abnormally, leaving ids_* files and message queues
- Agent host appears to hang and/or you see message disk full
- Agent needs further troubleshooting
- Agent does not start after installation
- Agents appear to be stuck in polling status
- Agent displays error if hostname to IP mapping is not registered in name service
- Aggregated alerts targets or details field are truncated and the same aggregated alert has several entries logged in the IDS_ALERTFILE
- Alert date/time sort seems inconsistent
- Alerts are not being displayed in the alert browser
- Buffer overflow triggers false positives
- Duplicate alerts appear in System Manager
- Getting several aggregated alerts for the same process
- GUI runs out of memory after receiving around 19,000 alerts
- The idsadmin Command needs installed agent certificates
- The idsadmin Command notifies of bad certificate when pinging a remote agent
- IDS_checkInstall fails with a kmtune error
- IDS_genAdminKeys or IDS_genAgentCerts does not complete successfully
- IDS_genAdminKeys or idsgui quits early
- Large files in /var/opt/ids
- Log files are filling up
- No Agent Available
- Normal operation of an application generates heavy volume of alerts
- Reflection X rlogin produces multiple login and logout alerts
- Schedule Manager timetable screen appears to hang
- SSH does not perform a clean exit after idsagent is started
- System Manager appears to hang
- System Manager does not let you save files to specific directories
- System Manager does not start after idsgui is started
- System Manager starts with no borders or title bar in X client programs on Windows
- System Manager times out on agent functions such as Activate and Status Poll
- UNKNOWN program and arguments in certain alert messages
- Using HP-UX HIDS with IPFilter and SecureShell
- Unable to Generate Administrator Keys and Agent Certificates on PA–RISC 1.1 Systems
- Troubleshooting
- H HP Software License
Agent halts abnormally, leaving ids_* files and message queues
□ If a running agent was not halted as described in “Halting HP-UX HIDS Agents” (page 54)
(for example, the agent was stopped with kill -9), then you need to clean up the message
queues, which the agent uses for interprocess communication (IPC). This is important because
the kernel has a limited number of message queues that IDS and other applications need in
order to run.
You should also remove any file in /var/opt/ids/ whose name starts with the string
“ids_” and ends with a number (e.g., ids_1001). These are memory mapped files that are
used by HIDS processes for interprocess communication. If they are not cleaned up, the
corresponding partition might become full. A new memory mapped file will be automatically
created the next time the agent starts a schedule. You should *not* remove any memory
mapped files when a schedule is running.
Procedure G-1 To clean up the IDS message queues
1. Determine which message queues are used by HP-UX HIDS:
ipcs -q grep ids
2. Remove the /var/opt/ids/ids_* files.
3. Remove each queue:
ipcrm -q <qid1> -q <qid2>...-q <qidn>
Here’s an example of a hard kill followed by a message queue cleanup.
# ps -fu ids # display the ids processes
ids 16546 1 0 Apr 7 ? 3:09 ./idsagent
# kill -9 16546 # hard kill of idsagent
# ipcs -q grep ids # display the message queue
q 602 0x000003e8 --rw------- ids ids
# ipcrm -q 602 # delete the message queue
Agent host appears to hang and/or you see message disk full
□ Check the local disk for available capacity. The following files have a tendency to become
large and may need to be archived and truncated, or moved to a different disk partition
with more space:
• /var/opt/ids/alert.log
• /var/opt/ids/gui/logs/hostname_alert.log
• /var/opt/ids/error.log
• /var/opt/ids/gui/logs/Trace.log
• /var/opt/ids/gui/guiError.log
Agent needs further troubleshooting
□ Create a directory for the logging information (for example, /var/log)
□ Restart the idsagent process with debugging enabled:
• /sbin/init.d/idsagent stop
• /opt/ids/bin/idsagent -d -e -l /var/log/idslog
□ The debug information can be found in the following files:
• /var/log/idslog
• /var/log/idslog_idskerndsp
• /var/log/idslog_idssysdsp
• /var/log/idslog_idscor
Agent does not start after installation
□ Verify that there are no errors from the install: /var/adm/sw/swagent.log
□ Be sure the product has been run as user ids. (No other user will work.)
216 Troubleshooting