HP-UX Host Intrusion Detection System Version 4.3 administrator guide
Table Of Contents
- About This Document
- 1 Introduction
- 2 Configuring HP-UX HIDS
- 3 Getting Started with HP-UX HIDS
- 4 Using the System Manager Screen
- Starting the HP-UX HIDS System Manager
- Stopping the HP-UX HIDS System Manager
- System Manager Components
- Starting HP-UX HIDS Agents
- Getting the Status of Agent Hosts
- Resynchronizing Agent Hosts
- Activating Schedules on Agent Hosts
- Stopping Schedules on Agent Hosts
- Halting HP-UX HIDS Agents
- Accessing Other Screens
- 5 Using the Schedule Manager Screen
- The Schedule Manager
- Configuring Surveillance Schedules
- Configuring Surveillance Groups
- Configuring Detection Templates
- Setting Surveillance Schedule Timetables
- Configuring Alert Aggregation
- Configuring Monitor Failed Attempts
- Configuring Duplicate Alert Suppression
- Viewing Surveillance Schedule Details
- Predefined Surveillance Schedules and Groups
- 6 Using the Host Manager Screen
- 7 Using the Network Node Screen
- 8 Using the Preferences Screen
- A Templates and Alerts
- Alert Summary
- UNIX Regular Expressions
- Limitations
- Template Property Types
- Buffer Overflow Template
- Race Condition Template
- Modification of files/directories Template
- Changes to Log File Template
- Creation and Modification of setuid/setgid File Template
- Creation of World-Writable File Template
- Modification of Another User’s File Template
- Login/Logout Template
- Repeated Failed Logins Template
- Repeated Failed su Commands Template
- Log File Monitoring Template
- B Automated Response for Alerts
- C Tuning Schedules and Generating Alert Reports
- D The Agent Configuration File
- E The Surveillance Schedule Text File
- F Error Messages
- G Troubleshooting
- Troubleshooting
- Agent and System Manager cannot communicate with each other
- Agent complains that idds has not been enabled, yet lsdev shows /dev/idds is present
- Agent does not start on system boot
- Agent halts abnormally, leaving ids_* files and message queues
- Agent host appears to hang and/or you see message disk full
- Agent needs further troubleshooting
- Agent does not start after installation
- Agents appear to be stuck in polling status
- Agent displays error if hostname to IP mapping is not registered in name service
- Aggregated alerts targets or details field are truncated and the same aggregated alert has several entries logged in the IDS_ALERTFILE
- Alert date/time sort seems inconsistent
- Alerts are not being displayed in the alert browser
- Buffer overflow triggers false positives
- Duplicate alerts appear in System Manager
- Getting several aggregated alerts for the same process
- GUI runs out of memory after receiving around 19,000 alerts
- The idsadmin Command needs installed agent certificates
- The idsadmin Command notifies of bad certificate when pinging a remote agent
- IDS_checkInstall fails with a kmtune error
- IDS_genAdminKeys or IDS_genAgentCerts does not complete successfully
- IDS_genAdminKeys or idsgui quits early
- Large files in /var/opt/ids
- Log files are filling up
- No Agent Available
- Normal operation of an application generates heavy volume of alerts
- Reflection X rlogin produces multiple login and logout alerts
- Schedule Manager timetable screen appears to hang
- SSH does not perform a clean exit after idsagent is started
- System Manager appears to hang
- System Manager does not let you save files to specific directories
- System Manager does not start after idsgui is started
- System Manager starts with no borders or title bar in X client programs on Windows
- System Manager times out on agent functions such as Activate and Status Poll
- UNKNOWN program and arguments in certain alert messages
- Using HP-UX HIDS with IPFilter and SecureShell
- Unable to Generate Administrator Keys and Agent Certificates on PA-RISC 1.1 Systems
- Troubleshooting
- H HP Software License
Glossary of HP-UX HIDS Terms

Data Source Process (DSP)
    A component of the HP-UX HIDS agent that reads the data sources and presents the information for alert calculation.

Detection template
    Basic building block or pattern used to combat security attacks on systems.

Duplicate alert
    An alert whose attacker (uid), target, type of attack (action), and program name attributes are the same as those of an alert already reported by HIDS, within the specified Suppression Count and Suppression Interval values.

Duplicate Alert Suppression (DAS)
    A feature that suppresses duplicate alerts from being generated and reported to the HIDS administrator console. This feature applies only to kernel-related templates, except the race condition and buffer overflow templates.

HTML
    HyperText Markup Language (HTML) is a markup language for creating web pages.

Intrusion
    An intrusion is also referred to as an attack. A violation of system security policy by an unauthorized outsider. An intrusion can include intruding into an unauthorized network area, accessing certain systems within the network, accessing certain files, or running certain programs.

Intrusion Detection Data Source (IDDS)
    The HP-UX kernel-based audit system used by HP-UX HIDS to monitor the host system for potential intrusion activities.

Intrusion Detection System (IDS)
    An automated system that detects a security violation on a system or a network.

Kernel
    The core of the operating system. It is the compiled code responsible for managing the system's resources, such as memory, file system, and input and output.

Managed host
    A host that is actively managed by the HIDS Administrative GUI or CLUI.

Open View Operations (OVO)
    A distributed client and server software solution designed to detect, solve, and prevent problems occurring in networks, systems, and applications in any enterprise. OVO is a scalable and flexible solution that can be configured to meet the requirements of any IT organization and its users. In addition, you can expand the applications of OVO by integrating management applications from HP OpenView partners or other vendors.

Response Script
    Once HP-UX HIDS detects an intrusive activity, it sends an alert to the System Manager. In addition, it executes a set of programs located on the system that was attacked. This script is passed the details of the alert, and can take whatever actions the system administrator requires.

Secure Sockets Layer (SSL)
    A protocol for sending data across a network that prevents an eavesdropper from observing or modifying any data transmitted. It is used for all HP-UX HIDS communication between agent systems and the administration system.

Summary alert
    An alert containing a summary of the duplicate, suppressed alerts of a previously reported alert.

Suppression count
    The maximum number of duplicate alerts suppressed for a given alert.

Suppression interval
    The maximum elapsed time during which duplicate alerts of a particular alert are suppressed.

Surveillance Group
    A group of detection templates. For example, all detection templates related to checking for file system intrusions can be grouped into a "File System" surveillance group.

Surveillance Schedule
    A set of configurable surveillance groups to be deployed on one or more systems on a scheduled basis. A particular surveillance group is assigned to run on a given system at one or more particular times of the day on one or more given days of the week.

System Manager GUI
    The graphical user interface (GUI) through which you control the operations of HP-UX HIDS and where notification of alerts is displayed.

Template Properties
    External values provided as parameters to templates to change a template's behavior at run time.
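To make the Duplicate Alert Suppression terms above concrete, here is an added example (not HP-UX HIDS code) that models the duplicate key named in the "Duplicate alert" entry, the suppression count and suppression interval, and the summary alert that reports what was suppressed. The alert values, the action name MODIFY, and the exact behaviour at the count and interval boundaries are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Alert:
    """Constructed alert; key attributes are those in the 'Duplicate alert' entry."""
    time: float   # seconds since epoch
    uid: int
    target: str
    action: str
    program: str

class DuplicateAlertSuppressor:
    """Report the first alert for a key, suppress the duplicates that follow it
    within suppression_interval seconds (up to suppression_count of them), then
    emit a summary alert. Boundary behaviour is an assumption, not HIDS's."""
    def __init__(self, suppression_count: int, suppression_interval: float):
        self.count = suppression_count
        self.interval = suppression_interval
        self._open: Dict[tuple, List] = {}   # key -> [first_time, suppressed]

    def process(self, alert: Alert) -> List[Tuple[str, object]]:
        key = (alert.uid, alert.target, alert.action, alert.program)
        out: List[Tuple[str, object]] = []
        win = self._open.get(key)
        if win is not None and alert.time - win[0] > self.interval:
            # Interval elapsed: close the window and summarise what it suppressed.
            if win[1] > 0:
                out.append(("summary", {"key": key, "suppressed": win[1]}))
            win = None
        if win is None:
            self._open[key] = [alert.time, 0]     # first sighting: report it
            out.append(("report", alert))
            return out
        win[1] += 1
        out.append(("suppress", key))
        if win[1] >= self.count:
            # Count exhausted: summarise now; the next duplicate is reported anew.
            del self._open[key]
            out.append(("summary", {"key": key, "suppressed": win[1]}))
        return out

def run_sample() -> List[str]:
    """Feed a constructed alert stream through DAS (count 3, interval 60 s)."""
    das = DuplicateAlertSuppressor(suppression_count=3, suppression_interval=60.0)
    def mk(t: float, target: str = "/etc/passwd") -> Alert:
        return Alert(t, 1001, target, "MODIFY", "/usr/bin/vi")
    stream = [mk(0), mk(5), mk(10), mk(20), mk(25), mk(30, "/etc/shadow"), mk(200)]
    return [kind for a in stream for kind, _ in das.process(a)]
```

In the sample stream the fourth duplicate exhausts the count and produces a summary, the alert on /etc/shadow has a different key and is reported on its own, and the alert at 200 s falls outside the interval and is reported again.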