HP-UX Host Intrusion Detection System Version 4.3 administrator guide
Table Of Contents
- HP-UX Host Intrusion Detection System Version 4.3 administrator guide
- Table of Contents
- About This Document
- 1 Introduction
- 2 Configuring HP-UX HIDS
- 3 Getting Started with HP-UX HIDS
- 4 Using the System Manager Screen
- Starting the HP-UX HIDS System Manager
- Stopping the HP-UX HIDS System Manager
- System Manager Components
- Starting HP-UX HIDS Agents
- Getting the Status of Agent Hosts
- Resynchronizing Agent Hosts
- Activating Schedules on Agent Hosts
- Stopping Schedules on Agent Hosts
- Halting HP-UX HIDS Agents
- Accessing Other Screens
- 5 Using the Schedule Manager Screen
- The Schedule Manager
- Configuring Surveillance Schedules
- Configuring Surveillance Groups
- Configuring Detection Templates
- Setting Surveillance Schedule Timetables
- Configuring Alert Aggregation
- Configuring Monitor Failed Attempts
- Configuring Duplicate Alert Suppression
- Viewing Surveillance Schedule Details
- Predefined Surveillance Schedules and Groups
- 6 Using the Host Manager Screen
- 7 Using the Network Node Screen
- 8 Using the Preferences Screen
- A Templates and Alerts
- Alert Summary
- UNIX Regular Expressions
- Limitations
- Template Property Types
- Buffer Overflow Template
- Race Condition Template
- Modification of files/directories Template
- Changes to Log File Template
- Creation and Modification of setuid/setgid File Template
- Creation of World-Writable File Template
- Modification of Another User’s File Template
- Login/Logout Template
- Repeated Failed Logins Template
- Repeated Failed su Commands Template
- Log File Monitoring Template
- B Automated Response for Alerts
- C Tuning Schedules and Generating Alert Reports
- D The Agent Configuration File
- E The Surveillance Schedule Text File
- F Error Messages
- G Troubleshooting
- Troubleshooting
- Agent and System Manager cannot communicate with each other
- Agent complains that idds has not been enabled, yet lsdev shows /dev/idds is present
- Agent does not start on system boot
- Agent halts abnormally, leaving ids_* files and message queues
- Agent host appears to hang and/or you see message disk full
- Agent needs further troubleshooting
- Agent does not start after installation
- Agents appear to be stuck in polling status
- Agent displays error if hostname to IP mapping is not registered in name service
- Aggregated alerts targets or details field are truncated and the same aggregated alert has several entries logged in the IDS_ALERTFILE
- Alert date/time sort seems inconsistent
- Alerts are not being displayed in the alert browser
- Buffer overflow triggers false positives
- Duplicate alerts appear in System Manager
- Getting several aggregated alerts for the same process
- GUI runs out of memory after receiving around 19,000 alerts
- The idsadmin Command needs installed agent certificates
- The idsadmin Command notifies of bad certificate when pinging a remote agent
- IDS_checkInstall fails with a kmtune error
- IDS_genAdminKeys or IDS_genAgentCerts does not complete successfully
- IDS_genAdminKeys or idsgui quits early
- Large files in /var/opt/ids
- Log files are filling up
- No Agent Available
- Normal operation of an application generates heavy volume of alerts
- Reflection X rlogin produces multiple login and logout alerts
- Schedule Manager timetable screen appears to hang
- SSH does not perform a clean exit after idsagent is started
- System Manager appears to hang
- System Manager does not let you save files to specific directories
- System Manager does not start after idsgui is started
- System Manager starts with no borders or title bar in X client programs on Windows
- System Manager times out on agent functions such as Activate and Status Poll
- UNKNOWN program and arguments in certain alert messages
- Using HP-UX HIDS with IPFilter and SecureShell
- Unable to Generate Administrator Keys and Agent Certificates on PA–RISC 1.1 Systems
- Troubleshooting
- H HP Software License
For example, a program with the full path name /usr/bin/program can be invoked as program, as ../bin/program, or as /bin/program, where /bin is a symbolic link to /usr/bin. Under the conditions previously stated, alert aggregation cannot happen as expected if the regular expression ^/usr/bin/program$ is specified in the aggregation tuple instead of program.
• When the Alert Aggregation option box is deselected in the GUI Schedule Manager Alert Aggregation tab, the Real Time Alerts option box is disabled and is automatically selected to indicate that real-time alerts will be issued.
• Aggregated alerts, such as those generated when installing or removing software using SD, can potentially be very large (many Kbytes in size). You may notice that aggregated alerts in the IDS_ALERTFILE are divided into portions and sent to response programs in portions. The first portion’s code field has a value of 11 and the subsequent portions have a code field value of 12 (see /opt/ids/share/examples/ids_alertResponse.c). You will also notice that the alert targets and details fields are truncated for these aggregated alert portions. The kernel tunables msgmax and msgmnb govern the size of the alerts sent by the idscor process to the idsagent process over IPC message queues. To minimize the segmentation of large aggregated alerts, you can increase the values of the msgmax and msgmnb kernel tunables.
• For large aggregated alerts, only the first portion of the aggregated alert is displayed by the GUI network node. You must refer to the alert log file of the agent to see the complete aggregated alert.
Configuring Monitor Failed Attempts
Monitor Failed Attempts is a surveillance schedule feature that, when enabled, alerts the administrator when there are failed attempts to create, delete, or modify critical files, an indication that an intrusion or system misuse might be in progress. When enabled, the monitoring of failed attempts is performed only for the Modification of files/directories template, the Changes to Log File template, and the Modification of Another User’s File template.
As an example, if the permissions on the file /etc/passwd allow only read permission for the owner, group, and others, and an attacker tries to open the /etc/passwd file with write permission, the open fails. If the Monitor Failed Attempts feature is enabled, an alert is issued.
The Monitor Failed Attempts feature is disabled by default for all newly created and predefined surveillance schedules. It can be configured either by using the GUI Schedule Manager window or by editing a schedule in text format. See “Surveillance Schedule Text File” (page 198) for more information on the schedule in text format. The feature can also be enabled by setting the MONITOR_FAILED_ATTEMPTS parameter in the ids.cf configuration file (see “Kernel Audit Data DSP” (page 194)). The ids.cf configuration file can be used to override the monitor_failed_attempts global property specified in the surveillance schedule.
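The following Python snippet is an added illustration of the decision logic described above; it is not HP-UX HIDS code, and the audit record layout, the field names, and the sample events are constructed for the example. It shows which events produce a failed-attempt alert (only failures, only for the three listed templates) and how an ids.cf MONITOR_FAILED_ATTEMPTS setting overrides the schedule's monitor_failed_attempts property.

```python
from dataclasses import dataclass
from typing import List, Optional

# Templates for which the guide says failed-attempt monitoring is performed.
FAILED_ATTEMPT_TEMPLATES = {
    "Modification of files/directories",
    "Changes to Log File",
    "Modification of Another User's File",
}


@dataclass
class AuditEvent:
    """Constructed audit record; the field names are this example's assumption."""
    template: str    # template whose file list the path matched
    uid: int
    syscall: str     # e.g. "open(O_WRONLY)", "unlink", "rename"
    path: str
    succeeded: bool  # False means the kernel rejected the operation


def monitor_failed_attempts_enabled(schedule_property: bool,
                                    ids_cf_override: Optional[bool]) -> bool:
    """A MONITOR_FAILED_ATTEMPTS value in ids.cf, when present, wins over the
    schedule's monitor_failed_attempts global property."""
    return schedule_property if ids_cf_override is None else ids_cf_override


def failed_attempt_alerts(events: List[AuditEvent], schedule_property: bool,
                          ids_cf_override: Optional[bool] = None) -> List[str]:
    """Return one alert string per failed create/delete/modify attempt on a
    file covered by one of the monitored templates."""
    if not monitor_failed_attempts_enabled(schedule_property, ids_cf_override):
        return []
    alerts = []
    for ev in events:
        # Successful changes are reported by the template itself, not here.
        if ev.succeeded or ev.template not in FAILED_ATTEMPT_TEMPLATES:
            continue
        alerts.append(f"FAILED ATTEMPT uid={ev.uid} {ev.syscall} {ev.path} "
                      f"[{ev.template}]")
    return alerts


# Constructed sample events: a non-root user trying to open /etc/passwd for
# writing (fails), root editing it (succeeds), a failed log deletion, and a
# failed chmod under a template that does not get failed-attempt monitoring.
SAMPLE_EVENTS = [
    AuditEvent("Modification of files/directories", 1001, "open(O_WRONLY)", "/etc/passwd", False),
    AuditEvent("Modification of files/directories", 0, "open(O_WRONLY)", "/etc/passwd", True),
    AuditEvent("Changes to Log File", 1001, "unlink", "/var/adm/syslog/syslog.log", False),
    AuditEvent("Creation of World-Writable File", 1001, "chmod", "/tmp/x", False),
]

if __name__ == "__main__":
    for alert in failed_attempt_alerts(SAMPLE_EVENTS, schedule_property=True):
        print(alert)
```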
To configure and enable the Monitor Failed Attempts feature, follow these steps:
Configuring Monitor Failed Attempts 75