HP-UX Host Intrusion Detection System Version 4.
Legal Notices Copyright 2009 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Table of Contents
1 Announcement
What is HP-UX HIDS
Compatibility with Previous Versions
Compatibility with Other Products
Administration and Agent Systems
Administration System
Agent Systems
Dual System
List of Tables
1-1 HP-UX HIDS Product Compatibility
2-1 Filesets of HIDS
2-2 Software to Install
2-3 Software Depots
List of Examples
1-1 Invalid Modification - Scenario 1
1-2 Invalid Modification - Scenario 2
1 Announcement
The HP-UX Host Intrusion Detection System Version 4.3 is a maintenance release that contains defect fixes but no new features or enhancements.
What is HP-UX HIDS
HP-UX HIDS is a host-based HP-UX security product for HP computers running HP-UX 11i. HP-UX HIDS enables security administrators to proactively monitor, detect, and respond to attacks targeted at specific hosts. Many types of attacks can bypass network-based detection systems.
Table 1-1 HP-UX HIDS Product Compatibility (continued)
Product                                        Supported?
HP-UX 11i v1                                   No
NIS, NIS+                                      Yes
OpenView                                       Yes
ServiceGuard                                   Not tested
Third-party Event Monitoring Service (EMS)     Not tested
Trusted Mode operation                         Yes
Virtual Vault                                  No
Localization
The HP-UX HIDS software and documentation are not localized in non-English languages.
Documentation
The HP-UX HIDS documentation includes manuals, manpages, information on the HP OpenView SMART Plug-In, an IDS Mailing List, and the ITRC Security Forum.
Manuals
The following documents are available at the HP technical documentation Website in the Internet Security Solutions collection, http://docs.hp.com/en/internet and on the Instant Information CD in the Internet and Security Solutions collection.
HP Part No.    Title
5992–6529      HP-UX Host Intrusion Detection System Version 4.
IDS Mailing List
To receive the latest news about HP-UX HIDS, send an email message to majordomo@hpuxmail.cup.hp.com. Include only the following line in the body of the message:
subscribe ids9000-news
NOTE: The term ids9000 refers to the previous name of the product. This address is for subscription requests only. Do not send product questions or other inquiries.
Clarifications
Perform Updates Instead of Cold Reinstalls
HP-UX HIDS is designed to support updates. If users cold reinstall the newer version by first removing the older version (swremove), two reboots (instead of just one or possibly none) will occur and there is the possibility of losing some configuration data.
Do not Change Permissions
Do not change the permissions on files and directories owned by ids.
Example 1-1 Invalid Modification - Scenario 1
In this example, the GUI Schedule Manager allows the administrator to enter an unequal number of pathnames_X and programs_X pathname groups:
pathnames_1 | file1 & file 2 | file3 | file4
programs_1 | prog1 | prog2
However, the administrator will not be able to activate the schedule as there is no corresponding program for file4.
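A pre-activation check for the mismatch shown in Example 1-1, added here as an illustration (it is not HP code and not part of HIDS). It assumes the properties are available as text lines in the notation printed in the example, with "|" separating groups and "&" joining the members of one group; parse_property and unpaired_groups are hypothetical helper names.

```python
import re

# Property names as they appear in Example 1-1: pathnames_X / programs_X.
PROP = re.compile(r"(pathnames|programs)_(\d+)$")


def parse_property(line):
    """Split 'name | group | group' into (kind, X, groups).

    Assumed notation, taken from Example 1-1: '|' separates groups and
    '&' joins the members of one group.
    """
    name, *groups = (field.strip() for field in line.split("|"))
    match = PROP.match(name)
    if match is None:
        raise ValueError(f"not a pathnames_X/programs_X property: {name!r}")
    members = [[m.strip() for m in g.split("&") if m.strip()] for g in groups]
    return match.group(1), int(match.group(2)), members


def unpaired_groups(lines):
    """Return (X, kind, position, members) for every group with no counterpart."""
    props = {}
    for line in lines:
        if line.strip():
            kind, index, groups = parse_property(line)
            props.setdefault(index, {})[kind] = groups
    problems = []
    for index in sorted(props):
        paths = props[index].get("pathnames", [])
        progs = props[index].get("programs", [])
        if len(paths) > len(progs):
            longer, kind = paths, "pathnames"
        else:
            longer, kind = progs, "programs"
        # Groups beyond the shorter list have nothing to pair with.
        for pos in range(min(len(paths), len(progs)), len(longer)):
            problems.append((index, kind, pos + 1, longer[pos]))
    return problems


# The two properties from Scenario 1, exactly as printed in the example.
SCENARIO_1 = [
    "pathnames_1 | file1 & file 2 | file3 | file4",
    "programs_1 | prog1 | prog2",
]

if __name__ == "__main__":
    for index, kind, pos, members in unpaired_groups(SCENARIO_1):
        print(f"{kind}_{index}: group {pos} {members} has no counterpart")
```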
longer has a connection to that agent. A status command will reestablish a connection to that agent.
The idsadmin Tool Cannot Monitor more than one Agent at a Time
The idsadmin tool does not monitor or display alerts in near real-time from multiple agents at the same time. The idsadmin tool can only monitor and display alerts from one agent at any given time.
Then type in the /sbin/init.d/idsagent start commands interactively.
Agents and Kernel Parameters
The administration System Manager can monitor up to 23 agent systems unless you make kernel parameter changes, as described in Chapter 2, “Configuring HP-UX HIDS,” in the Host Intrusion Detection System Administrator’s Guide.
Dropped Kernel Audit Records
Depending on the system profile and product configuration, and under heavy loads, HIDS can drop kernel audit records and therefore miss potential intrusions.
The swverify command reports an error after removing the IDS Agent or the IDS Admin subproduct from a server that has the HIDS bundle installed.
After installing HP-UX HIDS v4.3 on a server, if the IDS Agent (IDS-AGT-RUN fileset) or IDS Admin (IDS-ADM-RUN and IDS-ADM-SHLIB filesets) subproduct is removed from the installation, the swverify IDS command report displays the following error message:
ERROR: File "/opt/ids/lbin/ssl-tool" missing.
ERROR: Fileset "IDS.IDS-AGT-RUN,l=/opt/ids,r=F.04.03.
2 Installation
This chapter provides information about HIDS installation.
IMPORTANT: Read this entire chapter before installing or updating to HIDS version 4.1.
Introduction
HP-UX HIDS version 4.3 bundle can be downloaded from the HP Software Depot Website. The following product versions are supported:
• HPUX-HIDS E.04.03.04 for HP-UX 11i v2
• HPUX-HIDS F.04.03.01 for HP-UX 11i v3
The HIDS software product bundle, HPUX-HIDS, contains the IDS and IDS-KRN products.
In addition to these Release Notes, you will need the Host Intrusion Detection System Administrator’s Guide Software Release 4.3, for information on configuration and initial startup.
1. Ensure that your administration and agent systems meet the requirements as described in “Hardware and Software Requirements” (page 18).
2. If you want to migrate your existing schedules to HIDS 4.2, complete the steps listed in “Migrating Schedules from Older Versions of HIDS” (page 19).
Migrating Schedules from Older Versions of HIDS
Surveillance schedules created using HIDS v3.1 and v4.0 must be migrated before they can be run by HIDS v4.3 agents. Schedules created using HIDS v4.1 do not need to be migrated unless the features introduced in version 4.2 and supported in version 4.3 are needed. Schedules created using HIDS v4.2 do not need to be migrated.
NOTE: If you are migrating schedules created using HIDS v3.1, you must first upgrade to HIDS v4.0 and convert them to HIDS v4.
Table 2-3 Software Depots
Depot: 11i Admin+Agent Depot, /var/depot/ids_11i_admin+agent
For an HP-UX 11i system supporting the HIDS administration and agent software
Contents:
• Required system patches
• Required Java patches
• J2SE 5.0
• IDS.IDS-ADM-RUN and IDS.IDS-ADM-SHLIB subproduct
• IDS.IDS-AGT-RUN subproduct
• IDS.IDS-ENG-A-MAN subproduct
• IDS-KRN subproduct
• OpenSSL product
Depot: /var/depot/ids_11i_admin
For an HP-UX 11i system supporting the HIDS administration
Contents:
• Required Java patches
• J2SE 5.
NOTE: You must be registered before you can download patches.
5. Using the instructions on the Web site, download the patches listed in Table 2-5 (for HP-UX 11iv2) into /var/tmp/idspatch_11i.
NOTE: Note the following:
• Some patches might have dependency patches, that is, patches that must be installed first. Click the dependency links and download the dependency patches as well.
• Some patches might be superseded. You can choose the patch listed in Table 2-5 (for HP-UX 11iv2), or the superseded patch.
Get the HP-UX HIDS Product
HP-UX HIDS version 4.3 for HP-UX 11i v2 and HP-UX 11i v3 is available from the HP Software Depot (http://software.hp.com).
From the HP-UX 11i v2 and HP-UX 11i v3 System Versions
Refer to the HP-UX 11i Version 2 Installation and Update Guide or HP-UX 11i Version 3 Installation and Update Guide for information on installing HIDS with a system installation or upgrade.
2. Do the following: Locate the HP-UX 11i Application Release CD that contains the HP-UX HIDS product bundle and load it into your CD reader. In this procedure it is mounted on /SD_CDROM.
a. • 11i Agent Depot
Copy the 11i IDS-KRN product and IDS agent subproducts into the ids_11i_agent depot:
# swcopy -x enforce_dependencies=false -s /SD_CDROM HPUX-HIDS.IDS-KRN HPUX-HIDS.IDS.IDS-AGT-RUN HPUX-HIDS.IDS.IDS-ENG-A-MAN @ /var/depot/ids_11i_agent
b.
Get Patches for Java
1. Log in as superuser (root) on the depot system. See “Create the Depot Directory” (page 20).
2. Create a directory in which you can save the patches and make a depot. This procedure uses /var/tmp/javapatch.
3. Open the HP Java Website: http://www.hp.com/go/java
4. Click on the patches link.
5. Take note of the patches that you need, based on your administration system.
6. Open the HP Support Website: http://itrc.hp.com
7. Click on individual patches.
7. Transfer the software to the administration depot using one of the following steps:
a. • 11i Admin Depot
If your administration system will not be running an agent, copy the 11i Java software into the ids_11i_admin depot:
# swcopy -x enforce_dependencies=false -s /var/tmp/jre15_15001_1111.depot \* @ /var/depot/ids_11i_admin
b.
NOTE: In the following procedure, swinstall does not reinstall any patches or applications that are already installed. You can ignore messages to that effect. The software you need will be installed properly. Do not reinstall any patches without consulting HP Support first. The swinstall option -x autoreboot=true in the following procedure ensures that any software that requires a system reboot will be installed. If none of the installed software requires a reboot, the system will not be rebooted.
Will Installing HP-UX HIDS Version 4.3 Reboot My Agent System?
The installation scripts for HP-UX HIDS try to avoid unnecessary system reboots. However, in some circumstances, a system reboot might be required. Those circumstances are (in order of priority):
1. If you choose the Reinstall Filesets option in the graphical interface to swinstall, all HIDS filesets will be installed, and a system reboot will occur.
Optional
You might also need to complete one or more of the following steps:
• Configuring a multihomed agent system
If you have an agent system with more than one IP address, you may have to specify the correct address to the agent and administration software.
• Configuring a multihomed administration system
If you have an administration system with more than one IP address, you may have to specify the correct address to the agent and administration software.
A HP Software License Attention USE OF THE HP-UX HOST INTRUSION DETECTION SYSTEM AND ASSOCIATED DOCUMENTATION (COLLECTIVELY, THE "SOFTWARE") IS SUBJECT TO THE HP SOFTWARE LICENSE TERMS SET FORTH BELOW. USING THE SOFTWARE INDICATES YOUR ACCEPTANCE OF THESE LICENSE TERMS. IF YOU DO NOT ACCEPT THESE LICENSE TERMS, YOU MAY RETURN THE SOFTWARE FOR A FULL REFUND. IF THE SOFTWARE IS BUNDLED WITH ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE UNUSED PRODUCT FOR A FULL REFUND.
* permission, please contact openssl-core@openssl.org. * * 5. Products derived from this software may not be called * "OpenSSL" nor may "OpenSSL" appear in their names without * prior written permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the * following acknowledgment: * "This product includes software developed by the OpenSSL * Project for use in the OpenSSL Toolkit * (http://www.openssl.
* copyright notice, this list of conditions and the * following disclaimer. * 2. Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the * following disclaimer in the documentation and/or other * materials provided with the distribution. * 3. All advertising materials mentioning features or use of * this software must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.
No Disassembly or Decryption. You may not disassemble or decompile the Software without HP’s prior written consent. Where you have other rights under statute, you will provide HP with reasonably detailed information regarding any intended disassembly or decompilation. You may not decrypt the Software unless necessary for the legitimate use of the Software. Transfer. You may transfer your rights under this Agreement to another party on a permanent basis.