HP-UX Host Intrusion Detection System Version 4.
Legal Notices Copyright 2011 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
About This Document This document describes how to configure and administer the HP-UX HIDS software on HP-UX servers and workstations running HP-UX 11i v3. The document printing date and part number indicate the document’s current edition. The printing date will change when a new edition is printed. Minor changes may be made at reprint without changing the printing date. The document part number will change when extensive changes are made.
Chapter 2 Configuring HP-UX HIDS: Describes how to configure HP-UX HIDS System Manager and Agent software. Chapter 3 Getting Started with HP-UX HIDS: Provides information about the procedures you must follow to get the System Manager and agents up and running on the administrative and monitored systems. Chapter 4 System Manager Screen: Describes the tasks you can perform using the HP-UX HIDS System Manager screen.
Typographic conventions:
• Emphasis: Text that is emphasized.
• Emphasis: Text that is strongly emphasized.
• Term: The defined use of an important word or phrase.
• ComputerOut: Text displayed by the computer.
• UserInput: Commands and other text that you type.
• Command: A command name or qualified command phrase.
• Variable: The name of a variable that you may replace in a command or function, or information in a display that represents several possible values.
• [ ]: The contents are optional in formats and command descriptions.
1 Introduction This chapter introduces the HP-UX Host Intrusion Detection System (HP-UX HIDS) software, an HP-UX product that enhances the local host-level security within your network.
security solutions have focused on firewalls and web servers, completely ignoring the serious problem that comes from within. Industrial corporate espionage is also a significant threat. How are These Threats Realized? This section discusses the circumstances that lead to some common security problems. Misplaced Trust Trust can be misplaced during any of the following events: • While accessing the website of a specific company, you trust that it is the website of the company you intend to visit.
Excessive Privileges for Simple Tasks Code that runs with privileges (such as root on UNIX® systems, or as administrator on Windows NT® systems) is particularly vulnerable, because a simple bug can have a major impact. Most code is not designed to withstand security attacks. Moreover, most code runs with more privileges than it needs to accomplish its task. Often a site installs its web server to run as root, granting it far greater privileges than it needs to serve up websites and CGI scripts.
Encryption does not protect data while it is in the clear (not encrypted) as you process it, for example, while preparing a document for printing. Moreover, encryption cannot protect your systems against denial-of-service attacks. Despite all the advantages of encryption, it is only part of an overall security solution. Security Auditing Tools A security auditing tool probes systems and networks for potential vulnerabilities that attackers can exploit, generates a report identifying holes, and recommends fixes.
HP-UX HIDS Functionality HP-UX Host Intrusion Detection System (HIDS) is an intrusion detection system that enhances local host-level security within a network. It automatically monitors each configured host system within the network for possible signs of unwanted and potentially damaging intrusions. If an intrusion is successful, it can lead to the loss of availability of key systems or compromise system integrity.
HP-UX HIDS Components HP-UX HIDS includes the following components: • System Manager The System Manager is a GUI that enables you to configure, control, and monitor the HP-UX HIDS system. Any intrusions detected are reported as alerts. • Host-based agent The host-based agent gathers system data, monitors system activity, and issues intrusion alerts. • Detection templates Detection templates contain the most commonly encountered system attack patterns.
Figure 1 HP-UX HIDS Components HP-UX HIDS monitors system activity by analyzing data from the following file sources: • Kernel audit data • System log files HP-UX HIDS analyzes this information against its configured attack scenarios. It then identifies possible intrusions and misuse immediately following any suspected activity, and at the same time sends an alert, with detailed information about the potential attack, to the HP-UX HIDS System Manager.
surveillance schedule. You can deploy a surveillance schedule on one or more host systems. You can also create different surveillance schedules for one or more systems within your network. Kernel Audit Data Kernel audit logs are generated by a trusted component of the operating system. The audit logs include information about every system call that is executed on the host. The information also includes parameters and outcomes, and is the lowest level of data utilized by HP-UX HIDS.
Data source System data monitored by HP-UX HIDS to detect intrusions. Examples of data sources are the wtmp[s]/btmp[s] and su log files for monitoring logins, logouts, and su attempts, as well as kernel audit records produced by the kernel audit subsystem (IDDS) for monitoring for file system modifications and for signs of other intrusions or misuse. Data Source Process (DSP) A component of the HP-UX HIDS agent that reads the data sources and presents the information for alert calculation.
System Manager GUI The graphical user interface (GUI) through which you control the operations of HP-UX HIDS and where notification of alerts is displayed. Template Properties External values provided as parameters to templates to change a template's behavior at run time. Tune Report A report containing a summary of all the unique alerts across multiple agents that are running the same schedule; it also includes suggested filtering rules.
2 Configuring HP-UX HIDS This chapter describes how to configure HP-UX HIDS System Manager and the Agent software. For information on installing HIDS, see HP-UX HIDS 4.4 release notes.
Setting Up HP-UX HIDS Secure Communications HP-UX HIDS provides a secure communication environment between the System Manager and the agent processes through the Secure Sockets Layer (SSL) protocol. To ensure secure communication, both the System Manager process that runs on the administration system and the HP-UX HIDS agent process that runs on each participating agent system must have a certificate.
1. Create the X.509 Certificates To create a certificate for the HP-UX HIDS System Manager process, first generate the ids user locally on the HP-UX HIDS administration system. Only then can the certificates for each of the agent nodes be signed by the HP-UX HIDS administration system. The administration system holds the Root Certification Authority (Root CA) that endorses all other certificates. a. On the administration system, log in as follows: $su - ids b.
$IDS_genAgentCerts In this process, each host name or IP address you enter is checked for validity, using the nslookup command. For more information, see nslookup(1). If you enter a host name and nslookup returns a single IP address, the host name and IP address are saved in a temporary file and the key bundle is created. If you enter an IP address and nslookup returns a host name, the host name and IP address are saved in a temporary file and the key bundle is created.
$ IDS_genAgentCerts ==> Be sure to run this script on the IDS Administration host. Generate keys for which host? 2001::db8:100 Generating key pair and certificate request for IDS Agent on 2001::db8:100.... Signing certificate for IDS Agent on 2001::db8:100 ... Certificate package for IDS Agent on 2001::db8:100 is /var/opt/ids/tmp/2001::db8:100.tar.Z Next hostname (^D to quit)? myhost2 Generating key pair and certificate request for IDS Agent on myhost2.... Signing certificate for IDS Agent on myhost2 ...
installation. The agent certificate bundles are generated and stored in the following files: • /var/opt/ids/tmp/myhost1.tar.Z • /var/opt/ids/tmp/myhost2.tar.Z • /var/opt/ids/tmp/15.27.43.6.tar.Z • /var/opt/ids/tmp/2001::db8:100.tar.Z NOTE: The IDS_genAdminKeys and IDS_genAgentCerts commands include options to provide alternate key lengths and alternate expiration dates for the administration and agent certificates.
3. Installing the keys on each host Install the bundle of keys generated for each agent system on that system. Store the agent certificate bundle in the /var/opt/ids/tmp directory. a. Log in as follows: $su - ids b. Change directory to /opt/ids/bin, as follows: $cd /opt/ids/bin c. Store the key bundle in a directory, such as /var/opt/ids/tmp. d. Import the key bundle: $IDS_importAgentKeys /var/opt/ids/tmp/agentsys.tar.
1. Determine if the agent system is multihomed. Use the nslookup command to determine which IP address corresponds to the host name of the system. If more than one IP address is returned by nslookup, your system is multihomed. If only one IP address is returned, your system is not multihomed. NOTE: No modifications are needed for a system that has only one IP address. 2. Select the interface on which you want the HP-UX HIDS agent to communicate with the administration system.
The HP-UX HIDS agent software is installed on a system named large, that has four network interface cards, each with a unique IP address. Three of the IP addresses are mapped to aliases large1, large2, and large3 as shown by the following commands: $nslookup large ... Addresses: 1.2.3.4, 1.2.5.10, 1.5.6.7, 2001:db8::100 $nslookup large1 ... Address: 1.2.3.4 $nslookup large2 ... Address: 1.2.5.10 $nslookup large3 ...
NOTE: If an HP-UX HIDS agent system with which the administration system has to communicate uses an IPv4 address for communication, the administration system must also use an IPv4 address to communicate with that agent. To communicate with an agent system that uses an IPv6 address, the administration system must also use an IPv6 address. To communicate with both IPv4 and IPv6 agents, the administration system must have both an IPv4 and an IPv6 address configured. The choice of address depends on your network topology.
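The multihomed check and the address-family rule above can be worked through offline from nslookup transcripts. This is an added example, not part of the manual or the HIDS product; the transcripts are constructed (the name server line is invented, the host addresses are the manual's own illustrative values), and the pairing of an agent interface with an administration REMOTEHOST of the same family is the rule the note states.

```python
import ipaddress
import re

# Constructed nslookup transcripts, modelled on the manual's example of the
# multihomed host "large"; the name server line is invented for the sample.
NSLOOKUP_LARGE = """Server:  ns.example.invalid
Address:  192.0.2.53

Name:    large
Addresses: 1.2.3.4, 1.2.5.10, 1.5.6.7, 2001:db8::100
"""

NSLOOKUP_LARGE1 = """Server:  ns.example.invalid
Address:  192.0.2.53

Name:    large1
Address: 1.2.3.4
"""

# Constructed transcript for an administration system with one IPv4 address
# (192.0.2.4 is the value the manual uses in its REMOTEHOST example).
NSLOOKUP_ADMIN_V4 = """Server:  ns.example.invalid
Address:  192.0.2.53

Name:    admin
Address: 192.0.2.4
"""


def answer_addresses(nslookup_output):
    """Return the addresses in the answer section of an nslookup transcript.
    The Server:/Address: header describes the name server, not the queried
    host, so nothing before the Name: line is taken as an answer."""
    addrs = []
    in_answer = False
    for line in nslookup_output.splitlines():
        if line.startswith("Name:"):
            in_answer = True
            continue
        m = re.match(r"Address(?:es)?:\s*(.*)$", line)
        if in_answer and m:
            for tok in m.group(1).split(","):
                tok = tok.strip()
                if tok:
                    addrs.append(ipaddress.ip_address(tok))
    return addrs


def is_multihomed(nslookup_output):
    """More than one address for the host name means the system is multihomed."""
    return len(answer_addresses(nslookup_output)) > 1


def compatible_pairs(agent_output, admin_output):
    """List (agent INTERFACE, administration REMOTEHOST) pairs that share an
    address family. An IPv6-only agent with an IPv4-only administration
    system yields an empty list, which is the misconfiguration to avoid."""
    agent = answer_addresses(agent_output)
    admin = answer_addresses(admin_output)
    return [(str(a), str(b)) for a in agent for b in admin if a.version == b.version]
```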
REMOTEHOST 192.0.2.4 or REMOTEHOST 2001:db8::100 NOTE: The REMOTEHOST parameter is overridden when you import the certificate bundle with IDS_importAgentKeys. 13. Save the file with your modifications. 14. If the agent is running, force it to reread its configuration file, as described in “Forcing Active Agent to Reread Configuration File” (page 186).
6. Set the value of INTERFACE in idsgui to the following: INTERFACE=127.0.0.1 7. Start the System Manager. For more information, see “Starting the HP-UX HIDS System Manager” (page 42). 8. On the Host Manager screen, set up the administration system as an agent system, using 127.0.0.1 as its IP address. For more information, see “Adding a New Host Manually” (page 80) and “Modifying a Host” (page 83).
By default, max_thread_proc is set to its minimum value, 64, which allows for 23 agents. The maximum value of max_thread_proc is governed by the configurable kernel parameter nkthread, which you can increase if you have a larger number of agents. NOTE: The max_thread_proc is a dynamic tunable in HP-UX 11i version 1.6 and later. In earlier versions of HP-UX, a change to this parameter requires a reboot.
1. To view the current value, enter the following command: # ndd -get /dev/tcp tcp_conn_request_max If this value is 20, or some number smaller than the number of agent systems, then proceed to Step 2 and adjust it to the number of agents you plan to monitor, or greater. 2. To change the value, log in as root and modify the /etc/rc.config.
3 Getting Started with HP-UX HIDS This chapter provides an overview of the operation of HP-UX HIDS and the procedures used to get the System Manager and agents up and running on the administrative and monitored systems. This chapter addresses the following topics: • “HIDS Quick Start Guide.
Agents The HP-UX HIDS agent software must be running continually on the systems you are monitoring for it to detect and report intrusions as they occur. When an agent is running a schedule, it records intrusion alerts and agent program errors in local log files. When the System Manager is running on the administration system, and is monitoring the agent, alerts and errors are transferred to log files on the administration host.
5. Go to the Schedule Manager screen and create surveillance schedules, or use the predefined schedules. For more information, see “Using the Schedule Manager Screen” (page 51). 6. Go to the Host Manager screen and select the agent hosts you want to monitor. These are the systems you started idsagent on in step 3. As described in “Setting Up HP-UX HIDS Secure Communications” (page 24), the certificate script may have provided you with a selection of agent hosts.
• Network Node The Network Node screen displays the alerts and error messages that have been generated by an agent. Each agent is displayed on a separate screen. For more information, see Chapter 7: “Using the Network Node Screen” (page 89). • Preferences The Preferences screen enables you to specify operational parameters for the columns that will be presented on the System Manager screen, the Host Manager, the Alerts tab, and the Host Manager Errors tab.
4 Using the System Manager Screen This chapter describes the tasks you can perform using the HP-UX HIDS System Manager screen.
Figure 2 System Manager Screen Starting the HP-UX HIDS System Manager The HP-UX HIDS System Manager program, idsgui, must run as user ids. Start it from the shell. To start the HP-UX HIDS System Manager, follow these steps: 1. Log in to the administration system as root. 2. Switch to ids. # su ids 3. Start the HP-UX HIDS System Manager: $/opt/ids/bin/idsgui The System Manager screen is displayed. The screen appears in about 16-20 seconds.
2. On the Exit dialog box, click Yes to exit or No to cancel the exit. Surveillance schedules, surveillance groups, and alert and error logs that have not been saved are saved automatically. Any open screens are closed. Surveillance schedules that are scheduled or running on agents are not affected. System Manager Components The System Manager screen has a number of menus and buttons, which are described in the procedures in the following sections.
Table 5 Status Field Values (continued)
• Polling: The System Manager is communicating with the host.
• Resyncing: The System Manager and agent are resynchronizing.
• Running: The schedule is running on the agent.
• Scheduled: The schedule is waiting for its next active time block on the agent.
• Status Unknown: The System Manager does not know the status of the agent host.
• Stopping Schedule: The agent is stopping its current schedule.
• On each agent host, perform one of the following steps: • Log in to the agent system as root and enter the following command: #/sbin/init.d/idsagent start This starts /opt/ids/bin/idsagent under user ids and activates any schedule that was retained when the agent halted. • Log in to the agent system as root, switch to user ids, and enter the command: $/opt/ids/bin/idsagent -a This starts /opt/ids/bin/idsagent under user ids and activates any schedule that was retained when the agent halted.
2. Select one of the following options: • Click the Status button. • Choose the Actions > Status Poll menu item. • Press Shift+F7. • Right-click in the Monitored Hosts area and select Status Poll from the menu. The System Manager begins polling the selected hosts and returns an updated value in the Status field. These values are described in Table 5 (page 43). If No Agent Available is shown for a host, the agent may not be running, or it is still initializing. Recheck the status later.
2. Select one of the following options to resynchronize: • Click the Resync button. • Choose the Actions > Resync menu item. • Press Shift+F6. • Right-click in the Monitored Hosts area and select Resync from the menu. Any alerts in each agent’s log file that are newer than the last one seen by the System Manager are transferred to the System Manager’s log files. The numbers are updated on the Monitored Hosts list and the alerts and errors are displayed on the Network Node screen for each host.
2. Select one of the following options to stop the schedule: • Click the Stop button. • Choose the Actions > Stop Schedule menu item. • Press Shift+F3. • Right-click in the Monitored Hosts area and select Stop Schedule from the menu. The schedules are stopped and removed from the selected hosts. The Status field is set to Available and the Schedule field is set to None. To restart the schedules, you must activate them again. For more information, see “Activating Schedules on Agent Hosts” (page 47).
Procedure 4 To halt the agent locally on the agent host, follow these steps: • On the agent host, perform one of the following steps to halt the agent locally: • Log in to the agent system as root and enter the following command: $ kill -TERM $(cat /var/opt/ids/idsagent.pid) NOTE: You can also do this as user ids. • Log in to the agent system as superuser (root) and enter the command: $/sbin/init.
Network Node Screen The Network Node screen displays the alerts and errors for a selected agent host. To view the Network Node screen for an agent host, follow these steps: 1. On the System Manager screen, in the Monitored Hosts list, select the hosts you want to view. 2. Perform one of the following tasks: • Choose the View > Network Node menu item. • Press Ctrl+B. For each selected host, a Network Node screen appears with the current contents of the host’s alerts and errors log displayed.
5 Using the Schedule Manager Screen This chapter describes how to configure HP-UX HIDS surveillance schedules, surveillance groups, and detection templates.
The Schedule Manager screen comprises four major parts: • The Configure tab, where you define surveillance schedules, containers, groups, and template properties. For more information, see “Configuring Surveillance Schedules” (page 53), “Configuring to Monitor HP-UX Containers (HP-UX SRP)” (page 57), “Configuring Surveillance Groups” (page 59), and “Configuring Detection Templates” (page 61). • The Timetable tab, where you specify when each surveillance group of a surveillance schedule will run.
• On the System Manager screen, perform one of the following steps: • Choose the Edit > Schedule Manager menu option. • Press Ctrl+S. • Double-click anywhere in the Schedules panel or on a schedule name. The Schedule Manager screen (Figure 3) is displayed with the Configure tab active.
NOTE: The /etc/opt/ids/schedules/sample directory contains read-only copies of the predefined schedules. Users who want to revert to the original predefined schedules can manually copy them from /etc/opt/ids/schedules/sample into /etc/opt/schedules. Creating a New Surveillance Schedule This section describes how to create a new surveillance schedule. To create a new surveillance schedule, follow these steps: 1. Go to the Schedule Manager screen. 2. Create a name for the new surveillance schedule.
3. Create a name for the new surveillance schedule. a. Press the Copy button on the Schedules panel. This opens the Copy Surveillance Schedule dialog box (Figure 5). Figure 5 Copy Surveillance Schedule Dialog b. Enter a name in the input field. Valid characters are alphanumeric and underscore; the first character must be alphanumeric. Schedule names are case-sensitive. If you include invalid characters, you will be prompted to replace them with underscores.
2. Open the Rename Surveillance Schedule dialog box (Figure 6) by performing one of the following tasks: • Click the Rename button in the Schedules panel. This only changes the names of the schedule and its disk file. The schedule is not saved to disk. • Choose File > Save Selected Schedule As. This changes the schedule and file names, and saves the schedule to the disk. Figure 6 Rename Surveillance Schedule Dialog 3. Edit the name in the input field.
3. Save the schedule by using one of the following options: • Click the Save button • Choose File > Save Selected Schedule Configuring to Monitor HP-UX Containers (HP-UX SRP) Container (SRP) configuration is applicable only if the agent is running on a host configured with HP-UX Containers (HP-UX SRPs), and if any or all the Containers need to be monitored by the agent. You can add, edit, modify, or delete Container (SRP) configuration.
3. Create a name for the new Container (SRP) Configuration. a. Click the Copy button on the Container (SRP) Configuration panel. This opens the Copy Container (SRP) Configuration dialog box (Figure 8). Figure 8 Copy Container (SRP) Dialog b. Enter a name in the input field. It should be the name of a Container configured on the host that needs to be monitored. c. Click OK to accept and Cancel to quit the dialog box.
4. Edit the name in the input field. 5. Click OK to change the name and Cancel to leave the name unchanged. Deleting a Container (SRP) Configuration This section provides steps to delete a Container (SRP) Configuration. To delete a Container (SRP) configuration, follow these steps: 1. On the Schedule Manager screen, select the Configure tab. 2. Select the Container (SRP) configuration in the Container (SRP) Configuration panel. 3. Click the Delete button in the Container (SRP) Configuration panel.
Copying a Surveillance Group If an existing surveillance group is similar to what you want, you can copy the group and rename it, or directly edit the existing group. For example, suppose you want a group to run from 9 a.m. to 5 p.m. Monday through Friday, but for 24 hours on Saturday and Sunday. To set this up, copy the Monday-Friday group and set a different timetable in the Saturday-Sunday group. To copy a surveillance group, follow these steps: 1.
3. Click the Rename button in the Surveillance Groups panel to open the Rename Surveillance Group dialog box (Figure 12). Figure 12 Rename Surveillance Group Dialog 4. Edit the name in the input field. Valid characters are alphanumeric and underscore. The first character must be alphanumeric. Group names are case-sensitive. If you include invalid characters, you will be prompted to replace them with underscores. 5. Click OK to change the name and Cancel to leave the name unchanged.
The parameters for a template may be configured once the detection template is added to a surveillance group. At this point, you will be able to view all the editable properties. You can also change the default values of these properties. Modifying a Property Value in a Template The values you add, modify, or delete are local to the current group. Other groups can have different values for the same template properties. To change the value of a property in a detection template, follow the steps: 1.
5. If the value is a list (zero or more values in brackets, for example, [0, 1, 5, 11]), the Edit List dialog box is displayed (Figure 14). Figure 14 Edit List Dialog Perform one of the following substeps to add, modify, or delete a value. a. To add a new value 1. Click the Add button. An Edit dialog box is displayed (Figure 15). Figure 15 Edit Dialog - Add 2. Enter a value in the text box. In general, the value cannot be null. 3. Click OK to insert the value and Cancel to quit without adding. b.
3. Edit the value in the text box. In general, the value cannot be null. 4. Click OK to accept the new value and Cancel to leave the value unchanged. c. To delete a current value 1. Highlight one of the values in the Edit List display. If you highlight more than one, the first one is processed. 2. Click the Delete button. The value is deleted. Lists can be empty. Undoing and Redoing Changes You can undo and redo the changes you have made by using the Undo and Redo buttons.
List” properties can be used to ignore changes to certain files when they are performed by a known program. The pathnames_to_not_watch property can be used to ignore directories and files where changes to files are not considered as security risks. • The template “Modification of Another User’s File Template” (page 136) generates many alerts if not tuned correctly.
1. Select the Timetable tab of the Schedule Manager screen (Figure 17). Figure 17 Schedule Manager Screen - Timetable Tab 2. Highlight the schedule name in the Schedules panel. The groups that are part of the schedule are displayed in the Selected Groups panel of the Schedule tab. 3. In the Selected Groups panel, highlight one of the groups. The rest of this procedure describes setting the timetable for this group. Repeat the procedure for each group.
7. In the Select Times panel, choose the hour blocks in which the group should run. This is a list, so you can use left-click to pick an hour, Shift-left-click to add all intervening hours, and Ctrl-left-click to add or remove individual hours. For more information, see “Selecting with the Mouse” (page 92). You can also use: • All to select all 24 hours • None to deselect all 24 hours For example, you could select 01:00 - 04:59, 07:00 - 07:59, and 09:00 - 16:59. 8.
and displayed in the GUI network nodes and logged in the alert log file (defined by the IDS_ALERTFILE configuration variable) of the agent: • File-related aggregated alerts • File-related real-time alerts that could not be aggregated • Non-file-related real-time alerts These alerts are also sent to any response programs in the response directory, as defined by the IDS_RESPONSEDIR configuration variable described in “Global Configuration” (page 187) (the default is /opt/ids/response).
3. Select the Alert Aggregation option box to enable alert aggregation. 4. Select the Real Time Alerts option box to enable the generation of real-time alerts when alert aggregation is enabled. NOTE: When the Alert Aggregation option box is not selected, the Real Time Alerts option box is automatically selected to indicate that real-time alerts will be generated. 5.
Under these conditions, HIDS may only have access to the path name used to invoke the program, and that path name can be a relative path name or one that is not fully resolved; it can contain symbolic links. For example, a program with the full path name /usr/bin/program can be invoked as program, as ../bin/program, or as /bin/program, where /bin is a symbolic link to /usr/bin.
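The three invocations above all name one file, which is why a property that lists trusted programs by path has to be compared against a canonical path rather than the string the program was invoked with. The following added example (not code from the manual or the HIDS agent) rebuilds the manual's layout under a temporary directory instead of /, resolves each spelling, and shows a trusted-program comparison done on canonical paths; the directory names and the program contents are constructed.

```python
import os
import tempfile


def canonical_program_path(invoked_path, cwd):
    """Turn the path a program was invoked with into one absolute path with
    every symbolic link and '..' component resolved. A relative path is
    interpreted against cwd, the directory the caller was in."""
    if not os.path.isabs(invoked_path):
        invoked_path = os.path.join(cwd, invoked_path)
    return os.path.realpath(invoked_path)


def build_demo_tree():
    """Construct a throwaway layout mirroring the manual's example, under a
    temporary root instead of /: usr/bin/program is the real file and
    bin is a symbolic link to usr/bin."""
    root = tempfile.mkdtemp(prefix="hids-path-demo-")
    usr_bin = os.path.join(root, "usr", "bin")
    os.makedirs(usr_bin)
    os.makedirs(os.path.join(root, "usr", "lib"))  # a cwd from which ../bin works
    with open(os.path.join(usr_bin, "program"), "w") as f:
        f.write("#!/bin/sh\nexit 0\n")  # constructed stand-in for the program
    os.symlink(usr_bin, os.path.join(root, "bin"))
    return root


def invocation_variants(root):
    """Resolve the three spellings the manual lists: the bare name from the
    program's own directory, ../bin/program from a sibling directory, and
    /bin/program through the symbolic link (all relative to the demo root)."""
    usr_bin = os.path.join(root, "usr", "bin")
    usr_lib = os.path.join(root, "usr", "lib")
    return {
        "program": canonical_program_path("program", usr_bin),
        "../bin/program": canonical_program_path("../bin/program", usr_lib),
        "/bin/program": canonical_program_path(os.path.join(root, "bin", "program"), "/"),
    }


def matches_trusted_program(invoked_path, cwd, trusted_path):
    """A trusted-program check that compares canonical paths, so the same
    binary reached via a link or a relative path is still recognised,
    while a different file that merely shares a prefix is not."""
    return canonical_program_path(invoked_path, cwd) == os.path.realpath(trusted_path)
```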
1. Select a schedule in the Schedules panel. Figure 19 Schedule Manager Screen-Miscellaneous Tab 2. Select the Global Properties tab on the Schedule Manager screen. 3. Select the Miscellaneous tab under the Global Properties tab. 4. Select the Monitor Failed Attempts to Create/Modify/Delete Critical Files option. NOTE: By default, this option is disabled. 5. Click Save. The selection will be saved.
Figure 20 The Duplicate Alert Suppression Tab Duplicate Alert Suppression Options Following are the duplicate alert suppression options: • Duplicate Alert Suppression Select or deselect the Duplicate Alert Suppression checkbox to enable or disable duplicate alert suppression. By default, this property is enabled. You can also set this property by editing the ids.cf file. Comment out the following entry in the ids.
• Suppression Interval Use this property to suppress duplicate alerts (for any given alert) until the time specified in the Suppression Interval property has elapsed or the number of duplicate alerts is equal to or greater than the Suppression Count property value. The default value of this property is 6 hours. This means that HIDS will suppress duplicate alerts for any given alert over a 6 hour period, unless the number of duplicate alerts for that alert exceeds the value of the Suppression Count property.
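The interaction of the two properties is easier to see when replayed over a stream of alerts. The suppressor below is an added illustration of the rule as the manual states it, not the agent's own implementation: the first alert of a kind is emitted, repeats are held until the interval (default 6 hours) elapses or the duplicate count reaches the Suppression Count, and either event starts a fresh window. The count default of 10, the keying of "the same alert" by template and user, and the alert stream are all assumptions constructed for the example.

```python
from dataclasses import dataclass

SIX_HOURS = 6 * 60 * 60  # the manual's default Suppression Interval, in seconds


@dataclass
class _Window:
    first_seen: float     # time the first alert of this run was emitted
    duplicates: int = 0   # duplicates seen since then


class DuplicateAlertSuppressor:
    """Emit the first alert of a kind, then hold back repeats until either the
    interval has passed since that first alert or the number of duplicates
    reaches the count threshold; either event starts a fresh window."""

    def __init__(self, interval_secs=SIX_HOURS, suppression_count=10, enabled=True):
        self.interval = interval_secs
        self.count = suppression_count  # assumed default; this section gives none
        self.enabled = enabled
        self._windows = {}

    def report(self, alert_key, now):
        """Return True if the alert should be emitted, False if it is a suppressed duplicate."""
        if not self.enabled:
            return True
        win = self._windows.get(alert_key)
        if win is None or now - win.first_seen >= self.interval:
            self._windows[alert_key] = _Window(first_seen=now)  # interval condition
            return True
        win.duplicates += 1
        if win.duplicates >= self.count:
            # The count condition is met: release this one and start over.
            self._windows[alert_key] = _Window(first_seen=now)
            return True
        return False


def replay(alerts, suppressor):
    """Feed (timestamp, alert_key) pairs through the suppressor in order and
    return the ones that would reach the log, the GUI and response programs."""
    return [(t, k) for t, k in alerts if suppressor.report(k, t)]


# Constructed alert stream: the key identifies "the same alert" (here the
# template plus the user it concerns, an assumed keying scheme).
SAMPLE_ALERTS = [
    (0, "RepeatedFailedSu:bob"),
    (60, "RepeatedFailedSu:bob"),
    (120, "RepeatedFailedSu:bob"),
    (300, "LoginLogout:alice"),
    (SIX_HOURS + 1, "RepeatedFailedSu:bob"),
]
```

With the default count only the first su alert, the unrelated login alert, and the su alert arriving after the interval get through; lowering the count to 2 releases the third su alert early but also restarts its window, so the later one is then suppressed.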
1. On the Schedule Manager screen (Figure 21), select the Details tab. Figure 21 Schedule Manager Screen - Details Tab 2. In the Schedules panel, select a schedule. The text version of the surveillance schedule is displayed. If times have not been assigned to groups in the schedule, the display will be very short. Refreshing the Details Display To refresh the display, follow the step given below: • Click on the Refresh button.
1. Perform one of the following tasks:
   • Click the Save button
   • Choose File > Save
   • Enter Ctrl+S
   The Save dialog box (Figure 22) is displayed.
   Figure 22 Save Dialog
2. Click OK to save, or Cancel otherwise. If you click OK, the File Saved dialog box (Figure 23) is displayed. It shows the full path name under which the schedule was saved. The file is stored in /var/opt/ids/bin/gui/logs; /opt/ids/bin/gui/logs is a symbolic link. The file name is the name of the schedule with a .txt extension.
Table 6 Predefined Surveillance Schedules
Surveillance Schedule: FileAndLoginMonitoringAlwaysOn
  Surveillance Group: FileModificationGroup
    Detection Templates: Changes to Log File Template; Modification of files/directories Template; Creation and Modification of setuid/setgid File Template; Creation of World-Writable File Template; Modification of Another User's File Template
  Surveillance Group: LoginMonitoringGroup
    Detection Templates: Login/Logout Template; Repeated Failed Logins Template; Repeated Failed su Commands Template
Surveillance Schedule: FileLoginLogMonitor
Table 6 Predefined Surveillance Schedules (continued)
Surveillance Schedule: FileModificationsWeekends
  Surveillance Group: FileModificationGroup
    Detection Templates: Changes to Log File Template; Creation and Modification of setuid/setgid File Template; Creation of World-Writable File Template; Modification of Another User's File Template; Modification of files/directories Template
Surveillance Schedule: FileModificationsWorkHours
  Surveillance Group: FileModificationGroup
    Detection Templates: Changes to Log File Template; Creation and Modification of setuid/setgid Fil
6 Using the Host Manager Screen This chapter describes the tasks you can perform using the Host Manager screen.
Figure 24 Host Manager Screen
Closing the Host Manager Screen
To close the Host Manager screen, complete the following steps:
1. On the Host Manager screen, choose one of the following options:
   • Select File > Close.
   • Press Ctrl+C.
2. If you have modified but not saved the current host list, the Host List Manager Modified dialog box is displayed. Select Yes to save the current list in the current file. The default host list file is /etc/opt/ids/gui/config/sentinal.hosts.
NOTE: HP-UX HIDS uses the IP address to identify and communicate with the agent host. The host name is displayed in the Host fields and is part of the alert and error log file names. As a result, the final value of the Host field can have any value you choose. It is possible to have duplicate host names with different IP addresses. If both refer to different hosts with running agents, their alert and error messages are stored in the same alert and error log files on the administration system.
2. Fill in the Host Name and IP Address fields. There are three ways you can do this, described below in order of preference. A host name must start with a letter and contain only letters, digits, periods, underscores, and hyphens. Host names are not case sensitive. For example, xy3-z5 and xy3-z5.a32c.edu are valid host names. The IP address can be an IPv4 or IPv6 address. An IPv4 address consists of four decimal fields, each in the range 0 to 255, separated by periods, for example 192.0.2.4. IPv6 addresses are in colon notation.
If the host name cannot be determined, the Add Host Error box is displayed with the message Unknown Host Name - unable to resolve IP Address. Click OK and redo this step, making sure to enter a host name.
NOTE: The IP address is the best method for adding a multihomed agent host. For more information, see "Configuring a Multihomed Agent System" (page 29).
c. Host Name and IP Address
   Enter the host name of the agent host in the Host Name field.
1. On the Host Manager screen, perform one of the following steps:
   • Select Edit > Add Host > Load Hosts List File.
   • Press Shift+F7.
   The Open dialog box opens as shown in Figure 28. It defaults to the /var/opt/ids/gui/logs directory and displays the Host Files.
   Figure 28 Open Dialog
2. You can change the Files of type: dropdown list to All Files, and use the Look in: dropdown list with the display list to choose the directory where your file resides.
1. On the Host Manager screen, bring up the Edit Host Entry dialog box as shown in Figure 29 by performing one of the following steps:
   • Double-left-click an entry in the host list.
   • Select an entry in the host list and select Edit > Edit Host.
   • Select an entry in the host list and press Ctrl+H.
   If more than one entry is selected in the host list, the first entry in the list is chosen.
   Figure 29 Edit Host Entry Dialog
• On the Host Manager screen, click the box in the Monitored column for the entry of the host you want to enable or disable for monitoring. The box displays a check mark if the host is enabled; it is blank if the host is disabled. When an entry is enabled, it is also displayed on the System Manager screen and automatically polled. When it is disabled, it is removed from the System Manager screen.
Figure 31 Add Host Tag Dialog Box
2. Enter a tag name in the input field. The name can contain any printable characters and can be of any length. Spaces are significant. Tag names are case-sensitive. Duplicate tags are discarded when you exit (see Step 3).
3. Click OK to accept the new tag or Cancel to discard it. You return to the Edit Host Tag List dialog box, where you can perform more add, edit, and delete operations. Go on to Step 2, or exit and go on to Step 3.
The default host file is /etc/opt/ids/gui/config/sentinal.hosts, which is loaded automatically when the System Manager starts.
Saving the Host List in the Current File
To save the Host List in the current file:
• On the Host Manager screen, perform one of the following steps:
  • Choose the File > Save menu item.
  • Press Ctrl+S.
The current host list is saved in the current host file.
To load a previously saved host file, follow these steps:
1. On the Host Manager screen, open the Open dialog box as shown in Figure 33 by performing one of the following steps:
   • Choose the File > Open menu item.
   • Press Ctrl+O.
   Figure 33 Open Dialog Box
2. Select a file name in the list.
3. Click Open to open the file, or Cancel to exit without changing host files. The hosts are displayed on the Host Manager screen. The monitored hosts are also displayed on the System Manager screen.
7 Using the Network Node Screen
This chapter describes the Network Node screen, which displays alerts and errors for a specified agent host. It addresses the following topics:
• "Network Node Screen" (page 89)
• "Alerts Tab" (page 90)
• "Errors Tab" (page 91)
• "General Operations" (page 92)
Network Node Screen
The Network Node screen contains lists of alerts and errors that have been detected by the related agent. Click the Alerts or Errors tab to view the lists and details.
• On the Network Node screen, perform one of the following steps:
  • Choose the File > Close menu item.
  • Press Ctrl+C.
  If you made unsaved changes to an open file set, they are saved automatically.
Alerts Tab
The Alerts tab, shown in Figure 34, displays the alerts that the surveillance schedule detected on one of the agent host systems. On the Network Node screen, click the Alerts tab.
HP-UX HIDS Alerts
Your response to each alert depends on individual circumstances; develop policies and procedures for handling intrusions. The templates used to generate alerts, and the alerts themselves, are described in Appendix A (page 103). You can create automated alert response programs that run automatically when an alert is generated and pass the information to an analysis system.
General Operations
The Alerts and Errors tabs use the same operations to manage their contents, with a few minor differences in labels.
Sorting Entries
By default, alerts and errors are listed in ascending date/time order. You can re-sort the list by any attribute in either ascending or descending order. Follow one of these steps:
• Click the appropriate column header to toggle between ascending and descending order.
• Select an item from the Sort menu.
• On the Alerts/Errors tab of the Network Node screen, perform one of the following tasks:
  • Select the Actions > Next Unseen Alert/Error menu item.
  • Right-click in the list and select Goto Next Unseen Alert/Error from the menu.
  • Press Shift+F10.
The search begins after the anchor entry. If an unseen entry is found, it is highlighted and other selections are cleared. If only the current entry is unseen or there are no unseen entries, no action is taken.
2. Perform one of the following steps:
   • Click Delete.
   • Select the Edit > Delete Selected Alerts/Errors menu item.
   • Right-click and choose Delete from the menu.
   • Press Delete.
When you delete an entry from the Alerts or Errors tab, it is removed only from the in-memory copy. It is deleted from the log file when you save to disk. If you do not save, reloading restores the deleted entries.
Alerts and errors are saved at the same time on agent hosts. Alerts go into a file named filesetname_alerts.log and errors into a file named filesetname_errors.log, where filesetname is the name you assign.
NOTE: The Network Node screen title bar indicates how you obtained the data on the screen.
1. To create a new file set named myhost1.backup, enter myhost1.backup in the File Name field.
2. To save the file set you just opened under the file set name justopened, click the alert or error file for that set, for example justopened_error.log.
3. Click Save or press Alt+S to save the alert and error log files.
In these examples:
1. The files are named myhost1.backup_alert.log and myhost1.backup_error.log.
2. The files justopened_alert.log and justopened_error.log are overwritten.
3. Click Open or press Alt+O to open the alert and error log files. A new Network Node screen appears with the file set path name in the title bar and the contents of the alert and error logs in the Alerts and Errors tabs. To cancel the open task, click Cancel or press Alt+C.
Log File Rotation
Log file rotation permits periodic archiving of alerts and errors. Both the alert log file and the error log file are designed to support log file rotation.
8 Using the Preferences Screen
This chapter describes operational and display settings that you can set on the Preferences screen. It addresses the following topics:
• "General Preferences" (page 98)
• "Browser Preferences" (page 99)
  ◦ "Alert Events Preferences" (page 99)
  ◦ "Error Events Preferences" (page 100)
  ◦ "System Manager Preferences" (page 101)
The Preferences screen enables you to specify several system operational preferences.
Table 7 General Preferences Tab
Option: Automatic Startup Status Poll
Default: On
Description: When this option is selected (checked), the System Manager automatically polls all the entries in the monitored list for current status whenever the System Manager is restarted. This is equivalent to selecting Actions > Status Poll from the System Manager screen. You can disable this feature if HP-UX HIDS agents are not currently installed or operational on agent hosts.
Figure 40 Alert Events Subtab
In Table 8, the column names marked with asterisks (*) correspond to fields in the alert message.
Table 8 Alert Events Subtab
Column Name   | Default | Description
Seen          | Yes     | The entry has been seen.
Severity *    | Yes     | 1: critical; 2: severe; 3: alert.
Attacker *    | Yes     | User name or IP address of the attacker.
Attack Type * | Yes     | Name of the alert.
Date/Time     | Yes     | Local date and time.
Target Host   | No      | Name of the host where the alert was generated.
The Error Events subtab lists the columns that can be displayed on the Errors tab of the Network Node screen. Check the boxes to display the columns. The column names are shown in Figure 41 and described in Table 9. Click an option box to select or deselect the option.
Figure 41 Error Events Subtab
Table 9 Error Events Subtab
Column Name | Default | Description
Seen        | Yes     | The entry has been seen.
Date/Time   | Yes     | Local date and time.
Code        | No      | Error code number.
Figure 42 System Manager Subtab
Table 10 System Manager Subtab
Column Name   | Default | Description
Status        | Yes     | Status of the agent host.
Host          | Yes     | Name of the host being monitored.
Schedule      | Yes     | Name of the activated surveillance schedule; None if none.
Tag           | Yes     | The tag, if any, associated with the host.
Total Alerts  | Yes     | Total number of alerts in the System Manager log file for the host.
Unseen Alerts | Yes     | Total number of unseen alerts in the System Manager log file for the host.
A Templates and Alerts This appendix describes the detection templates that constitute the surveillance groups. It also describes the alerts that are passed to the System Manager and to the response programs by the HIDS agent.
Table 11 Detection Templates (continued)
Alert: File system modification or potential modification
Attack: The following operations were either unsuccessfully or successfully performed on a read-only file:
  • Modification of the mode or ownership
  • Modification of the file content
  • Creation
  • Opening the file for writing or appending, which may (or may not) be followed by an actual file modification
Alert Severity: 3
Detection Template: Modification of files/directories Template
Table 11 Detection Templates (continued)
Alert: World-writable file created
Attack: A file with world-writable permission was created by a privileged user, the world-writable bit was set on an existing file owned by a privileged user, the owner of a world-writable file was changed to a privileged user from a non-privileged user, or a world-writable file owned by a privileged user was renamed from a location that is not being monitored to a location that is being monito
Alert Severity: 3
1 Higher severity if specified by the severity template property or the log_severity_def global property. For more information about the severity property, see "Log File Monitoring Template" (page 147). For more information about the log_severity_def global property, see "Surveillance Schedule Section" (page 193).
2 Higher severity if specified by an ip_filter property. For more information about the ip_filter property, see "Login/Logout Template" (page 139).
Limitations
This section describes the general limitations of the templates. Template-specific limitations are discussed in the respective template sections. Following are some general limitations:
• No file monitoring template can filter alerts based on whether a file is local or remote (NFS).
• File monitoring templates, by design, do not detect whether the contents of a file were modified.
• File-related templates can generate alerts with relative file path names instead of full path names.
directory is [not] monitored if its full path name matches a regular expression in the pathnames_to_[not]_watch template property. NOTE: If a file or directory path name matches a regular expression in both the pathnames_to_watch and pathnames_to_not_watch property, then the file or the directory is not monitored.
NOTE: The pathnames_0/programs_0 pair is a special case: alerts for files specified in pathnames_0 are not generated when the alert is triggered by one of the programs in programs_0 or by any of that program's child or grandchild processes.
IMPORTANT: Specifying a program's relative path name in order to ignore its alerts is unsafe, whether the path name refers to a script or an executable program. An attacker can construct an attack script or program with the same relative path name, and alerts for that program are then filtered if the relative path name is specified as the value in a path names/programs pair.
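The three rules above (pathnames_to_watch selects, pathnames_to_not_watch wins, and a pathnames_N/programs_N pair suppresses alerts only for the named program) can be modelled directly. The following is an added example for this page, not HIDS code: it parses the "name | value | value" property layout used in the manual's examples, applies the precedence rule, and compares the modifying program by its resolved full path so that the relative-path and symbolic-link cases from the IMPORTANT note cannot bypass a pair. The realpath comparison, the rejection of relative entries in programs_N, and the temporary directory tree it builds for the demonstration are all assumptions of the example.

```python
"""Added example (not HIDS code): evaluating a file-monitoring template's path
properties.  Property syntax 'name | v1 | v2' follows the manual's examples;
the realpath comparison for programs_N entries is this example's choice."""
import os
import re
import tempfile
from typing import List, Tuple


def parse_property(line: str) -> Tuple[str, List[str]]:
    """Split 'name | v1 | v2' into (name, [v1, v2]); empty values are dropped."""
    name, *values = [f.strip() for f in line.split("|")]
    return name, [v for v in values if v]


def compile_list(values: List[str]) -> list:
    return [re.compile(v) for v in values]


class PathPolicy:
    def __init__(self, watch: str, not_watch: str, pairs=()):
        self.watch = compile_list(parse_property(watch)[1])
        self.not_watch = compile_list(parse_property(not_watch)[1])
        # each pair: (regexes from pathnames_N, full program paths from programs_N)
        self.pairs = [(compile_list(parse_property(p)[1]), parse_property(g)[1])
                      for p, g in pairs]

    def is_monitored(self, path: str) -> bool:
        if any(r.search(path) for r in self.not_watch):
            return False                       # not_watch takes precedence
        return any(r.search(path) for r in self.watch)

    def alert(self, path: str, program_invoked_as: str, cwd: str) -> bool:
        """True if a modification of `path` by a program invoked as
        `program_invoked_as` from directory `cwd` should raise an alert."""
        if not self.is_monitored(path):
            return False
        # Resolve what was actually executed: absolute, symlinks followed.
        # Comparing the raw invocation string would let "../bin/program" or a
        # symlinked "/bin/program" slip past a pair written for
        # "/usr/bin/program", and would let an attacker's own "program" in the
        # current directory match a relative entry.
        full = os.path.realpath(os.path.join(cwd, program_invoked_as))
        for path_res, programs in self.pairs:
            if any(r.search(path) for r in path_res):
                # relative entries are ignored on purpose: they are unsafe
                if any(os.path.isabs(p) and os.path.realpath(p) == full for p in programs):
                    return False
        return True


def demo() -> dict:
    """Build a throwaway tree mimicking /usr/bin/program with /bin -> /usr/bin
    and an attacker's copy named 'program' in a scratch directory."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr", "bin"))
    real_prog = os.path.join(root, "usr", "bin", "program")
    open(real_prog, "w").close()
    os.symlink(os.path.join(root, "usr", "bin"), os.path.join(root, "bin"))
    scratch = os.path.join(root, "tmp")
    os.makedirs(scratch)
    open(os.path.join(scratch, "program"), "w").close()     # attacker's "program"

    policy = PathPolicy(
        watch="pathnames_to_watch | ^/etc/ | ^/stand/vmunix$",
        not_watch="pathnames_to_not_watch | ^/etc/mnttab$",
        pairs=[("pathnames_1 | ^/etc/passwd$", "programs_1 | " + real_prog)],
    )
    return {
        "mnttab_monitored": policy.is_monitored("/etc/mnttab"),
        "passwd_monitored": policy.is_monitored("/etc/passwd"),
        "full_path": policy.alert("/etc/passwd", real_prog, "/"),
        "via_symlink": policy.alert("/etc/passwd", os.path.join(root, "bin", "program"), "/"),
        "relative": policy.alert("/etc/passwd", "../usr/bin/program", scratch),
        "attacker_copy": policy.alert("/etc/passwd", "program", scratch),
        "unrelated_file": policy.alert("/etc/hosts", real_prog, "/"),
    }


if __name__ == "__main__":
    for name, fired in demo().items():
        print("%-18s alert=%s" % (name, fired))
```

The legitimate program is exempted however it is invoked, because every spelling resolves to the same inode path, while the attacker's copy named program in the scratch directory still raises an alert.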
If both of these conditions are met, no alert is issued. Following is an example of this type of property value:
user_pairs_to_ignore | root, daemon | 0, bin | root, 3 | 0, 4
In this example, an alert is not triggered if any of the following conditions are met:
• The file owner's name is root and the effective user ID of the modifying process corresponds to the user name daemon.
• The file owner's user ID is 0 and the effective user ID of the modifying process corresponds to the user name bin.
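Because each element of a pair may be either a user name or a numeric UID, an implementation has to normalise both sides before comparing. The following is an added example for this page, not HIDS code: it parses the property value shown above, resolves names through a constructed passwd fragment (an assumption standing in for getpwnam on the agent), and answers whether a given (file owner, effective user) combination is ignored. Treating a name and its UID as equivalent is also an assumption of the example.

```python
"""Added example (not HIDS code): evaluating user_pairs_to_ignore.

Each pair is (file owner, effective user of the modifying process); an entry
may be a user name or a decimal UID; a pair matches when both elements match.
PASSWD is a constructed fragment for the example; a real implementation would
call getpwnam/getpwuid on the agent host."""
from typing import Dict, List, Tuple

# Constructed fragment of /etc/passwd for the example: name -> uid.
PASSWD: Dict[str, int] = {"root": 0, "daemon": 1, "bin": 2, "sys": 3, "adm": 4, "ids": 108}


def to_uid(entry: str) -> int:
    """Resolve a name or a decimal UID string to a UID; unknown names fail loudly
    rather than silently widening the ignore list."""
    entry = entry.strip()
    if entry.isdigit():
        return int(entry)
    if entry not in PASSWD:
        raise ValueError("unknown user in user_pairs_to_ignore: %r" % entry)
    return PASSWD[entry]


def parse_user_pairs(line: str) -> List[Tuple[int, int]]:
    name, *fields = [f.strip() for f in line.split("|")]
    if name != "user_pairs_to_ignore":
        raise ValueError("unexpected property %r" % name)
    pairs = []
    for f in fields:
        if not f:
            continue
        parts = [x.strip() for x in f.split(",")]
        if len(parts) != 2:
            raise ValueError("pair must be 'owner, effective user': %r" % f)
        pairs.append((to_uid(parts[0]), to_uid(parts[1])))
    return pairs


def should_ignore(pairs: List[Tuple[int, int]], file_owner_uid: int,
                  process_euid: int) -> bool:
    """True when a modification of a file owned by file_owner_uid by a process
    running with process_euid is covered by one of the pairs."""
    return (file_owner_uid, process_euid) in pairs


if __name__ == "__main__":
    cfg = "user_pairs_to_ignore | root, daemon | 0, bin | root, 3 | 0, 4"
    pairs = parse_user_pairs(cfg)
    print(pairs)
    print(should_ignore(pairs, 0, 1), should_ignore(pairs, 0, 108))
```

All four pairs in the manual's example resolve to owner 0 with effective users 1 through 4, so a root-owned file modified by daemon, bin, sys or adm is ignored, while the same file modified by ids (uid 108 here) still alerts.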
d  Days
w  Weeks
When the unit component is not present, the integer component is assumed to be in seconds. For example, the following lines in the template configuration file contain time strings representing 23 seconds, 10 minutes, 1 hour, and 23 seconds; the s component in the last line is redundant, but can be used for clarity.
fail_interval | 23
warning_interval | 10m
fail_interval | 1h
warning_interval | 23s
NOTE: You cannot specify the time unit value in the Schedule Manager screen.
Type XI: String
The Type XI property value is a literal string. Unlike a Type I property, a Type XI property is not interpreted as a regular expression and specifies only one literal string. The logfile property of the Log File Monitoring template is a Type XI property that specifies the path name of a log file. For example, the following specifies that the syslog.log file should be monitored:
logfile | /var/adm/syslog/syslog.
NOTE: In HP-UX 11i v2 and later, comprehensive stack buffer overflow protection, which uses a combination of highly efficient software and existing memory management hardware, protects against both known and unknown buffer overflow attacks without sacrificing system performance. This protection is managed with the executable_stack tunable kernel parameter. You can allow selected programs to execute from the stack by marking them with the -es option of the chatr command.
Table 13 Execute on Stack Alert Properties
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[1] | Template code | Integer | 0 | Unique code assigned to the template
argv[2] | Version | Integer | | Version of the template
argv[3] | Severity | Integer | 1 | Alert severity
argv[4] | UTC Time | Integer | | UTC time in number of seconds since the epoch when execute-on-stack was detected
argv[5] | Attacker | String | uid=, gid=, pid=, ppid= | The use
Table 14 Unusual Argument Length Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[5] | Attacker | String | uid=, gid=, pid=, ppid= | The user ID, group ID, process ID, and parent process ID of the process that executed a privileged setuid program with an unusually long argument length
argv[6] | Target of Attack | String | file=, type=, | The full path name of the setuid program the attacker executed
Table 15 Argument with Nonprintable Character Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[5] | Attacker | String | uid=, gid=, pid=, ppid= | The user ID, group ID, process ID, and parent process ID of the process that executed a privileged setuid program with an argument that contains a nonprintable character
argv[6] | Target of attack | String | file=, type=, mode=, uid=, gid= |
called secure_sid_scripts(5) was introduced, with a default value that indicates that the setuid and setgid bits on scripts are ignored by the kernel. The vulnerability can still be exploited if the tunable parameter is configured to honor a privileged script's setuid and setgid bits, favoring compatibility over security. See secure_sid_scripts(5) for details.
How this template addresses the vulnerability
The Race Condition template monitors the file accesses that privileged programs make.
“Type II: Path Names/Programs Pairs” (page 108) for a detailed description of these property pairs.
NOTE: See Table 41 (page 152) and Table 45 (page 154) in Appendix B for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without parsing the string alert fields.
Privileged setuid Script Executed
This template generates and forwards alerts to a response program when a privileged setuid script is executed (either directly or through a symbolic link) and the kernel has honored the setuid bit.
NOTE: See Table 41 (page 152) and Table 45 (page 154) in Appendix B for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without parsing the string alert fields.
Limitations
The Race Condition template can be CPU intensive because it monitors all file references on the system.
Table 19 File/Directories Template Properties
Name: pathnames_to_watch
Type: I
Default Value:
^/\.rhosts$ | ^/\.shosts$ | ^/\.profile$ | ^/bin/ | ^/sbin/ | ^/usr/bin/ | ^/usr/sbin/ | ^/usr/local/bin/ | ^/lib/ | ^/usr/lib/ | ^/usr/local/lib/ | ^/stand/build/dlkm\.vmunix_test/ | ^/stand/vmunix$ | ^/stand/kernrel$ | ^/stand/bootconf$ | ^/stand/system$ | ^/dev/dsk/ | ^/dev/rdsk/ | ^/dev/rmt/ | ^/dev/rsdsi/ | ^/dev/vg[0-9]*/ | ^/dev/idds$ | ^/usr/dt/config/Xconfig$ | ^/tcb/files/devassign$ | ^/etc/rc\.config\.
Table 20 File Being Modified Alert Properties
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[1] | Template code | Integer | 2 | Unique code assigned to the template
argv[2] | Version | Integer | | Template version
argv[3] | Severity | Integer | 2 if the file is truncated, potentially truncated, deleted, or renamed; 3 if the file's mode or ownership is modified, the file is created, or the file is opened for writing or appending | Alert severity
Table 20 File Being Modified Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
(continued from the previous page)
  • created the file
  • created the character special file
  • created the directory
  • created the block special file
  • created the pipe (fifo) file
  • deleted the file
  • deleted the directory
  • performed system call on the file
argv[9] | Event | String | Following are the possible values: • File ownership modified | The event that triggered the alert.
Table 21 Failed Attempt to Modify Read-Only File Alert Properties
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | User with uid (type=, inode=, device=) when executing (type=, inode=, device=), invoked as follows: ... |
Table 21 Failed Attempt to Modify Read-Only File Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
Following are the possible values:
  • Failed attempt to change the owner
  • Failed attempt to change the permissions of
  • Failed attempt to open for modification/truncation
  • Failed attempt to open for modification
  • Failed attempt to rename the file
  • Failed attempt to overwrite an existing file
  • Failed attempt to truncate the file
  • Failed
How this template addresses the vulnerability
The template, also known as the Append Only template, monitors a user-defined list of files for attempts to modify them in any way other than appending to them. Specifically, the template monitors a user-specified set of regular files for successful attempts to open a file for writing or truncation, to delete the file, to rename the file, or to truncate the file. This template does not monitor changes in file ownership or permissions.
Table 23 Append-Only File Being Modified Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[4] | UTC time | Integer | | UTC time in number of seconds since the epoch when the file was modified
argv[5] | Attacker | String | uid=, gid=, pid=, ppid= | The user ID, group ID, process ID, and parent process ID of the process that modified the file
argv[6] | Target of attack | String | file=, type=, mode= |
Failed Attempt to Modify Append-Only Files Table 24 (page 129) lists the alert properties this template generates and forwards to a response program when files monitored by the Changes to Log File template are unsuccessfully modified in a way other than being appended to. All other alert properties for failed attempts are listed in Table 23 (page 127).
NOTE: See Table 41 (page 152) for the definition of additional arguments that can be used to access specific alert information (for example, pid and ppid) without having to parse the string alert fields above.
Limitations
The Changes to Log File template has the following limitation:
• The template cannot distinguish whether a file is created or truncated when creat(2) is invoked.
priv_user_list A list of system-level user IDs or user names. This list contains those users who have elevated access to the system. Removing any of these users means that the setuid/setgid template will not detect the creation of a setuid file owned by one of those users. priv_group_list A list of system-level group IDs or group names. This list contains those groups who have elevated access to the system.
Table 26 Setuid File Created / Modified Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | User with uid the file (type=, inode=, device=) (type=, inode=, device=), invoked as follows: ... | Detailed alert description
Creation of World-Writable File Template The vulnerability addressed by this template Any user on a system can modify a world-writable file. Many of the files owned by the system users (such as root, bin, sys, adm) are used to control the configuration and operation of the system. Allowing regular users to modify these files exposes the system to attacks. A world-writable directory containing system files enables an attacker to replace these files.
Table 27 World-Writable File Template Properties (continued)
Property | Type | Default Value
pathnames_X | II |
programs_X | II |
Properties
The configurable properties are listed as follows:
priv_user_list  A list of system-level user IDs or user names. This list contains users that have elevated access to the system. Removing any of these users means that this template does not detect the creation of a world-writable file owned by that user.
Table 28 World-Writable File Created Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | User with uid the file (type=, inode=, device=) (type=, inode=, device=), invoked as follows: ... |
an alert that a world-writable file is created even though the file already exists and is opened with the create flag set.
• The template cannot always distinguish whether a world-writable file is created or an existing world-writable file is truncated. The template can generate an alert that a file is created instead of an alert that a world-writable file is truncated.
Path names of files that can be safely ignored if they are modified by non-owners.
Users running with an effective uid that equals one of the listed user IDs, or that corresponds to one of the listed user names, can modify files they do not own without generating an alert. It is recommended that this property be left blank unless specifically needed.
Table 30 Non-Owned File Being Modified Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | User with uid (type=, inode=, device=) (type=, inode=, device=), invoked as follows: ... |
Table 31 Failed Attempt to Modify Non-Owned File Alert Properties
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | User with uid (type=, inode=, device=) (type=, inode=, device=), invoked as follows: ... |
How this template addresses the vulnerability The Login/Logout template monitors the start and end of interactive user sessions.
ip_filters  Contains a list of triplets {ip_address, mask, severity}. Filters login alerts and determines the alert's severity based on which remote host or network the login was made from. If a login's remote host IP address matches one of the triplets' IP addresses qualified by that triplet's network mask, then the alert severity is set to that triplet's severity.
priv_user_list
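How a triplet list maps a remote login address to a severity is shown by the following added example, which is not HIDS code. The manual gives the triplet as {ip_address, mask, severity}; the textual layout assumed here is "ip_filters | addr, mask, severity | ...", the first matching triplet decides, and unmatched addresses keep a default severity of 3. Those three details, and the use of Python's ipaddress module for the mask arithmetic, are assumptions of the example.

```python
"""Added example (not HIDS code): evaluating an ip_filters property for the
Login/Logout template.  Layout 'ip_filters | addr, mask, sev | ...', first
match wins, and the default severity of 3 are assumptions."""
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
DEFAULT_SEVERITY = 3   # assumption: severity for logins matching no triplet


def parse_ip_filters(line: str) -> List[Tuple[Network, int]]:
    name, *fields = [f.strip() for f in line.split("|")]
    if name != "ip_filters":
        raise ValueError("expected ip_filters, got %r" % name)
    filters = []
    for f in fields:
        if not f:
            continue
        parts = [x.strip() for x in f.split(",")]
        if len(parts) != 3:
            raise ValueError("triplet must be 'address, mask, severity': %r" % f)
        addr, mask, sev = parts
        # strict=False lets a host address stand in for its network;
        # an IPv4 dotted mask or a prefix length such as '64' are both accepted.
        net = ipaddress.ip_network((addr, mask), strict=False)
        severity = int(sev)
        if severity not in (1, 2, 3):
            raise ValueError("severity must be 1, 2 or 3: %r" % f)
        filters.append((net, severity))
    return filters


def login_severity(filters: List[Tuple[Network, int]], remote_host: str) -> int:
    """Severity for a login from remote_host.  Names that are not IP literals
    (the agent records 'localhost' for local sessions) get the default."""
    try:
        ip = ipaddress.ip_address(remote_host)
    except ValueError:
        return DEFAULT_SEVERITY
    for net, sev in filters:
        if ip.version == net.version and ip in net:
            return sev
    return DEFAULT_SEVERITY


if __name__ == "__main__":
    f = parse_ip_filters("ip_filters | 192.0.2.0, 255.255.255.0, 1 | 10.0.0.0, 255.0.0.0, 2")
    for host in ("192.0.2.77", "10.20.30.40", "198.51.100.1", "localhost"):
        print(host, login_severity(f, host))
```

Order the triplets from most to least specific: with first-match semantics a broad 10.0.0.0/8 entry placed before a 10.1.2.0/24 entry would shadow it.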
Table 33 Login/Logout Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | User logged-in on (REMOTE: ) or User logged-out from a session on | Detailed alert description
argv[9] | Event | String | Following are the possible values: • Login | The event that triggered the alert.
Table 34 Successful su Detected Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[9] | Event | String | Switch-user (su) | The event that triggered the alert.
How this template is configured
Table 35 lists the configurable properties that this template supports.
Table 35 Failed Logins Template Properties
Name | Type | Default Value
max_failed_login | VIII | 2
fail_interval | VI | 10 seconds
warning_interval | VI | 30 seconds
priv_user_list | III | root ids
Properties
The configurable properties are listed as follows:
max_failed_login  The number of failed attempts to log in as the same user.
Table 36 Failed Login Attempts Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[4] | UTC Time | Integer | | UTC time in number of seconds since the epoch when the number of failed logins was detected for a particular target login account
argv[5] | Attacker | String | | Name or IP address of the host from which the user logged in or out.
Limitations
The Repeated Failed Logins template has the following limitations:
• The template only detects failed logins that are logged to btmp.
  ◦ The template does not detect failed secure ftp (sftp) logins, because the ssh daemon logs failed sftp logins using syslog(3C) instead of logging them to btmp(s) on HP-UX 11i v2 and HP-UX 11i v3.
  ◦ The template does not detect failed secure shell (ssh) logins by ssh daemons that do not log failed ssh logins to btmp(s) on HP-UX 11i v2 and HP-UX 11i v3.
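The Type VI time strings described earlier (23, 10m, 1h, 23s) and the Repeated Failed Logins properties in Table 35 come together in the following added example, which is not HIDS code. It parses a template configuration fragment in the manual's "name | value" layout, converts the time strings to seconds, and runs a threshold detector over constructed btmp-style failure records. The window semantics are assumptions, since this page names the properties without defining them: an alert fires when one target user accumulates max_failed_login failures within fail_interval, no further alert for that user is raised until warning_interval has passed, and severity is 2 for users in priv_user_list and 3 otherwise (the convention Table 38 documents for su, assumed here for logins).

```python
"""Added example (not HIDS code): Type VI time strings feeding a model of the
Repeated Failed Logins template.  Window semantics and the severity rule are
assumptions; the btmp-style records are constructed for the example."""
import re
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time_string(value: str) -> int:
    """'23' -> 23, '10m' -> 600, '1h' -> 3600, '23s' -> 23; a bare integer is seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw]?)\s*", value)
    if not m:
        raise ValueError("bad time string: %r" % value)
    return int(m.group(1)) * UNITS[m.group(2) or "s"]


def parse_properties(text: str) -> Dict[str, List[str]]:
    """'name | v1 | v2' lines -> {name: [v1, v2]}; blank and '#' lines skipped."""
    props: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, *values = [f.strip() for f in line.split("|")]
        props[name] = values
    return props


class FailedLoginDetector:
    def __init__(self, props: Dict[str, List[str]]):
        self.max_failed = int(props["max_failed_login"][0])
        self.fail_interval = parse_time_string(props["fail_interval"][0])
        self.warning_interval = parse_time_string(props["warning_interval"][0])
        self.priv = set(props.get("priv_user_list", []))
        self.window: Dict[str, Deque[int]] = {}     # per target user: failure times
        self.last_alert: Dict[str, int] = {}

    def feed(self, t: int, user: str, host: str) -> Optional[Tuple[int, str, str]]:
        """Record one failed login; return (severity, user, host) if an alert fires."""
        q = self.window.setdefault(user, deque())
        q.append(t)
        while q and t - q[0] > self.fail_interval:   # drop failures outside the window
            q.popleft()
        if len(q) < self.max_failed:
            return None
        last = self.last_alert.get(user)
        if last is not None and t - last < self.warning_interval:
            return None                              # still inside warning_interval
        self.last_alert[user] = t
        q.clear()
        return (2 if user in self.priv else 3, user, host)


def run(config: str, records: List[Tuple[int, str, str]]) -> List[Tuple[int, str, str]]:
    det = FailedLoginDetector(parse_properties(config))
    return [a for a in (det.feed(*r) for r in records) if a]


CONFIG = """\
# Table 35 defaults, written as Type VI time strings
max_failed_login | 2
fail_interval | 10
warning_interval | 30s
priv_user_list | root | ids
"""

# Constructed btmp-style failures: (utc seconds, login name, remote host).
RECORDS = [
    (1000, "root", "192.0.2.4"),
    (1005, "root", "192.0.2.4"),    # 2 failures within 10 s -> severity 2
    (1010, "root", "192.0.2.4"),
    (1012, "root", "192.0.2.4"),    # 2 again, but inside warning_interval -> quiet
    (1040, "alice", "192.0.2.9"),
    (1060, "alice", "192.0.2.9"),   # 20 s apart: outside fail_interval, no alert
    (1065, "alice", "192.0.2.9"),   # 1060 + 1065 -> severity 3
]

if __name__ == "__main__":
    for alert in run(CONFIG, RECORDS):
        print("severity %d: repeated failed logins for %s from %s" % alert)
```

Only failures that reach btmp are visible to the template, as the Limitations above state; the constructed records stand in for those entries, and an sftp failure that went to syslog would simply never appear in RECORDS.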
Table 38 Repeated Failed Su Attempts Alert Properties
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[1] | Template code | Integer | 9 | Unique code assigned to the template
argv[2] | Version | Integer | | Template version
argv[3] | Severity | Integer | 2 for users listed in the priv_user_list property; 3 for all other users | Alert severity
Table 39 Log File Monitoring Template Properties
Name | Type | Default Value | Description
logfile | XI | /opt/apache/logs/error_log | The absolute path name of the log file being monitored.
watch | X | "authentication failure for" | Regular expression string patterns that specify log entries of interest.
ignore | X | "user ids" | Regular expression string patterns to selectively filter out log entries that matched a "watch" pattern.
NOTE: For more information about regular expressions, see "UNIX Regular Expressions" (page 106).
Alerts generated by this template
Log File Monitoring
Table 40 (page 149) lists the alert properties the Log File Monitoring template generates and forwards to a response program when log entries matching a string pattern are detected.
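The watch/ignore pair in Table 39 is a two-stage filter: a line must match some watch pattern and no ignore pattern. The following added example, which is not HIDS code, runs that filter over constructed Apache-style error_log lines and also shows the bookkeeping a log follower needs for the log file rotation mentioned earlier in this chapter: it reads only bytes appended since the last poll, carries a trailing partial line over, and restarts from the beginning when the file shrinks. The rotation handling and the severity default of 3 are this example's choices, not documented agent behaviour; the sample lines are constructed.

```python
"""Added example (not HIDS code): watch/ignore filtering over a log file with
incremental reads and a shrink-detection restart for rotation.  Rotation
handling and the default severity are assumptions; the log lines are made up."""
import os
import re
import tempfile
from typing import List, Tuple


class LogMonitor:
    def __init__(self, logfile: str, watch: List[str], ignore: List[str], severity: int = 3):
        self.logfile = logfile
        self.watch = [re.compile(p) for p in watch]
        self.ignore = [re.compile(p) for p in ignore]
        self.severity = severity
        self.offset = 0          # bytes already consumed
        self.partial = ""        # unterminated last line carried to the next poll

    def match(self, line: str) -> bool:
        """Entry of interest: some watch pattern hits and no ignore pattern does."""
        return (any(w.search(line) for w in self.watch)
                and not any(i.search(line) for i in self.ignore))

    def poll(self) -> List[Tuple[int, str]]:
        """Return (severity, line) for new matching lines since the last poll."""
        try:
            size = os.path.getsize(self.logfile)
        except FileNotFoundError:
            return []
        if size < self.offset:               # file replaced or truncated: rescan
            self.offset, self.partial = 0, ""
        with open(self.logfile, "rb") as f:
            f.seek(self.offset)
            data = self.partial + f.read().decode("utf-8", "replace")
            self.offset = f.tell()
        lines = data.split("\n")
        self.partial = lines.pop()           # "" when the file ended with a newline
        return [(self.severity, line) for line in lines if self.match(line)]


WATCH = ["authentication failure for", "client denied by server configuration"]
IGNORE = ["user ids"]                        # the agent's own account is expected to fail

# Constructed Apache-style error_log lines (not captured from a real host).
LINES_1 = [
    '[Mon Jan 09 10:00:01 2012] [error] [client 192.0.2.4] user bob: authentication failure for "/admin": Password Mismatch',
    '[Mon Jan 09 10:00:02 2012] [error] [client 192.0.2.5] user ids: authentication failure for "/hids": Password Mismatch',
    "[Mon Jan 09 10:00:03 2012] [notice] child pid 1234 exit signal Segmentation fault (11)",
]
LINE_2 = "[Mon Jan 09 10:05:00 2012] [error] [client 198.51.100.7] client denied by server configuration: /opt/apache/htdocs/private"


def demo() -> List[int]:
    """Write, append, re-poll and rotate a scratch log; return the alert count per poll."""
    path = os.path.join(tempfile.mkdtemp(), "error_log")
    with open(path, "w") as f:
        f.write("\n".join(LINES_1) + "\n")
    mon = LogMonitor(path, WATCH, IGNORE)
    first = mon.poll()                       # bob alerts; ids is ignored; notice is not watched
    with open(path, "a") as f:
        f.write(LINE_2 + "\n")
    second = mon.poll()                      # only the appended line is examined
    again = mon.poll()                       # nothing new
    with open(path, "w") as f:               # rotation: a new, shorter file under the same name
        f.write(LINES_1[0] + "\n")
    after_rotate = mon.poll()
    return [len(first), len(second), len(again), len(after_rotate)]


if __name__ == "__main__":
    print(demo())
```

A rotated file that is already longer than the saved offset would not be detected by the size check alone; comparing the inode number from os.stat between polls closes that gap on a real agent.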
B Automated Response for Alerts This appendix describes how to use response programs to process alerts automatically according to your installation policy. It includes a sample C program, several sample response scripts, and information about a prepackaged response program that communicates with HP OpenView VantagePoint Operations.
How Automated Response Works in HP-UX HIDS
This section discusses how the response programs handle the agent alerts.
Alert Process
When the agent generates an alert, the following actions occur:
1. The agent stores the alert in a local log file with a path name defined by the IDS_ALERTFILE configuration variable. The default is /var/opt/ids/alert.log. For more information, see "The Agent Configuration File" (page 186).
2.
3. If you must transmit alert information to another system, set up your own secure communication process.
4. If a response program has its setuid or setgid bit set, it runs as that effective user or group.
5. It is good practice to restrict setuid and setgid programs to the absolute minimum necessary. For more information, see "Writing Privileged Response Programs" (page 158).
Table 41 Additional Arguments Passed to Response Programs for Kernel Template Alerts (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[27] | Attack Program Owner | Integer | | Owner of the attack program (uid)
argv[28] | Attack Program Group | Integer | | Group of the attack program (gid)
argv[29] | Attack Program Inode | Integer | | Inode number of the attack program
argv[30] | Attack Program Device | Integer | | Device number of the
Table 43 Additional Arguments Passed to Response Programs for File Modification Failed Attempt Alerts
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format Description
argv[36] | Error Number | Integer | Number representing the error.
argv[37] | System Call Return Value | Integer | Return value of the system call.
Table 45 Additional Arguments Passed to Response Programs for Race Condition Template Alerts (continued)
Response Program Argument | Alert Field | Alert Data Type | Alert Value/Format Description
argv[43] | Attacked Program Number of Arguments | Integer | Number of arguments passed to the program under attack (for example, argc)
argv[44] | Attacked Program Arguments | Integer | ....
Table 48 Additional Arguments Passed to Response Programs While Generating Aggregated Alerts
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format Description
argv[10] | The number of alerts in the aggregated alert | Integer | The number of template alerts aggregated as part of the aggregated alert.
argv[11] | Attacker process id | Integer | Process ID (pid) of the attacker.
Table 48 Additional Arguments Passed to Response Programs While Generating Aggregated Alerts (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format Description
argv[27] | Full hostname of remote host | String | Full hostname of the remote host from which the attacker logged in. Set to localhost for the local host, or to the empty string if not known.
Perl References
Use the following references to help write Perl scripts for HP-UX HIDS:
• perlsec(1) in /opt/perl/man.
• http://www.perldoc.com/perl5.6/pod/perlsec.html, the web version of the manpage
• http://security-archive.merton.ox.ac.uk/bugtraq-200002/0114.html, an e-mail archive thread
Writing Privileged Response Programs
This section describes how to write privileged and unprivileged C response programs.
NOTE: The pathnames below are suggested places to store files. However, they are not delivered as part of HP-UX HIDS, because of the program's security policy implications.
Solution A
/opt/ids/response/scriptA.sh: A non-setuid script with mode 500, owned by ids:ids
/opt/ids/response/misc: A directory with mode 500, owned by ids:ids
/opt/ids/response/misc/privA: A setuid-root program with mode 4550, owned by root:ids
Code for scriptA.
        exit(0);
    }
}
Solution B
/opt/ids/response/privB: A setuid-root program with mode 4550, owned by root:ids
Code for privB program
#include
#include
#include
        {
            perror("kill");
            exit(1);
        }
        fprintf(stderr, "Killed offending process %d\n", pid);
        /* Turn off root privilege */
        if (setresuid(-1, getuid(), geteuid()) == -1) {
            perror("setresuid");
            exit(1);
        }
    }
}
exit(0);
}
Solution C
/opt/ids/response/privC
/opt/ids/response/misc
/opt/ids/response/misc/scriptC.
        /usr/bin/mailx -s "$7" ${RECIPIENT}
        kill -KILL ${pid}
    fi
fi
# Exit with no error
exit 0
Sample Response Programs
The following sections contain examples of C and shell script response programs.
Sample C Language Program Source Code
This is sample C language source code for a response program. It is available in /opt/ids/share/examples/ids_alertResponse.c. Modify the source code below to take appropriate action in response to intrusions. This source code can be compiled with a standard C compiler.
Example 2 Sending Alerts Through e-mail
#!/usr/bin/sh
#
# Sample HP-UX HIDS alert response script
#
# Send an e-mail to root if a severity 1 alert is received
# Replace this comment with the target e-mail address
RECIPIENT="root"
# If there is a severity 1 alert then send the details in
# e-mail
if [ "$3" = "1" ]
then
    echo "$8" | /usr/bin/mailx -s "$7" ${RECIPIENT}
fi
Logging to a Central syslog Server
While the HP-UX HIDS System Manager provides a central location for alerts, you can also log alerts to a sys
IMPORTANT: This script requires privilege and must not be installed as a setuid privileged script. This script is for illustration purposes only. For instructions on safely writing a privileged response program, see “Writing Privileged Response Programs” (page 158).
IMPORTANT: This script requires privileges and must not be installed as a setuid privileged script. This script is for illustration purposes only. For instructions on safely writing a privileged response program, see “Writing Privileged Response Programs” (page 158). NOTE: The agent cannot make new connections to the HP-UX HIDS System Manager, and you must log in to the system at the console. Any existing connection remains open, but new connections handled by inetd are refused.
Example 7 Taking a Snapshot of Critical System State
#!/usr/bin/sh
#
# Sample HP-UX HIDS alert response script
#
# Take a snapshot of important system state information
# when the intrusion occurred.
# State information is stored in a snapshot file with the
# UTC time of the intrusion alert appended to it.
RECIPIENT="root"
# Set the umask to a "sane" value
umask 077
file="/var/opt/ids/tmp/snapshot.
HP Reference
For more information, see HP OpenView Operations SMART Plug-In for HP-UX Host IDS Administrators and Users Guide, available at: http://www.managementsoftware.hp.com/products/spi/spi_ids/spi_ids_guide_22.pdf
OVO Enablement in HP-UX HIDS
OVO integration is enabled with two programs that are installed on every agent host in the directory defined by the IDS_RESPONSE_DIR configuration variable. By default, they are: /opt/ids/response/send_alert_to_vpo.
C Tuning Schedules and Generating Alert Reports
This appendix describes how to tune schedules and generate alert reports using the idsadmin command. This appendix addresses the following topics:
• “Tuning Schedules Using the idsadmin Command.”
• “Generating Alert Reports Using the idsadmin Command.”
Tuning Schedules Using the idsadmin Command
The tune command enables you to tune schedules and reduce the number of false positives (alerts that are generated because of normal system activity).
updates the schedule and deploys it over the two agents. The administrator can choose to intervene in this process; however, it is not required. Schedule Tuning Process The process by which a schedule is tuned can be broken down into the following steps: • “Step 1: Analyzing Alerts and Tuning Schedules.
The syntax for the tune command when invoked from the idsadmin command line is as follows:
idsadmin [-v[vvv]] -t [OPTIONS]
The tune command can also be invoked from the interactive command-line interface as follows:
idsadmin> tune [-v[vvv]] -t [OPTIONS]
Table 50 describes the various tuning options that you can use with the tune command.
Table 50 The tune Command Options
Option | Description
-a, --agent-hosts host1:[srp1,srp2,......],host2:[srp1,srp2,......]... | A comma-separated list of host names or IP
NOTE: If you have specified the --tune-no-review option with the tune command, this report is not displayed. The tune command automatically modifies and deploys the schedule without prompting for reviews.
The Tune Command Report contains the following additional sections:
• “Section Related to File Related Alerts.”
• “Section Related to Aggregated Alerts.”
• “Section Related to System Alerts.
NOTE: No filters are generated for aggregated alerts, and they cannot be filtered using the idsadmin tune command. Section Related to System Alerts The summary of system alerts contains the following fields: Where: • is the hostname or the IP address of the remote host from which the alert was generated (in the case of a login alert). In the case of a logout alert, it is the terminal from which the user logged out.
Example 9 To tune schedules for two agents without any user interaction
% idsadmin -t -a abc.hp.com,xyz.hp.com --tune-no-review
This command (invoked from a shell command line) analyzes alerts for the two agents (abc.hp.com and xyz.hp.com) generated since the timestamp of the last alert to be tuned. The tune command analyzes the alerts, and automatically updates and deploys the updated schedule on these agents. No user interaction is required.
Example 12 Suggested Exact Filters ATTACK PROGRAM| /opt/OV/bin/OpC/opcmon --> (X) | /var/opt/OV/tmp/OpC/monagtp | Filesystem modification or potential modification | 0 | 3 | Wed Oct 11 13:12:46 2006 | 12 | ^/var/opt/OV/tmp/OpC/monagtp$ | ^/opt/OV/bin/OpC/opcmon$ | | 2 In this entry, the tune command displays the filtering rule for alerts that are generated when the opcmon program modifies the /var/opt/OV/tmp/monagtp.
• Generate incremental reports (i.e., report alerts that were generated after the last generated report)
• Select alert fields to be displayed in the report
• Sort alerts by severity, alert type, or date
• Initiate reports from the command line, from an interactive menu, or from a cron job
• E-mail the reports to any number of recipients
• Generate reports in .html, .txt, and .
Table 51 Reporting Options Supported by idsadmin
Option | Description
-a, --agent-hosts host1:[srp1,srp2,......],host2:[srp1,srp2,......]... | all | managed | A comma-separated list of host names or IP addresses of agent(s) to monitor and manage. If an agent is configured to monitor HP-UX Containers (HP-UX SRP), specify the comma-separated list of Container (SRP) names within square brackets, appended to the host name or IP address of the agent and separated from it by a colon.
Table 51 Reporting Options Supported by idsadmin (continued)
Option | Description
--alert-fields | A comma-separated list of alert fields to print in a report, where:
• hostname — The hostname of the agent that generated the alert.
• ipaddr — The host IP address of the agent that generated the alert.
• template — The template that generated the alert.
• localdate — The local date and time of the event that triggered the alert.
• utcdate — The UTC date and time of the event that triggered the alert.
Table 51 Reporting Options Supported by idsadmin (continued)
Option | Description
--e-mail-subject TEXT | Used with the --e-mail-to reporting option. Subject line of an e-mail message containing a report. Text must be enclosed in double quotes if it contains white space. This option can be specified only from the command line and not from the interactive menu prompt.
--end-date YYYYMMDD[HHMMSS] | Specifies that only alerts generated on or before the specified date are reported.
Table 51 Reporting Options Supported by idsadmin (continued)
Option | Description
--sort-by date | severity | type | The sorted order in which alerts are listed in an alert report. The default is date.
--start-date YYYYMMDD[HHMMSS] | Specifies that only alerts generated on or after the specified date are reported. The date/time is interpreted as local time on the host on which idsadmin is run, not as the local time on the agent host(s).
Example 14 To generate a report for all the managed agents starting from a particular date
/opt/ids/bin/idsadmin -r --start-date 20070101
This command generates a report for all the managed agents starting from January 01 2007. This report is saved as an HTML file in /var/opt/ids/reports/HIDS_Report.html. Figure 44 shows a screenshot of the report in HTML format.
Figure 44 Screenshot of the Generated Report in .html Format
NOTE: While generating alert reports in .
Example 15 To generate a report for an agent showing only the date and time (local), severity, attacker, and target, and to e-mail the report in text format to a specified e-mail address
/opt/ids/bin/idsadmin -r -a ariel --alert-fields localdate,severity,attacker,target --report-format text --e-mail-to admin@xyz.
Example 18 To generate a report for all agents listing only alerts related to failed logins, logouts, and failed su attempts. The report is e-mailed to the specified e-mail address with a customized message and subject line.
/opt/ids/bin/idsadmin -r --alert-events flogin,logout,fsu --e-mail-to admin@xyz.com --e-mail-message "HIDS Alert Report Generated" --e-mail-subject "Report Dated Mar 23 2007"
Example 19 To generate a report for all agents listed in the sentinal.
Example 20 To generate a report for an agent configured to monitor HP-UX Containers (HP-UX SRP).
/opt/ids/bin/idsadmin -r --start-date 20110101 --report-type persrp -a :[init,srp01,srp02]
This command generates a report for an agent configured to monitor the Containers 'init', 'srp01', and 'srp02', starting from January 01 2011. This report is saved as an HTML file in /var/opt/ids/reports/HIDS_Report.html in the persrp format.
D The Agent Configuration File This appendix describes the user-configurable options that can be modified in the HP-UX HIDS agent configuration file, which is located in /etc/opt/ids/ids.cf.
Global Configuration
The Global section is bracketed by the [global]...[END] keywords. Only the parameters in Table 52 may be edited.
CAUTION: Do not edit any other variables between [global] and its [END] tag.
Table 52 Global Configuration Variables
Name | Default Value
IDS_ALERTFILE | /var/opt/ids/alert.log
IDS_ERRORFILE | /var/opt/ids/error.
Table 53 Correlator Configuration Variables
Name | Default Value
CMDLINEARGS | ""
AGGREGATION | "not set"
CMDLINEARGS
Used to pass command line options to the idscor process. To measure the average system call event rate on a host for the system calls monitored by HIDS, while running a particular set of detection templates, set the value to -t where is the number of events over which the rate is calculated. For example, -t 100000 calculates the event rate for every 100,000 events.
The first entry, for the system log DSP which monitors various system log files, has no modifiable parameters. The second entry is for the kernel audit data DSP. CAUTION: Do not edit any variables in the system log DSP section (between [DSP] NAME idskernDSP and its [END] tag). Kernel Audit Data DSP In the section beginning with [DSP] NAME idskernDSP only the parameters in Table 54 may be edited. CAUTION: tag.
Gather status information on numbers of audit records read or written but still block the kernel. Do not drop audit records in the kernel, but a read of /dev/idds returns immediately if no data is available.
IDDS_MODE 4 | Gather status information on numbers of audit records read or written but still block the kernel.
IDDS_MODE 7 | Gather status information, but do not block the processes. Instead, audit records are dropped if there is no space to read them into.
IDS_SSL_TIMEOUT | The timeout value in seconds for the agent to complete a Secure Sockets Layer handshake with the administration system.
REMOTEHOST | The IP address or host name associated with the administration system's network interface card. This entry is set to the host name passed to the IDS_importAgentKeys script when the script is run. See “Configuring a Multihomed Administration System” (page 31) and “Setting Up HP-UX HIDS Secure Communications” (page 24).
E The Surveillance Schedule Text File This appendix describes the surveillance schedule in text format to enable administrators to edit surveillance schedules using their preferred editor, instead of using the GUI Schedule Manager, for those administrators who want to automate the activation of surveillance schedules (using scripts) instead of using the GUI System Manager.
NOTE: All schedule files must be located in /etc/opt/ids/schedules.
Surveillance Schedule Text File
The surveillance schedule text file has two main sections:
• Surveillance Schedule Section: A section that defines global properties of a schedule that are not specific to any Surveillance Group or Template. There can only be one Surveillance Schedule section in a surveillance schedule text file.
• aggr_tuples: The aggr_tuples property is a set of alert aggregation tuples that can be configured to aggregate alerts triggered by a process running a specified program with alerts triggered by the process’ descendent processes. The property tuple values are specified using the syntax described in “Type IX: Path Names / Integer Pairs” (page 112) and each tuple is equivalent to a row in the Schedule Manager Alert Aggregation table described in “Configuring Alert Aggregation” (page 67).
using the syntax described in “Type VII: Flags” (page 112) and is equivalent to the Schedule Manager Monitor Failed Attempts To Create / Modify / Delete Critical Files option described in “Configuring Monitor Failed Attempts” (page 70). The property set to “1” is equivalent to the Monitor Failed Attempts To Create / Modify / Delete Critical Files option box that is selected in the GUI Schedule Manager.
in the schedule file enable you to specify varying start and end times for the same group on different schedules.
• The name in the GROUPPERIOD NAME keyword and the name of the group file located in the groups subdirectory must match (not including the file extension), and they must be unique across all surveillance group names specified in the surveillance schedule text file.
Example 21 A Sample Surveillance Schedule Text File
The following sample surveillance schedule text file illustrates the usage of different keywords in a schedule:
SCHEDULE TestSched
GLOBALS
aggregation | 1
rt_alerts | 0
aggr_tuples | ^/usr/lbin/swagent$ , 28800
suppression | 1
suppression_report | 1
suppression_interval | 6h
suppression_count | 100
suppression_targets_to_ignore | ^/etc/passwd$ | ^/etc/group$ | ^/stand/vmunix$ | ^/stand/system$ | ^/\.rhosts$ | ^/etc/inetd\.
Example 22 A Sample Surveillance Schedule Text File
The following sample surveillance schedule text file illustrates the usage of different keywords in a schedule for an HP-UX Container (HP-UX SRP) configuration with a Global Container (init) and a system Container (srp1):
SCHEDULE TestSched
GLOBALS
aggregation | 1
rt_alerts | 0
aggr_tuples | ^/usr/lbin/swagent$ , 28800
suppression | 1
suppression_report | 1
suppression_interval | 6h
suppression_count | 100
suppression_targets_to_ignore | ^/etc/passwd$ | ^/etc/gro
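A parser for the GLOBALS block of the schedule files shown in Examples 21 and 22, added here as an example and not HP's own code. It assumes one "keyword | value" line per property, that the block ends at the first line without a "|" (the GROUPPERIOD line in the constructed sample is such a line), that the aggr_tuples delay is in seconds, and that suppression_interval accepts s/m/h/d suffixes.

```python
# Parser for the GLOBALS block of an HP-UX HIDS surveillance schedule text
# file (added example, not HP code; layout assumed from Examples 21 and 22).
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the Example 21 layout, not a file shipped with HIDS.
SAMPLE_SCHEDULE = """SCHEDULE TestSched
GLOBALS
aggregation | 1
rt_alerts | 0
aggr_tuples | ^/usr/lbin/swagent$ , 28800
suppression | 1
suppression_report | 1
suppression_interval | 6h
suppression_count | 100
suppression_targets_to_ignore | ^/etc/passwd$ | ^/etc/group$ | ^/stand/vmunix$
GROUPPERIOD NAME FileGroup
"""
# Interval suffixes are an assumption; the page only shows "6h".
INTERVAL_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

@dataclass
class ScheduleGlobals:
    name: str
    aggregation: bool
    rt_alerts: bool
    suppression: bool
    suppression_interval_s: int
    suppression_count: int
    # (program regex, maximum alert delay) pairs; delay assumed to be seconds.
    aggr_tuples: List[Tuple[re.Pattern, int]]
    ignore_targets: List[re.Pattern]

def parse_flag(value: str) -> bool:
    # Type VII flag: "1" selects the GUI option, "0" clears it.
    if value not in ("0", "1"):
        raise ValueError(f"flag must be 0 or 1, got {value!r}")
    return value == "1"

def parse_interval(value: str) -> int:
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    if not m:
        raise ValueError(f"bad interval {value!r}")
    return int(m.group(1)) * INTERVAL_UNITS[m.group(2)]

def compile_anchored(pattern: str) -> re.Pattern:
    # Refuse unanchored path patterns: "/etc/passwd" would also match
    # "/tmp/etc/passwd.bak" and silently widen the ignore list.
    if not (pattern.startswith("^") and pattern.endswith("$")):
        raise ValueError(f"path pattern must be anchored with ^ and $: {pattern!r}")
    return re.compile(pattern)

def parse_globals(text: str) -> ScheduleGlobals:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("SCHEDULE "):
        raise ValueError("file must start with a SCHEDULE line")
    if "GLOBALS" not in lines:
        raise ValueError("missing GLOBALS block")
    props: Dict[str, List[str]] = {}
    for ln in lines[lines.index("GLOBALS") + 1:]:
        if "|" not in ln:  # assumed end of the GLOBALS block
            break
        key, _, rest = ln.partition("|")
        if key.strip() in props:
            raise ValueError(f"duplicate property {key.strip()!r}")
        props[key.strip()] = [v.strip() for v in rest.split("|")]
    tuples = []
    for item in props.get("aggr_tuples", []):
        pattern, sep, delay = item.partition(",")
        if not sep or not delay.strip().isdigit():
            raise ValueError(f"aggr_tuples entry must be 'regex , seconds': {item!r}")
        tuples.append((compile_anchored(pattern.strip()), int(delay)))
    first = lambda key, default="0": props.get(key, [default])[0]
    return ScheduleGlobals(
        name=lines[0].split(None, 1)[1],
        aggregation=parse_flag(first("aggregation")),
        rt_alerts=parse_flag(first("rt_alerts")),
        suppression=parse_flag(first("suppression")),
        suppression_interval_s=parse_interval(first("suppression_interval")),
        suppression_count=int(first("suppression_count")),
        aggr_tuples=tuples,
        ignore_targets=[compile_anchored(p) for p in props.get("suppression_targets_to_ignore", [])],
    )

def aggregation_delay_for(g: ScheduleGlobals, program: str) -> Optional[int]:
    # Maximum alert delay for alerts from a process running program, if any.
    for pattern, delay in g.aggr_tuples:
        if pattern.search(program):
            return delay
    return None

def is_suppression_ignored(g: ScheduleGlobals, target: str) -> bool:
    # True when alerts on target are exempt from alert suppression.
    return any(p.search(target) for p in g.ignore_targets)
```

Running a schedule file through parse_globals before deploying it catches unanchored path patterns and malformed tuples that would otherwise widen the ignore list or be silently misread.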
F Error Messages
This appendix describes errors and messages that may be produced by the Agent and System Manager programs. This appendix addresses the following topics:
• “Agent Messages” (page 199)
• “System Manager Messages” (page 203)
Agent Messages
This section describes error messages that are displayed on agent systems.
NOTE: These messages are produced by agent processes. If you see a message that is not described and you cannot resolve the problem, contact HP support.
Table 56 Agent Error Messages (continued)
Error Message | Meaning | Action
idsagent: failed to reopen stderr in append mode | An internal error occurred while attempting to reopen error reporting. The per-process limit on file descriptors may have been reached. | Contact HP support.
idsagent: failed to start group | The idsagent encountered an error while attempting to activate a surveillance group. | Contact HP support.
Table 56 Agent Error Messages (continued)
Error Message | Meaning | Action
idsagent: could not get latest stat info on log file file | If a log file created by idsagent has been changed, then idsagent attempts to reopen it. The open attempt failed. | Verify that the log file is owned by user:group ids:ids; that the ids user has read and write permissions on the file; and that its parent directory has read and write permissions.
Table 56 Agent Error Messages (continued)
Error Message | Meaning | Action
idsagent: logfile file was changed and cannot be reopened | If a log file created by idsagent was changed, then idsagent attempts to reopen it. The open attempt failed. | Verify that the log file is owned by user:group ids:ids, that the ids user has read and write permissions on the file, and that its parent directory has read and write permissions.
Table 56 Agent Error Messages (continued)
Error Message | Meaning | Action
idssysdsp: NOTE: inode of file filename was changed (ok if log rotation expected on this file) | File filename, which is being monitored by the idssysdsp process, has been moved. This is acceptable if the file has just undergone expected log file rotation. | If the file should not have changed, treat it as a potential intrusion.
Table 57 System Manager Error Messages (continued)
Error Message | Meaning | Action
In order to activate a Surveillance Schedule, selected hosts must have a status of Ready, Scheduled, or Running. | The host was in an invalid state for the selected action. | Before activating a surveillance schedule, ensure that the selected hosts are in ready, scheduled, or running state.
In order to delete host list entries, the scheduled or running surveillance schedule must first be manually stopped.
Table 57 System Manager Error Messages (continued)
Error Message | Meaning | Action
Select node(s) to resync. | A resync of nodes was requested without selecting a node. | Select a node before attempting to resynchronize with the agent associated with the node.
Select node(s) to Stop Schedule. | Only schedules associated with a node can be stopped. No node was selected. |
Select a Surveillance Schedule to Activate. | A schedule must be selected before it can be activated. | Select a surveillance schedule
Table 57 System Manager Error Messages (continued) Error Message Meaning This host (hostname) has multiple network addresses. The INTERFACE configuration setting in idsgui must specify the hostname/IP address of the interface to listen for connections from agents or 0.0.0.0 or :: to listen on all interfaces.
Table 57 System Manager Error Messages (continued)
Error Message | Meaning | Action
Unknown Host - unable to resolve IP Address IPaddress. | The IP address of the host that you tried to add could not be resolved. | Ensure that the correct IP address is used for the host.
Unknown IP Address - unable to resolve Host Name | The host name for the agent that you tried to add could not be resolved. | Check the host name of the host.
G Troubleshooting This appendix describes various steps you can take in resolving problems on the agent and administrative systems.
• “Using HP-UX HIDS with IPFilter and SecureShell” (page 218) • “Unable to Generate Administrator Keys and Agent Certificates on PA–RISC 1.1 Systems” (page 220) Troubleshooting This section describes a variety of potential problems and their solutions. To stay current with product updates and patches, be sure to monitor the HP security software news and events web site at www.hp.com/security.
Agent complains that idds has not been enabled, yet lsdev shows /dev/idds is present □ If your lsdev result shows /dev/idds is present, and yet the idsagent debug-enabled log file (run with /opt/ids/bin/idsagent -d -l log_file_name) complains about idds not being enabled, it is probable that there is an installation or kernel-build error.
Agent halts abnormally, leaving ids_* files and message queues □ If a running agent was not halted as described in “Halting HP-UX HIDS Agents” (page 48) (for example, the agent was stopped with kill -9), then you need to clean up the message queues, which the agent uses for interprocess communication (IPC). This is important because the kernel has a limited number of message queues that IDS and other applications need in order to run.
Agent does not start after installation □ Verify that there are no errors from the install: /var/adm/sw/swagent.log □ Be sure the product has been run as user ids. (No other user will work.) □ Verify that all keys have been generated as described in “Setting Up HP-UX HIDS Secure Communications” (page 24). □ Run /opt/ids/bin/IDS_checkInstall to verify that all required patches have been installed properly prior to installing IDS. IDS_checkInstall should be run on an OS where IDS is installed.
Alert date/time sort seems inconsistent □ Two factors come into play in this seeming inconsistency: First, the agent’s date/time stamp is based on the local host time when the alert was received. Second, the time the System Manager uses to sort the alert is based on the UTC when the alert actually occurred. Under normal circumstances, these two times are identical. On occasion, however, there may be a difference depending on internal processing time, which may make the alert list inconsistent.
Getting several aggregated alerts for the same process
Problem: Alerts generated by a process running a program specified in an alert aggregation tuple are being aggregated into several aggregated alerts.
Cause: The maximum alert delay specified in the alert aggregation tuple for the program being run by this process is too small.
Action: Increase the maximum alert delay in the alert aggregation tuple to aggregate over a longer period of time.
comm_write_msg: Error writing message, errno==607: Error during SSL handshake Use IDS_checkAgentCert to get the validity duration of the agent certificate, and compare it with the system time of the agent host. If the certificate is not yet valid on the agent host, either adjust the system time of the agent host, or wait until the certificate becomes valid.
Log files are filling up □ The log files on both the agent and the administration systems can grow without bounds. It’s a good idea to practise log file rotation. See “Log File Rotation” (page 186). No Agent Available □ The Status field for an agent on the System Manager screen shows No Agent Available. See also “Agent and System Manager cannot communicate with each other” (page 209). 1.
Schedule Manager timetable screen appears to hang
□ The visual refresh of the day, time, and surveillance group matrix (which the System Manager maintains in the Schedule Manager timetable screen) is CPU intensive and hence may appear to be slow on some systems.
SSH does not perform a clean exit after idsagent is started
After starting idsagent from an ssh login, logging out of the agent system results in the ssh session hanging indefinitely.
System Manager starts with no borders or title bar in X client programs on Windows □ This sometimes happens when Reflection X (or other X client programs on Microsoft Windows) has been running for a while. Quit, restart the program, relogin to your HP-UX HIDS administration system, and restart the System Manager. If the problem persists, contact HP support.
pass in quick proto tcp from any to any port = hpidsagent keep state
2. HP-UX HIDS System Manager listens on port hpidsadmin (2984) for incoming connections initiated by HP-UX HIDS agents. If the host running IPFilter is also running an HP-UX HIDS System Manager, then allow incoming connections initiated by HP-UX HIDS agents.
pass in quick proto tcp from any to any port = hpidsadmin keep state
3. HP-UX HIDS System Manager uses ephemeral ports to send requests to the agent host’s port hpidsagent.
'MIT-MAGIC-COOKIE-1' vs. ''.
X11 connection rejected because of wrong authentication at Tue Dec 31 15:11:30 2002.
Rejected connection at Tue Dec 31 15:11:30 2002: X11 connection from ::ffff:15.27.232.106 port 56861
xsvr3: Channel 0 closes incoming data stream.
xsvr3: Channel 0 closes outgoing data stream.
xsvr3: Channel 0 sends oclosed.
xsvr3: Channel 0 sends ieof.
xsvr3: Channel 0 receives input eof.
xsvr3: X problem fix: close the other direction.
xsvr3: Channel 0 receives output closed.
to JAVA_MINOR_NUM_MAX="4"
These changes ensure that idsgui uses only Java 1.4.x.
NOTE: The GUI might run with some limitations with Java 1.4.x. Numerous warnings or errors in /var/opt/ids/gui/logs/Trace.log and /var/opt/ids/gui/guiError.log may result in very large files that can consume a considerable amount of disk space.
H HP Software License Attention USE OF THE HP-UX HOST INTRUSION DETECTION SYSTEM AND ASSOCIATED DOCUMENTATION (COLLECTIVELY, THE "SOFTWARE") IS SUBJECT TO THE HP SOFTWARE LICENSE TERMS SET FORTH BELOW. USING THE SOFTWARE INDICATES YOUR ACCEPTANCE OF THESE LICENSE TERMS. IF YOU DO NOT ACCEPT THESE LICENSE TERMS, YOU MAY RETURN THE SOFTWARE FOR A FULL REFUND. IF THE SOFTWARE IS BUNDLED WITH ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE UNUSED PRODUCT FOR A FULL REFUND.
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS * OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE.
* "This product includes software written by Tim * Hudson (tjh@cryptsoft.com)" * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS * '' AND ANY EXPRESS OR IMPLIED WARRANTIES, * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * PARTICULAR PURPOSE ARE DISCLAIMED.
Export Requirements You may not export or re-export the Software or any copy or adaptation in violation of any applicable laws or regulations. U.S. Government Restricted Rights The Software and any accompanying documentation have been developed entirely at private expense. They are delivered and licensed as "commercial computer software" as defined in DFARS 252.227-7013 (Oct 1988), DFARS 252.211-7015 (May 1991) or DFARS 252.227-7014 (Jun 1995), as a "commercial item" as defined in FAR 2.