HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
Agent does not start after installation
□ Verify that there are no errors from the install: /var/adm/sw/swagent.log
□ Be sure the product has been run as user ids. (No other user will work.)
□ Verify that all keys have been generated as described in “Setting Up HP-UX HIDS Secure
Communications” (page 24).
□ Run /opt/ids/bin/IDS_checkInstall to verify that all required patches have been
installed properly prior to installing IDS. IDS_checkInstall should be run on an OS where
IDS is installed. If patches are missing, uninstall IDS (swremove), install the patches (see the
HP-UX HIDS 4.4 release notes ), and reinstall IDS (swinstall).
Agents appear to be stuck in polling status
In some instances, the combination of the autostatus and autosync processes leave some agents
in “polling” status. The workaround is to use autostatus only or to perform a manual status to get
the agent display into a known state.
Agent displays error if hostname to IP mapping is not registered in name service
On a multihost system, if the IDS_LISTEN_IFACE parameter in the /etc/opt/ids/ids.cf
agent configuration file is set to an IP address that is not registered with name service, the idsagent
process throws the following error during startup in the /var/opt/ids/error.log file and
then aborts.
idsagent: the IDS_LISTEN_IFACE parameter is specified as:
192.0.2.4
in the configuration file /etc/opt/ids/ids.cf
This is not a valid address or name for this host.
Please change the IDS_LISTEN_IFACE parameter in the [global] section of the configuration file to be a valid
address or namefor this host.
The preferred solution is to modify the name service configuration so that the IP address specified
by theIDS_LISTEN_IFACE parameter maps to the local host name. Otherwise, a workaround is
to set theIDS_LISTEN_IFACE parameter to 0.0.0.0 (or "::" for IPv6) and the agent listens on all
available interfaces
WARNING! By setting the value of IDS_LISTEN_IFACE parameter to 0.0.0.0 (or "::" for IPv6),
the idsagent process will listen on the idsadmin port on all available interfaces. Customer must
evaluate the risk of exposing the idsagent to other interfaces before setting the value of the
parameter IDS_LISTEN_IFACE to 0.0.0.0 (or "::" for IPv6). Limiting the number of ports opened
on interfaces (and hence reducing the system's exposure to attack) is considered a good security
practice.
The same risk is applicable for the idsgui process when INTERFACE is set to 0.0.0.0 ( or "::"
for IPV6) in /opt/ids/bin/idsgui file.
Aggregated alerts targets or details field are truncated and the same aggregated
alert has several entries logged in the IDS_ALERTFILE
Problem: You may notice that the targets field or details field of an aggregated alert are truncated.
You may also notice that the aggregated alert has several entries in the IDS_ALERTFILE.
Cause: The maximum size of a message on an IPC message queue is smaller than the size of the
aggregated alert. The idscor process that generates the alerts and sends alerts to the idsagent
process using an IPC message queue, must therefore send the aggregated alert in chunks. The
idsagent process logs the alert chunks to IDS_ALERTFILE and then sends only the first chunk to
the System Manager.
Action: Increase the value of msgmax and msgmnb kernel tunables, preferably to a value greater
than or equal to the size of the aggregrated alert.
212 Troubleshooting