HP-UX Host Intrusion Detection System Version 4.
Legal Notices Copyright 2011 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents

1 Announcement ........................................................... 5
    What is HP-UX HIDS ................................................... 5
    Compatibility with Previous Versions ................................. 5
    Compatibility with Other Products .................................... 
    Administration System ............................................... 15
    Agent Systems ....................................................... 15
    Dual System ......................................................... 15
    Migrating Schedules from Older Versions of HIDS ......................
1 Announcement

The HP-UX Host Intrusion Detection System Version 4.4 supports monitoring of HP-UX Containers (HP-UX SRP).

What is HP-UX HIDS

HP-UX HIDS is a host-based HP-UX security product for HP computers running HP-UX 11i. HP-UX HIDS enables security administrators to proactively monitor, detect, and respond to attacks targeted at specific hosts. Many types of attacks can bypass network-based detection systems.
Table 1 HP-UX HIDS Product Compatibility (continued)

Product                                      Supported?
HP-UX 11i v1                                 No
NIS, NIS+                                    Yes
OpenView                                     Yes
ServiceGuard                                 Not tested
Third-party Event Monitoring Service (EMS)   Not tested
Trusted Mode operation                       Yes
Virtual Vault                                No

Localization

The HP-UX HIDS software and documentation are not localized in non-English languages.
NOTE: Logins/Logouts, Failed logins, and failed su attempts are not supported in HP-UX Containers (HP-UX SRP).

• Complements network-based security solutions and bolsters the overall security of the computing infrastructure. HP-UX HIDS is designed to detect intrusions that network-based security products cannot identify, thereby strengthening the integrity of the host system as the last line of defense.
IDS Mailing List

To receive the latest news about HP-UX HIDS, send an email message to majordomo@hpuxmail.cup.hp.com. Include only the following line in the body of the message:

subscribe ids9000-news

NOTE: The term ids9000 refers to the previous name of the product. This address is for subscription requests only. Do not send product questions or other inquiries.
Clarifications

Perform Updates Instead of Cold Reinstalls

HP-UX HIDS is designed to support updates. If users cold reinstall the newer version by first removing the older version (swremove), two reboots (instead of just one or possibly none) will occur, and there is the possibility of losing some configuration data.

Do Not Change Permissions

Do not change the permissions on files and directories owned by ids.
Example 1 Invalid Modification - Scenario 1

In this example, the GUI Schedule Manager allows the administrator to enter an unequal number of pathnames_X and programs_X pathname groups:

pathnames_1 | file1 & file 2 | file3 | file4
programs_1 | prog1 | prog2

However, the administrator will not be able to activate the schedule, as there is no corresponding program for file4.
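The following is an added example, not code from the HP-UX HIDS product or its documentation, that performs the consistency check the Schedule Manager applies at activation time: every pathnames_N group must have exactly as many entries as its matching programs_N group. It assumes a line format of "name_N | entry | entry" as shown in the example above (with "a & b" kept as a single entry); the sample schedules are constructed.

```python
"""Added example: check that each pathnames_N group of a HIDS-style
surveillance schedule has one program per pathname entry.

Illustrative code only, not part of HP-UX HIDS. The line format
'pathnames_N | entry | entry' / 'programs_N | entry | entry' is an
assumption based on the schedule fragment shown in Example 1."""

import re
from collections import defaultdict

# name, numeric group index, and the '|'-separated remainder of the line
GROUP_RE = re.compile(r"^(pathnames|programs)_(\d+)\s*\|\s*(.*)$")


def parse_schedule(text):
    """Return {group_index: {"pathnames": [...], "programs": [...]}}.

    Entries are split on '|'; an entry such as 'file1 & file2' is kept
    whole (assumed to be one entry, as in the text's example)."""
    groups = defaultdict(lambda: {"pathnames": [], "programs": []})
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = GROUP_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised schedule line: {line!r}")
        kind, idx, rest = m.group(1), int(m.group(2)), m.group(3)
        entries = [e.strip() for e in rest.split("|") if e.strip()]
        groups[idx][kind].extend(entries)
    return dict(groups)


def find_mismatches(groups):
    """Return [(index, pathnames_without_program, programs_without_pathname)]
    for every group whose pathnames and programs counts differ."""
    problems = []
    for idx in sorted(groups):
        paths = groups[idx]["pathnames"]
        progs = groups[idx]["programs"]
        if len(paths) != len(progs):
            n = min(len(paths), len(progs))
            problems.append((idx, paths[n:], progs[n:]))
    return problems


def schedule_is_valid(text):
    """True when every group is balanced, i.e. the schedule could be activated."""
    return not find_mismatches(parse_schedule(text))


# Constructed sample reproducing the invalid schedule from Example 1:
# three pathname entries but only two programs, so file4 has no program.
SAMPLE_INVALID = """\
pathnames_1 | file1 & file2 | file3 | file4
programs_1 | prog1 | prog2
"""

# Constructed sample where every group is balanced.
SAMPLE_VALID = """\
pathnames_1 | file1 & file2 | file3 | file4
programs_1 | prog1 | prog2 | prog3
pathnames_2 | /etc/passwd
programs_2 | /usr/bin/passwd
"""

if __name__ == "__main__":
    for name, text in (("invalid", SAMPLE_INVALID), ("valid", SAMPLE_VALID)):
        for idx, paths, progs in find_mismatches(parse_schedule(text)):
            print(f"{name}: group {idx}: pathnames without a program: {paths}, "
                  f"programs without a pathname: {progs}")
        print(f"{name}: activatable = {schedule_is_valid(text)}")
```

Running the block reports that group 1 of the invalid sample leaves file4 without a program and that only the balanced sample is activatable. Because the GUI accepts the unbalanced entry and only rejects it at activation, a check of this kind is most useful before the schedule is saved or distributed to agents.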
longer has a connection to that agent. A status command will reestablish a connection to that agent.

The idsadmin Tool Cannot Monitor More Than One Agent at a Time

The idsadmin tool does not monitor or display alerts in near real time from multiple agents at the same time. The idsadmin tool can only monitor and display alerts from one agent at any given time.
Then type in the /sbin/init.d/idsagent start commands interactively.

Agents and Kernel Parameters

The administration System Manager can monitor up to 23 agent systems unless you make kernel parameter changes, as described in Chapter 2, "Configuring HP-UX HIDS," in the Host Intrusion Detection System Administrator's Guide.

Dropped Kernel Audit Records

Depending on the system profile and product configuration, and under heavy loads, HIDS can drop kernel audit records and therefore miss potential intrusions.
The swverify command reports an error after removing the IDS Agent or the IDS Admin sub-product from a server that has the HIDS bundle installed.

After installing HP-UX HIDS v4.3 on a server, if the IDS Agent (IDS-AGT-RUN fileset) or IDS Admin (IDS-ADM-RUN and IDS-ADM-SHLIB filesets) sub-product is removed from the installation, the swverify IDS command report displays the following error message:

ERROR: File "/opt/ids/lbin/ssl-tool" missing.
ERROR: Fileset "IDS.IDS-AGT-RUN,l=/opt/ids,r=F.04.03.
2 Installation

This chapter provides information about HIDS installation.

IMPORTANT: Read this entire chapter before installing or updating to HIDS version 4.4.

Introduction

The HP-UX HIDS version 4.4 bundle can be downloaded from the HP Software Depot Website. The following product versions are supported:

• HPUX-HIDS F.04.04 for HP-UX 11i v3

The HIDS software product bundle, HPUX-HIDS, contains the IDS and IDS-KRN products.
1. Ensure that your administration and agent systems meet the requirements as described in "Hardware and Software Requirements" (page 15).
2. If you want to migrate your existing schedules to HIDS 4.2, complete the steps listed in "Migrating Schedules from Older Versions of HIDS" (page 16).
3. Perform the preinstallation tasks described in "Preinstallation" (page 16).
4. Create software depots for the administration system and the agent systems, as described in "Making Depots" (page 16).
Migrating Schedules from Older Versions of HIDS

Surveillance schedules created using HIDS v3.1 and v4.0 must be migrated before they can be run by HIDS v4.4 agents. Schedules created using HIDS v4.1 do not need to be migrated unless the features introduced in version 4.2 and supported in version 4.4 are needed. Schedules created using HIDS v4.2 and v4.3 do not need to be migrated.

NOTE: If you are migrating schedules created using HIDS v3.1, you must first upgrade to HIDS v4.0 and convert them to HIDS v4.
Table 4 Software Depots

Depot: 11i Admin+Agent Depot (/var/depot/ids_11i_admin+agent)
For an HP-UX 11i system supporting the HIDS administration and agent software
Contents:
• Required system patches
• Required Java patches
• J2SE 5.0
• IDS.IDS-ADM-RUN and IDS.IDS-ADM-SHLIB subproduct
• IDS.IDS-AGT-RUN subproduct
• IDS.IDS-ENG-A-MAN subproduct
• IDS-KRN subproduct
• OpenSSL product

Depot: 11i Admin Depot (/var/depot/ids_11i_admin)
Contents:
• Required Java patches
• J2SE 5.
4. Copy the HP-UX HIDS product to your administration and agent depots, as appropriate.

   a. 11i Agent Depot

      Copy the 11i IDS-KRN product and IDS agent subproducts into the ids_11i_agent depot:

      # swcopy -x enforce_dependencies=false -s /var/tmp/idsprod/HPUX-HIDS_11i.depot IDS-KRN IDS.IDS-AGT-RUN IDS.IDS-ENG-A-MAN @ /var/depot/ids_11i_agent

   b.
3. Open the HP Java Website: http://www.hp.com/go/java
4. Click on the patches link.
5. Take note of the patches that you need, based on your administration system.
6. Open the HP Support Website: http://itrc.hp.com
7. Click on individual patches. You must be registered before you can download patches.
8. Using the instructions on the Website, download the 11i Java patches into /var/tmp/javapatch. Some patches might have dependency patches (patches that must be installed first).
7. Transfer the software to the administration depot using one of the following steps:

   a. 11i Admin Depot

      If your administration system will not be running an agent, copy the 11i Java software into the ids_11i_admin depot:

      # swcopy -x enforce_dependencies=false -s /var/tmp/jre15_15001_1111.depot * @ /var/depot/ids_11i_admin

   b.
NOTE: In the following procedure, swinstall does not reinstall any patches or applications that are already installed. You can ignore messages to that effect; the software you need will be installed properly. Do not reinstall any patches without consulting HP Support first.

The swinstall option -x autoreboot=true in the following procedure ensures that any software that requires a system reboot will be installed. If none of the installed software requires a reboot, the system will not be rebooted.
Table 5 Reboot Matrix (continued)

Update from:    Update to Version 4.4
Version 4.0     No reboot
Version 3.1     No reboot

Postinstallation

• The HP-UX startup in progress list should display OK for the Starting HIDS agent entry.
• When an agent system reboots after a cold installation, the HP-UX startup in progress list should display N/A for the Starting HIDS agent entry.
• Working with firewalls: If you have firewalls between the administration system and agent systems, you must configure the firewall systems.
• Working with NIS: If you use NIS, you must configure the NIS master system.
A HP Software License Attention USE OF THE HP-UX HOST INTRUSION DETECTION SYSTEM AND ASSOCIATED DOCUMENTATION (COLLECTIVELY, THE "SOFTWARE") IS SUBJECT TO THE HP SOFTWARE LICENSE TERMS SET FORTH BELOW. USING THE SOFTWARE INDICATES YOUR ACCEPTANCE OF THESE LICENSE TERMS. IF YOU DO NOT ACCEPT THESE LICENSE TERMS, YOU MAY RETURN THE SOFTWARE FOR A FULL REFUND. IF THE SOFTWARE IS BUNDLED WITH ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE UNUSED PRODUCT FOR A FULL REFUND.
 * 5. Products derived from this software may not be called
 *    "OpenSSL" nor may "OpenSSL" appear in their names without
 *    prior written permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the
 *    following acknowledgment:
 *    "This product includes software developed by the OpenSSL
 *    Project for use in the OpenSSL Toolkit
 *    (http://www.openssl.

 * 2. Redistributions in binary form must reproduce the above
 *    copyright notice, this list of conditions and the
 *    following disclaimer in the documentation and/or other
 *    materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of
 *    this software must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *    Eric Young (eay@cryptsoft.
detailed information regarding any intended disassembly or decompilation. You may not decrypt the Software unless necessary for the legitimate use of the Software.

Transfer. You may transfer your rights under this Agreement to another party on a permanent basis. Your license will automatically terminate upon any transfer of the Software. Upon transfer, you must deliver the Software, including any copies and related documentation, to the transferee.