HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide
HP-UX 11i v3
Abstract
This document describes how to configure and administer the HP-UX HIDS software on HP-UX servers and workstations running HP-UX 11i v3. It is intended for system managers or administrators who configure and administer HIDS on HP-UX 11i v3.
Copyright 2011, 2013, 2014 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents
HP secure development lifecycle .... 10
1 Introduction .... 11
Importance of Intrusion Detection .... 11
Who are the Perpetrators? .... 11
How are These Threats Realized? ....
Using the System Manager Screen .... 38
Starting the HP-UX HIDS System Manager .... 39
Stopping the HP-UX HIDS System Manager .... 39
System Manager Components .... 40
Starting HP-UX HIDS Agents ....
Configuring Monitor Failed Attempts .... 67
Configuring Duplicate Alert Suppression .... 68
Duplicate Alert Suppression Options .... 69
Viewing Surveillance Schedule Details ....
Alert Events Preferences .... 95
Error Events Preferences .... 96
System Manager Preferences .... 97
9 Support and other resources ....
Repeated Failed su Commands Template .... 143
Repeated Failed su Attempts .... 144
Log File Monitoring Template .... 145
Log File Monitoring ....
D The Agent Configuration File .... 182
The Agent Configuration File .... 182
Forcing Active Agent to Reread Configuration File .... 182
Log File Rotation .... 182
Global Configuration ....
System Manager starts with no borders or title bar in X client programs on Windows .... 213
System Manager times out on agent functions such as Activate and Status Poll .... 213
UNKNOWN program and arguments in certain alert messages .... 213
Using HP-UX HIDS with IPFilter and SecureShell .... 213
IPFilter rules for HP-UX HIDS ....
HP secure development lifecycle
Starting with the HP-UX 11i v3 March 2013 update release, the HP secure development lifecycle provides the ability to authenticate HP-UX software. Software delivered through this release has been digitally signed using HP's private key. You can now verify the authenticity of the software before installing the products delivered through this release. To verify the software signatures in a signed depot, the following products must be installed on your system:
• B.11.31.
1 Introduction This chapter introduces the HP-UX Host Intrusion Detection System (HP-UX HIDS) software, an HP-UX product that enhances the local host-level security within your network.
How are These Threats Realized?
This section discusses the circumstances that lead to some common security problems.
Misplaced Trust
Trust can be misplaced during any of the following events:
• While accessing the website of a specific company, you trust that it is the website of the company you intend to visit.
• When you download product data from a website, you trust that it is accurate.
greater privileges than it needs to serve up websites and CGI scripts. Web servers that run as root are easy targets for attack. CGI scripts are easily accessible, and any individual can gain complete root privileges to such systems. Springboards to Attack the Next Target Even if you are not attacked, your company systems can be used to launch an attack on other victims on the Internet.
Security Auditing Tools
A security auditing tool probes systems and networks for potential vulnerabilities that attackers can exploit, generates a report identifying the holes, and recommends fixes. Whenever the system administrator finds holes, he or she must patch them quickly before they are exploited. A security auditing tool that is run regularly is a valuable tool for handling security threats and attacks.
HP-UX HIDS continuously examines ongoing activity on a system, and it seeks out patterns that suggest security breaches or misuses. Security threats or breaches can include attempts to break into a system, subversive activities, or spreading a virus. Once you activate HP-UX HIDS for a given host system and it detects an intrusion attempt, the host sends an alert to the administrative interface where you can immediately investigate the situation, and when necessary, take action against the intrusion.
• Data-gathering components
HP-UX HIDS comprises modules that gather and format information from data sources at various points within the system. Kernel audit data and system log data are the data sources. HP-UX HIDS uses these components to monitor all resources within the network.
• Correlation engine
HP-UX HIDS uses a correlation process that takes data from system data sources and determines whether an alert must be issued.
HP-UX HIDS monitors system activity by analyzing data from the following sources:
• Kernel audit data
• System log files
HP-UX HIDS analyzes this information against its configured attack scenarios. It identifies possible intrusions and misuse immediately following any suspected activity and, at the same time, sends an alert and detailed information about the potential attack to the HP-UX HIDS System Manager.
Agent system/Agent host/Agent node A system node in a network that is configured to run the HP-UX HIDS agent program. The agent system is also known as the agent host or the agent node. Aggregated alert An alert that contains the aggregation of two or more file related real-time alerts that are triggered by the same process or by a group of related processes.
Managed host A host that is actively managed by the HIDS Administrative GUI or CLUI. Open View Operations (OVO) A distributed client and server software solution designed to detect, solve, and prevent problems occurring in networks, systems, and applications in any enterprise. OVO is a scalable and flexible solution that can be configured to meet the requirements of any IT organization and its users.
2 Configuring HP-UX HIDS This chapter describes how to configure HP-UX HIDS System Manager and the Agent software. For information on installing HIDS, see HP-UX HIDS 4.7 Release Notes.
Setting Up HP-UX HIDS Secure Communications
HP-UX HIDS provides a secure communication environment between the System Manager and the agent processes through the Secure Sockets Layer (SSL) protocol. To ensure secure communication, both the System Manager process that runs on the administration system and the HP-UX HIDS agent process that runs on each participating agent system must each have an associated certificate.
1. Create the X.509 Certificates
To create a certificate for the HP-UX HIDS System Manager process, first generate the ids user locally on the HP-UX HIDS administration system. Only then can the certificates for each of the agent nodes be signed by the HP-UX HIDS administration system. The administration system holds the Root Certification Authority (Root CA) that endorses all other certificates.
a. On the administration system, log in as follows:
$su - ids
In this process, each host name or IP address you enter is checked for validity using the nslookup command. For more information, see nslookup(1). If you enter a host name and nslookup returns a single IP address, the host name and IP address are saved in a temporary file and the key bundle is created. If you enter an IP address and nslookup returns a host name, the host name and IP address are saved in a temporary file and the key bundle is created.
$ IDS_genAgentCerts ==> Be sure to run this script on the IDS Administration host. Generate keys for which host? 2001::db8:100 Generating key pair and certificate request for IDS Agent on 2001::db8:100.... Signing certificate for IDS Agent on 2001::db8:100 ... Certificate package for IDS Agent on 2001::db8:100 is /var/opt/ids/tmp/2001::db8:100.tar.Z Next hostname (^D to quit)? myhost2 Generating key pair and certificate request for IDS Agent on myhost2.... Signing certificate for IDS Agent on myhost2 ...
installation.
The agent certificate bundles are generated and stored in the following files:
• /var/opt/ids/tmp/myhost1.tar.Z
• /var/opt/ids/tmp/myhost2.tar.Z
• /var/opt/ids/tmp/15.27.43.6.tar.Z
• /var/opt/ids/tmp/2001::db8:100.tar.Z
NOTE: The IDS_genAdminKeys and IDS_genAgentCerts commands include options to provide alternate key lengths and alternate expiration dates for the administration and agent certificates.
3. Installing the keys on each host
Install the bundle of keys generated for each agent system on that system. Store the agent certificate bundle in the /var/opt/ids/tmp directory.
a. Log in as follows:
$su - ids
b. Change directory to /opt/ids/bin, as follows:
$cd /opt/ids/bin
c. Store the key bundle in a directory, such as /var/opt/ids/tmp.
d. Import the key bundle:
$IDS_importAgentKeys /var/opt/ids/tmp/agentsys.tar.
1. Determine if the agent system is multihomed. Use the nslookup command to determine which IP address corresponds to the host name of the system. If more than one IP address is returned by nslookup, your system is multihomed. If only one IP address is returned, your system is not multihomed.
NOTE: No modifications are needed for a system that has only one IP address.
2. Select the interface on which you want the HP-UX HIDS agent to communicate with the administration system.
The HP-UX HIDS agent software is installed on a system named large, that has four network interface cards, each with a unique IP address. Three of the IP addresses are mapped to aliases large1, large2, and large3 as shown by the following commands: $nslookup large ... Addresses: 1.2.3.4, 1.2.5.10, 1.5.6.7, 2001:db8::100 $nslookup large1 ... Address: 1.2.3.4 $nslookup large2 ... Address: 1.2.5.10 $nslookup large3 ...
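The multihomed check described above can be scripted rather than read by eye. The following is an added example, not a script shipped with HP-UX HIDS: it parses the Address:/Addresses: line that nslookup prints (the nslookup output embedded below is constructed to match the "large" example) and reports whether the host has more than one address.

```shell
#!/bin/sh
# Added example (not from the HP-UX HIDS guide): decide whether a host is
# multihomed from the "Address:"/"Addresses:" line that nslookup prints.
# The output is passed in as text so the check runs offline on constructed
# input; on a live system you would pass "$(nslookup "$host")" instead.

# Count the IP addresses reported for the queried name.  Handles both the
# single "Address:" form and the comma-separated "Addresses:" form (and
# repeated Name:/Address: pairs).  The resolver's own "Server:"/"Address:"
# lines appear before the "Name:" line and are therefore not counted.
count_addresses() {
    printf '%s\n' "$1" | awk '
        /^Name:/ { seen_name = 1; next }
        seen_name && /^Address(es)?:/ {
            sub(/^Address(es)?:[ \t]*/, "")
            n += split($0, parts, /,[ \t]*/)
        }
        END { print n + 0 }'
}

# Print "multihomed" when more than one address is returned, else "single".
# Exit status is 0 for multihomed and 1 otherwise, so it works in an "if".
classify_host() {
    n=$(count_addresses "$1")
    if [ "$n" -gt 1 ]; then
        echo multihomed
        return 0
    fi
    echo single
    return 1
}

# Constructed nslookup output modelled on the guide's "large" example
# (four interfaces, three of them aliased as large1, large2, large3).
NSLOOKUP_LARGE='Server:  ns.example.com
Address:  192.0.2.53

Name:    large
Addresses: 1.2.3.4, 1.2.5.10, 1.5.6.7, 2001:db8::100'

NSLOOKUP_LARGE1='Server:  ns.example.com
Address:  192.0.2.53

Name:    large1
Address: 1.2.3.4'

# Usage on a live system (commented out so the example runs offline):
#   if classify_host "$(nslookup large)" >/dev/null; then
#       echo "large is multihomed: set INTERFACE in ids.cf"
#   fi
```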
NOTE: If an HP-UX HIDS agent system with which the administration system has to communicate uses an IPv4 address for communication, the administration system must also use an IPv4 address to communicate with that agent. To communicate with an agent system that uses an IPv6 address, the administration system must also use an IPv6 address. To communicate with both IPv4 and IPv6 agents, the administration system must have both IPv4 and IPv6 addresses configured. The choice of address depends on your network topology.
REMOTEHOST 192.0.2.4 or REMOTEHOST 2001:db8::100 NOTE: The REMOTEHOST parameter is overridden when you import the certificate bundle with IDS_importAgentKeys. 13. Save the file with your modifications. 14. If the agent is running, force it to reread its configuration file, as described in “Forcing Active Agent to Reread Configuration File” (page 182).
INTERFACE=127.0.0.1
7. Start the System Manager. For more information, see “Starting the HP-UX HIDS System Manager” (page 39).
8. On the Host Manager screen, set up the administration system as an agent system, using 127.0.0.1 as its IP address. For more information, see “Adding a New Host Manually” (page 75) and “Modifying a Host” (page 79).
NOTE: The max_thread_proc is a dynamic tunable in HP-UX 11i version 1.6 and later. In earlier versions of HP-UX, a change to this parameter requires a reboot.
The max_thread_proc tunable can be modified using SAM (on HP-UX 11i v2 operating systems) or SMH (on HP-UX 11i v3 operating systems). Based on your operating system version, follow one of the following procedures to modify this tunable:
Procedure 1 To change the value of max_thread_proc on HP-UX 11i v2:
TRANSPORT_NAME[index]=tcp
NDD_NAME[index]=tcp_conn_request_max
NDD_VALUE[index]=value
Where:
• index is a shell array index, as described in the file.
• value is the value to be assigned.
For example, if this is the first entry in the file and you want to set the value of tcp_conn_request_max to 4096, enter the following:
TRANSPORT_NAME[0]=tcp
NDD_NAME[0]=tcp_conn_request_max
NDD_VALUE[0]=4096
The new value is applied on the next system boot.
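The index in the entry above must not collide with entries already in the file, so a script that appends the tunable has to find the next free one first. The following is an added example, not part of the guide or the product: it computes the next TRANSPORT_NAME[n] index from existing nddconf text (a constructed sample is embedded), validates the value, and emits the three lines to append. The file name /etc/rc.config.d/nddconf is assumed from standard HP-UX practice.

```shell
#!/bin/sh
# Added example (not from the HP-UX HIDS guide): build the next nddconf entry
# for tcp_conn_request_max.  The guide's example hard-codes index 0, which is
# only right when the file is empty; this derives the index from the file.

# Return the next free array index: the highest TRANSPORT_NAME[n] seen plus
# one, or 0 if the content has no entries.  Comment lines are ignored.
next_ndd_index() {
    printf '%s\n' "$1" | awk -F'[][]' '
        BEGIN { next_idx = 0 }
        /^[ \t]*TRANSPORT_NAME\[[0-9]+\]=/ {
            if ($2 + 0 >= next_idx) next_idx = $2 + 1
        }
        END { print next_idx }'
}

# Emit the three-line entry for one tcp tunable at the given index.
ndd_entry() {
    idx=$1; name=$2; value=$3
    printf 'TRANSPORT_NAME[%s]=tcp\nNDD_NAME[%s]=%s\nNDD_VALUE[%s]=%s\n' \
        "$idx" "$idx" "$name" "$idx" "$value"
}

# Accept only a positive decimal integer; anything else would be silently
# ignored or break the rc script that sources nddconf at boot.
is_positive_int() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) [ "$1" -gt 0 ] ;;
    esac
}

# Given the current nddconf text and the desired value, print the entry to
# append.  Prints nothing and returns 1 if the value is not a positive integer.
tcp_conn_request_max_entry() {
    conf=$1; value=$2
    is_positive_int "$value" || return 1
    ndd_entry "$(next_ndd_index "$conf")" tcp_conn_request_max "$value"
}

# Constructed nddconf content: a comment plus one existing entry at index 0,
# so the tcp_conn_request_max entry must use index 1.
SAMPLE_NDDCONF='# nddconf: persistent ndd settings (constructed sample)
TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_forwarding
NDD_VALUE[0]=0'

# Live usage (commented out; requires root and the real file):
#   NDDCONF=/etc/rc.config.d/nddconf
#   tcp_conn_request_max_entry "$(cat "$NDDCONF")" 4096 >> "$NDDCONF"
```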
3 Getting Started with HP-UX HIDS
This chapter provides an overview of the operation of HP-UX HIDS and the procedures used to get the System Manager and agents up and running on the administrative and monitored systems. This chapter addresses the following topics:
• “HIDS Quick Start Guide.
Agents The HP-UX HIDS agent software must be running continually on the systems you are monitoring for it to detect and report intrusions as they occur. When an agent is running a schedule, it records intrusion alerts and agent program errors in local log files. When the System Manager is running on the administration system, and is monitoring the agent, alerts and errors are transferred to log files on the administration host.
5. Go to the Schedule Manager screen and create surveillance schedules, or use the predefined schedules. For more information, see “Using the Schedule Manager Screen” (page 48).
6. Go to the Host Manager screen and select the agent hosts you want to monitor. These are the systems you started idsagent on in step 3. As described in “Setting Up HP-UX HIDS Secure Communications” (page 21), the certificate script may have provided you with a selection of agent hosts.
• Host Manager In the Host Manager screen, you can specify and enable the agent hosts you want to monitor. For more information, see Chapter 6: “Using the Host Manager Screen” (page 74). • Network Node The Network Node screen displays the alerts and error messages that have been generated by an agent. Each agent is displayed on a separate screen. For more information, see Chapter 7: “Using the Network Node Screen” (page 85).
4 Using the System Manager Screen This chapter describes the tasks you can perform using the HP-UX HIDS System Manager screen.
Figure 2 System Manager Screen
Starting the HP-UX HIDS System Manager
The HP-UX HIDS System Manager program, idsgui, must run as user ids. Start it from the shell. To start the HP-UX HIDS System Manager, follow these steps:
1. Log in to the administration system as root.
2. Switch to ids.
# su ids
3. Start the HP-UX HIDS System Manager:
$/opt/ids/bin/idsgui
The System Manager screen is displayed. The screen appears in about 16-20 seconds.
2. On the Exit dialog box, click Yes to exit or No to cancel the exit. Surveillance schedules, surveillance groups, and alert and error logs that have not been saved are saved automatically. Any open screens are closed. Surveillance schedules that are scheduled or running on agents are not affected. System Manager Components The System Manager screen has a number of menus and buttons, which are described in the procedures in the following sections.
Table 4 Status Field Values (continued)
Status Value: Description
Polling: The System Manager is communicating with the host.
Resyncing: The System Manager and agent are resynchronizing.
Running: The schedule is running on the agent.
Scheduled: The schedule is waiting for its next active time block on the agent.
Status Unknown: The System Manager does not know the status of the agent host.
Stopping Schedule: The agent is stopping its current schedule.
• On each agent host, perform one of the following steps:
• Log in to the agent system as root and enter the following command:
#/sbin/init.d/idsagent start
This starts /opt/ids/bin/idsagent under user ids and activates any schedule that was retained when the agent halted.
• Log in to the agent system as root, switch to user ids, and enter the command:
$/opt/ids/bin/idsagent -a
This starts /opt/ids/bin/idsagent under user ids and activates any schedule that was retained when the agent halted.
2. Select one of the following options:
• Click the Status button.
• Choose the Actions > Status Poll menu item.
• Press Shift+F7.
• Right-click in the Monitored Hosts area and select Status Poll from the menu.
The System Manager begins polling the selected hosts and returns an updated value in the Status field. These values are described in Table 4 (page 40). If No Agent Available is shown for a host, the agent may not be running, or may still be initializing. Recheck the status later.
2. Select one of the following options to resynchronize: • Click the Resync button. • Choose the Actions > Resync menu item. • Press Shift+F6. • Right-click in the Monitored Hosts area and select Resync from the menu. Any alerts in each agent’s log file that are newer than the last one seen by the System Manager are transferred to the System Manager’s log files. The numbers are updated on the Monitored Hosts list and the alerts and errors are displayed on the Network Node screen for each host.
2. Select one of the following options to stop the schedule:
• Click the Stop button.
• Choose the Actions > Stop Schedule menu item.
• Press Shift+F3.
• Right-click in the Monitored Hosts area and select Stop Schedule from the menu.
The schedules are stopped and removed from the selected hosts. The Status field is set to Available and the Schedule field is set to None. To restart the schedules, you must activate them again. For more information, see “Activating Schedules on Agent Hosts” (page 44).
Accessing Other Screens You can access the following screens from the System Manager screen. Schedule Manager Screen The Schedule Manager screen enables you to create and modify surveillance schedules. To go to the Schedule Manager screen, follow these steps: 1. On the System Manager screen (optionally) select a schedule in the Schedules panel. 2. Perform one of the following tasks: • Choose the Edit > Schedule Manager menu item. • Press Ctrl+S. • Double-click in the Schedules panel.
Returning to the System Manager Screen If you are on another screen or the System Manager screen is obscured or iconized, you can return to it as follows: • On any other HP-UX HIDS screen, perform one of the following steps: • Choose the View > System Manager menu item, except on the Preferences screen. • Press Ctrl+M, except on the Preferences screen. • Double-left-click the HP-UX HIDS icon on the X Window desktop or in the Icons window.
5 Using the Schedule Manager Screen This chapter describes how to configure HP-UX HIDS surveillance schedules, surveillance groups, and detection templates.
The Schedule Manager screen comprises four major parts:
• The Configure tab, where you define surveillance schedules, containers, groups, and template properties. For more information, see “Configuring Surveillance Schedules” (page 50), “Configuring to Monitor HP-UX Containers (HP-UX SRP)” (page 53), “Configuring Surveillance Groups” (page 55), and “Configuring Detection Templates” (page 58).
• The Timetable tab, where you specify when each surveillance group of a surveillance schedule will run.
• On the System Manager screen, perform one of the following steps:
• Choose the Edit > Schedule Manager menu option.
• Press Ctrl+S.
• Double-click anywhere in the Schedules panel or on a schedule name.
The Schedule Manager screen (Figure 3) is displayed with the Configure tab active.
Creating a New Surveillance Schedule
This section describes how to create a new surveillance schedule. To create a new surveillance schedule, follow these steps:
1. Go to the Schedule Manager screen.
2. Create a name for the new surveillance schedule.
a. Press the New button on the Schedules panel. This opens the New Surveillance Schedule dialog box (Figure 4).
Figure 4 New Surveillance Schedule Dialog
c. Enter a name in the input field.
Modifying a Surveillance Schedule
To modify a surveillance schedule, follow these steps:
1. On the Schedule Manager screen, select a schedule in the Schedules panel.
2. If necessary, add Containers (SRP). For more information, see “Configuring to Monitor HP-UX Containers (HP-UX SRP)” (page 53).
3. If necessary, create new surveillance groups. For more information, see “Configuring Surveillance Groups” (page 55).
4. Select the Configure tab.
NOTE: You cannot delete any predefined schedule distributed with HP-UX HIDS. For more information, see “Predefined Surveillance Schedules and Groups” (page 72).
To delete a surveillance schedule, follow these steps:
1. On the Schedule Manager screen, select a schedule in the Schedules panel.
2. Click the Delete button in the Schedules panel. This displays the Confirm Deletion dialog box. Click Yes to delete the schedule, and No to retain the schedule.
2. Add a new Container (SRP) configuration name that needs to be monitored, using the following steps:
a. Click the New button on the SRPs panel. This opens the New SRP dialog box (Figure 7).
Figure 7 New Container (SRP) Dialog
c. Enter a name in the input field. It must be the name of a Container configured on the host where the schedule is to be activated. Container (SRP) configuration names are case-sensitive.
Modifying a Container (SRP) Configuration To modify a Container (SRP) configuration, follow the steps: 1. On the Schedule Manager screen select the Configure tab. 2. Select the Container (SRP) configuration to be modified in the Container (SRP) Configuration panel. 3. In the Select column of the Surveillance Groups panel, click the check boxes to mark the surveillance groups you want to include in the Container (SRP) configuration.
NOTE: The /etc/opt/ids/schedules/sample/groups directory contains read-only copies of the predefined surveillance groups. Users who want to revert to the original predefined surveillance groups can manually copy them from /etc/opt/ids/schedules/sample/groups into /etc/opt/schedules/groups.
Creating a New Surveillance Group
To create a new surveillance group, follow these steps:
1. On the Schedule Manager screen, select the Configure tab.
3. Create a name for the new surveillance group.
a. Click the Copy button on the Surveillance Groups panel. This opens the Copy Surveillance Group dialog box (Figure 11).
Figure 11 Copy Surveillance Group Dialog
c. Enter a name in the input field. Valid characters are alphanumeric and underscore; the first character must be alphanumeric. Schedule group names are case-sensitive. If you include invalid characters, you will be prompted to replace them with underscores.
Figure 12 Rename Surveillance Group Dialog
4. Edit the name in the input field. Valid characters are alphanumeric and underscore. The first character must be alphanumeric. Group names are case-sensitive. If you include invalid characters, you will be prompted to replace them with underscores.
5. Click OK to change the name and Cancel to leave the name unchanged.
Deleting a Surveillance Group
This section provides steps to delete a Surveillance Group.
Modifying a Property Value in a Template
The values you add, modify, or delete are local to the current group. Other groups can have different values for the same template properties. To change the value of a property in a detection template, follow these steps:
1. On the Schedule Manager screen, select the Configure tab.
2. Highlight the template name in the Templates panel.
5. If the value is a list (zero or more values in brackets, for example, [0, 1, 5, 11]), the Edit List dialog box is displayed (Figure 14).
Figure 14 Edit List Dialog
Perform one of the following substeps to add, modify, or delete a value.
a. To add a new value
1. Click the Add button. An Edit dialog box is displayed (Figure 15).
Figure 15 Edit Dialog - Add
2. Enter a value in the text box. In general, the value cannot be null.
3. Click OK to insert the value and Cancel to quit without adding.
3. Edit the value in the text box. In general, the value cannot be null.
4. Click OK to accept the new value and Cancel to leave the value unchanged.
c. To delete a current value
1. Highlight one of the values in the Edit List display. If you highlight more than one, the first one is processed.
2. Click the Delete button. The value is deleted. Lists can be empty.
Undoing and Redoing Changes
You can undo and redo the changes you have made by using the Undo and Redo buttons.
known program. The pathnames_to_not_watch property can be used to ignore directories and files where changes to files are not considered as security risks. • The template “Modification of Another User’s File Template” (page 133) generates many alerts if not tuned correctly. • The templates “Repeated Failed Logins Template” (page 141), “Repeated Failed su Commands Template” (page 143) and “Login/Logout Template” (page 137) have low overhead on the system and can be run in any schedule.
1. Select the Timetable tab of the Schedule Manager screen (Figure 17).
Figure 17 Schedule Manager Screen - Timetable Tab
2. Highlight the schedule name in the Schedules panel. The groups that are part of the schedule are displayed in the Selected Groups panel of the Schedule tab.
3. In the Selected Groups panel, highlight one of the groups. The rest of this procedure describes setting the timetable for this group. Repeat the procedure for each group.
7. In the Select Times panel, choose the hour blocks in which the group should run. This is a list, so you can use left-click to pick an hour, Shift-left-click to add all intervening hours, and Ctrl-left-click to add or remove individual hours. For more information, see “Selecting with the Mouse” (page 88). You can also use:
• All to select all 24 hours
• None to deselect all 24 hours
For example, you could select 01:00 - 04:59, 07:00 - 07:59, and 09:00 - 16:59.
and displayed in the GUI network nodes and logged in the alert log file (defined by the IDS_ALERTFILE configuration variable) of the agent: • File-related aggregated alerts • File-related real-time alerts that could not be aggregated • Non-file-related real-time alerts These alerts are also sent to any response programs in the response directory, as defined by the IDS_RESPONSEDIR configuration variable described in ??? (the default is /opt/ids/response).
3. Select the Alert Aggregation option box to enable alert aggregation.
4. Select the Real Time Alerts option box to enable the generation of real-time alerts when alert aggregation is enabled.
NOTE: When the Alert Aggregation option box is not selected, the Real Time Alerts option box is automatically selected to indicate that real-time alerts will be generated.
Under these conditions, HIDS may only have access to the path name used to invoke the program, and that path name can be a relative path name or not fully resolved. It can contain symbolic links. For example, a program with full path name /usr/bin/program can be invoked as program, as ../bin/program, or as /bin/program, where /bin is a symbolic link to /usr/bin.
1. Select a schedule in the Schedules panel.
Figure 19 Schedule Manager Screen - Miscellaneous Tab
2. Select the Global Properties tab on the Schedule Manager screen.
3. Select the Miscellaneous tab under the Global Properties tab.
4. Select the Monitor Failed Attempts to Create/Modify/Delete Critical Files option.
NOTE: By default, this option is disabled.
5. Click Save. The selection will be saved.
Figure 20 The Duplicate Alert Suppression Tab Duplicate Alert Suppression Options Following are the duplicate alert suppression options: • Duplicate Alert Suppression Select or deselect the Duplicate Alert Suppression checkbox to enable or disable duplicate alert suppression. By default, this property is enabled. You can also set this property by editing the ids.cf file. Comment out the following entry in the ids.
• Suppression Interval
Use this property to suppress duplicate alerts (for any given alert) until the time specified in the Suppression Interval property has elapsed or the number of duplicate alerts is equal to or greater than the Suppression Count property value. The default value of this property is 6 hours. This means that HIDS suppresses duplicate alerts for any given alert over a 6-hour period, unless the number of duplicate alerts for that alert exceeds the value of the Suppression Count property.
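To see how the two properties interact before tuning them, the following added example (not from the guide, and not the agent's own code) models the suppression rule above over a constructed alert stream: the first occurrence of an alert is reported and opens a window; identical alerts are suppressed until the interval has elapsed or Suppression Count duplicates have been suppressed, after which the next one is reported and a new window opens. The 6-hour interval is the guide's default; the count of 3 and the alert lines are constructed, and the agent's exact bookkeeping is not documented on the page.

```shell
#!/bin/sh
# Added example (not from the HP-UX HIDS guide): a model of duplicate alert
# suppression driven by Suppression Interval and Suppression Count.

# suppress_duplicates INTERVAL_SECONDS COUNT
# Reads alert lines "<epoch-seconds> <alert key>" from stdin in time order
# and prints "<epoch> <alert key> REPORTED|SUPPRESSED" for each one.
# A window for a key stays open while fewer than COUNT duplicates have been
# suppressed and less than INTERVAL seconds have passed since it opened.
suppress_duplicates() {
    awk -v interval="$1" -v limit="$2" '
        {
            ts = $1
            key = $0
            sub(/^[^ \t]+[ \t]+/, "", key)      # key is everything after the timestamp
            if (!(key in start) || ts - start[key] >= interval || dup[key] >= limit) {
                start[key] = ts                  # open (or reopen) the window
                dup[key] = 0
                print ts, key, "REPORTED"
            } else {
                dup[key]++
                print ts, key, "SUPPRESSED"
            }
        }'
}

# Constructed alert stream: five identical failed-login alerts a minute
# apart, one unrelated alert, then the same login alert again after more
# than six hours.
SAMPLE_ALERTS='1000 Repeated failed logins: alice
1060 Repeated failed logins: alice
1120 Repeated failed logins: alice
1180 Repeated failed logins: alice
1240 Repeated failed logins: alice
1300 Modification of another user file: /tmp/x
30000 Repeated failed logins: alice'

SUPPRESSION_INTERVAL=21600   # the guide's default of 6 hours, in seconds
SUPPRESSION_COUNT=3          # constructed value for the sample

# Run the sample stream through the model and print every decision.
run_sample() {
    printf '%s\n' "$SAMPLE_ALERTS" |
        suppress_duplicates "$SUPPRESSION_INTERVAL" "$SUPPRESSION_COUNT"
}

# Number of sample alerts that received the given decision.
count_decisions() {
    run_sample | awk -v want="$1" '$NF == want { n++ } END { print n + 0 }'
}
```

With these settings the sample yields four reported and three suppressed alerts: the fifth login alert is reported because three duplicates were already suppressed, and the one at 30000 because the window had expired.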
1. On the Schedule Manager screen (Figure 21), select the Details tab. Figure 21 Schedule Manager Screen - Details Tab 2. In the Schedules panel, select a schedule. The text version of the surveillance schedule is displayed. If times have not been assigned to groups in the schedule, the display will be very short. Refreshing the Details Display To refresh the display, follow the step given below: • Click on the Refresh button.
1. Perform one of the following tasks: • Click the Save button • Choose File > Save • Enter Ctrl+S The Save dialog box (Figure 22) is displayed. Figure 22 Save Dialog 2. Click OK to save, Cancel otherwise. If you click OK, the File Saved dialog box (Figure 23) is displayed. It shows the full path name that the schedule was saved as. The file is stored in /var/opt/ids/bin/gui/logs; /opt/ids/bin/gui/logs is a symbolic link. The file name is the name of the schedule with a .txt extension.
Table 5 Predefined Surveillance Schedules (continued) Surveillance Schedules Surveillance Groups Detection Templates ??? FileLoginLogMonitoringAlwaysOn FileModificationGroup ??? ??? ??? ??? ??? LoginMonitoringGroup ??? ??? ??? LogfileMonitoringGroup Log File Monitoring Template LogfileMonitoringAlwaysOn None None FileLoginMixture FileModificationGroup ??? ??? ??? ??? ??? LoginMonitoringGroup ??? ??? ??? FileModificationsWeekdays FileModificationGroup ??? ??? ??? ??? ??? FileModification
6 Using the Host Manager Screen This chapter describes the tasks you can perform using the Host Manager screen.
Figure 24 Host Manager Screen
Closing the Host Manager Screen
To close the Host Manager screen, complete the following steps:
1. On the Host Manager screen, choose one of the following options:
• Select File > Close.
• Press Ctrl+C.
2. If you have modified but not saved the current host list, the Host List Manager Modified dialog box is displayed. Select Yes to save the current list in the current file. The default host list file is /etc/opt/ids/gui/config/sentinal.hosts.
1. On the Host Manager screen, open the Add Host dialog box, shown in Figure 25, by following one of the steps below:
   • Select Edit > Add Host > Manually.
   • Click Add.
   • Right-click and select Add New Host from the menu.
   • Press Shift+F6.
2. Fill in the Host Name and IP Address fields. There are three ways you can do this, described below in order of preference.
   A host name must start with a letter and contain only letters, digits, periods, underscores, and hyphens. Host names are not case sensitive. For example, xy3-z5 and xy3-z5.a32c.edu.
   The IP address can be an IPv4 or IPv6 address. An IPv4 address consists of four decimal fields, each in the range 0 to 255, separated by periods. For example, 192.0.2.4. IPv6 addresses are in colon notation.
   If the host name cannot be determined, the Add Host Error box is displayed with the message Unknown Host Name - unable to resolve IP Address. Click OK and redo this step, making sure to enter a host name.
   NOTE: The IP address is the best method for adding a multihomed agent host. For more information, see "Configuring a Multihomed Agent System" (page 26).
   c. Host Name and IP Address
      Enter the host name of the agent host in the Host Name field.
1. On the Host Manager screen, perform one of the following steps:
   • Select Edit > Add Host > Load Hosts List File.
   • Press Shift+F7.
   The Open dialog box opens as shown in Figure 28. It defaults to the /var/opt/ids/gui/logs directory and displays the Host Files.
   Figure 28 Open Dialog
2. You can change the Files of type: dropdown list to All Files, and use the Look in: dropdown list with the display list to choose the directory where your file resides.
1. On the Host Manager screen, bring up the Edit Host Entry dialog box, shown in Figure 29, by performing one of the following steps:
   • Double-left-click an entry in the host list.
   • Select an entry in the host list and select Edit > Edit Host.
   • Select an entry in the host list and press Ctrl+H.
   If more than one entry is selected in the host list, the first entry in the list is chosen.
   Figure 29 Edit Host Entry Dialog
• On the Host Manager screen, click the box in the Monitored column for the entry of the host you want to enable or disable for monitoring.
The box displays a check mark if the host is enabled; it is blank if the host is disabled. When an entry is enabled, it is also displayed on the System Manager screen and automatically polled. When it is disabled, it is removed from the System Manager screen.
   Figure 31 Add Host Tag Dialog Box
2. Enter a tag name in the input field. The name can contain any printable characters and can be of any length. Spaces are significant. Tag names are case-sensitive. Duplicate tags are discarded when you exit. See Step 3.
3. Click OK to accept the new tag or Cancel to discard it. You return to the Edit Host Tag List dialog box, where you can perform more add, edit, and delete operations. Go on to Step 2, or exit and go on to Step 3.
The default host file is /etc/opt/ids/gui/config/sentinal.hosts, which is loaded automatically when the System Manager starts.
Saving the Host List in the Current File
To save the host list in the current file, follow these steps:
• On the Host Manager screen, perform one of the following steps:
  • Choose the File > Save menu item.
  • Press Ctrl+S.
The current host list is saved in the current host file.
To load a previously saved host file, follow these steps:
1. On the Host Manager screen, open the Open dialog box, shown in Figure 33, by performing one of the following steps:
   • Choose the File > Open menu item.
   • Press Ctrl+O.
   Figure 33 Open Dialog Box
2. Select a file name in the list.
3. Click Open to open the file, or Cancel to exit without changing host files. The hosts are displayed on the Host Manager screen. The monitored hosts are also displayed on the System Manager screen.
7 Using the Network Node Screen
This chapter describes the Network Node screen, which displays alerts and errors for a specified agent host. It addresses the following topics:
• "Network Node Screen" (page 85)
• "Alerts Tab" (page 86)
• "Errors Tab" (page 87)
• "General Operations" (page 88)
Network Node Screen
The Network Node screen contains lists of alerts and errors that have been detected by the related agent. Click the Alerts or Errors tab to view the lists and details.
• On the Network Node screen, perform one of the following steps:
  • Choose the File > Close menu item.
  • Press Ctrl+C.
If you made unsaved changes to an open file set, they are saved automatically.
Alerts Tab
The Alerts tab shown in Figure 34 displays the alerts that were detected by the surveillance schedule on one of the agent host systems. On the Network Node screen, click the Alerts tab.
HP-UX HIDS Alerts
Your response to each alert depends on individual circumstances. Develop policies and procedures for handling intrusions. The templates used to generate alerts, and the alerts themselves, are described in detail in Appendix A (page 102). You can create automated response programs that are executed when an alert is generated and that pass the alert information to an analysis system.
General Operations
The Alerts and Errors tabs use the same operations to manage their contents, with a few minor differences in labels.
Sorting Entries
By default, alerts and errors are listed in ascending date/time order. However, you can re-sort the list by any attribute in either ascending or descending order. Follow one of these steps:
• Click the appropriate column header to toggle between ascending and descending order.
• Select an item from the Sort menu.
• On the Alerts/Errors tab of the Network Node screen, perform one of the following tasks:
  • Select the Actions > Next Unseen Alert/Error menu item.
  • Right-click in the list and select Goto Next Unseen Alert/Error from the menu.
  • Press Shift+F10.
The search begins after the anchor entry. If an unseen entry is found, it is highlighted and other selections are cleared. If only the current entry is unseen or there are no unseen entries, no action is taken.
2. Perform one of the following steps:
   • Click Delete.
   • Select the Edit > Delete Selected Alerts/Errors menu item.
   • Right-click and choose Delete from the menu.
   • Press Delete.
When you delete an entry from the Alerts or Errors tab, it is removed from the in-memory copy only. It is deleted from the log file when you save the file to disk. If you do not save, reloading restores the deleted entries.
Alerts and errors are saved at the same time on agent hosts. Alerts go into a file named filesetname_alerts.log. Errors go into a file named filesetname_errors.log. filesetname is the name you assign. NOTE: The Network Node screen title bar indicates how you obtained the data on the screen.
1. To create a new file set named myhost1.backup, enter myhost1.backup in the File Name field.
2. To save the file set you just opened under the file set name justopened, click the alert or error file for the set, for example, justopened_error.log.
3. Click Save or press Alt+S to save the alert and error log files.
In the examples above:
1. In Step 1, the files are named myhost1.backup_alert.log and myhost1.backup_error.log.
2. In Step 2, the files justopened_alert.log and justopened_error.log are overwritten.
3. Click Open or press Alt+O to open the alert and error log files. A new Network Node screen appears with the file set path name in the title bar and the contents of the alert and error logs in the Alerts and Errors tabs. To cancel the open task, click Cancel or press Alt+C.
Log File Rotation
Log file rotation permits periodic archiving of alerts and errors. Both the alert log file and the error log file are designed to support log file rotation.
8 Using the Preferences Screen
This chapter describes operational and display settings that you can set on the Preferences screen. This chapter addresses the following topics:
• "General Preferences" (page 94)
• "Browser Preferences" (page 95)
  □ "Alert Events Preferences" (page 95)
  □ "Error Events Preferences" (page 96)
  □ "System Manager Preferences" (page 97)
The Preferences screen enables you to specify several system operational preferences.
Table 6 General Preferences Tab (continued) Option Default Description System Manager is restarted. This is equivalent to selecting Actions >Status Poll from the System Manager screen. You can disable this feature if HP-UX HIDS agents are currently not installed or operational on agent hosts. If the automatic poll feature is disabled, the System Manager does not attempt to connect to the agent systems, and you can avoid an unnecessary delay or timeout at startup.
Figure 40 Alert Events Subtab
In Table 7, the column names marked with asterisks (*) correspond to fields in the alert message.
Table 7 Alert Events Subtab
Column Name    Default   Description
Seen           Yes       The entry has been seen.
Severity *     Yes       1: critical; 2: severe; 3: alert.
Attacker *     Yes       User name or IP address of the attacker.
Attack Type *  Yes       Name of the alert.
Date/Time      Yes       Local date and time.
Target Host    No        Name of the host where the alert was generated.
The Error Events subtab lists the columns that can be displayed on the Errors tab of the Network Node screen. Check the boxes to display the columns. The column names are shown in Figure 41 and described in Table 8. Click an option box to select or deselect the option.
Figure 41 Error Events Subtab
Table 8 Error Events Subtab
Column Name    Default   Description
Seen           Yes       The entry has been seen.
Date/Time      Yes       Local date and time.
Code           No        Error code number.
Figure 42 System Manager Subtab
Table 9 System Manager Subtab
Column Name     Default   Description
Status          Yes       Status of the agent host.
Host            Yes       Name of the host being monitored.
Schedule        Yes       Name of the activated surveillance schedule; None if none.
Tag             Yes       The tag, if any, associated with the host.
Total Alerts    Yes       Total number of alerts in the System Manager log file for the host.
Unseen Alerts   Yes       Total number of unseen alerts in the System Manager log file for the host.
9 Support and other resources
New and changed information in this edition
HP-UX HIDS 4.7 is available on HP-UX 11i v3 and supports Java 6.0.
HP-UX Release Name and Release Identifier
Each HP-UX 11i release has an associated release name and release identifier. The uname(1) command with the -r option returns the release identifier. The following table shows the releases available for HP-UX 11i.
Table 10 HP-UX 11i Releases
Release Identifier    Release Name    Supported Processor Architecture
B.11.
Related Information
Additional information about HIDS can be found at http://www.docs.hp.com in the Internet and Security Solutions collection.
The OpenView Operations Smart Plug-In for HP-UX Host IDS Administrators and Users Guide is located at http://openview.hp.com/products/spi/spi_ids/index.html
HP-UX HIDS manpages are provided in /opt/ids/share/man.
10 Documentation feedback HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hp.com). Include the document title and part number, version number, or the URL when submitting your feedback.
A Templates and Alerts This appendix describes the detection templates that constitute the surveillance groups. It also describes the alerts that are passed to the System Manager and to the response programs by the HIDS agent.
Table 11 Detection Templates (continued)
Alert: File system modification or potential modification
Attack: The following operations were either unsuccessfully or successfully performed on a read-only file:
• Modification of the mode or ownership
• Modification of the file content
• Creation
• Opening the file for writing or appending, which may (or may not) be followed by an actual file modification
Alert Severity: 3
Table 11 Detection Templates (continued) Alert Attack Alert Severity Detection Template changed to a privileged user from a non- privileged user, or a world-writable file owned by a privileged user was renamed from a location that is not being monitored to a location that is being monitored.
UNIX Regular Expressions
UNIX regular expressions are supported to specify template directory and file properties. Template properties that specify path names (for example, pathnames_to_watch, pathnames_to_not_watch, pathnames_X, programs_X) are interpreted as UNIX regular expressions. For a description of regular expressions and pattern matching notations, see regexp(5). To match a specific file, use the anchor characters ^ and $ (for example, ^/etc/passwd$).
• File-related templates can generate alerts with relative file path names instead of full path names. Specifying relative path names in template properties to filter these alerts is not safe, because a relative path name can correspond to more than one file.
• A template that has the pathnames_to_watch property does not monitor changes made to a file through a hard link unless the full path name of the hard link is specified in the property. The creation of hard links to watched files is monitored, however.
The following line in the template configuration file defines a property called pathnames_to_not_watch, so that the /var/log/cron and /etc/passwd files are not monitored for alerts:
pathnames_to_not_watch | ^/var/log/cron$ | ^/etc/passwd$
NOTE: When specifying the template property value in the Schedule Manager window, enter only the template property value ^/var/log/cron$ ^/etc/passwd$. Do not enter the property name and the first pipe character.
pathnames_2 | f2
programs_2 | p1 & p2 & p3
Or to the following set of six lines:
pathnames_1 | f1 & f2
programs_1 | p1
pathnames_2 | f1 & f2
programs_2 | p2
pathnames_3 | f1 & f2
programs_3 | p3
• However, it is not equal to the following lines:
pathnames_1 | f1
programs_1 | p1 & p2 & p3
pathnames_2 | f2
programs_2 | p1 & p3
This provides granularity for specifying file-monitoring dependencies.
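The two property types described above, Type I anchored path-name regular expressions and Type II pathnames_X/programs_X pairs, can be checked mechanically. The following is an added example and not HP-UX HIDS code: it uses POSIX regcomp()/regexec() as a stand-in for the regexp(5) matcher, evaluates a constructed pathnames_to_not_watch list, and compares the pair sets from the text exhaustively over a constructed universe of file and program names. The first pair of set_a (pathnames_1 | f1, programs_1 | p1 & p2 & p3) is assumed from context, since only its second pair is shown above; the concrete file and program names are placeholders for f1, f2 and p1..p3.

```c
/* Added example, not HP-UX HIDS code: Type I path-name regular expressions
 * and Type II pathnames_X / programs_X pairs evaluated as the text describes
 * them.  POSIX regcomp()/regexec() stands in for the regexp(5) matcher, and
 * every file and program name below is constructed for the example. */
#include <regex.h>
#include <stdio.h>
#include <stddef.h>

/* Basic-RE match of one Type I pattern against a path (regexp(5) style). */
int path_matches(const char *pattern, const char *path)
{
    regex_t re;
    int hit;
    if (regcomp(&re, pattern, REG_NOSUB) != 0)
        return 0;                       /* treat a bad pattern as no match */
    hit = (regexec(&re, path, 0, NULL, 0) == 0);
    regfree(&re);
    return hit;
}

/* Returns 1 if any pattern in the NULL-terminated list matches s. */
static int any_match(const char *const *patterns, const char *s)
{
    for (; *patterns != NULL; patterns++)
        if (path_matches(*patterns, s))
            return 1;
    return 0;
}

/* pathnames_to_not_watch | ^/var/log/cron$ | ^/etc/passwd$ */
static const char *const not_watch[] = { "^/var/log/cron$", "^/etc/passwd$", NULL };

/* Returns 1 if alerts on this path are filtered out by pathnames_to_not_watch. */
int is_not_watched(const char *path)
{
    return any_match(not_watch, path);
}

/* One Type II pair: pathnames_X (files joined by '&') and programs_X
 * (programs joined by '&').  A pair filters every combination of one of
 * its files with one of its programs. */
typedef struct {
    const char *files[4];   /* NULL-terminated */
    const char *progs[4];   /* NULL-terminated */
} Pair;

/* Returns 1 if some pair filters the (program, file) combination. */
int pair_filters(const Pair *pairs, int npairs, const char *prog, const char *file)
{
    int i;
    for (i = 0; i < npairs; i++)
        if (any_match(pairs[i].files, file) && any_match(pairs[i].progs, prog))
            return 1;
    return 0;
}

/* Constructed universe of names used to compare two pair sets exhaustively. */
static const char *const files[] = { "/etc/passwd", "/etc/group", "/etc/hosts" };
static const char *const progs[] = { "/usr/sbin/useradd", "/usr/sbin/usermod",
                                     "/usr/sbin/userdel", "/usr/bin/vi" };

/* Returns 1 if both pair sets filter exactly the same (program, file) combinations. */
int pair_sets_equal(const Pair *a, int na, const Pair *b, int nb)
{
    size_t f, p;
    for (f = 0; f < sizeof files / sizeof files[0]; f++)
        for (p = 0; p < sizeof progs / sizeof progs[0]; p++)
            if (pair_filters(a, na, progs[p], files[f]) !=
                pair_filters(b, nb, progs[p], files[f]))
                return 0;
    return 1;
}

/* f1, f2 and p1..p3 from the text as constructed anchored patterns. */
#define F1 "^/etc/passwd$"
#define F2 "^/etc/group$"
#define P1 "^/usr/sbin/useradd$"
#define P2 "^/usr/sbin/usermod$"
#define P3 "^/usr/sbin/userdel$"

/* pathnames_1 | f1, programs_1 | p1 & p2 & p3 (first pair assumed from context),
 * pathnames_2 | f2, programs_2 | p1 & p2 & p3 */
const Pair set_a[2] = { { { F1, NULL }, { P1, P2, P3, NULL } },
                        { { F2, NULL }, { P1, P2, P3, NULL } } };
/* The equivalent six-line form: each pair holds f1 & f2 and one program. */
const Pair set_b[3] = { { { F1, F2, NULL }, { P1, NULL } },
                        { { F1, F2, NULL }, { P2, NULL } },
                        { { F1, F2, NULL }, { P3, NULL } } };
/* The non-equivalent form: f2 is paired with p1 & p3 only, so usermod
 * touching /etc/group is still reported. */
const Pair set_c[2] = { { { F1, NULL }, { P1, P2, P3, NULL } },
                        { { F2, NULL }, { P1, P3, NULL } } };

int main(void)
{
    printf("anchored ^/etc/passwd$ vs /etc/passwd.old: %d\n",
           path_matches("^/etc/passwd$", "/etc/passwd.old"));
    printf("unanchored /etc/passwd vs /etc/passwd.old: %d\n",
           path_matches("/etc/passwd", "/etc/passwd.old"));
    printf("set_a == set_b: %d, set_a == set_c: %d\n",
           pair_sets_equal(set_a, 2, set_b, 3), pair_sets_equal(set_a, 2, set_c, 2));
    return 0;
}
```

The unanchored comparison is the reason for the ^ and $ advice above: /etc/passwd as a bare pattern also matches /etc/passwd.old or /tmp/etc/passwd, so a filter written that way silences more than intended.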
The following template property specifies that alerts are not generated if any of the following three user IDs or user names is encountered:
users_to_ignore | 21 | 3 | 53
users_to_ignore | root | bin | daemon
NOTE: Specifying user and group names is not supported for an agent running on a host where HP-UX Container (HP-UX SRP) is configured; specify uid and gid instead. You can specify user and group names when configuring the Global SRP (init Container).
The following template configuration illustrates a Type V property value:
ip_filters | 192.168.2.0, 255.255.255.0, 0 |
Where:
192.168.2.0      network address
255.255.255.0    network mask for a network address
0                no alerts are generated for hosts in the specified network
Type VI: Time Strings
The time strings property represents time intervals. Each time string has the following syntax:
integer[units]
The integer component is a positive integer representing a time interval.
Type X: String Patterns The Type X property value is a list of regular expression string patterns that are separated by the pipe (|) character and that can be grouped using the ampersand (&) character. Type X properties are similar to Type I properties. However, Type I properties are regular expressions for specifying pathnames while Type X properties are regular expressions for specifying string patterns in general.
kernel. The template monitors privileged setuid programs where the effective user ID (euid) is not equal to the real user ID (ruid) and the euid is one of the user IDs specified in the template's property list of privileged users, for example, root. Specifically, the template monitors privileged setuid programs for the following:
• The privileged setuid program was invoked with an unusually long program argument.
Execute on Stack Table 13 lists the alerts that this template generates and forwards to a response program when an execute-on-stack condition is detected by the HP-UX 11i kernel.
Table 14 Unusual Argument Length Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
... was run with an unusual program length
argv[5] | Attacker | String | uid=, gid=, pid=, ppid= | The user ID, group ID, process ID, and parent process ID of the process that executed a privileged setuid program with an unusually long argument length
argv[6] | Target of Attack | String | file=, type=, | The full path name of t
Table 15 Argument with Nonprintable Character Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[5] | Attacker | String | uid=, gid=, pid=, ppid= | The user ID, group ID, process ID, and parent process ID of the process that executed a privileged setuid program with an argument that contains a nonprintable character
argv[6] | Target of attack | String | file=, type=, mode=, uid=, gid= |
setuid and setgid bits on scripts are ignored by the kernel. The vulnerability can also be exploited if the tunable parameter is configured to honor a privileged script's setuid and setgid bits, favoring compatibility over security. See secure_sid_scripts(5) for details.
How this template addresses the vulnerability
The Race Condition template monitors the file accesses that privileged programs make. The template generates an alert if a file reference appears to have unexpectedly changed.
Alerts generated by this template
The following alerts are generated by the Race Condition template:
• "File Reference Modification" (page 117)
• "Privileged setuid Script Executed" (page 118)
File Reference Modification
Table A-7 lists the alert properties that the File Reference Modification template generates and forwards to a response program when the file reference in a privileged program is modified unexpectedly.
Privileged setuid Script Executed This template generates and forwards alerts to a response program when a privileged setuid script is executed (either directly or through a symbolic link) and the kernel has honored the setuid bit. Table A-8 lists the alert properties the Privileged setuid Script Executed template supports.
Limitations
The Race Condition template can be CPU intensive because it monitors all file references on the system.
Modification of files/directories Template
The vulnerability addressed by this template
Many of the files on an HP-UX system must not be modified during normal operation. This includes the system-supplied binaries and libraries, and the kernel. Additionally, software packages are not usually installed or modified during normal system operation.
Table 19 File/Directories Template Properties (continued) Name Type Default Value ^/etc/shells$ | ^/etc/zprofile$ | ^/etc/nsswitch\.conf$ | ^/etc/pam\.conf$ | ^/etc/profile$ | ^/etc/acps\.conf$ | ^/etc/default/security$ | ^/etc/security\.dsc$ | ^/etc/opt/ids/ | ^/opt/ | ^/var/opt/ids/ | ^/opt/ids/ | ^/sbin/init\.
Table 20 File Being Modified Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[5] | Attacker | String | uid=, gid=, pid=, ppid= | The user ID, group ID, process ID, and parent process ID of the process that modified the file
argv[6] | Target of attack | String | file=, type=, mode=, uid=, gid=, inode=, device= | The full path name of the file that was modified and the f
Table 20 File Being Modified Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
• File renamed
• File modified
• Hard link created
• Symbolic link created
• Directory created
• Special file created
• File deleted
• Directory deleted
• Miscellaneous event
Failed Attempts to Modify Files
Table 21 (page 123) lists the alert details and event properties this template generates and forwards to a response program when there is an unsuccessful m
Table 21 Failed Attempt to Modify Read-Only File Alert Properties
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | User with uid (type=, inode=, device=) when executing (type=, inode=, device=), invoked as follows: ... |
Table 21 Failed Attempt to Modify Read-Only File Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
• Failed attempt to create the block special file
• Failed attempt to create the pipe (fifo) file
• Failed attempt to create the file
• Failed attempt to delete the file
• Failed attempt to delete the directory
NOTE: See Table 41 (page 150) in Appendix B for the definition of additional arguments that can be used to access specific alert in
Table 22 Template Properties (continued)
Name | Type | Default Value
... ^/var/adm/syslog/syslog\.log$ | ^/var/adm/pacct$ | ^/var/adm/sulog$
pathnames_to_not_watch | I |
pathnames_X | II |
programs_X | II |
Properties
A brief description of the configurable properties is given below:
pathnames_to_watch
   Path names of files to be monitored for modification other than appending.
Table 23 Append-Only File Being Modified Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | User with uid (type=, inode=, device=) when executing (type=, inode=, device=), invoked as follows: ... |
Table 24 Failed Attempt to Modify Append-Only File Alert Properties
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | User with uid (type=, inode=, device=) when executing (type=, inode=, device=), invoked as follows: ... |
Limitations
The Changes to Log File template has the following limitation:
• The template cannot distinguish whether a file is created or truncated when creat(2) is invoked.
Creation and Modification of setuid/setgid File Template
The vulnerability addressed by this template
The concept of setuid and setgid files means that if the setuid or setgid bit is turned on for a file, anybody executing that file inherits the permissions of the user or group that owns the file.
   This list contains the groups that have elevated access to the system. Removing any of these groups from the list means that the setuid/setgid template will not detect the creation of a setgid file owned by that group.
pathnames_X, programs_X
   Filter out alerts generated when a specified program creates, modifies, or enables a specified privileged setuid file. See "Type II: Path Names/Programs Pairs" (page 107) for a detailed description of these property pairs.
Table 26 Setuid File Created / Modified Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | User with uid ... the file (type=, inode=, device=) ... (type=, inode=, device=), invoked as follows: ... | Detailed alert description
Creation of World-Writable File Template The vulnerability addressed by this template Any user on a system can modify a world-writable file. Many of the files owned by the system users (such as root, bin, sys, adm) are used to control the configuration and operation of the system. Allowing regular users to modify these files exposes the system to attacks. A world-writable directory containing system files enables an attacker to replace these files.
Properties
The configurable properties are listed as follows:
priv_user_list
   A list of system-level user IDs or user names. This list contains users that have elevated access to the system. Removing any of these users means that this template does not detect the creation of a world-writable file owned by that user.
pathnames_to_not_watch
pathnames_X, programs_X
   Path names of files that can be safely ignored if they are made world writable.
Table 28 World-Writable File Created Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
... is set to one of the following:
• created the world-writable file
• created the world-writable directory
• created the world-writable character special file
• created the world-writable block special file
• created the world-writable pipe (fifo) file
• renamed the world-writable file
• changed the owner of the world-writable file
•
by other system users. Because many daemons run as a specific user, the Modification of Another User's File template can generate an alert when a compromised daemon causes this type of attack.
How this template addresses the vulnerability
The template, also known as the Not Owned template, monitors files that are deleted, renamed, modified, or opened for modification by users who do not own the files. A file can be a regular file, a directory, a symbolic link, or a special file.
   file being modified matches the corresponding second member of the pair. For example, the pairs [0,1], [root,1], [0,bin], and [root,bin] are all equivalent, and any of them can be used to filter all alerts where a process with effective uid 0 (root) modifies files owned by user bin (uid 1).
pathnames_X, programs_X
   These properties can be used to filter out alerts generated when a particular program modifies a specified file owned by another user.
Table 30 Non-Owned File Being Modified Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | User with uid (type=, inode=, device=) ... (type=, inode=, device=), invoked as follows: ... |
Table 31 Failed Attempt to Modify Non-Owned File Alert Properties
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | User with uid (type=, inode=, device=) ... (type=, inode=, device=), invoked as follows: ... |
How this template addresses the vulnerability The Login/Logout template monitors the start and end of interactive user sessions.
ip_filters
   Contains a list of triplets {ip_address, mask, severity}. Filters login alerts and determines the alert's severity based on which remote host or network the login was made from. If a login's remote host IP address matches one of the triplets' IP addresses, qualified by the triplet's network mask, then the alert severity is set to that triplet's severity.
priv_user_list
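The ip_filters evaluation described here, and in the Type V discussion earlier (ip_filters | 192.168.2.0, 255.255.255.0, 0 |), works out as follows. This is an added example rather than HP-UX HIDS code; it parses the property line syntax shown in the text and applies each triplet's mask to a login's remote address. Two details are assumptions made for the example rather than documented behaviour: the first matching triplet wins, and an address matched by no triplet keeps whatever default severity the caller passes in. The property value and addresses are constructed.

```c
/* Added example, not HP-UX HIDS code: evaluating a Type V ip_filters
 * property, a list of {network address, network mask, severity} triplets,
 * against the remote address of a login.  The matching rule (first matching
 * triplet wins; an address matched by no triplet keeps the caller's default
 * severity) is an assumption made for this example. */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    in_addr_t net;    /* network address, network byte order */
    in_addr_t mask;   /* network mask, network byte order */
    int severity;     /* 1..3 alert severity; 0 = no alert for this network */
} IpFilter;

/* Parses one triplet written as "192.168.2.0, 255.255.255.0, 0". */
int parse_ip_filter(const char *text, IpFilter *out)
{
    char net[16], mask[16];
    struct in_addr a, m;
    if (sscanf(text, " %15[0-9.] , %15[0-9.] , %d", net, mask, &out->severity) != 3)
        return 0;
    if (inet_pton(AF_INET, net, &a) != 1 || inet_pton(AF_INET, mask, &m) != 1)
        return 0;
    if (out->severity < 0 || out->severity > 3)
        return 0;
    out->mask = m.s_addr;
    out->net = a.s_addr & m.s_addr;       /* normalise host bits away */
    return 1;
}

/* Parses a whole property line, "ip_filters | triplet | triplet | ...",
 * into out[]; returns the number of triplets, or -1 on a malformed entry. */
int parse_ip_filters_property(const char *line, IpFilter *out, int max)
{
    char buf[512];
    char *tok;
    int n = 0;
    strncpy(buf, line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    tok = strtok(buf, "|");               /* property name, skipped */
    if (tok == NULL)
        return -1;
    while ((tok = strtok(NULL, "|")) != NULL) {
        if (strspn(tok, " \t") == strlen(tok))
            continue;                     /* blank field after a trailing '|' */
        if (n >= max || !parse_ip_filter(tok, &out[n]))
            return -1;
        n++;
    }
    return n;
}

/* Severity for a login from remote_ip: the matching triplet's severity
 * (0 meaning suppress the alert), default_sev when nothing matches,
 * -1 when the address itself cannot be parsed. */
int login_alert_severity(const IpFilter *f, int n, const char *remote_ip, int default_sev)
{
    struct in_addr a;
    int i;
    if (inet_pton(AF_INET, remote_ip, &a) != 1)
        return -1;
    for (i = 0; i < n; i++)
        if ((a.s_addr & f[i].mask) == f[i].net)
            return f[i].severity;
    return default_sev;
}

/* Constructed property value: the text's example network silenced, the
 * 10/8 range lowered to severity 2, everything else left at the default. */
const char *const example_property =
    "ip_filters | 192.168.2.0, 255.255.255.0, 0 | 10.0.0.0, 255.0.0.0, 2 |";

int main(void)
{
    IpFilter f[8];
    int n = parse_ip_filters_property(example_property, f, 8);
    printf("%d triplets parsed\n", n);
    printf("192.168.2.57 -> %d\n", login_alert_severity(f, n, "192.168.2.57", 3));
    printf("10.20.30.40  -> %d\n", login_alert_severity(f, n, "10.20.30.40", 3));
    printf("203.0.113.9  -> %d\n", login_alert_severity(f, n, "203.0.113.9", 3));
    return 0;
}
```

Because the mask is applied to both the configured address and the login address before comparison, a triplet written with host bits set (for example 192.168.2.7 with mask 255.255.255.0) still covers the whole network; the parser normalises it so that the comparison cannot silently fail.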
Table 33 Login/Logout Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
... name>) or User logged-out from a session on ...
argv[9] | Event | String | Following are the possible values: • Login ... | The event that triggered the alert.
Table 34 Successful su Detected Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[9] | Event | String | Switch-user (su) | The event that triggered the alert.
How this template is configured
Table A-25 lists the configurable properties that this template supports.
Table 35 Failed Logins Template Properties
Name               Type    Default Value
max_failed_login   VIII    2
fail_interval      VI      10 seconds
warning_interval   VI      30 seconds
priv_user_list     III     root ids
Properties
The configurable properties are listed as follows:
max_failed_login
   The number of failed attempts to log in as the same user.
Table 36 Failed Login Attempts Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
... detected for a particular target login account
argv[5] | Attacker | String | | Name or IP address of the host from which the user logged in or out.
argv[6] | Target | String | | Name of the user who logged in or out.
How this template addresses the vulnerability
The template monitors for repeated failed attempts to change user IDs. The template generates an alert when a given number of failed change-user-ID attempts occurs for a specified target user.
How this template is configured
Table A-27 lists the configurable properties that this template supports.
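The counting rule behind this template and the Failed Logins template above (max_failed_login, fail_interval and warning_interval in Table 35) is easiest to see on a small event stream. The following is an added example, not HP-UX HIDS code, and the semantics it implements are an assumption made for the example: an alert fires when more than max_failed failures against the same target account fall inside fail_interval, and further alerts for that target are then held back for warning_interval. The Type VI time-string parser reads the unit words from the "[second | minute | hour | day | week]" wording of the Repeated Failed Su Attempts alert, and treats a bare integer as seconds; the events themselves are constructed.

```c
/* Added example, not HP-UX HIDS code: the counting rule shared by the Failed
 * Logins and Repeated Failed su Attempts templates, run over constructed
 * events.  Assumed semantics: an alert fires when more than max_failed
 * failures against the same target user fall within fail_interval, and
 * further alerts for that target are then held back for warning_interval. */
#include <stdio.h>
#include <string.h>

/* Type VI time string, integer[units].  The unit words are taken from the
 * "[second | minute | hour | day | week]" wording of the alert text; a bare
 * integer is read as seconds (assumption).  Returns seconds, or -1. */
long parse_time_string(const char *s)
{
    char unit[16] = "second";
    long n;
    if (sscanf(s, "%ld %15s", &n, unit) < 1 || n <= 0)
        return -1;
    if (strncmp(unit, "second", 6) == 0) return n;
    if (strncmp(unit, "minute", 6) == 0) return n * 60;
    if (strncmp(unit, "hour", 4) == 0)   return n * 3600;
    if (strncmp(unit, "day", 3) == 0)    return n * 86400;
    if (strncmp(unit, "week", 4) == 0)   return n * 7 * 86400;
    return -1;
}

/* One failed login or su attempt: time in seconds and the target account. */
typedef struct {
    long t;
    const char *target;
} FailedAttempt;

/* Runs the rule over events (sorted by time) for one target account.
 * Returns the number of alerts and stores each alert time in alert_times. */
int failed_attempt_alerts(const FailedAttempt *ev, int n, const char *target,
                          int max_failed, long fail_interval, long warning_interval,
                          long *alert_times, int max_alerts)
{
    int alerts = 0, i, j;
    long hold_until = 0;          /* no alert for target before this time */
    for (i = 0; i < n; i++) {
        int in_window = 0;
        if (strcmp(ev[i].target, target) != 0)
            continue;
        /* count this target's failures in the trailing fail_interval */
        for (j = 0; j <= i; j++)
            if (strcmp(ev[j].target, target) == 0 && ev[i].t - ev[j].t <= fail_interval)
                in_window++;
        if (in_window > max_failed && ev[i].t >= hold_until) {
            if (alerts < max_alerts)
                alert_times[alerts] = ev[i].t;
            alerts++;
            hold_until = ev[i].t + warning_interval;
        }
    }
    return alerts;
}

/* Constructed event stream: a burst against root, two attempts against
 * oper, a lone retry, and a second burst against root much later. */
const FailedAttempt sample_events[] = {
    { 0, "root" }, { 3, "root" }, { 6, "root" }, { 8, "root" },
    { 9, "oper" }, { 12, "oper" }, { 50, "root" },
    { 60, "root" }, { 61, "root" }, { 62, "root" }
};
const int sample_event_count = sizeof sample_events / sizeof sample_events[0];

int main(void)
{
    /* Table 35 defaults: max_failed_login 2, fail_interval 10 seconds,
     * warning_interval 30 seconds */
    long times[8];
    int k, n = failed_attempt_alerts(sample_events, sample_event_count, "root", 2,
                                     parse_time_string("10 seconds"),
                                     parse_time_string("30 seconds"), times, 8);
    for (k = 0; k < n; k++)
        printf("alert: more than 2 failed attempts on root in the past 10 seconds (t=%ld)\n",
               times[k]);
    return 0;
}
```

With the Table 35 defaults, the first burst produces one alert at t=6 (the fourth failure at t=8 is inside the warning interval and is held back), the two attempts against oper never exceed max_failed_login, and the second burst produces a second alert at t=62.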
Table 38 Repeated Failed Su Attempts Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | User had more than failed su attempts in the past [second | minute | hour | day | week]. Targets were [ .... ] | Detailed alert description
argv[9] | Event | String | Failed switch-user (su) | The event that triggered the alert.
template will not monitor a log file unless there is at least one string pattern specified by the watch property. The string patterns specified as values for the watch and ignore properties must be enclosed in double quotes (") even if the pattern contains no white-space characters; otherwise, a parsing error occurs.
Table 40 Log File Monitoring Alert Properties (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[4] | UTC Time | Integer | | UTC time in number of seconds since the epoch when the log file entry was detected.
argv[5] | | String | |
argv[6] | | String | |
argv[7] | Summary | String | Message logged |
argv[8] | Details | String | "" was logged to | Contains the message logged and the name of the log file.
B Automated Response for Alerts This appendix describes how to use response programs to process alerts automatically according to your installation policy. It includes a sample C program, several sample response scripts, and information about a prepackaged response program that communicates with HP OpenView VantagePoint Operations.
How Automated Response Works in HP-UX HIDS
This section discusses how the response programs handle the agent alerts.
Alert Process
When the agent generates an alert, the following actions occur:
1. The agent stores the alert in a local log file with a path name defined by the IDS_ALERTFILE configuration variable. The default is /var/opt/ids/alert.log. For more information, see "The Agent Configuration File" (page 182).
2.
If you must transmit alert information to another system, set up your own secure communication process.
If a response program has its setuid or setgid bit set, it runs as that effective user or group. It is good practice to restrict setuid and setgid programs to the absolute minimum necessary. For more information, see "Writing Privileged Response Programs" (page 156).
Table 41 Additional Arguments Passed to Response Programs for Kernel Template Alerts (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[27] | Attack Program Owner | Integer | | Owner of the attack program (uid)
argv[28] | Attack Program Group | Integer | | Group of the attack program (gid)
argv[29] | Attack Program Inode | Integer | | Inode number of the attack program
argv[30] | Attack Program Device | Integer | | Device number of the
Table 43 Additional Arguments Passed to Response Programs for File Modification Failed Attempt Alerts
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[36] | Error Number | Integer | | Number representing the error.
argv[37] | System Call Return Value | Integer | | Return value of the system call.
Table 45 Additional Arguments Passed to Response Programs for Race Condition Template Alerts (continued)
Response Program Argument | Alert Field | Alert Data Type | Alert Value/Format | Description
argv[43] | Attacked Program Number of Arguments | Integer | | Number of arguments passed to the program under attack (for example, argc)
argv[44] | Attacked Program Arguments | Integer | .... |
Table 48 Additional Arguments Passed to Response Programs While Generating Aggregated Alerts
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[10] | The number of alerts in the aggregated alert | Integer | | The number of template alerts aggregated as part of the aggregated alert.
argv[11] | Attacker process id | Integer | | Process ID (pid) of the attacker.
Table 48 Additional Arguments Passed to Response Programs While Generating Aggregated Alerts (continued)
Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[27] | Full hostname of remote host | String | | Full hostname of the remote host from which the attacker logged in. Set to localhost if the local host, or to the empty string if not known.
Perl References
Use the following references to help write Perl scripts for HP-UX HIDS:
• perlsec(1) in /opt/perl/man.
• http://www.perldoc.com/perl5.6/pod/perlsec.html, the web version of the manpage
• http://security-archive.merton.ox.ac.uk/bugtraq-200002/0114.html, an e-mail archive thread
Writing Privileged Response Programs
This section describes how to write privileged and unprivileged C response programs.
Solution A
/opt/ids/response/scriptA.sh | A non-setuid script with mode 500 and owned by ids:ids
/opt/ids/response/misc | A directory with mode 500, owned by ids:ids.
/opt/ids/response/misc/privA | A setuid-root program with mode 4550, owned by root:ids
Code for scriptA.sh
#!/usr/bin/sh
## Sample HP-UX HIDS alert response script
## Stop a process that has performed an intrusive activity.
Solution B
/opt/ids/response/privB | A setuid-root program with mode 4550, owned by root:ids
Code for privB program
#include
#include
#include
        /* Turn off root privilege */
        if (setresuid(-1, getuid(), geteuid()) == -1) {
            perror("setresuid");
            exit(1);
        }
    }
}
exit(0);
}
Solution C
/opt/ids/response/privC | A setuid-root program with mode 4550, owned by root:ids
/opt/ids/response/misc | A directory with mode 500, owned by ids:ids
/opt/ids/response/misc/scriptC.sh | A non-setuid script with mode 500, owned by ids:ids
NOTE: Do not create a privC program that enables the execution of any executable with euid root.
# Exit with no error
exit 0
Sample Response Programs
The following sections contain examples of C and shell script response programs.
Sample C Language Program Source Code
This is a sample C language source code for a response program. It is available in /opt/ids/share/examples/ids_alertResponse.c. Modify the source code below to take appropriate action in response to intrusions. This source code can be compiled with a standard C compiler.
Example 2 Sending Alerts Through e-mail
#!/usr/bin/sh
#
# Sample HP-UX HIDS alert response script
#
# Send an e-mail to root if a severity 1 alert is received
# Replace this comment with the target e-mail address
RECIPIENT="root"
# If there is a severity 1 alert then send the details in
# e-mail
if [ "$3" = "1" ]
then
    echo "$8" | /usr/bin/mailx -s "$7" ${RECIPIENT}
fi
Logging to a Central syslog Server
While the HP-UX HIDS System Manager provides a central location for alerts, you can also log alerts to a sys
Example 4 Disabling a User Account
#!/usr/bin/sh
#
# Sample HP-UX HIDS alert response script
#
# Disable a user's account if they fail to su to root
RECIPIENT="root"
# If there is a failed su attempt then determine the user
if [ "$1" = "9" ]
then
    # The offending user is in parameter $12
    username=${12}
    echo "Disabling account for ${username}" \
        | /usr/bin/mailx -s "$7" ${RECIPIENT}
    # Rather than deleting the account, disable the shell
    /usr/sbin/usermod -s /usr/bin/false "${username}" 1> /dev/null 2>&1
    # Determine
Example 5 Disabling Remote Networking
#!/usr/bin/sh
## Sample HP-UX HIDS alert response script
# Disable networking on the system as an extreme response
# to a remotely launched intrusion.
RECIPIENT="root"
# If there is a file modification alert
if [ "$1" = "2" ]
then
    # And if the target of the attack is the password file
    if [ "${17}" = "/etc/passwd" ]; then
        echo "Critical intrusion: halting networking \n$8" \
            | /usr/bin/mailx -s "$7" ${RECIPIENT}
        /sbin/init.
Example 7 Taking a Snapshot of Critical System State
#!/usr/bin/sh
#
# Sample HP-UX HIDS alert response script
#
# Take a snapshot of important system state information
# when the intrusion occurred.
# State information is stored in a snapshot file with the
# UTC time of the intrusion alert appended to it.
RECIPIENT="root"
# Set the umask to a "sane" value
umask 077
file="/var/opt/ids/tmp/snapshot.
Example 8 Restoring Safe Copies of Files
#!/usr/bin/sh
# Sample HP-UX HIDS alert response script
# Restore "good" copies of files to the /etc directory if any
# modifications occur
RECIPIENT="root"
# Setting the umask to a "sane" value
umask 077
# If there is a file modification alert
if [ "$1" = "2" ]
then
    # And if the target of the attack is a file in /etc
    match=`echo "${17}" | grep "^/etc/..
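The sample scripts in Examples 2, 4, 5 and 8 all branch on the same positional alert fields. The script below is an added example, not one of the guide's sample scripts, that gathers that decision logic into one function written defensively: it quotes every expansion and validates the user name from the alert before it can reach usermod. It assumes the field positions used by the examples above ($1 alert type code, $3 severity, $7 summary, $8 details, ${12} user name, ${17} target); the action names, the list of critical /etc files and the use of logger are this script's own choices.

```shell
#!/usr/bin/sh
# Added example, not from the HP-UX HIDS guide. Positional arguments follow
# the guide's sample scripts:
#   $1    alert type code ("2" = file modification, "9" = failed su)
#   $3    severity ("1" is the most severe)
#   $7    alert summary (used as the mail subject)
#   $8    alert details
#   ${12} user name of the offending login (failed su alerts)
#   ${17} target file (file modification alerts)
# The action names (disable-user, reject-user, critical, notify, ignore) are
# this script's own convention, not HIDS terminology.

RECIPIENT="root"

# A user name taken from an alert is attacker-influenced data. Accept only
# names made of [A-Za-z0-9._-] that do not start with "-", so the value can
# never be parsed as an option or as extra shell words by usermod.
valid_username() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Decide what to do with one alert, given the full argument list. Prints:
#   disable-user:<name>  failed su, and <name> is safe to hand to usermod
#   reject-user          failed su, but the user field failed validation
#   critical:<path>      a core authentication file under /etc was modified
#   notify               any other severity 1 alert
#   ignore               everything else
decide_action() {
    atype=$1
    severity=$3
    user=${12}
    target=${17}
    if [ "$atype" = "9" ]; then
        if valid_username "$user"; then
            echo "disable-user:$user"
        else
            echo "reject-user"
        fi
    elif [ "$atype" = "2" ]; then
        case "$target" in
            /etc/passwd|/etc/group|/etc/shadow)
                echo "critical:$target" ;;
            *)
                if [ "$severity" = "1" ]; then echo notify; else echo ignore; fi ;;
        esac
    elif [ "$severity" = "1" ]; then
        echo notify
    else
        echo ignore
    fi
}

# Only act when idsagent actually passed an alert (at least 8 fields), so the
# functions above can also be sourced or tested without side effects.
if [ "$#" -ge 8 ]; then
    action=$(decide_action "$@")
    logger -t hids_response "alert type $1 severity $3 -> $action"
    case "$action" in
        disable-user:*)
            name=${action#disable-user:}
            echo "Disabling account for $name" | /usr/bin/mailx -s "$7" "$RECIPIENT"
            # Disable the shell rather than deleting the account, as in Example 4
            /usr/sbin/usermod -s /usr/bin/false "$name" > /dev/null 2>&1 ;;
        reject-user)
            echo "Refusing to act on unsafe user field: $8" \
                | /usr/bin/mailx -s "$7" "$RECIPIENT" ;;
        critical:*|notify)
            echo "$8" | /usr/bin/mailx -s "$7" "$RECIPIENT" ;;
    esac
fi
```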
If you do not have OVO or prefer not to have OVO integrated with HP-UX HIDS, then you can remove these two files from the /opt/ids/response directory.
C Tuning Schedules and Generating Alert Reports This appendix describes how to tune schedules and generate alert reports using the idsadmin command. This appendix addresses the following topics: • “Tuning Schedules Using the idsadmin Command.” • “Generating Alert Reports Using the idsadmin Command.” Tuning Schedules Using the idsadmin Command The tune command enables you to tune schedules and reduce the number of false positives (alerts that are generated because of normal system activity).
updates the schedule and deploys it over the two agents. The administrator can choose to intervene in this process; however, it is not required. Schedule Tuning Process The process by which a schedule is tuned can be broken down into the following steps: • “Step 1: Analyzing Alerts and Tuning Schedules.
The syntax for the tune command when invoked from the idsadmin command line is as follows:
idsadmin [-v[vvv]] -t [OPTIONS]
The tune command can also be invoked from the interactive command-line interface as follows:
idsadmin> tune [-v[vvv]] -t [OPTIONS]
Table 50 describes the various tuning options that you can use with the tune command.
Table 50 The tune Command Options
Option | Description
-a, --agent-hosts host1:[srp1,srp2,......],host2:[srp1,srp2,......]... | A comma-separated list of host names or IP
NOTE: If you have specified the --tune-no-review option with the tune command, this report is not displayed. The tune command automatically modifies and deploys the schedule without prompting for reviews. The Tune Command Report contains the following additional sections: • “Section Related to File Related Alerts.” • “Section Related to Aggregated Alerts.” • “Section Related to System Alerts.
• is the time when the first alert in the meta alert was generated. • is the number of occurrences of the same meta alert. NOTE: No filters are generated for aggregated alerts, and they cannot be filtered using the idsadmin tune command.
Example 9 To tune schedules for two agents without any user interaction
% idsadmin -t -a abc.hp.com,xyz.hp.com --tune-no-review
This command (invoked from a shell command line) analyzes alerts for the two agents (abc.hp.com and xyz.hp.com) generated since the timestamp of the last alert to be tuned. The tune command analyzes the alerts, and automatically updates and deploys the updated schedule on these agents. No user interaction is required.
Example 12 Suggested Exact Filters ATTACK PROGRAM| /opt/OV/bin/OpC/opcmon --> (X) | /var/opt/OV/tmp/OpC/monagtp | Filesystem modification or potential modification | 0 | 3 | Wed Oct 11 13:12:46 2006 | 12 | ^/var/opt/OV/tmp/OpC/monagtp$ | ^/opt/OV/bin/OpC/opcmon$ | | 2 In this entry, the tune command displays the filtering rule for alerts that are generated when the opcmon program modifies the /var/opt/OV/tmp/monagtp.
• Generate incremental reports (i.e., report alerts that were generated after the last generated report)
• Select alert fields to be displayed in the report
• Sort alerts by severity, alert type, or date
• Initiate reports from the command line, from an interactive menu, or from a cron job
• e-mail the reports to any number of recipients
• Generate reports in .html, .txt, and .
Table 51 Reporting Options Supported by idsadmin (continued)
Option | Description
(continued) | • logout – report alerts triggered by logouts
• all – report all alerts regardless of the event that triggered the alert
The default value is all.
--alert-fields | A comma-separated list of alert fields to print in a report, where:
• hostname — The hostname of the agent that generated the alert.
• ipaddr — The host IP address of the agent that generated the alert.
• template — The template that generated the alert.
Table 51 Reporting Options Supported by idsadmin (continued)
Option | Description
--e-mail-message TEXT | Used with the --e-mail-to reporting options. Text of an e-mail message containing a report. Text must be enclosed in double quotes if it contains white spaces. This option can be specified only from the command line and not from the interactive menu prompt.
--e-mail-subject TEXT | Used with the --e-mail-to reporting options. Subject line of an e-mail message containing a report.
Table 51 Reporting Options Supported by idsadmin (continued)
Option | Description
(continued) | individual report is generated instead. The default value is multihost.
--sort-by date | severity | type | The sorted order in which alerts are listed in an alert report. The default is date.
--start-date YYYYMMDD[HHMMSS] | Specifies that only alerts generated on or after the specified date are reported. The date/time is interpreted as local time on the host on which idsadmin is run, not as the local time on agent host(s).
Example 14 To generate a report for all the managed agents starting from a particular date
/opt/ids/bin/idsadmin -r --start-date 20070101
This command generates a report for all the managed alerts starting from January 01 2007. This report is saved as an HTML file in /var/opt/ids/reports/HIDS_Report.html. Figure 44 shows a screenshot of the report in HTML format.
Figure 44 Screenshot of the Generated Report in .html Format
NOTE: While generating alert reports in .
Example 15 To generate a report for an agent showing only the date and time (local), severity, attacker, target, and to e-mail the report in text format to a specified e-mail address
/opt/ids/bin/idsadmin -r -a ariel --alert-fields localdate,severity,attacker,target --report-format text --e-mail-to admin@xyz.
Example 18 To generate a report for all agents listing only alerts related to failed logins, logouts, and failed su attempts. The report is e-mailed to the specified e-mail address with a customized message and subject line.
/opt/ids/bin/idsadmin -r --alert-events flogin,logout,fsu --e-mail-to admin@xyz.com --e-mail-message "HIDS Alert Report Generated" --e-mail-subject "Report Dated Mar 23 2007"
Example 19 To generate a report for all agents listed in the sentinal.
Example 20 To generate a report for an agent configured to monitor HP-UX Containers (HP-UX SRP).
/opt/ids/bin/idsadmin -r --start-date 20110101 --report-type persrp -a :[init,srp01,srp02]
This command generates a report for an agent configured to monitor Containers 'init', 'srp01', 'srp02' starting from January 01 2011. This report is saved as an HTML file in /var/opt/ids/reports/HIDS_Report.html in a persrp format.
D The Agent Configuration File This appendix describes the user-configurable options that can be modified in the HP-UX HIDS agent configuration file, which is located in /etc/opt/ids/ids.cf.
Global Configuration
The Global section is bracketed by the [global]...[END] keywords. Only the parameters in Table 52 may be edited.
CAUTION: Do not edit any other variables between [global] and its [END] tag.
Table 52 Global Configuration Variables
Name | Default Value
IDS_ALERTFILE | /var/opt/ids/alert.log
IDS_ERRORFILE | /var/opt/ids/error.
Table 53 Correlator Configuration Variables
Name | Default Value
CMDLINEARGS | ""
AGGREGATION | "not set"
CMDLINEARGS
Used to pass command line options to the idscor process. To measure the average system call event rate on a host for the system calls monitored by HIDS, while running a particular set of detection templates, set the value to -t where is the number of events over which the rate is calculated. For example, -t 100000 calculates the event rate for every 100,000 events.
The first entry, for the system log DSP which monitors various system log files, has no modifiable parameters. The second entry is for the kernel audit data DSP. CAUTION: Do not edit any variables in the system log DSP section (between [DSP] NAME idskernDSP and its [END] tag). Kernel Audit Data DSP In the section beginning with [DSP] NAME idskernDSP only the parameters in Table 54 may be edited. CAUTION: tag.
(continued) | Gather status information on numbers of audit records read or written but still block the kernel. Do not drop audit records in the kernel, but a read of /dev/idds will return immediately if no data is available.
IDDS_MODE 4 | Gather status information on numbers of audit records read or written but still block the kernel.
IDDS_MODE 7 | Gather status information, but do not block the processes. Instead, audit records will be dropped if there is no space to read them into.
IDS_SSL_TIMEOUT | The timeout value in seconds for the agent to complete a Secure Sockets Layer handshake with the administration system.
REMOTEHOST | The IP address or host name associated with the administration system's network interface card. This entry is set to the host name passed to the IDS_importAgentKeys script when the script is run. See "Configuring a Multihomed Administration System" (page 28) and "Setting Up HP-UX HIDS Secure Communications" (page 21).
E The Surveillance Schedule Text File
This appendix describes the surveillance schedule in text format. It is intended for administrators who prefer to edit surveillance schedules with their own editor instead of the GUI Schedule Manager, and for administrators who want to automate the activation of surveillance schedules (using scripts) instead of using the GUI System Manager.
Surveillance Schedule Text File
The surveillance schedule text file has two main sections:
• Surveillance Schedule Section: A section that defines global properties of a schedule that are not specific to any Surveillance Group or Template. There can only be one Surveillance Schedule section in a surveillance schedule text file.
• Surveillance Group Section: A subsection of the Surveillance Schedule section that defines properties for a Surveillance Group.
equivalent to a row in the Schedule Manager Alert Aggregation table described in “Configuring Alert Aggregation” (page 64). • suppression: The suppression property is a duplicate alert suppression property that is used to enable or disable duplicate alert suppression. The property value is specified using the syntax described in ??? and is equivalent to the Schedule Manager Duplicate Suppression option described in ???.
selected in the GUI Schedule Manager. The property set to "0" is equivalent to the Monitor Failed Attempts To Create / Modify / Delete Critical Files option box that is not selected. By default, the property value is set to “0”. • log_severity_def: This property defines the default severity level for alerts that are generated by the Log File Monitoring Template. For more information, see “Log File Monitoring Template” (page 145).
of a group must consist of an alphanumeric character followed by one or more alphanumeric characters, underscores (_) or hyphens (-).
• If the GMT keyword value is set to 0, the times specified by the STARTTIME and ENDTIME entries are interpreted as local time. If the GMT keyword value is set to 1, the times specified by the STARTTIME and ENDTIME entries are interpreted as GMT and are converted to local time when scheduling the surveillance group.
Example 21 A Sample Surveillance Schedule Text File
The following sample surveillance schedule text file illustrates the usage of different keywords in a schedule:
SCHEDULE TestSched
GLOBALS
aggregation | 1
rt_alerts | 0
aggr_tuples | ^/usr/lbin/swagent$ , 28800
suppression | 1
suppression_report | 1
suppression_interval | 6h
suppression_count | 100
suppression_targets_to_ignore | ^/etc/passwd$ | ^/etc/group$ | ^/stand/vmunix$ | ^/stand/system$ | ^/\.rhosts$ | ^/etc/inetd\.
Example 22 A Sample Surveillance Schedule Text File
The following sample surveillance schedule text file illustrates the usage of different keywords in a schedule for an HP-UX Container (HP-UX SRP) configuration with a Global Container (init) and a system Container (srp1):
SCHEDULE TestSched
GLOBALS
aggregation | 1
rt_alerts | 0
aggr_tuples | ^/usr/lbin/swagent$ , 28800
suppression | 1
suppression_report | 1
suppression_interval | 6h
suppression_count | 100
suppression_targets_to_ignore | ^/etc/passwd$ | ^/etc/gro
F Error Messages This appendix describes errors and messages that may be produced by the Agent and System Manager programs. This appendix addresses the following topics: • “Agent Messages” (page 195) • “System Manager Messages” (page 199) Agent Messages This section describes error messages that are displayed on agent systems. NOTE: These messages are produced by agent processes. If you see a message that is not described and you cannot resolve the problem, contact HP support.
Table 56 Agent Error Messages (continued)
Error Message | Meaning | Action
(continued) | | limit on file descriptors may have been reached.
idsagent: failed to start group | The idsagent encountered an error while attempting to activate a surveillance group. The surveillance group may contain detection templates that are not supported on this version of the idsagent. | Contact HP support.
idsagent: failed to stop group | The idsagent encountered an error while attempting to deactivate a surveillance group. | Contact HP support.
Table 56 Agent Error Messages (continued)
Error Message | Meaning | Action
(continued) | | the file; and that its parent directory has read and write permissions.
idsagent: DSP type dsp required by template template not found | Template template requires a data source dsp that is not supported by this version of HP-UX HIDS. | Ensure that you have installed the latest version of HP-UX HIDS.
Table 56 Agent Error Messages (continued)
Error Message | Meaning | Action
idsagent: new configuration failed | The idsagent received a SIGHUP but encountered an error while rereading the /etc/opt/ids/ids.cf configuration file. | Verify that the configuration file is owned by user:group ids:ids, that it is readable by user ids, and that it has not been corrupted.
idsagent: No support for template named template | A surveillance schedule contains a | Contact HP support.
Table 56 Agent Error Messages (continued)
Error Message | Meaning | Action
Internal error | An internal error occurred. | Contact HP support.
Internal error: unknown state | An internal error occurred. | Contact HP support.
unable to open the response script directory dir | idsagent was unable to open or read the /opt/ids/response directory which contains the alert response scripts. | Ensure that the directory exists, that it is owned by user:group ids:ids, and that it is readable and executable by user ids.
Table 57 System Manager Error Messages (continued)
Error Message | Meaning | Action
In order to resync with an Ids Agent, the selected hosts must have a status of Ready, Scheduled, or Running. | You attempted to resync an IDS agent in an invalid state. | Before resynchronizing an HP-UX HIDS agent, make sure that the agent is in the state of ready, scheduled, or running.
In order to stop a Surveillance Schedule, hosts must have a status of Running or Scheduled. | |
Table 57 System Manager Error Messages (continued)
Error Message | Meaning | Action
Select Surveillance Group Name to delete - Selection Error. | You tried to delete a surveillance group without selecting one. | Select a surveillance group to delete before attempting the delete function.
Select Surveillance Group Name to be modified - Selection Error. | You tried to modify a surveillance group without selecting a surveillance schedule. | Before modifying a surveillance group, select a surveillance group name.
Table 57 System Manager Error Messages (continued)
Error Message | Meaning | Action
(continued) | If the INTERFACE variable in /opt/ids/bin/idsgui is set to an IP address, then the IP address does not map to the local host name according to the name service and the System Manager assumes that an invalid IP address was specified. |
NOTE: By setting the value of the INTERFACE variable to 0.0.0.0 (or "::" for IPv6), the System Manager will listen on a port (see Configuring Ports (page 31)) on all available interfaces.
G Troubleshooting This appendix describes various steps you can take in resolving problems on the agent and administrative systems.
• “Using HP-UX HIDS with IPFilter and SecureShell” (page 213) • ??? Troubleshooting This section describes a variety of potential problems and their solutions. To stay current with product updates and patches, be sure to monitor the HP security software news and events web site at www.hp.com/security. Agent and System Manager cannot communicate with each other (No errors are being generated by the HP-UX HIDS processes and everything seems to be running fine otherwise.
Agent complains that idds has not been enabled, yet lsdev shows /dev/idds is present □ If your lsdev result shows /dev/idds is present, and yet the idsagent debug-enabled log file (run with /opt/ids/bin/idsagent -d -l log_file_name) complains about idds not being enabled, it is probable that there is an installation or kernel-build error.
Agent halts abnormally, leaving ids_* files and message queues □ If a running agent was not halted as described in “Halting HP-UX HIDS Agents” (page 45) (for example, the agent was stopped with kill -9), then you need to clean up the message queues, which the agent uses for interprocess communication (IPC). This is important because the kernel has a limited number of message queues that IDS and other applications need in order to run.
Agent does not start after installation □ Verify that there are no errors from the install: /var/adm/sw/swagent.log □ Be sure the product has been run as user ids. (No other user will work.) □ Verify that all keys have been generated as described in “Setting Up HP-UX HIDS Secure Communications” (page 21). □ Run /opt/ids/bin/IDS_checkInstall to verify that all required patches have been installed properly prior to installing IDS. IDS_checkInstall should be run on an OS where IDS is installed.
Alert date/time sort seems inconsistent □ Two factors come into play in this seeming inconsistency: First, the agent’s date/time stamp is based on the local host time when the alert was received. Second, the time the System Manager uses to sort the alert is based on the UTC when the alert actually occurred. Under normal circumstances, these two times are identical. On occasion, however, there may be a difference depending on internal processing time, which may make the alert list inconsistent.
Getting several aggregated alerts for the same process Problem: Alerts generated by a process running a program specified in an alert aggregation tuple are being aggregated into several aggregated alerts. Cause: The maximum alert delay specified in the alert aggregation tuple for the program being run by this process is too small. Action: Increase the maximum alert delay in the alert aggregation tuple to aggregate over a longer period of time.
comm_write_msg: Error writing message, errno==607: Error during SSL handshake Use IDS_checkAgentCert to get the validity duration of the agent certificate, and compare it with the system time of the agent host. If the certificate is not yet valid on the agent host, either adjust the system time of the agent host, or wait until the certificate becomes valid.
Log files are filling up □ The log files on both the agent and the administration systems can grow without bounds. It’s a good idea to practise log file rotation. See “Log File Rotation” (page 182). No Agent Available □ The Status field for an agent on the System Manager screen shows No Agent Available. See also “Agent and System Manager cannot communicate with each other” (page 204). 1.
Schedule Manager timetable screen appears to hang □ The visual refresh of the day, time, and surveillance group matrix (which the System Manager maintains in the Schedule Manager timetable screen) is CPU intensive and hence may appear to be slow on some systems. SSH does not perform a clean exit after idsagent is started After starting idsagent from an ssh login, logging out of the agent system results in the ssh session hanging indefinitely.
System Manager starts with no borders or title bar in X client programs on Windows □ This sometimes happens when Reflection X (or other X client programs on Microsoft Windows) has been running for a while. Quit, restart the program, relogin to your HP-UX HIDS administration system, and restart the System Manager. If the problem persists, contact HP support.
pass in quick proto tcp from any to any port = hpidsagent keep state
2. HP-UX HIDS System Manager listens on port hpidsadmin (2984) for incoming connections initiated by HP-UX HIDS agents. If the host running IPFilter is also running an HP-UX HIDS System Manager, then allow incoming connections initiated by HP-UX HIDS agents.
pass in quick proto tcp from any to any port = hpidsadmin keep state
3. HP-UX HIDS System Manager uses ephemeral ports to send requests to agent host's port hpidsagent.
X11 connection rejected because of wrong authentication at Tue Dec 31 15:11:30 2002.
Rejected connection at Tue Dec 31 15:11:30 2002: X11 connection from ::ffff:15.27.232.106 port 56861
xsvr3: Channel 0 closes incoming data stream.
xsvr3: Channel 0 closes outgoing data stream.
xsvr3: Channel 0 sends oclosed.
xsvr3: Channel 0 sends ieof.
xsvr3: Channel 0 receives input eof.
xsvr3: X problem fix: close the other direction.
xsvr3: Channel 0 receives output closed.
xsvr3: Channel 0 terminates.
H HP Software License Attention USE OF THE HP-UX HOST INTRUSION DETECTION SYSTEM AND ASSOCIATED DOCUMENTATION (COLLECTIVELY, THE "SOFTWARE") IS SUBJECT TO THE HP SOFTWARE LICENSE TERMS SET FORTH BELOW. USING THE SOFTWARE INDICATES YOUR ACCEPTANCE OF THESE LICENSE TERMS. IF YOU DO NOT ACCEPT THESE LICENSE TERMS, YOU MAY RETURN THE SOFTWARE FOR A FULL REFUND. IF THE SOFTWARE IS BUNDLED WITH ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE UNUSED PRODUCT FOR A FULL REFUND.
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS * OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE.
* "This product includes software written by Tim * Hudson (tjh@cryptsoft.com)" * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS * '' AND ANY EXPRESS OR IMPLIED WARRANTIES, * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * PARTICULAR PURPOSE ARE DISCLAIMED.
Export Requirements You may not export or re-export the Software or any copy or adaptation in violation of any applicable laws or regulations. U.S. Government Restricted Rights The Software and any accompanying documentation have been developed entirely at private expense. They are delivered and licensed as "commercial computer software" as defined in DFARS 252.227-7013 (Oct 1988), DFARS 252.211-7015 (May 1991) or DFARS 252.227-7014 (Jun 1995), as a "commercial item" as defined in FAR 2.