HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

Log files are filling up
The log files on both the agent and the administration systems can grow without bounds. It’s
a good idea to practise log file rotation. See “Log File Rotation” (page 182).
No Agent Available
The Status field for an agent on the System Manager screen shows No Agent Available.
See also “Agent and System Manager cannot communicate with each other” (page 204).
1. Is the agent running? On the agent host, run
ps -ef | grep idsagent
If there is no entry for idsagent, start the agent on the agent system, as in “Starting
HP-UX HIDS Agents” (page 41).
Then, on the System Manager screen, click the Status button.
2. Is the IP address for the agent correct in the Host Manager screen? Test with nslookup.
3. Is the Domain Name Service (DNS) set up correctly? Test with nslookup.
4. Can the administration system communicate with the agent system? Test with ping.
5. Is the agent communicating correctly with the administration system? Check the entry for
REMOTEHOST in the /etc/opt/ids/ids.cf agent configuration file. It must be set to
the host name or IP address of the administration system. If the INTERFACE variable is
set to an IP address (other than 0.0.0.0 or ::) in /opt/ids/bin/idsgui on the
administration system, REMOTEHOST must be set to the same value. See “Configuring a
Multihomed Administration System” (page 28) and “Setting Up HP-UX HIDS Secure
Communications” (page 21).
6. Have the secure communications certificates expired?
On the administration system, run the script
/opt/ids/bin/IDS_checkAdminCert. If the certificate has expired, rerun
/opt/ids/bin/IDS_genAdminKeys with the update parameter. See “Setting
Up HP-UX HIDS Secure Communications” (page 21).
On the agent system, run the script /opt/ids/bin/IDS_checkAgentCert. If
the certificate has expired, rerun /opt/ids/bin/IDS_genAgentCerts for the
agent on the administration system. Then reimport the certificates on the agent system
with /opt/ids/bin/IDS_importAgentKeys. See “Setting Up HP-UX HIDS
Secure Communications” (page 21).
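The REMOTEHOST/INTERFACE rule in step 5 is easy to get wrong on a multihomed administration system. The following script is an added example written for this guide, not an HP-supplied tool: it reads REMOTEHOST from a copy of the agent’s ids.cf and INTERFACE from a copy of idsgui and reports whether the pair is consistent (a wildcard INTERFACE of 0.0.0.0 or :: accepts any REMOTEHOST; a specific address requires an exact match). It assumes both files carry the settings as simple NAME=value lines, and the sample files are constructed here rather than taken from a real system.

```shell
#!/bin/sh
# Added example for the "No Agent Available" checklist, step 5.
# Assumption: ids.cf and idsgui hold NAME=value lines (format not taken from HP).

# Print the last NAME=value setting of NAME in FILE, with quotes and blanks removed.
cfg_value() {  # usage: cfg_value FILE NAME
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | tr -d "\"' "
}

# Return 0 when the agent's REMOTEHOST is acceptable for the admin INTERFACE:
# an unset or wildcard INTERFACE (0.0.0.0 / ::) accepts any non-empty REMOTEHOST,
# a specific INTERFACE address requires REMOTEHOST to be exactly that address.
remotehost_matches() {  # usage: remotehost_matches AGENT_IDS_CF ADMIN_IDSGUI
    remotehost=$(cfg_value "$1" REMOTEHOST)
    interface=$(cfg_value "$2" INTERFACE)
    [ -n "$remotehost" ] || return 1
    case "$interface" in
        ""|0.0.0.0|::) return 0 ;;
        *) [ "$remotehost" = "$interface" ] ;;
    esac
}

# Step 1 as a function: the [i] trick keeps grep from matching its own process.
agent_process_running() { ps -ef | grep '[i]dsagent' >/dev/null; }

# Constructed sample files standing in for /etc/opt/ids/ids.cf and /opt/ids/bin/idsgui.
GOOD_CF=$(mktemp); BAD_CF=$(mktemp); GUI_MULTI=$(mktemp); GUI_ANY=$(mktemp)
trap 'rm -f "$GOOD_CF" "$BAD_CF" "$GUI_MULTI" "$GUI_ANY"' EXIT
printf 'REMOTEHOST=192.0.2.10\n'         > "$GOOD_CF"   # matches the admin INTERFACE
printf 'REMOTEHOST=admin.example.net\n'  > "$BAD_CF"    # host name, so no exact match
printf 'INTERFACE=192.0.2.10\n'          > "$GUI_MULTI" # multihomed admin, pinned interface
printf 'INTERFACE=0.0.0.0\n'             > "$GUI_ANY"   # wildcard, any REMOTEHOST is fine

# Report each pairing; on a live system pass the real file paths instead.
for pair in "$GOOD_CF $GUI_MULTI" "$BAD_CF $GUI_MULTI" "$BAD_CF $GUI_ANY"; do
    set -- $pair
    if remotehost_matches "$1" "$2"; then
        echo "OK:       REMOTEHOST=$(cfg_value "$1" REMOTEHOST) INTERFACE=$(cfg_value "$2" INTERFACE)"
    else
        echo "MISMATCH: REMOTEHOST=$(cfg_value "$1" REMOTEHOST) INTERFACE=$(cfg_value "$2" INTERFACE)"
    fi
done
```

Run it on the administration system after copying the agent’s ids.cf there (or over NFS), so both files are readable from one host.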
Normal operation of an application generates a heavy volume of alerts
To avoid being overwhelmed by unnecessary alerts, customize the detection templates to
meet the needs of your particular environment. If an application generates a heavy volume of
alerts during its normal mode of operation, you can reduce this by adding filtering to the
relevant detection templates (most offer mechanisms by which these spurious alerts can be
suppressed).
For example, a system with the Resource Management subsystem might trigger a heavy volume
of alerts since it frequently updates some files in /etc/opt/resmon. You can go to the
Schedule Manager and modify the “Modification of files/directories” template to have it ignore
the /etc/opt/resmon directory. (This filtering is provided by default in HP-UX HIDS version
2.2.)
See “Suggested Best Practices” (page 61).
Reflection X rlogin produces multiple login and logout alerts
When logging in using rlogin within Reflection X, the login/logout template will report two login
alerts followed immediately by a logout alert. This is expected behaviour and reflects how Reflection
X immediately terminates a login session after bringing up a remote window.
Troubleshooting 211