HP-UX Host Intrusion Detection System Version 4.
Copyright 2011, 2013, 2014 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents
HP secure development lifecycle 5
1 Announcement 6
  What is HP-UX HIDS 6
  Compatibility with previous versions
  Making Depots 15
    Create the Depot Directory 16
    Get the HP-UX HIDS Product 16
      From the HP-UX 11i v3 System Versions
HP secure development lifecycle

Starting with the HP-UX 11i v3 March 2013 update release, HP secure development lifecycle provides the ability to authenticate HP-UX software. Software delivered through this release has been digitally signed using HP's private key. You can now verify the authenticity of the software delivered through this release before installing the products. To verify the software signatures in a signed depot, the following products must be installed on your system:

• B.11.31.
1 Announcement

The HP-UX Host Intrusion Detection System Version 4.7 supports Java 6.0.

What is HP-UX HIDS

HP-UX HIDS is a host-based HP-UX security product for HP computers running HP-UX 11i. HP-UX HIDS enables security administrators to proactively monitor, detect, and respond to attacks targeted at specific hosts. Many types of attacks can bypass network-based detection systems.
Table 1 HP-UX HIDS Product Compatibility (continued)

Product                                       Support
OpenView                                      Yes
ServiceGuard                                  Not tested
Third-party Event Monitoring Service (EMS)    Not tested
Trusted Mode operation                        Yes
Virtual Vault                                 No

Localization

The HP-UX HIDS software and documentation are not localized in non-English languages.
Documentation

HP-UX HIDS documentation includes manuals, manpages, information on HP OpenView SMART Plug-In, and HP Support Center.

Manuals

The following documents are available at the HP technical documentation Website in the Internet Security Solutions collection, http://docs.hp.com/en/internet and on the Instant Information CD in the Internet and Security Solutions collection.

HP Part No.    Title
766144-001     HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide.
- Customers using a prior major version (or any of its minor versions) will be supported on a best-effort basis. They will be asked to adopt the latest version, especially if the problem they are experiencing has been corrected in the latest version.

Specifically, this means that v4.7 is now the actively supported version on HP-UX 11i v3 and all previous versions are supported on a best-effort basis.

NOTE: Support for version 2.x of HP-UX HIDS was discontinued on March 31, 2007.
Example 1 Invalid Modification - Scenario 1

In this example, the GUI Schedule Manager allows the administrator to enter an unequal number of pathnames_X and programs_X pathname groups:

pathnames_1 | file1 & file2 | file3 | file4
programs_1 | prog1 | prog2

However, the administrator will not be able to activate the schedule as there is no corresponding program for file4.
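An offline pre-check for the mismatch in Example 1, as an added example (not HP's code and not part of HIDS). It assumes that the i-th pathnames_X group pairs with the i-th programs_X group, that `|` separates groups and `&` joins members of one group, as the example's layout suggests; the function names and the second sample are constructed for illustration.

```python
import re

# Matches the pathnames_X / programs_X property names used in Example 1.
PROP = re.compile(r"(?:pathnames|programs)_(\d+)$")

def parse_property(line):
    """Split 'name | a & b | c' into (name, [['a', 'b'], ['c']])."""
    name, *groups = (field.strip() for field in line.split("|"))
    return name, [[m.strip() for m in g.split("&")] for g in groups if g]

def unpaired_groups(lines):
    """Return one message per group that has no counterpart at the same position."""
    props = dict(parse_property(line) for line in lines if line.strip())
    suffixes = sorted({m.group(1) for m in map(PROP.match, props) if m}, key=int)
    problems = []
    for n in suffixes:
        paths = props.get(f"pathnames_{n}", [])
        progs = props.get(f"programs_{n}", [])
        # Positions beyond the shorter list have nothing to pair with.
        for pos in range(min(len(paths), len(progs)), max(len(paths), len(progs))):
            if pos < len(paths):
                members = " & ".join(paths[pos])
                problems.append(f"pathnames_{n} group {pos + 1} ({members}) has no program group")
            else:
                members = " & ".join(progs[pos])
                problems.append(f"programs_{n} group {pos + 1} ({members}) has no pathname group")
    return problems

# The values from Example 1 (three pathname groups, two program groups).
PAGE_EXAMPLE = [
    "pathnames_1 | file1 & file2 | file3 | file4",
    "programs_1 | prog1 | prog2",
]

# Constructed sample with matching group counts; it should produce no messages.
CONSTRUCTED_OK = [
    "pathnames_2 | fileA & fileB | fileC",
    "programs_2 | progA | progB",
]

if __name__ == "__main__":
    for message in unpaired_groups(PAGE_EXAMPLE + CONSTRUCTED_OK):
        print(message)
```
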
longer has a connection to that agent. A status command will reestablish a connection to that agent.

The idsadmin Tool Cannot Monitor more than one Agent at a Time

The idsadmin tool does not monitor or display alerts in near real-time from multiple agents at the same time. The idsadmin tool can only monitor and display alerts from one agent at any given time.
Then, run the /sbin/init.d/idsagent start commands interactively.

Agents and Kernel Parameters

The administration System Manager can monitor up to 23 agent systems unless you make kernel parameter changes, as described in Chapter 2, “Configuring HP-UX HIDS,” in the Host Intrusion Detection System Administrator Guide.

Dropped Kernel Audit Records

Depending on the system profile and product configuration, and under heavy loads, HIDS can drop kernel audit records and therefore miss potential intrusions.
2 Installation

This chapter provides information about HIDS installation.

IMPORTANT: Read this entire chapter before installing or updating to HIDS v4.7.

Introduction

The HP-UX HIDS v4.7 bundle can be downloaded from the HP Software Depot Website. The following product versions are supported:

• HPUX-HIDS F.04.07 for HP-UX 11i v3

The HIDS software product bundle, HPUX-HIDS, contains the IDS and IDS-KRN products.
1. Ensure that your administration and agent systems meet the requirements as described in “Hardware and Software Requirements” (page 14).
2. If you want to migrate your existing schedules to HIDS 4.2, complete the steps listed in “Migrating Schedules from Older Versions of HIDS” (page 15).
3. Perform the preinstallation tasks described in “Preinstallation” (page 15).
4. Create software depots for the administration system and the agent systems, as described in “Making Depots” (page 15).
Migrating Schedules from Older Versions of HIDS

Surveillance schedules created using HIDS v3.1 and v4.0 must be migrated before they can be run by HIDS v4.7 agents. Schedules created using HIDS v4.1 do not need to be migrated unless the features introduced in v4.2 and supported in v4.7 are needed. Schedules created using HIDS v4.2, v4.3, and v4.4 do not need to be migrated.

NOTE: If you are migrating schedules created using HIDS v3.1, you must first upgrade to HIDS v4.0 and convert them to HIDS v4.
Table 4 Software Depots (continued)

Depot: For an HP-UX 11i system supporting the HIDS administration and agent software
Contents:
• JRE 6.0
• IDS.IDS-ADM-RUN and IDS.IDS-ADM-SHLIB subproduct
• IDS.IDS-AGT-RUN subproduct
• IDS.IDS-ENG-A-MAN subproduct
• IDS-KRN subproduct
• OpenSSL product

Depot: 11i Admin Depot, /var/depot/ids_11i_admin. For an HP-UX 11i system supporting the HIDS administration software
Contents:
• Required Java patches
• JRE 6.0
• IDS.IDS-ADM-RUN and IDS.IDS-ADM-SHLIB subproduct
• IDS.
4. Copy the HP-UX HIDS product to your administration and agent depots, as appropriate.
   a. • 11i Agent Depot
        Copy the 11i IDS-KRN product and IDS agent subproducts into the ids_11i_agent depot:
        # swcopy -x enforce_dependencies=false -s /var/tmp/idsprod/HPUX-HIDS_11i.depot IDS-KRN IDS.IDS-AGT-RUN IDS.IDS-ENG-A-MAN @ /var/depot/ids_11i_agent
   b.
3. Open the HP Java Website: http://www.hp.com/go/java
4. Click the patches link.
5. Take note of the patches that you need, based on your administration system.
6. Open the HP Support Website: http://www.hp.com/go/hpsc
7. Click on individual patches. You must be registered before you can download patches.
8. Using the instructions on the Website, download the 11i Java patches into /var/tmp/javapatch. Some patches might have dependency patches (patches that must be installed first).
7. Transfer the software to the administration depot using one of the following steps:
   a. • 11i Admin Depot
        If your administration system will not be running an agent, copy the 11i Java software into the ids_11i_admin depot:
        # swcopy -x enforce_dependencies=false -s /var/tmp/jre6_16006_ia.depot \* @ /var/depot/ids_11i_admin
   b.
NOTE: In the following procedure, swinstall does not reinstall any patches or applications that are already installed. You can ignore messages to that effect. The software you need will be installed properly. Do not reinstall any patches without consulting HP Support first.

The swinstall option -x autoreboot=true in the following procedure ensures that any software that requires a system reboot will be installed. If none of the installed software requires a reboot, the system will not be rebooted.
Table 5 Reboot Matrix (continued)

Update from:    Update to Version 4.7
Version 4.1     No Reboot
Version 4.0     No Reboot
Version 3.1     No Reboot

Postinstallation

• The HP-UX startup in progress list should display OK for the Starting HIDS agent entry.
• When an agent system reboots after a cold installation, the HP-UX startup in progress list should display N/A for the Starting HIDS agent entry.
• Working with firewalls
  If you have firewalls between the administration system and agent systems, you must configure the firewall systems.
• Working with NIS
  If you use NIS, you must configure the NIS master system.
3 Documentation feedback

HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hp.com). Include the document title and part number, version number, or the URL when submitting your feedback.
A HP Software License

Attention

USE OF THE HP-UX HOST INTRUSION DETECTION SYSTEM AND ASSOCIATED DOCUMENTATION (COLLECTIVELY, THE "SOFTWARE") IS SUBJECT TO THE HP SOFTWARE LICENSE TERMS SET FORTH BELOW. USING THE SOFTWARE INDICATES YOUR ACCEPTANCE OF THESE LICENSE TERMS. IF YOU DO NOT ACCEPT THESE LICENSE TERMS, YOU MAY RETURN THE SOFTWARE FOR A FULL REFUND. IF THE SOFTWARE IS BUNDLED WITH ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE UNUSED PRODUCT FOR A FULL REFUND.
 * 5. Products derived from this software may not be called
 *    "OpenSSL" nor may "OpenSSL" appear in their names without
 *    prior written permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the
 *    following acknowledgment:
 *    "This product includes software developed by the OpenSSL
 *    Project for use in the OpenSSL Toolkit
 *    (http://www.openssl.
 * 2. Redistributions in binary form must reproduce the above
 *    copyright notice, this list of conditions and the
 *    following disclaimer in the documentation and/or other
 *    materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of
 *    this software must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *    Eric Young (eay@cryptsoft.
detailed information regarding any intended disassembly or decompilation. You may not decrypt the Software unless necessary for the legitimate use of the Software.

Transfer. You may transfer your rights under this Agreement to another party on a permanent basis. Your license will automatically terminate upon any transfer of the Software. Upon transfer, you must deliver the Software, including any copies and related documentation, to the transferee.