HP Host Intrusion Detection System (HIDS) manual
Contents
HP-UX Host Intrusion Detection System Administrator’s Guide
Edition
Manufacturing Part Number J5083-90013 December
Government License
Warranty
Trademarks
Conventions
Schedule Manager Screen
System Manager Screen
Host Manager Screen
Network Node Screen
Preferences Screen
Templates and Alerts
Agent Configuration File
idsagent Command
idsadmin Command
Automated Response
Troubleshooting
Messages
HP Software License
Original SSLeay License
HP Software License Terms
Overview
Documentation
Summary
Loss of Computing Resources
Why Do You Need Intrusion Detection?
Loss of Financial Assets
Loss of Intellectual Property
Malicious Code
Who Are the Perpetrators?
How Are These Threats Realized?
Misplaced Trust
Firewalls
Why Existing Tools Are Only Part of the Solution
Excessive Privilege for Simple Tasks
Being Used as a Springboard to Attack the Next Victim
Security Auditing Tools
Encryption
What Is Intrusion Detection?
Where Does Intrusion Detection Fit In?
What HP-UX HIDS Does
What HP-UX HIDS Does Not Do
Graphic Representation
HP-UX HIDS Components
How the Components Interact to Detect Intrusions
Surveillance Schedules
HP-UX HIDS Secure Communications
Detection Templates
Surveillance Groups
Glossary of HP-UX HIDS Terms
Node
Intrusion Detection Data
Intrusion Detection System
Kernel
System Manager
Virus
Vulnerability
Configuration
Introduction
Required
Optional
Setting Up the HP-UX HIDS Secure Communications
Overview of Procedures to Set Up Secure Communications
Script to Use, Where Used, End Product
Create the X.509 Certificates
$ IDSgenAdminKeys install
$ IDSgenAgentCerts
Transport the Certificates
TIP
$ IDSimportAgentKeys /var/opt/ids/tmp/myhost1.tar.Z myadmin
Install the Keys on Each Host
Step
Configuring a Multihomed Agent System
Example
$ nslookup large2
Configuring a Multihomed Administration System
To configure a multihomed administration system
Edit the agent configuration file, for example
Configuring a Loopback System
To configure a loopback system
Configuring Ports
Working with NIS
Working with Firewalls
Enabling Large Numbers of Agents
Enabling Over 23 Agents: Thread Limits
To change the value of max_thread_proc
Select Kernel Configuration, then select Configurable Parameters
Enabling Over 20 Inbound Requests
To view and change the value of tcp_conn_request_max
File Permissions
Restricting Permissions
Runtime File Permissions
Accessing Manpages
Getting Started
System Manager
Agents
Starting HP-UX HIDS for the First Time
Set up hosts and run schedules
See Host Manager Screen
Operations Screens
Network Node
Schedule Manager
Host Manager
Basic Screen Actions
Selecting Entries in Lists
Sorting Entries
Searching Entries
System Manager Screen
Starting the HP-UX HIDS System Manager
To start the HP-UX HIDS System Manager
Stopping the HP-UX HIDS System Manager
To stop the HP-UX HIDS System Manager
On the System Manager Screen
Status Field Values
Status Value, Description
Getting the Status of Agent Hosts
To get the status of agent hosts
On the System Manager screen
Resynchronizing Agent Hosts
To resynchronize agent hosts
Activating a Schedule on Agent Hosts
To activate a surveillance schedule on agent hosts
Choose the Actions Activate Schedule menu item
Stopping Schedules on Agent Hosts
To stop a surveillance schedule on agent hosts
Starting HP-UX HIDS Agents
To start the agent
Halting HP-UX HIDS Agents
To halt agents remotely from the System Manager
To halt the agent locally on the agent host
Accessing Other Screens
To go to the Schedule Manager screen
Go to Schedule Manager Screen
Go to Host Manager Screen
Go to Network Node Screen
Go to Preferences Screen
Return to System Manager Screen
Schedule Manager Screen
Schedule Manager
Displaying the Schedule Manager Screen
To display the Schedule Manager screen
Closing the Schedule Manager Screen
To close the Schedule Manager screen
Configuring Surveillance Schedules
Creating a Surveillance Schedule
To create a surveillance schedule
Creating a New Surveillance Schedule
To create a new surveillance schedule
Copying a Surveillance Schedule
Modifying a Surveillance Schedule
To modify a surveillance schedule
Renaming a Surveillance Schedule
To rename a surveillance schedule
Choose File Save Selected Schedule As
Deleting a Surveillance Schedule
To delete a surveillance schedule
Undoing and Redoing Changes
Saving a Surveillance Schedule
To save a surveillance schedule
Choose File Save Selected Schedule
Configuring Surveillance Groups
Creating a New Surveillance Group
To create a new surveillance group
Copying a Surveillance Group
Modifying a Surveillance Group
To modify a surveillance group
Renaming a Surveillance Group
To rename a surveillance group
Rename Surveillance Group Dialog
Deleting a Surveillance Group
To delete a surveillance group
Saving a Surveillance Group
Configuring Detection Templates
Modifying a Property Value in a Template
To change the value of a property in a detection template
To add a new value
Edit List Dialog
Edit Dialog
Suggested Best Practices
Some Template Configuration Guidelines
Setting Surveillance Schedule Timetables
Specifying When a Schedule Will Run
To specify when a schedule will run
Canceling Changes
See Saving a Surveillance Schedule
Viewing Surveillance Schedule Details
Viewing the Source of a Surveillance Schedule
To view the source of a surveillance schedule
Refreshing the Details Display
Clearing the Details Display
To clear the display
Saving the Details Display
Save Dialog
Predefined Surveillance Schedules and Groups
Predefined Surveillance Schedules
Host Manager Screen
Displaying the Host Manager Screen
Closing the Host Manager Screen
Managing Hosts
Adding New Hosts
Adding a New Host Manually
To add a new host manually
Add Host Dialog
Host Name
IP Address
Address field
Adding New Hosts from /etc/hosts
To add new hosts from /etc/hosts
Name field
Host Name and IP Address
Adding New Hosts from a File
To add new hosts from a file
Rules for Host List Files
Open Dialog
Modifying a Host
To modify a host entry
Deleting Hosts
To delete a host entry
Enabling and Disabling Hosts
To enable or disable an agent host for monitoring
Managing Tags
Add, modify or delete tags
To add a tag
To edit a tag
To delete a tag
Maintaining Host Files
Saving the Host List in the Current File
Saving the Host List in a Different File
Using Multiple Host Files
Using an Alternate Host List File
Network Node Screen
Opening a Network Node Screen
To display the Network Node screen for an agent host
Closing a Network Node Screen
Alerts Tab
HP-UX HIDS Alerts: What They Mean, What to Do
Errors Tab
HP-UX HIDS Errors: What They Mean, What to Do
Simple Version
General Operations
Selecting Entries
Selecting with the Mouse
Searching for the Next Unseen Entry
Searching for a String
Find Dialog
To search again
Deleting an Entry
To delete one or more alerts or errors
Marking Entries as Seen or Unseen
Unseen
Saving a Log File Set
Saving a New Log File Set
Network Node screen from the System Manager screen
Saving the Current Log File Set
Example: Saving the File Set over Another File Set
Save Dialog Box
Press Ctrl-A
Example: Creating a New File Set
Opening a Log File Set
Open Dialog Box
Log File Rotation
Preferences Screen
General Preferences
Option, Default, Description
Choosing Actions Status Poll from the System Manager
Actions Resync from the System Manager screen
Browser Preferences
Column Name, Default, Description
Alert Events Preferences
Column Name, Default, Description
Error Events Preferences
System Manager Subtab
Templates and Alerts
Templates
Alerts
Limitations
Property Types
Alert Summary
Table A-1 Detection Templates
Detection Template, Attack Detected, Alert, Alert Severity
Unix Regular Expressions
Examples
Limitations
Template Property Types
Type I Pathnames to Not Monitor
Type II Pathnames/Programs Pairs
Type III UIDs
Type IV UID Pairs
Type V Network Triplets
Type VI Time Strings
Type VII Flags
Type VIII Scalars
Buffer Overflow Template
Table A-2 Template Properties
Execute on Stack
Table A-3 Execute on Stack Alert Properties
Name, Type, Default Value
Unusual Argument Length
Table A-4 Unusual Argument Length Alert Properties
Argument with Non-printable Character
Race Condition Template
Table A-6 Template Properties
File Reference Modification
Table A-7 File Reference Modification Alert Properties
Privileged Setuid Script Executed
Table A-8 Setuid Script Executed Alert Properties
Modification of Files/Directories Template
Table A-9 Template Properties
Properties
File Being Modified
Table A-10 File Being Modified Alert Properties
Changes to Log File Template
Table A-11 Template Properties
Append-Only File Being Modified
Table A-12 Append-Only File Being Modified Alert Properties
Creation of Setuid File Template
Table A-13 Template Properties
Alerts generated by this template
Setuid File Created
Table A-14 Setuid File Created Alert Properties
Creation of World-Writable File Template
Table A-15 Template Properties
World-Writable File Created
Table A-16 World-writable File Created Alert Properties
Modification of Another User’s File Template
Table A-17 Template Properties
Non-owned File Being Modified
Table A-18 Non-owned File Being Modified Alert Properties
Limitations
Login/Logout Template
Table A-19 Template Properties
Login/Logout
Table A-20 Login/Logout Alert Properties
Successful su Detected
Table A-21 Successful su Detected Alert Properties
Repeated Failed Logins Template
Table A-22 Template Properties
How this template
Failed Login Attempts
Table A-23 Failed Login Attempts Alert Properties
Repeated Failed su Commands Template
Table A-24 Template Properties
Repeated Failed su Attempts
Table A-25 Repeated Failed su Attempts Alert Properties
Template Configuration Syntax
Automated Response
Response Methods
General Guidelines
Programming Notes
How Automated Response Works in HP-UX HIDS
Alert Process
Security checks
Table B-1 Additional Arguments Passed to Response Programs
Table B-3 Environment Variables Set for Response Programs
Name, Value, Description
Programming Guidelines
Writing Perl vs. Shell Response Scripts
Writing Privileged Response Programs
Solution A
Code Examples
Code for scriptA.sh
Solution B
Code for privA program
Code for privB program
Solution C
Code for privC program
Code for scriptC.sh script
#!/usr/bin/sh
Sample Response Programs
Sample C Language Program Source Code
Sample Shell Script Alert Responses
Forwarding Information
Halting any further attacks
Preservation of evidence
Restoration of a known good state
HP OpenView Operations Smart Plug-In
OVO Enablement in HP-UX HIDS
idsagent Command
Synopsis
Options
Example
idsadmin Command
Synopsis
Startup Options
Commands
Agent Configuration File
Forcing Active Agent to Reread Configuration File
Global Configuration
Table E-1 Global Configuration Variables
Name, Default Value
Data Source Process Configuration
Kernel Audit Data DSP
DSP idskernDSP Parameters
Table E-2
Remote Communication Configuration
Table E-3
Correlator Configuration Variables
Messages
Agent Messages
idsagent failed to start group
idsagent failed to reopen stderr in append mode
idsagent internal error in handling signature groups
idsagent failed to initialize configuration module
idsagent unable to setup SIGSEGV signal handler
idsagent unable to setup SIGCHLD signal handler
idsagent unable to setup SIGHUP signal handler
idsagent unable to setup signal handler
idsagent failed to execute correlator corr
idsagent error trying to shutdown a process
idsagent failed to allocate memory
idsagent failed to create schedule path filename
idsagent failed to initialize schedule in crontab
idsagent internal error: no correlator in PMStartProcesses
idsagent internal error occurred in PMStopGroup
idsagent failed to initialize schedule
idsagent out of process table space
idsagent not enough disk space to create schedule
idsagent not enough disk space to parse schedule
idsagent not enough disk space to save config file
Internal error
Internal error: unknown state
Unable to open the response script directory dir
System Manager Messages
Invalid Property Value value (Property Value Error)
Exception while opening file filename (File Save Error)
Incomplete or Invalid Entry (Data Entry Error)
Invalid Host State: Unable to disable host
Select Property to be edited (Selection Error)
No more instances of searchstring found (Find Error)
Only one property may be edited at a time (Selection Error)
Searchstring not found (Find Error)
Select Surveillance Schedule to delete (Selection Error)
Select Surveillance Group Name to delete (Selection Error)
Select Surveillance Group to copy (Selection Error)
Select Surveillance Schedule to copy (Selection Error)
Surveillance Schedule not selected (Schedule Selection Error)
Following hosts are in an invalid state for this command
Unable to Overwrite filename (File Save Error)
Unknown IP Address: unable to resolve Host Name
Unknown Host: unable to resolve IP Address IPaddress
Troubleshooting
Agent and System Manager cannot communicate with each other
$ /usr/sbin/kmtune -q enable_idds
Agent does not start on system boot
Agent needs further troubleshooting
To clean up the IDS message queues
Agent host appears to hang and/or you see message disk full
Alerts are not being displayed in the alert browser
Agent does not start after installation
Agents appear to be stuck in polling status
Alert date/time sort seems inconsistent
idsadmin needs installed agent certificates
Buffer overflow triggers false positives
Duplicate alerts appear in System Manager
IDSgenAdminKeys or idsgui quits early
IDScheckInstall fails with a kmtune error
Large files in /var/opt/ids
Log files are filling up
No Agent Available
Schedule Manager timetable screen appears to hang
SSH does not perform a clean exit after idsagent is started
System Manager appears to hang
System Manager does not start after idsgui is started
Using HP-UX HIDS with IPFilter and SecureShell
Unknown program and arguments in certain alert messages
IPFilter rules for HP-UX HIDS
How to allow the SecureShell daemon to forward X11 traffic
HP Software License
OpenSSL License
Original SSLeay License
HP Software License Terms