HP Host Intrusion Detection System (HIDS) manual Opening a Network Node Screen

Page 113

Network Node Screen

Network Node Screen

Network Node Screen

The Network Node screen contains lists of alerts and errors that have been detected by the related agent. Click the Alerts or Errors tab to see the lists and details panels.

Alerts are recorded on the agent host system in the ﬁle /var/opt/ids/alert.log. Errors are recorded on the agent host system in the ﬁle /var/opt/ids/error.log.

When the System Manager is running and the agent is active, copies of the alert records are sent to the administration system and added to a ﬁle named /var/opt/ids/gui/logs/hostname_alert.log, where hostname is the name of the agent host as displayed on the Host Manager screen. Error records are copied to /var/opt/ids/gui/logs/hostname_error.log.

When the System Manager is not running, the alerts and errors are not transmitted but are still stored locally.

When the Network Node screen is selected for an active agent host, it displays all the alert and error messages that are in the standard System Manager log ﬁles for the agent. If the agent host is resynchronized from the System Manager screen, the Network Node screen also displays all the previous alerts and errors that have been received from the agent. See “Resynchronizing Agent Hosts” on page 49 for more information.

Earlier alerts and errors may also be viewed by opening the log ﬁle set directly. See “Opening a Log File Set” on page 111.

By default, only the most important error messages are logged by the agent and sent to the System Manager. More detailed error logs are possible. See “The idsagent Command” on page 207 for details.

Opening a Network Node Screen

To display the Network Node screen for an agent host

Step 1. Go to the System Manager screen and do one of:

•Select a host in the Monitored Nodes list and choose the View > Network Node menu item

•Select a host in the Monitored Nodes list and press Ctrl-B

•Double-left-clickan entry in the Monitored Nodes list

The Network Node screen is displayed with the selected host name in the title bar (Figure 7-1 on page 102 or Figure 7-2 on page 104).

Closing a Network Node Screen

To close a Network Node screen

Step 1. On the Network Node screen, do one of:

•Choose the File > Close menu item

•Press Ctrl-C

If unsaved changes have been made to an open ﬁle set, they are saved automatically.

Chapter 7

101

Image 113

Contents Manufacturing Part Number J5083-90013 December HP-UX Host Intrusion Detection System Administrator’s GuideEdition Government License WarrantyIii TrademarksConventions Contents Schedule Manager Screen System Manager ScreenVii Host Manager ScreenNetwork Node Screen Viii Preferences ScreenTemplates and Alerts Idsadmin Command Idsagent CommandAutomated Response Agent Conﬁguration FileHP Software License TroubleshootingMessages Original SSLeay License HP Software License Terms Xii Overview Documentation SummaryLoss of Financial Assets Why Do You Need Intrusion Detection?Loss of Intellectual Property Loss of Computing ResourcesHow Are These Threats Realized? Who Are the Perpetrators?Misplaced Trust Malicious CodeExcessive Privilege for Simple Tasks Why Existing Tools Are Only Part of the SolutionBeing Used as a Springboard to Attack the Next Victim FirewallsSecurity Auditing Tools EncryptionWhat Is Intrusion Detection? Where Does Intrusion Detection Fit In?What HP-UX Hids Does What HP-UX Hids Does Not Do Graphic Representation HP-UX Hids ComponentsHP-UX Hids Components How the Components Interact to Detect IntrusionsDetection Templates HP-UX Hids Secure CommunicationsSurveillance Groups Surveillance SchedulesGlossary of HP-UX Hids Terms Intrusion Detection System Intrusion Detection DataKernel NodeVulnerability System ManagerVirus Glossary of HP-UX Hids Terms Chapter Conﬁguration Conﬁguration Optional IntroductionRequired Overview of Procedures to Set Up Secure Communications Setting Up the HP-UX Hids Secure CommunicationsScript to Use Where Used End Product Create the X.509 Certiﬁcates$ IDSgenAdminKeys install $ IDSgenAgentCerts Transport the Certiﬁcates TIP$ IDSimportAgentKeys /var/opt/ids/tmp/myhost1.tar.Z myadmin Install the Keys on Each HostStep Conﬁguring a Multihomed Agent System$ nslookup large2 ExampleTo conﬁgure a multihomed administration system Conﬁguring a Multihomed Administration SystemEdit the agent conﬁguration ﬁle for example To conﬁgure a loopback system Conﬁguring a Loopback SystemWorking with Firewalls Conﬁguring PortsWorking with NIS Enabling Over 23 Agents Thread Limits Enabling Large Numbers of AgentsTo change the value of maxthreadproc Select Kernel Conﬁguration Select Conﬁgurable ParametersTo view and change the value of tcpconnrequestmax Enabling Over 20 Inbound RequestsRestricting Permissions Accessing ManpagesRuntime File Permissions Files PermissionsAccessing Manpages Chapter Getting Started Getting Started System Manager AgentsStarting HP-UX Hids for the First Time Set up hosts and run schedulesSee , Host Manager Screen, on Schedule Manager Operations ScreensHost Manager Network NodeSelecting Entries in Lists Basic Screen ActionsSearching Entries Sorting EntriesBasic Screen Actions Chapter System Manager Screen System Manager Screen System Manager Screen Stopping the HP-UX Hids System Manager Starting the HP-UX Hids System ManagerTo start the HP-UX Hids System Manager To stop the HP-UX Hids System ManagerStatus Value Description On the System Manager ScreenStatus Field Values On the System Manager screen Getting the Status of Agent HostsTo get the status of agent hosts To resynchronize agent hosts Resynchronizing Agent HostsChoose the Actions Activate Schedule menu item Activating a Schedule on Agent HostsTo activate a surveillance schedule on agent hosts To stop a surveillance schedule on agent hosts Stopping Schedules on Agent HostsTo start the agent Starting HP-UX Hids AgentsTo halt the agent locally on the agent host Halting HP-UX Hids AgentsTo halt agents remotely from the System Manager Go to Schedule Manager Screen Accessing Other ScreensGo to Host Manager Screen To go to the Schedule Manager screenReturn to System Manager Screen Go to Network Node ScreenGo to Preferences Screen Accessing Other Screens Chapter Schedule Manager Screen Schedule Manager Screen Schedule Manager To create a surveillance schedule Creating a Surveillance ScheduleClosing the Schedule Manager Screen Displaying the Schedule Manager ScreenTo display the Schedule Manager screen To close the Schedule Manager screenCreating a New Surveillance Schedule Conﬁguring Surveillance SchedulesCopying a Surveillance Schedule To create a new surveillance scheduleTo modify a surveillance schedule Modifying a Surveillance ScheduleChoose File Save Selected Schedule As Renaming a Surveillance ScheduleTo rename a surveillance schedule To delete a surveillance schedule Deleting a Surveillance ScheduleUndoing and Redoing Changes Choose File Save Selected Schedule Saving a Surveillance ScheduleTo save a surveillance schedule Creating a New Surveillance Group Conﬁguring Surveillance GroupsCopying a Surveillance Group To create a new surveillance groupTo modify a surveillance group Modifying a Surveillance GroupTo rename a surveillance group Renaming a Surveillance GroupRename Surveillance Group Dialog To delete a surveillance group Deleting a Surveillance GroupSaving a Surveillance Group To change the value of a property in a detection template Conﬁguring Detection TemplatesModifying a Property Value In a Template To add a new value Edit List Dialog11Edit Dialog Edit Suggested Best PracticesSome Template Conﬁguration Guidelines Setting Surveillance Schedule Timetables To specify when a schedule will run Specifying When a Schedule Will RunCanceling Changes See Saving a Surveillance Schedule on Viewing the Source of a Surveillance Schedule Viewing Surveillance Schedule DetailsRefreshing the Details Display To view the source of a surveillance scheduleSaving the Details Display Clearing the Details DisplaySave Dialog To clear the displayPredeﬁned Surveillance Schedules Predeﬁned Surveillance Schedules and GroupsPredeﬁned Surveillance Schedules Host Manager Screen Host Manager Screen Displaying the Host Manager Screen Managing HostsClosing the Host Manager Screen Adding a New Host Manually Adding New HostsAdd Host Dialog To add a new host manuallyIP Address Host NameAddress ﬁeld Name ﬁeld Adding New Hosts from /etc/hostsHost Name and IP Address To add new hosts from /etc/hostsRules for Host Lists Files Adding New Hosts from a FileOpen Dialog To add new hosts from a ﬁleTo modify a host entry Modifying a HostTo delete a host entry Deleting HostsEnabling and Disabling Hosts To enable or disable an agent host for monitoringAdd, modify or delete tags To add a tag Managing TagsTo delete a tag To edit a tagSaving the Host List in a Different File Maintaining Host FilesSaving the Host List in the Current File Using Multiple Host Files Using an Alternate Host List FileMaintaining Host Files Chapter Network Node Screen 100 Opening a Network Node Screen Network Node ScreenClosing a Network Node Screen To display the Network Node screen for an agent host102 Alerts TabHP-UX Hids Alerts What They Mean, What to Do 104 Errors TabHP-UX Hids Errors What They Mean, What to Do Selecting Entries General OperationsSelecting with the Mouse Simple VersionFind Dialog Searching for the Next Unseen EntrySearching for a String Deleting an Entry To delete one or more alerts or errorsMarking Entries as Seen or Unseen To search again108 UnseenNetwork Node screen from the System Manager screen Saving a Log File SetSaving the Current Log File Set Saving a New Log File SetPress Ctrl-A Save Dialog BoxExample Creating a New File Set Example Saving the File Set over Another File SetOpen Dialog Box Opening a Log File SetLog File Rotation 112 Preferences Screen 114 Preferences Screen General Preferences Option Default DescriptionTo choosing Actions Status Poll from the System Manager 116Actions Resync from the System Manager screen Browser Preferences Column Name Default DescriptionAlert Events Preferences 118Column Default Description Name Error Events Preferences120 System Manager SubtabTemplates and Alerts Limitations AlertsProperty Types TemplatesAttack Detected Alert Alert Severity Detection Template Alert SummaryTable A-1 Detection Templates 124 Appendix a 125 126 Unix Regular ExpressionsExamples Appendix a 127 128 LimitationsType I Pathnames to Not Monitor Template Property Types130 Type II Pathnames/Programs PairsType IV UID Pairs Type III UIDs132 Type V Network TripletsType VI Time Strings Type Viii Scalars Type VII Flags134 Buffer Overﬂow TemplateExecute on Stack Name Type Default ValueTable A-2 Template Properties Table A-3 Execute on Stack Alert Properties136 Table A-4 Unusual Argument Length Alert Properties Unusual Argument Length138 Argument with Non-printable CharacterAppendix a 139 140 Table A-6 Template Properties Race Condition Template142 File Reference ModiﬁcationTable A-7 File Reference Modiﬁcation Alert Properties Appendix a 143 144 Privileged Setuid Script ExecutedTable A-8 Setuid Script Executed Alert Properties Appendix a 145 146 Modiﬁcation of Files/Directories TemplateTable A-9 Template Properties Properties 148 Table A-10 File Being Modiﬁed Alert Properties File Being Modiﬁed150 Appendix a 151 152 Changes to Log File TemplateTable A-11 Template Properties Table A-12 Append-Only File Being Modiﬁed Alert Properties Append-Only File Being Modiﬁed154 Table A-13 Template Properties Creation of Setuid File TemplateAlerts generated By this template156 Setuid File CreatedTable A-14 Setuid File Created Alert Properties Appendix a 157 158 Creation of World-Writable File TemplateTable A-15 Template Properties Table A-16 World-writable File Created Alert Properties World-Writable File Created160 Appendix a 161 162 Table A-17 Template Properties Modiﬁcation of Another User’s File Template164 Non-owned File Being ModiﬁedTable A-18 Non-owned File Being Modiﬁed Alert Properties Appendix a 165 Limitations 166 Table A-19 Template Properties Login/Logout Template168 Table A-20 Login/Logout Alert Properties Login/Logout170 Successful su DetectedTable A-21 Successful su Detected Alert Properties Appendix a 171 172 Template How this template Repeated Failed Logins TemplateTable A-22 Template Properties 174 Failed Login AttemptsTable A-23 Failed Login Attempts Alert Properties Appendix a 175 Repeated Failed su Attempts Repeated Failed su Commands TemplateTable A-24 Template Properties Table A-25 Repeated Failed Su Attempts Alert PropertiesAppendix a 177 178 Template Conﬁguration SyntaxAppendix a 179 180 Automated Response 182 Response Methods General Guidelines184 Alert Process How Automated Response Works in HP-UX HidsSecurity checks Programming Notes186 Table B-1 Additional Arguments Passed to Response ProgramsAppendix B 187 188 Table B-3 Environment Variables Set for Response ProgramsName Value Description Appendix B 189 Writing Perl vs. Shell Response Scripts Programming GuidelinesWriting Privileged Response Programs 190Code for scriptA.sh Solution aCode Examples Code for privA program Solution BCode for PrivB program 192Solution C 194 Code for privC programCode for scriptC.sh script #!/usr/bin/sh Sample Shell Script Alert Responses Sample Response ProgramsSample C Language Program Source Code 196 Forwarding InformationAppendix B 197 198 Halting any further attacksAppendix B 199 200 Preservation of evidenceAppendix B 201 202 Restoration of a known good stateHP OpenView Operations Smart Plug-In OVO Enablement in HP-UX Hids204 Idsagent Command 206 Synopsis Options Idsagent Command208 ExampleIdsadmin Command 210 Synopsis Startup Options Idsadmin Command212 CommandsAgent Conﬁguration File 214 Forcing Active Agent to Reread Conﬁguration File Agent Conﬁguration FileGlobal Conﬁguration Name Default ValueTable E-1 Global Conﬁguration Variables 216Kernel Audit Data DSP Data Source Process ConﬁgurationTable E-2 DSP idskernDSP Parameters218 Correlator Conﬁguration Variables Remote Communication ConﬁgurationTable E-3 220 Messages 222 Agent Messages Idsagent internal error in handling signature groups Idsagent failed to reopen stderr in append modeIdsagent failed to initialize conﬁguration module Idsagent failed to start groupIdsagent unable to setup Sighup signal handler Idsagent unable to setup Sigchld signal handlerIdsagent unable to setup signal handler Idsagent unable to setup Sigsegv signal handlerIdsagent failed to allocate memory Idsagent error trying to shutdown a processIdsagent failed to create schedule path ﬁlename Idsagent failed to execute correlator corrIdsagent internal error occurred in PMStopGroup Idsagent internal error no correlator in PMStartProcessesIdsagent failed to initialize schedule Idsagent failed to initialize schedule in crontabIdsagent not enough disk space to parse schedule Idsagent not enough disk space to create scheduleIdsagent not enough disk space to save conﬁg ﬁle Idsagent out of process table spaceUnable to open the response script directory dir Internal errorInternal error unknown state System Manager Messages Incomplete or Invalid Entry Data Entry Error Exception while opening ﬁle filename File Save ErrorInvalid Host State Unable to disable host Invalid Property Value value Property Value ErrorOnly one property may be edited at a time Selection Error No more instances of searchstring found Find ErrorSearchstring not found Find Error Select Property to be edited Selection ErrorSelect Surveillance Group to copy Selection Error Select Surveillance Group Name to delete Selection ErrorSelect Surveillance Schedule to copy Selection Error Select Surveillance Schedule to delete Selection ErrorFollowing hosts are in an invalid state for this command Surveillance Schedule not selected Schedule Selection ErrorUnable to Overwrite filename File Save Error 234Unknown IP Address unable to resolve Host Name Unknown Host unable to resolve IP Address IPaddress236 Troubleshooting 238 Appendix G 239 240 TroubleshootingAgent and System Manager cannot communicate with each other $ /usr/sbin/kmtune -q enableidds Agent does not start on system bootTo clean up the IDS message queues Agent needs further troubleshootingAgent host appears to hang and/or you see message disk full 242Agents appear to be stuck in polling status Agent does not start after installationAlert date/time sort seems inconsistent Alerts are not being displayed in the alert browserBuffer overﬂow triggers false positives Idsadmin needs installed agent certiﬁcatesDuplicate alerts appear in System Manager 244IDSgenAdminKeys or idsgui quits early IDScheckInstall fails with a kmtune errorLog ﬁles are ﬁlling up Large ﬁles in /var/opt/idsNo Agent Available 246Schedule Manager timetable screen appears to hang SSH does not perform a clean exit after idsgent is started248 System Manager appears to hangSystem Manager does not start after idsgui is started IPFilter rules for HP-UX Hids Using HP-UX Hids with IPFilter and SecureShellUnknown program and arguments in certain alert messages 250 How to allow the SecureShell daemon to forward X11 trafﬁcAppendix G 251 252 Appendix H 253 HP Software License254 OpenSSL LicenseAppendix H 255 Original SSLeay License256 HP Software License Terms 258

Related manuals

Manual 55 pages 31.55 Kb

Manual 20 pages 7.92 Kb