HP Host Intrusion Detection System (HIDS) Automated Response, Idsagent Command, Idsadmin Command


Contents

Modification of Another User's File Template . . . . 163
Non-owned File Being Modified . . . . 164
Login/Logout Template . . . . 167
Login/Logout . . . . 169
Successful su Detected . . . . 170
Repeated Failed Logins Template . . . . 173
Failed Login Attempts . . . . 174
Repeated Failed su Commands Template . . . . 176
Repeated Failed su Attempts . . . . 176
Template Configuration Syntax . . . . 178

B. Automated Response

Summary . . . . 182
Introduction . . . . 183
General Guidelines . . . . 183
Response Methods . . . . 183
How Automated Response Works in HP-UX HIDS . . . . 185
The Alert Process . . . . 185
Security checks . . . . 185
Programming Notes . . . . 185
Programming Guidelines . . . . 190
Writing Perl vs. Shell Response Scripts . . . . 190
Writing Privileged Response Programs . . . . 190
Code Examples . . . . 191
Sample Response Programs . . . . 195
Sample C Language Program Source Code . . . . 195
Sample Shell Script Alert Responses . . . . 195
HP OpenView Operations SMART Plug-In . . . . 203
OVO Enablement in HP-UX HIDS . . . . 203

C. The idsagent Command

Summary . . . . 206
The idsagent Command . . . . 207

D. The idsadmin Command

Summary . . . . 210
The idsadmin Command . . . . 211

E. The Agent Configuration File

Summary . . . . 214
The Agent Configuration File . . . . 215
Forcing Active Agent to Reread Configuration File . . . . 215
Log File Rotation . . . . 215
Global Configuration . . . . 216
Data Source Process Configuration . . . . 217
Kernel Audit Data DSP . . . . 217

ix
