Manuals / HP / Computer Equipment / Software

HP Host Intrusion Detection System (HIDS) manual 150

Models: Host Intrusion Detection System (HIDS)

1 270

Download 270 pages 6.58 Kb

Page 162

Templates and Alerts

Modiﬁcation of Files/Directories Template

Table A-10		File Being Modiﬁed Alert Properties (Continued)

	Response	Alert	Alert
	Program	Alert	Field	Alert Value/Format	Description
	Program	Field	Field	Alert Value/Format	Description
	Argument	Field	Type
	Argument		Type

	argv[8]	Details	String	“User with uid<uid> <performed action on	Detailed alert
				the ﬁle> <full pathname> (type=<type>,	description
				inode=<inode>, device=<device>) when
				executing
				<program>(type=<type>,inode=<inode>,devi
				ce=<device>), invoked as follows:
				<argv[0]><argv[1]>..., as process with pid
				<pid> and ppid <ppid> and running with
				effective uid=<euid> and with effective
				gid=<egid>.
				where <performed action on the ﬁle> is set
				to one of the following:
				"changed the owner of"
				"changed the permission of"
				"opened for modiﬁcation/truncation"
				"renamed the ﬁle"
				"created the ﬁle (and overwrote any existing
				ﬁle) named"
				"truncated the ﬁle"
				"created as a hard link"
				"created as a symbolic link"
				"created the directory"
				"created the ﬁle"
				"created the character special ﬁle"
				"created the block special ﬁle"
				“created the pipe (ﬁfo) ﬁle”
				"deleted the ﬁle"
				"deleted the directory"
				"performed system call <#> on the ﬁle"

	argv[9]	Local	Integer	<secs>	Local time in
		Time			number of seconds
					since epoch when
					ﬁle is modiﬁed.

150	Appendix A

Image 162

HP Host Intrusion Detection System (HIDS) manual 150

Contents

HP-UX Host Intrusion Detection System Administrator’s Guide EditionManufacturing Part Number J5083-90013 December Warranty Government LicenseTrademarks IiiConventions Contents System Manager Screen Schedule Manager ScreenHost Manager Screen Network Node ScreenVii Preferences Screen Templates and AlertsViii Automated Response Idsagent CommandIdsadmin Command Agent Conﬁguration FileTroubleshooting MessagesHP Software License Original SSLeay License HP Software License Terms Xii Overview Summary DocumentationLoss of Intellectual Property Why Do You Need Intrusion Detection?Loss of Financial Assets Loss of Computing ResourcesMisplaced Trust Who Are the Perpetrators?How Are These Threats Realized? Malicious CodeBeing Used as a Springboard to Attack the Next Victim Why Existing Tools Are Only Part of the SolutionExcessive Privilege for Simple Tasks FirewallsEncryption Security Auditing ToolsWhere Does Intrusion Detection Fit In? What Is Intrusion Detection?What HP-UX Hids Does What HP-UX Hids Does Not Do HP-UX Hids Components Graphic RepresentationHow the Components Interact to Detect Intrusions HP-UX Hids ComponentsSurveillance Groups HP-UX Hids Secure CommunicationsDetection Templates Surveillance SchedulesGlossary of HP-UX Hids Terms Kernel Intrusion Detection DataIntrusion Detection System NodeSystem Manager VirusVulnerability Glossary of HP-UX Hids Terms Chapter Conﬁguration Conﬁguration Introduction RequiredOptional Script to Use Where Used End Product Setting Up the HP-UX Hids Secure CommunicationsOverview of Procedures to Set Up Secure Communications Create the X.509 Certiﬁcates$ IDSgenAdminKeys install $ IDSgenAgentCerts TIP Transport the CertiﬁcatesInstall the Keys on Each Host $ IDSimportAgentKeys /var/opt/ids/tmp/myhost1.tar.Z myadminConﬁguring a Multihomed Agent System StepExample $ nslookup large2Conﬁguring a Multihomed Administration System To conﬁgure a multihomed administration systemEdit the agent conﬁguration ﬁle for example Conﬁguring a Loopback System To conﬁgure a loopback systemConﬁguring Ports Working with NISWorking with Firewalls To change the value of maxthreadproc Enabling Large Numbers of AgentsEnabling Over 23 Agents Thread Limits Select Kernel Conﬁguration Select Conﬁgurable ParametersEnabling Over 20 Inbound Requests To view and change the value of tcpconnrequestmaxRuntime File Permissions Accessing ManpagesRestricting Permissions Files PermissionsAccessing Manpages Chapter Getting Started Getting Started Agents System ManagerSet up hosts and run schedules Starting HP-UX Hids for the First TimeSee , Host Manager Screen, on Host Manager Operations ScreensSchedule Manager Network NodeSearching Entries Basic Screen ActionsSelecting Entries in Lists Sorting EntriesBasic Screen Actions Chapter System Manager Screen System Manager Screen System Manager Screen To start the HP-UX Hids System Manager Starting the HP-UX Hids System ManagerStopping the HP-UX Hids System Manager To stop the HP-UX Hids System ManagerOn the System Manager Screen Status Field ValuesStatus Value Description Getting the Status of Agent Hosts To get the status of agent hostsOn the System Manager screen Resynchronizing Agent Hosts To resynchronize agent hostsActivating a Schedule on Agent Hosts To activate a surveillance schedule on agent hostsChoose the Actions Activate Schedule menu item Stopping Schedules on Agent Hosts To stop a surveillance schedule on agent hostsStarting HP-UX Hids Agents To start the agentHalting HP-UX Hids Agents To halt agents remotely from the System ManagerTo halt the agent locally on the agent host Go to Host Manager Screen Accessing Other ScreensGo to Schedule Manager Screen To go to the Schedule Manager screenGo to Network Node Screen Go to Preferences ScreenReturn to System Manager Screen Accessing Other Screens Chapter Schedule Manager Screen Schedule Manager Screen Schedule Manager Creating a Surveillance Schedule To create a surveillance scheduleTo display the Schedule Manager screen Displaying the Schedule Manager ScreenClosing the Schedule Manager Screen To close the Schedule Manager screenCopying a Surveillance Schedule Conﬁguring Surveillance SchedulesCreating a New Surveillance Schedule To create a new surveillance scheduleModifying a Surveillance Schedule To modify a surveillance scheduleRenaming a Surveillance Schedule To rename a surveillance scheduleChoose File Save Selected Schedule As Deleting a Surveillance Schedule Undoing and Redoing ChangesTo delete a surveillance schedule Saving a Surveillance Schedule To save a surveillance scheduleChoose File Save Selected Schedule Copying a Surveillance Group Conﬁguring Surveillance GroupsCreating a New Surveillance Group To create a new surveillance groupModifying a Surveillance Group To modify a surveillance groupRenaming a Surveillance Group Rename Surveillance Group DialogTo rename a surveillance group Deleting a Surveillance Group Saving a Surveillance GroupTo delete a surveillance group Conﬁguring Detection Templates Modifying a Property Value In a TemplateTo change the value of a property in a detection template Edit List Dialog To add a new valueSuggested Best Practices 11Edit Dialog EditSome Template Conﬁguration Guidelines Setting Surveillance Schedule Timetables Specifying When a Schedule Will Run To specify when a schedule will runCanceling Changes See Saving a Surveillance Schedule on Refreshing the Details Display Viewing Surveillance Schedule DetailsViewing the Source of a Surveillance Schedule To view the source of a surveillance scheduleSave Dialog Clearing the Details DisplaySaving the Details Display To clear the displayPredeﬁned Surveillance Schedules and Groups Predeﬁned Surveillance SchedulesPredeﬁned Surveillance Schedules Host Manager Screen Host Manager Screen Managing Hosts Displaying the Host Manager ScreenClosing the Host Manager Screen Add Host Dialog Adding New HostsAdding a New Host Manually To add a new host manuallyHost Name Address ﬁeldIP Address Host Name and IP Address Adding New Hosts from /etc/hostsName ﬁeld To add new hosts from /etc/hostsOpen Dialog Adding New Hosts from a FileRules for Host Lists Files To add new hosts from a ﬁleModifying a Host To modify a host entryDeleting Hosts To delete a host entryTo enable or disable an agent host for monitoring Enabling and Disabling HostsManaging Tags Add, modify or delete tags To add a tagTo edit a tag To delete a tagMaintaining Host Files Saving the Host List in the Current FileSaving the Host List in a Different File Using an Alternate Host List File Using Multiple Host FilesMaintaining Host Files Chapter Network Node Screen 100 Closing a Network Node Screen Network Node ScreenOpening a Network Node Screen To display the Network Node screen for an agent hostAlerts Tab 102HP-UX Hids Alerts What They Mean, What to Do Errors Tab HP-UX Hids Errors What They Mean, What to Do104 Selecting with the Mouse General OperationsSelecting Entries Simple VersionSearching for the Next Unseen Entry Searching for a StringFind Dialog Marking Entries as Seen or Unseen To delete one or more alerts or errorsDeleting an Entry To search againUnseen 108Saving the Current Log File Set Saving a Log File SetNetwork Node screen from the System Manager screen Saving a New Log File SetExample Creating a New File Set Save Dialog BoxPress Ctrl-A Example Saving the File Set over Another File SetOpening a Log File Set Log File RotationOpen Dialog Box 112 Preferences Screen 114 Preferences Screen To choosing Actions Status Poll from the System Manager Option Default DescriptionGeneral Preferences 116Actions Resync from the System Manager screen Alert Events Preferences Column Name Default DescriptionBrowser Preferences 118Error Events Preferences Column Default Description NameSystem Manager Subtab 120Templates and Alerts Property Types AlertsLimitations TemplatesAlert Summary Table A-1 Detection TemplatesAttack Detected Alert Alert Severity Detection Template 124 Appendix a 125 Unix Regular Expressions Examples126 Appendix a 127 Limitations 128Template Property Types Type I Pathnames to Not MonitorType II Pathnames/Programs Pairs 130Type III UIDs Type IV UID PairsType V Network Triplets Type VI Time Strings132 Type VII Flags Type Viii ScalarsBuffer Overﬂow Template 134Table A-2 Template Properties Name Type Default ValueExecute on Stack Table A-3 Execute on Stack Alert Properties136 Unusual Argument Length Table A-4 Unusual Argument Length Alert PropertiesArgument with Non-printable Character 138Appendix a 139 140 Race Condition Template Table A-6 Template PropertiesFile Reference Modiﬁcation Table A-7 File Reference Modiﬁcation Alert Properties142 Appendix a 143 Privileged Setuid Script Executed Table A-8 Setuid Script Executed Alert Properties144 Appendix a 145 Modiﬁcation of Files/Directories Template Table A-9 Template Properties146 Properties 148 File Being Modiﬁed Table A-10 File Being Modiﬁed Alert Properties150 Appendix a 151 Changes to Log File Template Table A-11 Template Properties152 Append-Only File Being Modiﬁed Table A-12 Append-Only File Being Modiﬁed Alert Properties154 Alerts generated Creation of Setuid File TemplateTable A-13 Template Properties By this templateSetuid File Created Table A-14 Setuid File Created Alert Properties156 Appendix a 157 Creation of World-Writable File Template Table A-15 Template Properties158 World-Writable File Created Table A-16 World-writable File Created Alert Properties160 Appendix a 161 162 Modiﬁcation of Another User’s File Template Table A-17 Template PropertiesNon-owned File Being Modiﬁed Table A-18 Non-owned File Being Modiﬁed Alert Properties164 Appendix a 165 Limitations 166 Login/Logout Template Table A-19 Template Properties168 Login/Logout Table A-20 Login/Logout Alert PropertiesSuccessful su Detected Table A-21 Successful su Detected Alert Properties170 Appendix a 171 172 Repeated Failed Logins Template Table A-22 Template PropertiesTemplate How this template Failed Login Attempts Table A-23 Failed Login Attempts Alert Properties174 Appendix a 175 Table A-24 Template Properties Repeated Failed su Commands TemplateRepeated Failed su Attempts Table A-25 Repeated Failed Su Attempts Alert PropertiesAppendix a 177 Template Conﬁguration Syntax 178Appendix a 179 180 Automated Response 182 General Guidelines Response Methods184 Security checks How Automated Response Works in HP-UX HidsAlert Process Programming NotesTable B-1 Additional Arguments Passed to Response Programs 186Appendix B 187 Table B-3 Environment Variables Set for Response Programs Name Value Description188 Appendix B 189 Writing Privileged Response Programs Programming GuidelinesWriting Perl vs. Shell Response Scripts 190Solution a Code ExamplesCode for scriptA.sh Code for PrivB program Solution BCode for privA program 192Solution C Code for privC program Code for scriptC.sh script #!/usr/bin/sh194 Sample Response Programs Sample C Language Program Source CodeSample Shell Script Alert Responses Forwarding Information 196Appendix B 197 Halting any further attacks 198Appendix B 199 Preservation of evidence 200Appendix B 201 Restoration of a known good state 202OVO Enablement in HP-UX Hids HP OpenView Operations Smart Plug-In204 Idsagent Command 206 Idsagent Command Synopsis OptionsExample 208Idsadmin Command 210 Idsadmin Command Synopsis Startup OptionsCommands 212Agent Conﬁguration File 214 Agent Conﬁguration File Forcing Active Agent to Reread Conﬁguration FileTable E-1 Global Conﬁguration Variables Name Default ValueGlobal Conﬁguration 216Table E-2 Data Source Process ConﬁgurationKernel Audit Data DSP DSP idskernDSP Parameters218 Remote Communication Conﬁguration Table E-3Correlator Conﬁguration Variables 220 Messages 222 Agent Messages Idsagent failed to initialize conﬁguration module Idsagent failed to reopen stderr in append modeIdsagent internal error in handling signature groups Idsagent failed to start groupIdsagent unable to setup signal handler Idsagent unable to setup Sigchld signal handlerIdsagent unable to setup Sighup signal handler Idsagent unable to setup Sigsegv signal handlerIdsagent failed to create schedule path ﬁlename Idsagent error trying to shutdown a processIdsagent failed to allocate memory Idsagent failed to execute correlator corrIdsagent failed to initialize schedule Idsagent internal error no correlator in PMStartProcessesIdsagent internal error occurred in PMStopGroup Idsagent failed to initialize schedule in crontabIdsagent not enough disk space to save conﬁg ﬁle Idsagent not enough disk space to create scheduleIdsagent not enough disk space to parse schedule Idsagent out of process table spaceInternal error Internal error unknown stateUnable to open the response script directory dir System Manager Messages Invalid Host State Unable to disable host Exception while opening ﬁle filename File Save ErrorIncomplete or Invalid Entry Data Entry Error Invalid Property Value value Property Value ErrorSearchstring not found Find Error No more instances of searchstring found Find ErrorOnly one property may be edited at a time Selection Error Select Property to be edited Selection ErrorSelect Surveillance Schedule to copy Selection Error Select Surveillance Group Name to delete Selection ErrorSelect Surveillance Group to copy Selection Error Select Surveillance Schedule to delete Selection ErrorUnable to Overwrite filename File Save Error Surveillance Schedule not selected Schedule Selection ErrorFollowing hosts are in an invalid state for this command 234Unknown Host unable to resolve IP Address IPaddress Unknown IP Address unable to resolve Host Name236 Troubleshooting 238 Appendix G 239 Troubleshooting Agent and System Manager cannot communicate with each other240 Agent does not start on system boot $ /usr/sbin/kmtune -q enableiddsAgent host appears to hang and/or you see message disk full Agent needs further troubleshootingTo clean up the IDS message queues 242Alert date/time sort seems inconsistent Agent does not start after installationAgents appear to be stuck in polling status Alerts are not being displayed in the alert browserDuplicate alerts appear in System Manager Idsadmin needs installed agent certiﬁcatesBuffer overﬂow triggers false positives 244IDScheckInstall fails with a kmtune error IDSgenAdminKeys or idsgui quits earlyNo Agent Available Large ﬁles in /var/opt/idsLog ﬁles are ﬁlling up 246SSH does not perform a clean exit after idsgent is started Schedule Manager timetable screen appears to hangSystem Manager appears to hang System Manager does not start after idsgui is started248 Using HP-UX Hids with IPFilter and SecureShell Unknown program and arguments in certain alert messagesIPFilter rules for HP-UX Hids How to allow the SecureShell daemon to forward X11 trafﬁc 250Appendix G 251 252 HP Software License Appendix H 253OpenSSL License 254Original SSLeay License Appendix H 255256 HP Software License Terms 258