Manuals / HP / Computer Equipment / Software

HP Host Intrusion Detection System (HIDS) manual Preservation of evidence, 200

Models: Host Intrusion Detection System (HIDS)

1 270

Download 270 pages 6.58 Kb

Page 212

Automated Response

Sample Response Programs

NOTE

IMPORTANT

Preservation of evidence

Consult your local legal counsel to determine what steps must be taken to preserve evidence for use in court. The example scripts presented below do not meet the legal requirements for preservation of evidence.

Putting a process to sleep It may be necessary to preserve the evidence of an intrusion for later analysis. In this example, a process which has caused an alert will be stopped. Any activity by the process will be halted; the process's memory image can be analyzed at a later time.

This script requires privilege and should not be installed as a setuid privileged script. This script is for illustration purposes only. Please refer to “Writing Privileged Response Programs” on page 190 for help on how to safely write a privileged response program.

#!/usr/bin/sh

##Sample HP-UX HIDS alert response script

##Stop a process which has performed an intrusive activity. RECIPIENT=”root”

#If we have a file modification alert if [ $1 = “2” ]

then

#and if the target of the attack is the password file if [ ${17} = “/etc/passwd” ]; then

#obtain the process id from the alert pid=${11}

echo “Critical intrusion: halting process ${pid} running ${24} t hat modified /etc/passwd” \

/usr/bin/mailx -s “$7” ${RECIPIENT} kill -STOP ${pid}

fi

fi

200	Appendix B

Image 212

HP Host Intrusion Detection System (HIDS) manual Preservation of evidence, 200

Contents

Manufacturing Part Number J5083-90013 December HP-UX Host Intrusion Detection System Administrator’s GuideEdition Warranty Government LicenseTrademarks IiiConventions Contents System Manager Screen Schedule Manager ScreenVii Host Manager ScreenNetwork Node Screen Viii Preferences ScreenTemplates and Alerts Idsagent Command Idsadmin CommandAutomated Response Agent Conﬁguration FileHP Software License TroubleshootingMessages Original SSLeay License HP Software License Terms Xii Overview Summary DocumentationWhy Do You Need Intrusion Detection? Loss of Financial AssetsLoss of Intellectual Property Loss of Computing ResourcesWho Are the Perpetrators? How Are These Threats Realized?Misplaced Trust Malicious CodeWhy Existing Tools Are Only Part of the Solution Excessive Privilege for Simple TasksBeing Used as a Springboard to Attack the Next Victim FirewallsEncryption Security Auditing ToolsWhere Does Intrusion Detection Fit In? What Is Intrusion Detection?What HP-UX Hids Does What HP-UX Hids Does Not Do HP-UX Hids Components Graphic RepresentationHow the Components Interact to Detect Intrusions HP-UX Hids ComponentsHP-UX Hids Secure Communications Detection TemplatesSurveillance Groups Surveillance SchedulesGlossary of HP-UX Hids Terms Intrusion Detection Data Intrusion Detection SystemKernel NodeVulnerability System ManagerVirus Glossary of HP-UX Hids Terms Chapter Conﬁguration Conﬁguration Optional IntroductionRequired Setting Up the HP-UX Hids Secure Communications Overview of Procedures to Set Up Secure CommunicationsScript to Use Where Used End Product Create the X.509 Certiﬁcates$ IDSgenAdminKeys install $ IDSgenAgentCerts TIP Transport the CertiﬁcatesInstall the Keys on Each Host $ IDSimportAgentKeys /var/opt/ids/tmp/myhost1.tar.Z myadminConﬁguring a Multihomed Agent System StepExample $ nslookup large2Conﬁguring a Multihomed Administration System To conﬁgure a multihomed administration systemEdit the agent conﬁguration ﬁle for example Conﬁguring a Loopback System To conﬁgure a loopback systemWorking with Firewalls Conﬁguring PortsWorking with NIS Enabling Large Numbers of Agents Enabling Over 23 Agents Thread LimitsTo change the value of maxthreadproc Select Kernel Conﬁguration Select Conﬁgurable ParametersEnabling Over 20 Inbound Requests To view and change the value of tcpconnrequestmaxAccessing Manpages Restricting PermissionsRuntime File Permissions Files PermissionsAccessing Manpages Chapter Getting Started Getting Started Agents System ManagerSet up hosts and run schedules Starting HP-UX Hids for the First TimeSee , Host Manager Screen, on Operations Screens Schedule ManagerHost Manager Network NodeBasic Screen Actions Selecting Entries in ListsSearching Entries Sorting EntriesBasic Screen Actions Chapter System Manager Screen System Manager Screen System Manager Screen Starting the HP-UX Hids System Manager Stopping the HP-UX Hids System ManagerTo start the HP-UX Hids System Manager To stop the HP-UX Hids System ManagerStatus Value Description On the System Manager ScreenStatus Field Values On the System Manager screen Getting the Status of Agent HostsTo get the status of agent hosts Resynchronizing Agent Hosts To resynchronize agent hostsChoose the Actions Activate Schedule menu item Activating a Schedule on Agent HostsTo activate a surveillance schedule on agent hosts Stopping Schedules on Agent Hosts To stop a surveillance schedule on agent hostsStarting HP-UX Hids Agents To start the agentTo halt the agent locally on the agent host Halting HP-UX Hids AgentsTo halt agents remotely from the System Manager Accessing Other Screens Go to Schedule Manager ScreenGo to Host Manager Screen To go to the Schedule Manager screenReturn to System Manager Screen Go to Network Node ScreenGo to Preferences Screen Accessing Other Screens Chapter Schedule Manager Screen Schedule Manager Screen Schedule Manager Creating a Surveillance Schedule To create a surveillance scheduleDisplaying the Schedule Manager Screen Closing the Schedule Manager ScreenTo display the Schedule Manager screen To close the Schedule Manager screenConﬁguring Surveillance Schedules Creating a New Surveillance ScheduleCopying a Surveillance Schedule To create a new surveillance scheduleModifying a Surveillance Schedule To modify a surveillance scheduleChoose File Save Selected Schedule As Renaming a Surveillance ScheduleTo rename a surveillance schedule To delete a surveillance schedule Deleting a Surveillance ScheduleUndoing and Redoing Changes Choose File Save Selected Schedule Saving a Surveillance ScheduleTo save a surveillance schedule Conﬁguring Surveillance Groups Creating a New Surveillance GroupCopying a Surveillance Group To create a new surveillance groupModifying a Surveillance Group To modify a surveillance groupTo rename a surveillance group Renaming a Surveillance GroupRename Surveillance Group Dialog To delete a surveillance group Deleting a Surveillance GroupSaving a Surveillance Group To change the value of a property in a detection template Conﬁguring Detection TemplatesModifying a Property Value In a Template Edit List Dialog To add a new valueSuggested Best Practices 11Edit Dialog EditSome Template Conﬁguration Guidelines Setting Surveillance Schedule Timetables Specifying When a Schedule Will Run To specify when a schedule will runCanceling Changes See Saving a Surveillance Schedule on Viewing Surveillance Schedule Details Viewing the Source of a Surveillance ScheduleRefreshing the Details Display To view the source of a surveillance scheduleClearing the Details Display Saving the Details DisplaySave Dialog To clear the displayPredeﬁned Surveillance Schedules and Groups Predeﬁned Surveillance SchedulesPredeﬁned Surveillance Schedules Host Manager Screen Host Manager Screen Managing Hosts Displaying the Host Manager ScreenClosing the Host Manager Screen Adding New Hosts Adding a New Host ManuallyAdd Host Dialog To add a new host manuallyIP Address Host NameAddress ﬁeld Adding New Hosts from /etc/hosts Name ﬁeldHost Name and IP Address To add new hosts from /etc/hostsAdding New Hosts from a File Rules for Host Lists FilesOpen Dialog To add new hosts from a ﬁleModifying a Host To modify a host entryDeleting Hosts To delete a host entryTo enable or disable an agent host for monitoring Enabling and Disabling HostsManaging Tags Add, modify or delete tags To add a tagTo edit a tag To delete a tagSaving the Host List in a Different File Maintaining Host FilesSaving the Host List in the Current File Using an Alternate Host List File Using Multiple Host FilesMaintaining Host Files Chapter Network Node Screen 100 Network Node Screen Opening a Network Node ScreenClosing a Network Node Screen To display the Network Node screen for an agent hostAlerts Tab 102HP-UX Hids Alerts What They Mean, What to Do 104 Errors TabHP-UX Hids Errors What They Mean, What to Do General Operations Selecting EntriesSelecting with the Mouse Simple VersionFind Dialog Searching for the Next Unseen EntrySearching for a String To delete one or more alerts or errors Deleting an EntryMarking Entries as Seen or Unseen To search againUnseen 108Saving a Log File Set Network Node screen from the System Manager screenSaving the Current Log File Set Saving a New Log File SetSave Dialog Box Press Ctrl-AExample Creating a New File Set Example Saving the File Set over Another File SetOpen Dialog Box Opening a Log File SetLog File Rotation 112 Preferences Screen 114 Preferences Screen Option Default Description General PreferencesTo choosing Actions Status Poll from the System Manager 116Actions Resync from the System Manager screen Column Name Default Description Browser PreferencesAlert Events Preferences 118Error Events Preferences Column Default Description NameSystem Manager Subtab 120Templates and Alerts Alerts LimitationsProperty Types TemplatesAttack Detected Alert Alert Severity Detection Template Alert SummaryTable A-1 Detection Templates 124 Appendix a 125 126 Unix Regular ExpressionsExamples Appendix a 127 Limitations 128Template Property Types Type I Pathnames to Not MonitorType II Pathnames/Programs Pairs 130Type III UIDs Type IV UID Pairs132 Type V Network TripletsType VI Time Strings Type VII Flags Type Viii ScalarsBuffer Overﬂow Template 134Name Type Default Value Execute on StackTable A-2 Template Properties Table A-3 Execute on Stack Alert Properties136 Unusual Argument Length Table A-4 Unusual Argument Length Alert PropertiesArgument with Non-printable Character 138Appendix a 139 140 Race Condition Template Table A-6 Template Properties142 File Reference ModiﬁcationTable A-7 File Reference Modiﬁcation Alert Properties Appendix a 143 144 Privileged Setuid Script ExecutedTable A-8 Setuid Script Executed Alert Properties Appendix a 145 146 Modiﬁcation of Files/Directories TemplateTable A-9 Template Properties Properties 148 File Being Modiﬁed Table A-10 File Being Modiﬁed Alert Properties150 Appendix a 151 152 Changes to Log File TemplateTable A-11 Template Properties Append-Only File Being Modiﬁed Table A-12 Append-Only File Being Modiﬁed Alert Properties154 Creation of Setuid File Template Table A-13 Template PropertiesAlerts generated By this template156 Setuid File CreatedTable A-14 Setuid File Created Alert Properties Appendix a 157 158 Creation of World-Writable File TemplateTable A-15 Template Properties World-Writable File Created Table A-16 World-writable File Created Alert Properties160 Appendix a 161 162 Modiﬁcation of Another User’s File Template Table A-17 Template Properties164 Non-owned File Being ModiﬁedTable A-18 Non-owned File Being Modiﬁed Alert Properties Appendix a 165 Limitations 166 Login/Logout Template Table A-19 Template Properties168 Login/Logout Table A-20 Login/Logout Alert Properties170 Successful su DetectedTable A-21 Successful su Detected Alert Properties Appendix a 171 172 Template How this template Repeated Failed Logins TemplateTable A-22 Template Properties 174 Failed Login AttemptsTable A-23 Failed Login Attempts Alert Properties Appendix a 175 Repeated Failed su Commands Template Repeated Failed su AttemptsTable A-24 Template Properties Table A-25 Repeated Failed Su Attempts Alert PropertiesAppendix a 177 Template Conﬁguration Syntax 178Appendix a 179 180 Automated Response 182 General Guidelines Response Methods184 How Automated Response Works in HP-UX Hids Alert ProcessSecurity checks Programming NotesTable B-1 Additional Arguments Passed to Response Programs 186Appendix B 187 188 Table B-3 Environment Variables Set for Response ProgramsName Value Description Appendix B 189 Programming Guidelines Writing Perl vs. Shell Response ScriptsWriting Privileged Response Programs 190Code for scriptA.sh Solution aCode Examples Solution B Code for privA programCode for PrivB program 192Solution C 194 Code for privC programCode for scriptC.sh script #!/usr/bin/sh Sample Shell Script Alert Responses Sample Response ProgramsSample C Language Program Source Code Forwarding Information 196Appendix B 197 Halting any further attacks 198Appendix B 199 Preservation of evidence 200Appendix B 201 Restoration of a known good state 202OVO Enablement in HP-UX Hids HP OpenView Operations Smart Plug-In204 Idsagent Command 206 Idsagent Command Synopsis OptionsExample 208Idsadmin Command 210 Idsadmin Command Synopsis Startup OptionsCommands 212Agent Conﬁguration File 214 Agent Conﬁguration File Forcing Active Agent to Reread Conﬁguration FileName Default Value Global ConﬁgurationTable E-1 Global Conﬁguration Variables 216Data Source Process Conﬁguration Kernel Audit Data DSPTable E-2 DSP idskernDSP Parameters218 Correlator Conﬁguration Variables Remote Communication ConﬁgurationTable E-3 220 Messages 222 Agent Messages Idsagent failed to reopen stderr in append mode Idsagent internal error in handling signature groupsIdsagent failed to initialize conﬁguration module Idsagent failed to start groupIdsagent unable to setup Sigchld signal handler Idsagent unable to setup Sighup signal handlerIdsagent unable to setup signal handler Idsagent unable to setup Sigsegv signal handlerIdsagent error trying to shutdown a process Idsagent failed to allocate memoryIdsagent failed to create schedule path ﬁlename Idsagent failed to execute correlator corrIdsagent internal error no correlator in PMStartProcesses Idsagent internal error occurred in PMStopGroupIdsagent failed to initialize schedule Idsagent failed to initialize schedule in crontabIdsagent not enough disk space to create schedule Idsagent not enough disk space to parse scheduleIdsagent not enough disk space to save conﬁg ﬁle Idsagent out of process table spaceUnable to open the response script directory dir Internal errorInternal error unknown state System Manager Messages Exception while opening ﬁle filename File Save Error Incomplete or Invalid Entry Data Entry ErrorInvalid Host State Unable to disable host Invalid Property Value value Property Value ErrorNo more instances of searchstring found Find Error Only one property may be edited at a time Selection ErrorSearchstring not found Find Error Select Property to be edited Selection ErrorSelect Surveillance Group Name to delete Selection Error Select Surveillance Group to copy Selection ErrorSelect Surveillance Schedule to copy Selection Error Select Surveillance Schedule to delete Selection ErrorSurveillance Schedule not selected Schedule Selection Error Following hosts are in an invalid state for this commandUnable to Overwrite filename File Save Error 234Unknown Host unable to resolve IP Address IPaddress Unknown IP Address unable to resolve Host Name236 Troubleshooting 238 Appendix G 239 240 TroubleshootingAgent and System Manager cannot communicate with each other Agent does not start on system boot $ /usr/sbin/kmtune -q enableiddsAgent needs further troubleshooting To clean up the IDS message queuesAgent host appears to hang and/or you see message disk full 242Agent does not start after installation Agents appear to be stuck in polling statusAlert date/time sort seems inconsistent Alerts are not being displayed in the alert browserIdsadmin needs installed agent certiﬁcates Buffer overﬂow triggers false positivesDuplicate alerts appear in System Manager 244IDScheckInstall fails with a kmtune error IDSgenAdminKeys or idsgui quits earlyLarge ﬁles in /var/opt/ids Log ﬁles are ﬁlling upNo Agent Available 246SSH does not perform a clean exit after idsgent is started Schedule Manager timetable screen appears to hang248 System Manager appears to hangSystem Manager does not start after idsgui is started IPFilter rules for HP-UX Hids Using HP-UX Hids with IPFilter and SecureShellUnknown program and arguments in certain alert messages How to allow the SecureShell daemon to forward X11 trafﬁc 250Appendix G 251 252 HP Software License Appendix H 253OpenSSL License 254Original SSLeay License Appendix H 255256 HP Software License Terms 258