HP Host Intrusion Detection System (HIDS) manual

Automated Response

HP OpenView Operations SMART Plug-In

HP OpenView Operations SMART Plug-In

For customers of HP OpenView Operations (OVO), a SMART Plug-In — OVO

HPUX_HIDS-SPI — is available. By relaying messages from the HP-UX HIDS agent to the OVO message interceptor residing on the same host, HP-UX HIDS gives you the ability to manage HP-UX HIDS alerts directly from the OpenView management server.

OVO HPUX_HIDS-SPI components include the following:

•Templates designed to monitor important log ﬁles, vital processes, and real-time alerts as generated by HP-UX HIDS.

•Templates that allow monitoring of the application’s overall availability.

•Applications that let you query the status of HP-UX HIDS, and start and stop the HP-UX HIDS System Manager.

OVO HPUX_HIDS-SPI can be used with both the OVO X-Motif-based Operator GUI and the OVO Java-based Operator GUI.

The HPUX_HIDS-SPI SMART Plug-In is available for download from the OpenView SPI Gallery web site at openview.hp.com/products/smartplugins/spis/. Select “SPI Gallery” and choose the HP-UX HIDS plug-in from the list.

HP Reference For more information, see HP OpenView Operations SMART Plug-In for HP-UX Host IDS on the web at http://docs.hp.com.

OVO Enablement in HP-UX HIDS

OVO integration is enabled with two programs that are installed on every agent host in the /opt/ids/response directory. They are

/opt/ids/response/send_alert_to_vpo.sh /opt/ids/response/vpo/ids_vpoalert

The script send_alert_to_vpo.sh performs a series of tests to ensure that the script is running on a OVO managed node. If the tests pass, it calls ids_vpoalert, which generates a OVO message and uses the opcmsg() facility to send the message to the OVO message interceptor. The interceptor relays the message to the OVO management server.

If you do not have OVO or prefer not to have OVO integrated with HP-UX HIDS, then you can remove these two ﬁles from the /opt/ids/response directory.

Appendix B

203

Image 215

HP Host Intrusion Detection System (HIDS) manual HP OpenView Operations Smart Plug-In, OVO Enablement in HP-UX Hids

Contents

Manufacturing Part Number J5083-90013 December HP-UX Host Intrusion Detection System Administrator’s GuideEdition Government License Warranty Iii Trademarks Conventions Contents Schedule Manager Screen System Manager Screen Vii Host Manager ScreenNetwork Node Screen Viii Preferences ScreenTemplates and Alerts Agent Conﬁguration File Idsagent CommandIdsadmin Command Automated Response HP Software License TroubleshootingMessages Original SSLeay License HP Software License Terms Xii Overview Documentation Summary Loss of Computing Resources Why Do You Need Intrusion Detection?Loss of Financial Assets Loss of Intellectual Property Malicious Code Who Are the Perpetrators?How Are These Threats Realized? Misplaced Trust Firewalls Why Existing Tools Are Only Part of the SolutionExcessive Privilege for Simple Tasks Being Used as a Springboard to Attack the Next Victim Security Auditing Tools Encryption What Is Intrusion Detection? Where Does Intrusion Detection Fit In? What HP-UX Hids Does What HP-UX Hids Does Not Do Graphic Representation HP-UX Hids Components HP-UX Hids Components How the Components Interact to Detect Intrusions Surveillance Schedules HP-UX Hids Secure CommunicationsDetection Templates Surveillance Groups Glossary of HP-UX Hids Terms Node Intrusion Detection DataIntrusion Detection System Kernel Vulnerability System ManagerVirus Glossary of HP-UX Hids Terms Chapter Conﬁguration Conﬁguration Optional IntroductionRequired Create the X.509 Certiﬁcates Setting Up the HP-UX Hids Secure CommunicationsOverview of Procedures to Set Up Secure Communications Script to Use Where Used End Product $ IDSgenAdminKeys install $ IDSgenAgentCerts Transport the Certiﬁcates TIP $ IDSimportAgentKeys /var/opt/ids/tmp/myhost1.tar.Z myadmin Install the Keys on Each Host Step Conﬁguring a Multihomed Agent System $ nslookup large2 Example To conﬁgure a multihomed administration system Conﬁguring a Multihomed Administration System Edit the agent conﬁguration ﬁle for example To conﬁgure a loopback system Conﬁguring a Loopback System Working with Firewalls Conﬁguring PortsWorking with NIS Select Kernel Conﬁguration Select Conﬁgurable Parameters Enabling Large Numbers of AgentsEnabling Over 23 Agents Thread Limits To change the value of maxthreadproc To view and change the value of tcpconnrequestmax Enabling Over 20 Inbound Requests Files Permissions Accessing ManpagesRestricting Permissions Runtime File Permissions Accessing Manpages Chapter Getting Started Getting Started System Manager Agents Starting HP-UX Hids for the First Time Set up hosts and run schedules See , Host Manager Screen, on Network Node Operations ScreensSchedule Manager Host Manager Sorting Entries Basic Screen ActionsSelecting Entries in Lists Searching Entries Basic Screen Actions Chapter System Manager Screen System Manager Screen System Manager Screen To stop the HP-UX Hids System Manager Starting the HP-UX Hids System ManagerStopping the HP-UX Hids System Manager To start the HP-UX Hids System Manager Status Value Description On the System Manager ScreenStatus Field Values On the System Manager screen Getting the Status of Agent HostsTo get the status of agent hosts To resynchronize agent hosts Resynchronizing Agent Hosts Choose the Actions Activate Schedule menu item Activating a Schedule on Agent HostsTo activate a surveillance schedule on agent hosts To stop a surveillance schedule on agent hosts Stopping Schedules on Agent Hosts To start the agent Starting HP-UX Hids Agents To halt the agent locally on the agent host Halting HP-UX Hids AgentsTo halt agents remotely from the System Manager To go to the Schedule Manager screen Accessing Other ScreensGo to Schedule Manager Screen Go to Host Manager Screen Return to System Manager Screen Go to Network Node ScreenGo to Preferences Screen Accessing Other Screens Chapter Schedule Manager Screen Schedule Manager Screen Schedule Manager To create a surveillance schedule Creating a Surveillance Schedule To close the Schedule Manager screen Displaying the Schedule Manager ScreenClosing the Schedule Manager Screen To display the Schedule Manager screen To create a new surveillance schedule Conﬁguring Surveillance SchedulesCreating a New Surveillance Schedule Copying a Surveillance Schedule To modify a surveillance schedule Modifying a Surveillance Schedule Choose File Save Selected Schedule As Renaming a Surveillance ScheduleTo rename a surveillance schedule To delete a surveillance schedule Deleting a Surveillance ScheduleUndoing and Redoing Changes Choose File Save Selected Schedule Saving a Surveillance ScheduleTo save a surveillance schedule To create a new surveillance group Conﬁguring Surveillance GroupsCreating a New Surveillance Group Copying a Surveillance Group To modify a surveillance group Modifying a Surveillance Group To rename a surveillance group Renaming a Surveillance GroupRename Surveillance Group Dialog To delete a surveillance group Deleting a Surveillance GroupSaving a Surveillance Group To change the value of a property in a detection template Conﬁguring Detection TemplatesModifying a Property Value In a Template To add a new value Edit List Dialog 11Edit Dialog Edit Suggested Best Practices Some Template Conﬁguration Guidelines Setting Surveillance Schedule Timetables To specify when a schedule will run Specifying When a Schedule Will Run Canceling Changes See Saving a Surveillance Schedule on To view the source of a surveillance schedule Viewing Surveillance Schedule DetailsViewing the Source of a Surveillance Schedule Refreshing the Details Display To clear the display Clearing the Details DisplaySaving the Details Display Save Dialog Predeﬁned Surveillance Schedules Predeﬁned Surveillance Schedules and Groups Predeﬁned Surveillance Schedules Host Manager Screen Host Manager Screen Displaying the Host Manager Screen Managing Hosts Closing the Host Manager Screen To add a new host manually Adding New HostsAdding a New Host Manually Add Host Dialog IP Address Host NameAddress ﬁeld To add new hosts from /etc/hosts Adding New Hosts from /etc/hostsName ﬁeld Host Name and IP Address To add new hosts from a ﬁle Adding New Hosts from a FileRules for Host Lists Files Open Dialog To modify a host entry Modifying a Host To delete a host entry Deleting Hosts Enabling and Disabling Hosts To enable or disable an agent host for monitoring Add, modify or delete tags To add a tag Managing Tags To delete a tag To edit a tag Saving the Host List in a Different File Maintaining Host FilesSaving the Host List in the Current File Using Multiple Host Files Using an Alternate Host List File Maintaining Host Files Chapter Network Node Screen 100 To display the Network Node screen for an agent host Network Node ScreenOpening a Network Node Screen Closing a Network Node Screen 102 Alerts Tab HP-UX Hids Alerts What They Mean, What to Do 104 Errors TabHP-UX Hids Errors What They Mean, What to Do Simple Version General OperationsSelecting Entries Selecting with the Mouse Find Dialog Searching for the Next Unseen EntrySearching for a String To search again To delete one or more alerts or errorsDeleting an Entry Marking Entries as Seen or Unseen 108 Unseen Saving a New Log File Set Saving a Log File SetNetwork Node screen from the System Manager screen Saving the Current Log File Set Example Saving the File Set over Another File Set Save Dialog BoxPress Ctrl-A Example Creating a New File Set Open Dialog Box Opening a Log File SetLog File Rotation 112 Preferences Screen 114 Preferences Screen 116 Option Default DescriptionGeneral Preferences To choosing Actions Status Poll from the System Manager Actions Resync from the System Manager screen 118 Column Name Default DescriptionBrowser Preferences Alert Events Preferences Column Default Description Name Error Events Preferences 120 System Manager Subtab Templates and Alerts Templates AlertsLimitations Property Types Attack Detected Alert Alert Severity Detection Template Alert SummaryTable A-1 Detection Templates 124 Appendix a 125 126 Unix Regular ExpressionsExamples Appendix a 127 128 Limitations Type I Pathnames to Not Monitor Template Property Types 130 Type II Pathnames/Programs Pairs Type IV UID Pairs Type III UIDs 132 Type V Network TripletsType VI Time Strings Type Viii Scalars Type VII Flags 134 Buffer Overﬂow Template Table A-3 Execute on Stack Alert Properties Name Type Default ValueExecute on Stack Table A-2 Template Properties 136 Table A-4 Unusual Argument Length Alert Properties Unusual Argument Length 138 Argument with Non-printable Character Appendix a 139 140 Table A-6 Template Properties Race Condition Template 142 File Reference ModiﬁcationTable A-7 File Reference Modiﬁcation Alert Properties Appendix a 143 144 Privileged Setuid Script ExecutedTable A-8 Setuid Script Executed Alert Properties Appendix a 145 146 Modiﬁcation of Files/Directories TemplateTable A-9 Template Properties Properties 148 Table A-10 File Being Modiﬁed Alert Properties File Being Modiﬁed 150 Appendix a 151 152 Changes to Log File TemplateTable A-11 Template Properties Table A-12 Append-Only File Being Modiﬁed Alert Properties Append-Only File Being Modiﬁed 154 By this template Creation of Setuid File TemplateTable A-13 Template Properties Alerts generated 156 Setuid File CreatedTable A-14 Setuid File Created Alert Properties Appendix a 157 158 Creation of World-Writable File TemplateTable A-15 Template Properties Table A-16 World-writable File Created Alert Properties World-Writable File Created 160 Appendix a 161 162 Table A-17 Template Properties Modiﬁcation of Another User’s File Template 164 Non-owned File Being ModiﬁedTable A-18 Non-owned File Being Modiﬁed Alert Properties Appendix a 165 Limitations 166 Table A-19 Template Properties Login/Logout Template 168 Table A-20 Login/Logout Alert Properties Login/Logout 170 Successful su DetectedTable A-21 Successful su Detected Alert Properties Appendix a 171 172 Template How this template Repeated Failed Logins TemplateTable A-22 Template Properties 174 Failed Login AttemptsTable A-23 Failed Login Attempts Alert Properties Appendix a 175 Table A-25 Repeated Failed Su Attempts Alert Properties Repeated Failed su Commands TemplateRepeated Failed su Attempts Table A-24 Template Properties Appendix a 177 178 Template Conﬁguration Syntax Appendix a 179 180 Automated Response 182 Response Methods General Guidelines 184 Programming Notes How Automated Response Works in HP-UX HidsAlert Process Security checks 186 Table B-1 Additional Arguments Passed to Response Programs Appendix B 187 188 Table B-3 Environment Variables Set for Response ProgramsName Value Description Appendix B 189 190 Programming GuidelinesWriting Perl vs. Shell Response Scripts Writing Privileged Response Programs Code for scriptA.sh Solution aCode Examples 192 Solution BCode for privA program Code for PrivB program Solution C 194 Code for privC programCode for scriptC.sh script #!/usr/bin/sh Sample Shell Script Alert Responses Sample Response ProgramsSample C Language Program Source Code 196 Forwarding Information Appendix B 197 198 Halting any further attacks Appendix B 199 200 Preservation of evidence Appendix B 201 202 Restoration of a known good state HP OpenView Operations Smart Plug-In OVO Enablement in HP-UX Hids 204 Idsagent Command 206 Synopsis Options Idsagent Command 208 Example Idsadmin Command 210 Synopsis Startup Options Idsadmin Command 212 Commands Agent Conﬁguration File 214 Forcing Active Agent to Reread Conﬁguration File Agent Conﬁguration File 216 Name Default ValueGlobal Conﬁguration Table E-1 Global Conﬁguration Variables DSP idskernDSP Parameters Data Source Process ConﬁgurationKernel Audit Data DSP Table E-2 218 Correlator Conﬁguration Variables Remote Communication ConﬁgurationTable E-3 220 Messages 222 Agent Messages Idsagent failed to start group Idsagent failed to reopen stderr in append modeIdsagent internal error in handling signature groups Idsagent failed to initialize conﬁguration module Idsagent unable to setup Sigsegv signal handler Idsagent unable to setup Sigchld signal handlerIdsagent unable to setup Sighup signal handler Idsagent unable to setup signal handler Idsagent failed to execute correlator corr Idsagent error trying to shutdown a processIdsagent failed to allocate memory Idsagent failed to create schedule path ﬁlename Idsagent failed to initialize schedule in crontab Idsagent internal error no correlator in PMStartProcessesIdsagent internal error occurred in PMStopGroup Idsagent failed to initialize schedule Idsagent out of process table space Idsagent not enough disk space to create scheduleIdsagent not enough disk space to parse schedule Idsagent not enough disk space to save conﬁg ﬁle Unable to open the response script directory dir Internal errorInternal error unknown state System Manager Messages Invalid Property Value value Property Value Error Exception while opening ﬁle filename File Save ErrorIncomplete or Invalid Entry Data Entry Error Invalid Host State Unable to disable host Select Property to be edited Selection Error No more instances of searchstring found Find ErrorOnly one property may be edited at a time Selection Error Searchstring not found Find Error Select Surveillance Schedule to delete Selection Error Select Surveillance Group Name to delete Selection ErrorSelect Surveillance Group to copy Selection Error Select Surveillance Schedule to copy Selection Error 234 Surveillance Schedule not selected Schedule Selection ErrorFollowing hosts are in an invalid state for this command Unable to Overwrite filename File Save Error Unknown IP Address unable to resolve Host Name Unknown Host unable to resolve IP Address IPaddress 236 Troubleshooting 238 Appendix G 239 240 TroubleshootingAgent and System Manager cannot communicate with each other $ /usr/sbin/kmtune -q enableidds Agent does not start on system boot 242 Agent needs further troubleshootingTo clean up the IDS message queues Agent host appears to hang and/or you see message disk full Alerts are not being displayed in the alert browser Agent does not start after installationAgents appear to be stuck in polling status Alert date/time sort seems inconsistent 244 Idsadmin needs installed agent certiﬁcatesBuffer overﬂow triggers false positives Duplicate alerts appear in System Manager IDSgenAdminKeys or idsgui quits early IDScheckInstall fails with a kmtune error 246 Large ﬁles in /var/opt/idsLog ﬁles are ﬁlling up No Agent Available Schedule Manager timetable screen appears to hang SSH does not perform a clean exit after idsgent is started 248 System Manager appears to hangSystem Manager does not start after idsgui is started IPFilter rules for HP-UX Hids Using HP-UX Hids with IPFilter and SecureShellUnknown program and arguments in certain alert messages 250 How to allow the SecureShell daemon to forward X11 trafﬁc Appendix G 251 252 Appendix H 253 HP Software License 254 OpenSSL License Appendix H 255 Original SSLeay License 256 HP Software License Terms 258