10 Installing the Agent On UNIX Platforms

This section outlines the steps to install an agent on Unix. There are also sections later in this book that relate to specific requirements for certain operating systems. Please be sure to review those sections as well.

UNIX Agent Installation

The following sections describe the process for installing the UNIX agents in console or graphical mode. Some operating systems have specific steps you must follow in addition to the standard Unix installation steps.

Installing the Agent

At any point during a console-based installation process, to return to the previous prompt, type Back.

To install the agents, you must log in as root. Later when the agent is running, it can run as any user as long as specific steps are followed as discussed later in this chapter.

1. Copy the agent-x.bin file from the Configuration Change Console Installation media where -x will indicate which operating system the agent installer is for.

   Ensure that the file is executable by using the following command where <agent executable> is the installation file for the specific platform:

   chmod +x <agent executable>

   For example: chmod +x agent-linux-32bit.bin

2. From the Configuration Change Console Installation media, type the following command where <agent executable> is the installation file for the specific platform listed in the table above.

   To run the installer from the command line:

   ./<agent executable> -i console

   To run the installer under X-windows with a graphics-based installer:

   ./<agentexecutable>

3. An introduction screen appears. Press Enter to proceed.

4. You will next be prompted for the agent installation directory.

5. Press Enter to accept the default installation directory or enter your own path for installation.

6. Enter the Configuration Change Console server URL. The URL has the format t3s://hostname:port where hostname is the host the primary server is located at if using a non-clustered environment. If you are using a clustered environment, use t3s://hostname1:port1,hostname2:port2,hostname3:port3, for example, where you put host name and port for each Messaging Broker server. Click Next.

7. The next section asks if you want to automatically start the agent after installation or not. To automatically start the agent after the installation, press Enter. If you do not want the agent to start automatically, enter 2. Press Enter. You will need to start the agent manually if you do not set it to start automatically. Instructions for starting the agent using /etc/init.d/arprobe are discussed later in this chapter.

8. You will be asked for an administrator username (the default is administrator) and password for the Configuration Change Console Server. This is used to verify that the person installing the agent is authorized to do so. This username/password combination is only used at agent install time and the user can either be disabled or have the password changed after agent install without any issues.

9. Next, you will be asked whether your server has auditing features enabled or not. The auditing requirements are different for each operating system. For Linux it means that you have the required kernel files available so that the kernel module can be compiled. For Solaris, it means you have the Solaris BSM installed and configured for the agent's use. If you choose no for this question, you will not be monitoring file changes in real time, but will be using the polling file monitoring capability. It is recommended that you read the requirements for each specific operating system to enable the appropriate auditing settings and then answer yes to this question when installing the agent.

10. The Summary screen will display. Verify that the install folder is correct and then click Install to proceed with the installation.

11. Click Done when the Installation Complete screen appears to exit the installer.

Starting and Stopping the Agent

The agent should start automatically if you chose to have it start during installation. In the event that it does not, from the command prompt type the following commands:

cd /etc/init.d/

./arprobe start

To stop the agent, type: ./arprobe stop

Note:

You must be the root user to start the agent unless you follow the steps below on setting up the agent to operate as a non-root user.

For each Unix operating system the service is set to start up with the operating system if the agent was installed. You can find the startup and kill script links under the appropriate rcX.d directory. There is no manual maintenance needed on these unless you want to change the startup/shutdown behavior at operating system startup/shutdown time.

Uninstalling the Agent

You must log in as root to uninstall the agent. The manual steps to uninstall the agent are:

From the command prompt, go to the agent uninstaller directory. For example, if you installed as root, you would type:

cd /root/oracle/ConfigurationChangeConsoleAgent/UninstallerData

Run the uninstaller by typing:

./Uninstall_Configuration_Change_Console_Agent

Running Agents As a Non-Root User

By default, agents are expected to run as the root user on Unix. You can configure the agents however after installation to run as a non-root user following the steps outlined below.

File Permissions

The first thing that needs to be changed are the file ownership for the agent files. The installer sets all files and directories for the agent to be owned by root (the user doing the install) and permissions are turned off completely for GROUP and OTHER USERS. If another user should see these files, then ownership of the files and directories must be changed from root to the desired owning user. The following is an example of how you change this, where you replace newuser with the login name of the user that will own the agent and change {agent_install_dir} to the full path of where the agent is installed:

chown -R newuser {agent_install_dir}

It is not recommended that you add permissions for the GROUP or OTHER USERS to see the files as they have secure information in these directories.

Set Binaries to Run

Two binaries that come with the agent need elevated privileges to run to collect needed data. To allow this, do the following:

1. Stop the agent if it is running

2. Change your directory to {agent_install_dir}/bin where you installed the agent.

3. Run the following commands:

   chown root filewatcha

   chown root filewatchp

   chmod a+s filewatcha

   chmod a+s filewatchp

4. Edit the file /etc/rc.d/init.d/arprobe and replace every instance of $PROBE_HOME/bin/probe with sudo -u newuser "$PROBE_HOME/bin/probe".

5. Start the agent. At this point, the agent should be running as user newuser.

Reauthorizing the Agent With the Server

If for some reason the authorization credentials that you supply at agent installation time are incorrect, you can manually force the authorization to run again. You may notice that authorization might have failed because the agent never registered with the server by looking at the Administration > Devices > Devices screen on the Server.

To force reauthorization, follow these steps:

1. Open a shell window

2. Change your directory to {agent_install_dir}/bin

3. Run the script: resetauth.sh

4. Answer the prompts providing a user name and password for an administrator-role user in the Configuration Change Console Server

For security reasons, if authentication fails, no message is sent back to the agent indicating this failure.

Log Files

The product logs are located in the agent installation directory under the logs directory. For example, /root/oracle/ConfigurationChangeConsoleAgent/logs. Here is a list of some of the most common logs that you may need to refer to resolve issues:

Probe.log -- General product log for warnings or critical messages

Probe_err.log -- Only the errors that have caused a problem on the agent

Linux Agent Installation

The following sections describe the procedure for installing the Linux agent.

Linux Agent Installation Prerequisites

Before installing the Linux Agent you must have the Kernel Development package installed for the exact same kernel version of Linux. You can check this by first performing a uname -a and recording the kernel version (such as 2.4.21-37.0.0.4.ELhugemem). Next, look at the RPM registry to make sure the kernel-level package for this specific version is installed. It is very important that the development package version matches the version number exactly. Failure to match the version will cause the compiled kernel module to fail when trying to insert the module into the kernel.

You must also ensure that the version of gcc being used matches that with which the kernel was built. You can look at /proc/version to see what gcc version the kernel was built with and then run gcc -version to see what version of gcc is being used. These two versions should match.

For agent operation, the file /boot/System.map-{version} must also exist where {version} must match the kernel version you see when you run the uname -a command. This file contains system symbols that are needed to decode the kernel symbols we are monitoring for real-time changes. Without this file, real-time file monitoring will not function. This file is standard on all default Linux installations.

When the Linux agent is installed, a script will run to check for all of these dependencies and will inform you if there are missing requirements. The installation will continue to work, but the real-time file monitoring will not function until the module is built manually. The instructions for recovering from this is detailed below in the section "Kernel Module Compilation Issues".

If you make changes in the future to the version of the Linux kernel version, you should recompile the loadable kernel module to ensure it always matches the version of your server kernel. Instructions on how to recompile the module are in the section "Kernel Module Compilation Issues" below.

Installing the Agent

To install the Linux Agent, follow these steps. Note that all standard and recent packages must be installed before installing the agent.

1. Open a terminal window on the managed server. You must be logged in as root.

2. Insert the Configuration Change Console Installation media into your CDROM drive. Mount the disk.

3. At the prompt, copy the agent-linux-x86-32bit.bin file or agent-linux-x86-64bit.bin from the CD to the /tmp directory depending on which type of processor your server has.

4. Start the installer by entering either of the following commands depending on the processor type your server has at the prompt:

   /tmp/agent-linux-x86-32bit.bin -i console

   /tmp/agent-linux-x86-64bit.bin -i console

   If you want to launch the graphical installer under X-Windows, leave off the -i console part of the command.

5. One additional step that occurs towards the end of installation is the compilation of a loadable kernel module that is for real time file monitoring. You may notice a status message indicating whether this succeeded or not. If there is a failure, or you find that there is an error in logs/FileRunning.log indicating that the real time file monitoring module cannot start, see the section Kernel Module Compilation Issues.

6. After installation, delete the installation files in the tmp directory with the command:

   rm -i agent-lin*

Kernel Module Compilation Issues

There are three ways that may indicate that there was a problem in loading the Linux kernel module. At installation time of the Linux agent, you may have received an error message towards the end of installation that compilation of the kernel module failed.Alternatively, you may have noticed that you do not receive real-time file changes on the Configuration Change Console Server UI for file changes that you know should occur.Finally, when examining the FileRunning.log file under {agent install directory}/logs, you may see errors indicating that the kernel module could not be loaded or used for various reasons.If you encounter any of these issues, then most likely there was a problem with compiling or inserting the Linux kernel module at run time.

You can confirm if the auditmodule was loaded properly by running the following command.

grep -i auditmodule /proc/modules

If you do not get any output, then the auditmodule is not loaded and the agent will not be able to do real time file monitoring.

You can attempt to force the audit module to rebuild by following these steps:

1. Open a shell and change to the directory where you installed the agent, for example, /root/oracle/ConfigurationChangeConsoleAgent/bin

2. At the prompt enter ./compmod.sh

3. Look at the make.log and build.log file under {agent install directory}/logs to see if there are any errors that might be resolvable

4. If there are no errors when executing compmod.sh, check the bin directory and see if a file auditmodule*.ko was created after execution of compmod.sh. If there is, you can attempt to manually load the module to see if there are any errors. Use the following command where you replace {audit module file name} with the entire name of the .ko file that was created from compmod.sh:

   insmod {audit module file name}

   If you have no errors during this, you can check the module list again by using the grep command above. If the audit module now appears, then the file monitoring capability should work once you restart the agent.

If the module still is not able to load, and if you need to contact Oracle support about the issue, please be sure to include the following information with your support ticket:Output of the command: uname -a

Output of the command: grep –i /proc/modules

Output of the command: rpm –q –a |grep –i kernel-devel

The make.log and build.log files from the {agent install dir}/logs directory

The file {agent install dir}/logs/FileRunning.log

This information will help Oracle to determine if the agent's real time file monitoring audit module can be built on your environment.If you patch the kernel of your OS, you need to recompile the auditmodule kernel module using the steps outlined earlier to match the new kernel version. You will also need to install the kernel-devel package that matches the same version as the patched kernel

Solaris Agent Installation

Use the following steps to install the Solaris agent:

1. Log in to the Solaris server as the root user.

2. From the Configuration Change Console Installation media, copy the agent-solaris-sparc.bin file to the /tmp directory and make sure the installer is executable by typing:

   chmod +x agent-solaris-sparc.bin

3. For the remainder of the installation instructions, refer to the UNIX Agent Installation: Console Mode section, starting with Step 2.

Starting and Stopping the Agent

The agent should start automatically. In the event that it does not, from the command prompt, type the following commands:

cd /etc/init.d/

./arprobe start

Note:

To stop the probe, type: ./arprobe stop

Administrating Auditing on Solaris

The Solaris Audit is part of the Solaris TM SHIELD Basic Security Model (BSM) which provides additional security features. Auditing allows system administrators to monitor events and to detect user account logins and logouts as well as file changes.

If auditing is already enabled on the server, simply verify that the audit system configuration matches the configurations detailed below.

Configuring Solaris Auditing

The audit file can be configured to include specific events. The /etc/security/audit_control file controls which events will be included in the audit file. This section summarizes the configuration; for further details, refer to the Sun Product Online Documentation site.

For FileRunning/Userrunning, the flags line in the file /etc/security/audit_control should be set as follows:

flags: +fw,+fc,+fd,+lo

This configuration enables success/fail auditing for file writes (fw), file creates (fc), file deletes (fd), and login/logout events (lo); where '+' means to only log successful events. The login/logout events are not used by FileRunning but will be used by UserRunning. FileRunning filters the events by throwing away failed events and files that do not match the include/exclude criteria. However, if you are interested in logging the failed events as well, remove the "+" sign before each event in the flag.

Audit Logs and Disk Space

The audit_control file also has entries to control where the audit logs are stored, and the maximum amount of disk space used by the audit system. The minimum requirement for FileRunning is approximately 5 minutes worth of data stored on the hard drive or the configured reporting interval time.

Auditing Users

The audit_user file controls which users are being audited. The settings in this file are for specific users and override the settings in the audit_control file, which applies to all users.

Managing Audit Files

FileRunning only reads the audit logs; it does not delete the logs. This might flood the system with log files and prevent it from logging additional events. To manage and delete old audit events while maintaining minimum FileRunnning/UserRunning requirements, do the following:

1. The auditing policy can be set to automatically drop new events (keeping only a count of the dropped events) rather than suspending all processes by running the following command:

   # auditconfig -setpolicy cnt

2. Run the following command to force the audit deamon to close the current audit log file and use a new log file.

   /usr/sbin/audit -s

3. Run the following command to merge all existing closed auditing log files into a single file with an extension of .trash and then delete the files.

   /usr/sbin/auditreduce -D trash

4. Run the crontab command to periodically run the commands in Step 2 and Step 3 above. The frequency at which these two commands are run can be adjusted based on the anticipated event volume and the amount of disk space allocated to auditing. The only requirement is that the time between the audit -s command and the auditreduce - D trash command is at least 2 minutes times the reporting interval for FileRunning and UserRunning.

HP-UX 11.23 Agent Installation

This section describes the procedure for installing the agent on an HP-UX server. The Configuration Change Console Agent supports HP-UX 11.23 on the 32-bit or 64-bit PA-RISC and IA64 processor. Please read the prerequisites carefully to obtain the necessary software and patches before you begin the installation. Instructions for using the HPUX 32-bit PA-RISC agent on HPUX 11.11 are in the next section.

The HP-UX agent collects and reports data related to file and process changes, system resource utilization, and server configuration. By default, agents on the HP-UX platform do not report the users associated with file changes unless the Intrusion Detection System (HIDS) application is installed on the system. HIDS provides an auditing feature that logs file changes and the users associated with these reported changes.

The Configuration Change Console agent Supports HIDS 2.x, 3.x and 4.x. We recommend you to install the latest 4.x version.

This document provides basic instructions from the HIDS section of the HP-UX HIDS System Administrator's Guide.

Prerequisites

This section describes the prerequisites for installing the HP-UX agent, including all required patches.

Table 10-1 Hardware Prerequisites

Operating System	HPUX 11i v2
CPU	At least a PA RISC 1.1

HIDS Patches

Each operating system may require specific patches to be installed. Additionally, other required patches may be reported by the HIDS 2.2 CheckInstall script. The patches and software can be downloaded from the HP website

Table 10-2 HIDS Patches

Operating System	HP-UX 11i v2
Patch	PHKL_34798s700_800 11.23 HIDS cumulative patch

HIDS Overview

HIDS auditing features works with the Configuration Change Console agent to provide a list of usernames associated with unauthorized access to files as well as file events such as the addition, creation, modification, and deletion of files.

Agents on the HP-UX platform do not report the users associated with any file changes unless the Intrusion Detection System (HIDS) application is installed and configured on the system.

HIDS Preinstallation

The HIDS application must be installed before the agent is installed. The HIDS application requires patches specific to each supported HP-UX version. For basic prerequisites, see those documented in the Prerequisites section above.

The directory structure for the HIDS application is as follows:

• IDS application files: /opt/ids

• Configuration files: /etc/opt/ids

• Log files: /var/opt/ids

Refer to the HIDS documentation, Host Intrusion System from HP.com for installation and configuration instructions for your HP-UX version.

HP-UX 11i IDS Installation

Before proceeding with the installation, verify that you have all required patches installed on the system, as documented in the Prerequisites section above. All references to hostname must be replaced by the actual server hostname as provided by your System Administrator.

Follow these steps:

1. From the command prompt, login as root

2. Type the following commands:

   mkdir /var/depot <Enter>

   mkdir /var/depot/ids_11.i_admin+agent <Enter>

   mkdir /var/tmp/idspatch_11.i <Enter>

   mkdir /var/tmp/idsprod <Enter>

3. Copy the following patch into the /idspatch_11.i directory:

   PHKL_34798 s700_800 11.23 HIDS cumulative patch (for HPUX 11i v2)

4. Unpack the patch file sets into their separate depots:

   sh -c 'for i in /var/tmp/idspatch_11.i/PH*; do sh $i; done'

5. Copy the patch depots into the ids_11.i_admin+agent depot by typing the following command in one line:

   sh -c 'for i in /var/tmp/idspatch_11.i/PH*.depot; do swcopy -s $i \* @ /var/depot/ids_11.i_admin+agent; done'

6. Download the 11.i IDS product depot into the following directory:

   var/tmp/idsprod/J5083AA_11.i.depot

7. Copy the entire 11.i product into the ids_11.i_admin+agent depot:

   swcopy -s /var/tmp/idsprod/J5083AA_11.i.depot \* \@ /var/depot/ids_11.i_admin+agent

8. Install the IDS software by typing the following command. Note that you must reboot the system after the installation.

   # swinstall -x autoreboot=true -s hostname:/var/depot/ids_11.i_admin+agent \*

   Note:

   To start IDS, run the command: /sbin/init.d/idsagent start

   To stop IDS, run the command: /sbin/init.d/idsagent stop

Post Installation

This section documents the required procedural steps to complete after having installed the HIDS application on the server:

1. After the system has rebooted, run the IDS_checkInstall script to verify the HIDS application installation.

   /opt/ids/bin/IDS_checkInstall

2. Log in as user ids and generate the administrator keys by typing the following at the command prompt:

   ./IDS_genAdminKeys install

3. Generate the keys for the agent by typing the following at the command prompt:

   ./IDS_genAgentCerts

4. When prompted for which hosts the keys will be generated, type the hostname:

   The key file will be located in: /var/opt/ids/tmp/hostname.tar.Z

5. Install the agent key by typing the following command:

   ./IDS_importAgentKeys /var/opt/ids/tmp/hostname.tar.Z hostname

6. Start the agent program by typing the following command:

   /opt/ids/bin/idsagent

HIDS Configuration

HIDS log files increase rapidly; however, the Configuration Change Console agent keeps log files truncated to save disk space. To ensure that the log files do not increase in file size while the agent is not running, run a script to periodically truncate the HIDS log files.

A sample script to manage your log files is provided below. You may want to customize the script according to your environment. This script should be run from the crontab and the trunclog.sh should be an executable file.

Sample contents of the trunclog.sh file:

#!/bin/sh
filesize=`/bin/ls -l /var/opt/ids/alert.log | /bin/awk '{print $5}'`
if [ "$filesize"  -gt "5000000" ] 
then
  rm /var/opt/ids/alert.log
fi
 
rm /var/opt/ids/ids_1*

Sample entry to configure the crontab to run every hour where the bold letters are replaced by the actual path of the trunclog.sh file:

0 * * * * /<location of script>/trunclog.sh

.

Installing the Agent

Refer to the UNIX Agent Installation section earlier in this chapter for installation instructions.

To start and stop the service, run the following commands from the command line. For HPUX, the /etc/init.d folder is not used as described in the general Unix section above.

/usr/sbin/arprobe start

/usr/sbin/arprobe stop

AIX Agent Installation

The following section describes the installation process for installing AIX agents. The current agent only supports AIX5.3 since the Java JVM1.5 is not available for earlier versions of AIX.

Installation Prerequisites

To improve system performance, install the AIX 5.3 5300-08 Service Pack 5 or higher before installing the AIX 5.3 agent. The maintenance package is available from the IBM.

Installing the Agent

Refer to the UNIX Agent Installation: Console Mode section for instructions on installing, configuring and uninstalling the AIX agent.

To start and stop the service, run the following commands from the command line. For AIX, the /etc/init.d folder is not used as described in the general Unix section above.

/usr/sbin/arprobe start

/usr/sbin/arprobe stop

Administering AIX Auditing

The AIX auditing subsystem allows an administrator to record security-relevant information, such as User Logins, Logouts, and file changes, for analysis against existing security policies and detection of security violations.

Setting up Auditing involves modification of the existing auditing configuration files. To set up auditing:

1. Log into the AIX machine as the root user.

2. Open a terminal window and change directory to /etc/security/audit

3. Open the config file in vi.

4. Locate the following sections, and update or add the listed values:

   start:
           binmode = off
           streammode = on
   …
   classes:
   …
           filewatch = PROC_Create,PROC_Delete,FILE_Open,FILE_Write,FILE_Close,FILE_Link,FILE_Unlink,FILE_Rename,FILE_Owner,FILE_Mode,FILE_Fchmod,FILE_Fchown,FS_Chdir,FS_Fchdir,FS_Chroot,FS_Mkdir,FS_Rmdir,FILE_Symlink,FILE_Dupfd,FILE_Mknod,FILE_Utimes
    
   users: 
           root = filewatch
           default = filewatch
   

   Note:

   In this case default refers to all users that are not root. Further note that the last line of the config file should be a blank line.

5. Save your modifications and exit vi.

6. In the same directory (/etc/security/audit/) open the file streamcmds in vi.

7. Clear all text from the file. The default configuration for this file is not necessary, as the FileRunning agent module will operate as a direct audit reader. Clearing the file helps to reduce CPU usage and improve overall auditing performance.

8. Save the file and exit vi.

9. At the terminal prompt, enter the following command to initialize Auditing at system startup:

   mkitab "audit:2:once:/usr/sbin/audit start"

HP-UX 11.11 Agent Installation

This section describes the procedure for installing the agent on an HP-UX 11.11 server on the 32-bit or 64-bit PA-RISC processor. Please read the prerequisites carefully to obtain the necessary software and patches before you begin the installation.

The HP-UX agent collects and reports data related to file and process changes, system resource utilization, and server configuration. By default, agents on the HP-UX platform do not report the users associated with file changes unless the Intrusion Detection System (HIDS) application is installed on the system. HIDS provides an auditing feature that logs file changes and the users associated with these reported changes.

The Configuration Change Console agent Supports HIDS 2.x, 3.x and 4.x. Oracle recommends you to install the latest 4.x version.

This document provides basic instructions from the HIDS section of the HP-UX HIDS System Administrator's Guide.

Prerequisites

This section describes the prerequisites for installing the HP-UX agent, including all required patches.

HIDS Patches

Each operating system may require specific patches to be installed. Additionally, other required patches may be reported by the HIDS CheckInstall script. The patches and software can be downloaded from the HP website.

HIDS Overview

HIDS auditing features work with the Configuration Change Console agent to provide a list of usernames associated with unauthorized access to files as well as file events such as the addition, creation, modification, and deletion of files. Agents on the HP-UX platform do not report the users associated with any file changes unless the Intrusion Detection System (HIDS) application is installed and configured on the system.

HIDS Preinstallation

The HIDS application must be installed before the agent is installed. The HIDS application requires patches specific to each supported HP-UX version. For basic prerequisites, see those documented in the Prerequisites section above. The directory structure for the HIDS application is as follows:

• IDS application files: /opt/ids

• Configuration files: /etc/opt/ids

• Log files: /var/opt/ids

Refer to the HIDS documentation, Host Intrusion System from HP.com for installation and configuration instructions for your HP-UX version.

Table 10-3 Hardware Prerequisites

Type	Value
Operating System	HP-UX 11i v1
CPU	At least a PA RISC 1.1

Table 10-4 HIDS Patches

Type	Value
Operating System	HP-UX 11i v1
Patch	PHSS_26560

Table 10-5 HP Java Runtime Patches

Patch	Description
PHKL_25367	Solves kernel thread priority inversion problems.
PHCO_25452	Solves libc problems that cause degradation in Java applications.
PHKL_25614	Solves several memory and thread problems that affect Java performance.
PHKL_25728	Solves hangs in Java apps with large numbers of threads.
PHKL_25729	Solves signal and thread problems that prevent thread cancellation.
PHKL_25840	Solves severe thread performance problems in Java apps with large numbers of threads.
PHKL_25871	Supports Solaris-like semantics for concurrent close (kernel_dscrpt).
PHKL_27091	Solves thread problems that degrade Java apps with large numbers of threads.
PHKL_28489	Solves kernel trap handler problem causing hang after fork().
PHNE_29887	Supports Solaris-like semantics for concurrent close (transport).
PHCO_29960	Solves pthread synchronization that causes hangs. This patch MUST be installed for JRE version 1.3.1.11 or later.
PHSS_30049	Solves problem with dld while loading native libraries for class ServerSocket.

Table 10-6 HIDS Patches

Operating System	HP-UX 11iv1
Patch	PHKL_26074 s700_800 11.11 libaudit.a cumulative patch

HP-UX 11i, v1 IDS Installation

Before proceeding with the installation, verify that you have all required patches installed on the system as documented in the Prerequisites section above. All references to hostname must be replaced by the actual server hostname as provided by your System Administrator.

Follow these steps:

1. From the command prompt, login as root

2. Type the following commands:

   mkdir /var/depot <Enter>

   mkdir /var/depot/ids_11.i_admin+agent <Enter>

   mkdir /var/tmp/idspatch_11.i <Enter>

   mkdir /var/tmp/idsprod <Enter>

3. Copy the following patch into the /idspatch_11.i directory:

   PHKL_26074 s700_800 11.11 libaudit.a cumulative patch

   Note:

   HP-UX 11i v1.6 and 11i v2 do not need this patch.

4. Unpack the patch file sets into their separate depots:

   sh -c 'for i in /var/tmp/idspatch_11.i/PH*; do sh $i; done'

5. Copy the patch depots into the ids_11.i_admin+agent depot by typing the following command in one line:

   sh -c 'for i in /var/tmp/idspatch_11.i/PH*.depot; do swcopy -s $i \* @ /var/depot/ids_11.i_admin+agent; done'

6. Download the 11.i IDS product depot into the following directory:

   var/tmp/idsprod/J5083AA_11.i.depot

7. Copy the entire 11.i product into the ids_11.i_admin+agent depot:

   swcopy -s /var/tmp/idsprod/J5083AA_11.i.depot \* \@/var/depot/ids_11.i_admin+agent

8. Install the IDS software by typing the following command. Note that you must reboot the system after the installation.

   # swinstall -x autoreboot=true -s hostname:/var/depot/ids_11.i_admin+agent \*

Note:

To start IDS, run the command: /sbin/init.d/idsagent start

To stop IDS, run the command: /sbin/init.d/idsagent stop

Post Installation

This section documents the required procedural steps to complete after having installed the HIDS application on the server:

1. After the system has rebooted, run the IDS_checkInstall script to verify the HIDS application installation.

   /opt/ids/bin/IDS_checkInstall

2. Log in as user ids and generate the administrator keys by typing the following at the command prompt:

   ./IDS_genAdminKeys install

3. Generate the keys for the agent by typing the following at the command prompt:

   ./IDS_genAgentCerts

4. When prompted for which hosts the keys will be generated, type the hostname:

   The key file will be located in: /var/opt/ids/tmp/hostname.tar.Z

5. Install the agent key by typing the following command:

   ./IDS_importAgentKeys /var/opt/ids/tmp/hostname.tar.Z hostname

6. Start the agent program by typing the following command:

   /opt/ids/bin/idsagent

HIDS Configuration

HIDS log files increase rapidly; however, the Configuration Change Console agent keeps log files truncated to save disk space. To ensure that the log files do not increase in file size while the agent is not running, run a script to periodically truncate the HIDS log files.

A sample script to manage your log files is provided below. You may want to customize the script according to your environment. This script should be run from the crontab and the trunclog.sh file should be an executable file.

Sample contents of the trunclog.sh file:

#!/bin/sh
filesize=`/bin/ls -l /var/opt/ids/alert.log | /bin/awk '{print $5}'`
if [ "$filesize" -gt "5000000" ]
then
rm /var/opt/ids/alert.log
fi
rm /var/opt/ids/ids_1*
Sample entry to configure the crontab to run every hour:
 
0 * * * * /<location of script>/trunclog.sh
.

Installing the Agent

Refer to the UNIX Agent Installation section earlier in this chapter for installation instructions.

To start and stop the service, run the following commands from the command line. For HPUX, the /etc/init.d folder is not used as described in the general Unix section above.

/usr/sbin/arprobe start

/usr/sbin/arprobe stop