POLYCENTER Security Intrusion Detector for SunOS, Version 1.0

jtruitt@dw3f.ess.harris.com
Fri, 05 Aug 94 09:44:23 -0400

 Software Product Description

 ___________________________________________________________________

 PRODUCT NAME:   POLYCENTER Security Intrusion          SPD 43.09.00
                 Detector for SunOS, Version 1.0

 DESCRIPTION

 POLYCENTER Security Intrusion Detector (ID) for SunOS is a real-time
 security monitoring application for the SunOS operating system. It
 performs knowledge-based analysis of the output of the audit subsystem
 to recognize and respond to security-relevant activity. Violations such
 as attempted logins, unauthorized access to files, illegal setuid
 programs, and unauthorized audit modifications are automatically
 detected and acted upon. This frees the system or security manager to
 tackle more important end-user problems.

 Most security breaches involve a series of actions. Instead of looking
 at each action individually, ID for SunOS looks at the whole picture.
 Using a case method modeled after criminal investigations, ID assigns
 an agent to monitor the suspect and file evidence to the case. By
 analyzing each security event within the context of a case, ID can
 distinguish between real threats and innocent behavior. So ID won't
 kick legitimate users off the system or trigger false alarms.

 POLYCENTER Security ID for SunOS can be configured to take
 countermeasures against intruders without human intervention, and
 security managers can work from the Manager's Graphical User Interface
 or from the UNIX command line.

 POLYCENTER Security ID for SunOS does the following:

 o  Runs on every SPARC Sun system in a network to detect and take
    action in real time on intruders, whether malicious hackers or
    inadvertent users.

 o  Uses a built-in knowledge base to automatically interpret the 
    audit log data.

                               DIGITAL                      May 1993

                                                         AE-PU9NA-TE

 

 o  Notifies security managers about critical security events
    occurring on a system, as detected from the SunOS Audit Subsystem.

 The following is a list of these events:

    -  Access-control-event - A failed attempt to modify the
       protection of any file or the successful modification of the
       protection of a critical file

    -  Account-auth-event - Successful and unsuccessful password changes
       to nonprivileged user accounts

    -  Audit-subsystem-event - The start or termination of the operating 
       system's audit facility or changes to the system and user audit 
       controls

    -  Breakin-event - Successive login failures

    -  File-transfer-event - A network file copy

    -  Logfail-event - A failed login

    -  Login-event - A successful login

    -  Obj-access-event - A failed attempt to access any file or 
       device or the successful modification of a critical file

    -  Privileged-process-creation-event - Gaining privilege by 
       running a SUID-to-root program that is not registered as a 
       critical file

    -  Process-termination-event - Logouts and any exiting of a 
       monitored process

    -  Program-execution-event - Execution of a program that has been
       recently modified

 o  Tailored automatic countermeasures, per a master configuration file
    which the security manager sets up at the time of product
    installation, can include:

    -  Sending mail to designated security managers

    -  Further monitoring the security-relevant actions of the offender


 
    -  Re-enabling of audit data generation

    -  Shutting down an offending process

 o  Filters a large volume of audit data, reducing it to a manageable
    set of relevant information for the system manager to review, which
    permits more frequent archiving of old data and ultimately means
    that less disk space is used.

 o  Can be started and operated from Digital's POLYCENTER Framework for
    centralized system and network management.

 o  Produces daily or weekly summaries of security-relevant activity.

 o  Security-relevant activity of several SunOS and ULTRIX nodes can
    be monitored from one designated Manager Interface node, giving the
    security manager the ability to control a larger number of machines
    with fewer people.
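 An illustrative model of the case method and the event classes listed
 above, added here as an example and not POLYCENTER code: it classifies
 constructed audit records into the SPD's event names, files each one as
 evidence in a per-subject case, escalates successive login failures to
 a Breakin-event, and applies a configured countermeasure. The record
 layout, the critical-file set, the failure threshold and the
 countermeasure mapping are assumptions for the example.

```python
from collections import defaultdict

# Constructed audit records as (subject, action, outcome, object). The
# tuple layout is an assumption for this example, not the BSM trail format.
AUDIT = [
    ("jdoe", "login", "fail", "ttyp1"),
    ("jdoe", "login", "fail", "ttyp1"),
    ("jdoe", "login", "fail", "ttyp1"),
    ("jdoe", "login", "ok", "ttyp1"),
    ("jdoe", "chmod", "ok", "/etc/passwd"),
    ("alice", "login", "ok", "ttyp2"),
    ("alice", "open", "fail", "/tmp/scratch"),
]
CRITICAL = {"/etc/passwd", "/etc/shadow"}  # assumed critical-file registry
BREAKIN_THRESHOLD = 3                      # assumed successive-failure limit
# Countermeasure per event class, as a master configuration file might map
# them (assumed mapping, not the product's defaults).
COUNTERMEASURES = {"Breakin-event": "mail", "Access-control-event": "monitor"}

def classify(rec):
    """Map one audit record to an SPD event class, or None if irrelevant."""
    _, action, outcome, obj = rec
    if action == "login":
        return "Logfail-event" if outcome == "fail" else "Login-event"
    if action == "chmod" and (outcome == "fail" or obj in CRITICAL):
        return "Access-control-event"
    if action == "open" and (outcome == "fail" or obj in CRITICAL):
        return "Obj-access-event"
    return None

def run_cases(records):
    """One case per subject: file evidence, escalate, apply countermeasures."""
    cases = defaultdict(lambda: {"evidence": [], "fails": 0, "actions": []})
    for rec in records:
        ev = classify(rec)
        if ev is None:
            continue
        case = cases[rec[0]]
        if ev == "Logfail-event":
            case["fails"] += 1
        elif ev == "Login-event":
            case["fails"] = 0
        events = [ev]
        if ev == "Logfail-event" and case["fails"] == BREAKIN_THRESHOLD:
            events.append("Breakin-event")  # successive failures escalate
        for e in events:
            case["evidence"].append((e, rec[3]))
            if e in COUNTERMEASURES:
                case["actions"].append(COUNTERMEASURES[e])
    return dict(cases)
```

 Run over the constructed records, alice's single failed open is filed
 as evidence but draws no countermeasure, while jdoe's case escalates to
 mail on the third login failure and to further monitoring on the
 critical-file protection change.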

 Additional POLYCENTER Security Software

 o  POLYCENTER Security Intrusion Detector for OpenVMS (SPD 41.27.00)

 o  POLYCENTER Security Intrusion Detector for ULTRIX (SPD 43.07.00)

 o  POLYCENTER Security Compliance Manager for OpenVMS (SPD 26.N1.01)

 o  POLYCENTER Security Compliance Manager for ULTRIX (SPD 41.26.00)

 o  POLYCENTER Security Compliance Manager for SunOS (SPD 41.25.00)

 o  POLYCENTER Security Compliance Manager for HP-UX (SPD 46.12.00)

 o  POLYCENTER Security Compliance Manager for IBM AIX (SPD 46.11.00)

 o  POLYCENTER Security Reporting Facility for OpenVMS (SPD 26.N2.01)


 
 HARDWARE REQUIREMENTS

 Processor and/or hardware configurations as specified in the System
 Support Addendum (SSA 43.09.00-x).

 SOFTWARE REQUIREMENTS

 SunOS Operating System V4.1.1 or V4.1.2
 Basic Security Module (BSM) 
 OpenWindows V2.0 or V3.0

 Refer to the System Support Addendum (SSA 43.09.00-x) for
 availability and required versions of prerequisite/optional software.

 ORDERING INFORMATION

 Software Licenses: QL-NB8A*-**
 Software Media: QA-NB8A*-**
 Software Documentation: QA-NB8A*-GZ
 Software Product Services: QT-NB8A*-**

 *  Denotes variant fields. For additional information on available 
    licenses, services, and media, refer to the appropriate price book.

 SOFTWARE LICENSING

 This software is furnished under the licensing provisions of Digital
 Equipment Corporation's Standard Terms and Conditions. For more
 information about Digital's licensing terms and policies, contact your
 local Digital office.

 SOFTWARE PRODUCT SERVICES

 In addition to standard Software Product Support remedial services,
 consulting services for planning, designing, and implementing a 
 custom security system are also available.

 A variety of service options are available from Digital. For more 
 information, contact your local Digital office.


 

 SOFTWARE WARRANTY

 As with any security product, POLYCENTER Security ID for SunOS
 software should be considered part of an overall security plan.
 Customers are encouraged to follow industry-recognized security
 practices and not rely on any single security product or service to
 provide complete protection.

 Warranty for this software product is provided by Digital with the
 purchase of a license for the product as defined in the Software
 Warranty Addendum of this SPD.

 ® HP and HP-UX are registered trademarks of Hewlett-Packard Company,
   Inc.

 ® IBM and AIX are registered trademarks of International Business
   Machines Corporation.

 ® SPARC is a registered trademark of SPARC International, Inc.
   licensed exclusively to Sun Microsystems, Inc.

 ® Sun is a registered trademark of Sun Microsystems, Inc.

 ® UNIX is a registered trademark of UNIX Systems Laboratory, Inc.

 ™ The DIGITAL logo, Digital, OpenVMS, POLYCENTER, and ULTRIX are
   trademarks of Digital Equipment Corporation.

 All other trademarks and registered trademarks are the property of their
 respective holders.

 

 System Support Addendum

 ___________________________________________________________________
 ___________________________________________________________________

 PRODUCT NAME:   POLYCENTER Security Intrusion        SSA 43.09.00-B
                 Detector for SunOS, Version 1.0

 HARDWARE REQUIREMENTS

 Processors Supported:

 Sun 4/110, 4/150, 4/260, 4/280
 SPARCstation 2

 The following processors have not been tested. However, as they
 support the SunOS Basic Security Module (BSM), it is expected that this
 product will run on these processors.

 SPARCstation SLC,
 SPARCstation IPC,
 SPARCstation IPX,
 SPARCstation 1,
 SPARCstation 1+,
 SPARCsystem 330,
 SPARCsystem 470,
 SPARCserver 390,
 SPARCserver 490

 Other Hardware Required:

 To install POLYCENTER Security Intrusion Detector for SunOS software,
 the system must support a QIC tape drive.




                               DIGITAL                      May 1993

                                                         AE-PU9PB-TE


 
 Disk Space Requirements

 Disk space required for installation:

    Base Kit:                   2,000 Kbytes
    Manager Interface:          2,000 Kbytes
    POLYCENTER Framework Kit:      50 Kbytes

 Disk space required for use (permanent):

    Manager Interface:          2,000 Kbytes
    POLYCENTER Framework Kit:      50 Kbytes

 These counts refer to the disk space required on the system disk. The
 sizes are approximate; actual sizes may vary depending on the user's
 system environment, configuration, and software options.

 SOFTWARE REQUIREMENTS

 SunOS Operating System V4.1.1 or V4.1.2
 Basic Security Module (BSM)
 OpenWindows V2.0 or V3.0

 GROWTH CONSIDERATIONS

 The minimum hardware/software requirements for any future version of
 this product may be different from the minimum requirements for the
 current version.

 DISTRIBUTION MEDIA

 18-track QIC 150 streaming tape
 CD-ROM


 

 ORDERING INFORMATION

 Licenses: QL-NB8A*-**
 Software Media: QA-NB8A*-**
 Software Documentation: QA-NB8A*-GZ
 Software Product Services: QT-NB8A*-**

 *  Denotes variant fields. For additional information on available 
    licenses, services, and media, refer to the appropriate price book.

 The above information is valid at time of release. Please contact your
 local Digital office for the most up-to-date information.

 ® SPARC is a registered trademark of SPARC International, Inc.
   licensed exclusively to Sun Microsystems, Inc.

 ® Sun is a registered trademark of Sun Microsystems, Inc.

 ™ SPARCstation is a trademark of Sun Microsystems, Inc.

 ™ The DIGITAL logo, Digital, and POLYCENTER are trademarks of
   Digital Equipment Corporation.

 All other trademarks and registered trademarks are the property of 
 their respective holders.
