-------------
RELEASE NOTES
-------------

POLYCENTER Security Intrusion Detector for OSF/1 Version 1.2

1. System Prerequisites

In order to run ID on your system you need to have the Enhanced
Security files installed, but Enhanced Security does not need to be
running.

2. Other documentation

2.1. User's Guide

The POLYCENTER Security Intrusion Detector for DEC OSF/1 User's Guide
provides the information needed to run ID and its associated programs.
Please read the errata section of these release notes for errors and
omissions in the documentation.

2.2. Installation Guide

The POLYCENTER Security Intrusion Detector for DEC OSF/1 Installation
Guide provides the information required to install ID on your system.
Please read the errata section of these release notes for errors and
omissions in the documentation.

2.3. DEC OSF/1 Enhanced Security Manual

The DEC OSF/1 Enhanced Security Manual (Part# AA-Q0R2A-TE) provides
in-depth information on the DEC OSF/1 Enhanced Security Subsystem. It
is recommended that the user be familiar with this information before
installing ID, especially Chapter 9.

2.4. Man pages

The following standard man pages are shipped in the kit:

    ID file formats - id.conf(5) hosts.id(5)
    ID commands     - id_commands(8) id_cui(8) id_gui(8) id_mond(8)
                      iddel(8) idshow(8) idsts(8)

3. Documentation updates and errata

4. System and environment issues

4.1. Disk space requirements

The entire distribution of ID fits comfortably into 5 MB. Most of this
is installed in /usr/opt, so there must be at least 5 MB free on that
filesystem.

5. Terminate Session Countermeasure

This is a description of the exact behaviour of the Terminate Session
countermeasure.

5.1. What Terminate Session does

When it is decided to terminate a session, ID determines the terminal
associated with the session. It kills all processes in the process
group of the errant process (if that process is still extant).
ID then proceeds to kill all processes associated with the terminal
with which the errant process was associated. It currently does this
by sending each process a KILL signal (this will be changed for the
final release).

5.2. The observed behaviour of Terminate Session

As all processes associated with the terminal are killed, the user is
logged out of the terminal, and in the case of an X-Windows based
terminal emulator (e.g. xterm or DECterm) the terminal emulator dies
with its shell.

The Terminate Session code will not affect any other sessions that the
same user might have on the machine.

5.3. Delays in Terminate Session

Sometimes the countermeasure takes effect immediately; at other times
it may take some seconds while ID processes prior audit events.

5.4. Inability to use standard Xt arguments for id_gui

Standard Xt command lines such as:

    id_gui -fg red
    id_gui -display dopey:0

fail with the following sort of error:

    "Error opening host data base file: -fg"
    "Error opening host data base file: -display"

The workaround is to nominate a hosts database on the command line
first:

    id_gui /var/adm/id/hosts.id -fg red
    id_gui /var/adm/id/hosts.id -display dopey:0

6. Outstanding Errors

1) If the "idshow" command is executed with an invalid hostname and no
   additional attribute information, the error messages displayed are
   incorrect and should be ignored. The correct message should be
   "Invalid Command Line Parameters".

2) If the "idshow" command is executed with an invalid hostname
   followed by a "-e [event-id]" or "-c [case-id]" attribute, the
   program will repeatedly display error messages. This may be stopped
   by pressing "Ctrl C".

3) If the "iddel" command is executed with an invalid hostname and no
   additional attribute information, the error messages displayed are
   incorrect and should be ignored. The correct message should be
   "Invalid Command Line Parameters".
4) If the "iddel" command is executed with an invalid hostname
   followed by a "-c [case-id]" attribute, the program will repeatedly
   display error messages. This may be stopped by pressing "Ctrl C".
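
Added example (not part of ID or of the original release notes): a small
model of the target selection described in sections 5.1 and 5.2, run over a
constructed process table. The names Proc, TABLE, terminate_session_plan and
survivors are hypothetical, and the terminal is passed in as an assumption
because the notes do not say how ID determines it.

```python
"""Model of the Terminate Session target selection from section 5.1 (added example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    pgid: int   # process group id
    tty: str    # controlling terminal
    user: str
    cmd: str

# Constructed process table (not real output): alice has two sessions, bob one.
TABLE = [
    Proc(100, 100, "ttyp1", "alice", "csh"),
    Proc(110, 110, "ttyp1", "alice", "vi"),
    Proc(120, 120, "ttyp1", "alice", "make"),
    Proc(121, 120, "ttyp1", "alice", "cc"),
    Proc(200, 200, "ttyp2", "alice", "csh"),
    Proc(201, 201, "ttyp2", "alice", "mail"),
    Proc(300, 300, "ttyp3", "bob", "csh"),
]

def terminate_session_plan(table, errant_pid, session_tty):
    """Return (group_pids, terminal_pids) in the order 5.1 describes.

    session_tty is passed in because how ID learns the terminal is not
    stated on the page (assumption: it is known from the audit event).
    """
    errant = next((p for p in table if p.pid == errant_pid), None)
    group = []
    if errant is not None:  # step 1 applies only if the process is still extant
        group = sorted(p.pid for p in table if p.pgid == errant.pgid)
    # Step 2: every remaining process associated with the session's terminal.
    terminal = sorted(p.pid for p in table
                      if p.tty == session_tty and p.pid not in group)
    return group, terminal

def survivors(table, plan):
    """PIDs left running after both steps (nothing is actually signalled here)."""
    doomed = set(plan[0]) | set(plan[1])
    return sorted(p.pid for p in table if p.pid not in doomed)

if __name__ == "__main__":
    plan = terminate_session_plan(TABLE, 121, "ttyp1")
    print("process group:", plan[0], "terminal:", plan[1])
    print("untouched:", survivors(TABLE, plan))
```

The surviving PIDs belong to alice's second terminal and to bob, which
matches the statement in 5.2 that other sessions of the same user are not
affected.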