This document describes how to install GrIDS on your system. Since we are still in the very early stages of off-site GrIDS distribution there will probably be many initial questions. Please direct questions to rowe@cs.ucdavis.edu

Requirements:

    Perl 5.004
    PerlTk for the GUI
    Solaris 2.5 or greater to run the tcpdump binary
    rsh trust relationship to start distributed processes

Installation:

1) Unpack the distributed tar archive

    tar -xvf grids.tar

   to make the following subdirectories

    ./grids/bin               - contains the tcpdump binary and bitmaps for the GUI
    ./grids/common            - Perl packages used by all modules (e.g. communications,
                                logging, host and department objects)
    ./grids/engine            - core packages implementing the main graph building engine
    ./grids/module_controller - program that must be run on each host. Starts and stops
                                all GrIDS software modules.
    ./grids/ohs               - Organization Hierarchy Server. Maintains the authoritative
                                view of the GrIDS hierarchy and grants/denies permission
                                to make modifications.
    ./grids/rule_functions    - Perl functions used by rulesets
    ./grids/rulesets          - rulesets defining how incoming reports are incorporated
                                into graphs and when graphs represent attacks
    ./grids/sm                - Software Manager. Manages all modules currently running
                                in a department.
    ./grids/sniffer           - Perl wrappers for data sources
    ./grids/user_interface    - modules and scripts for interacting with GrIDS. GrIDS
                                startup, shutdown and modification is done here.

2) Define the following environment variables

    GRIDSPATH  - grids directory created when unpacking the tar archive
    PERLLOC    - location of the Perl 5.004 binary
    TCPDUMPLOC - location of the GrIDS tcpdump binary. Usually this is simply
                 $GRIDSPATH/bin

3) Set-uid root on the tcpdump binary.

   Normally, ordinary users don't have permission to monitor the network interface via tcpdump. A solution is to set the ownership of tcpdump to root and set the set-uid bit so that the binary runs with the owner's privileges.

   To reduce the security risk that this entails, allow only members of tcpdump's group to execute the tcpdump binary. It's convenient to create a special group for this file and add the users authorized to monitor network traffic to it.

    % chown root tcpdump
    % chmod 4750 tcpdump
    % chgrp monitor tcpdump

4) Allow rsh commands from the host where GrIDS is launched.

   All hosts monitored by GrIDS will need to run at least one Perl process, a module controller, and possibly more. For convenience, all distributed processes are launched from a single host. This is currently done via the rsh command. This requires a valid user account on each machine with an entry in its .rhosts file allowing the launch host to execute the rsh command there.

5) Run GrIDS

   Starting, stopping and modification of a GrIDS session is done using the Perl script

    $GRIDSPATH/user_interface/grids

   The initial configuration of hosts into a hierarchy of departments is specified in the file

    $GRIDSPATH/user_interface/grids.db

   Once GrIDS is started and running, a PerlTk GUI controller and attack reporter can be found in

    $GRIDSPATH/user_interface/ui.pl

   Additional information about running GrIDS can be found in the GrIDS User Guide.

Direct questions and comments to rowe@cs.ucdavis.edu
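The following post-install check for step 3 is an added example, not part of the GrIDS distribution: it verifies that the tcpdump binary ended up owned by root, restricted to the monitoring group, and at mode 4750 (-rwsr-x---), so that no one outside the group can read or run it. It assumes the group name "monitor" from the notes (a different owner or group may be passed as extra arguments), and relies only on ls -ld so it behaves the same on Solaris, Linux and BSD. On systems where chown or chgrp clears the set-uid bit, the check reports that the bit is missing.

```shell
#!/bin/sh
# Check that a set-uid tcpdump binary is locked down as described in
# step 3: owner root, group "monitor", mode 4750 (-rwsr-x---).
# Prints each deviation found and returns 1 if there was any, 2 if the
# file cannot be listed. Expected owner/group default to root/monitor
# (assumed group name, as in the installation notes).
check_tcpdump_perms() {
    path=$1
    want_owner=${2:-root}
    want_group=${3:-monitor}
    rc=0
    # ls -ld prints "<perms> <links> <owner> <group> ..."; -d makes a
    # directory argument list itself rather than its contents.
    listing=$(ls -ld "$path" 2>/dev/null) || { echo "$path: cannot list file"; return 2; }
    set -- $listing
    perms=$1 owner=$3 group=$4
    # Owner triple must be rws: set-uid bit plus the owner exec bit.
    case $perms in
        -rws*) ;;
        -rwS*) echo "$path: set-uid bit set but owner exec bit missing ($perms)"; rc=1 ;;
        *)     echo "$path: set-uid bit not set ($perms)"; rc=1 ;;
    esac
    # Group triple must be r-x: members may run it but not modify it.
    case $perms in
        -???r-x*) ;;
        *) echo "$path: group permissions should be r-x ($perms)"; rc=1 ;;
    esac
    # Others triple must be ---: nobody outside the group may read or run it.
    case $perms in
        -??????---*) ;;
        *) echo "$path: others must have no access ($perms)"; rc=1 ;;
    esac
    [ "$owner" = "$want_owner" ] || { echo "$path: owner is $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "$path: group is $group, expected $want_group"; rc=1; }
    return $rc
}

# Run as a script: check_tcpdump_perms.sh /path/to/tcpdump [owner [group]]
if [ $# -gt 0 ]; then
    check_tcpdump_perms "$@"
fi
```

Run it after the chown/chmod/chgrp sequence, e.g. check_tcpdump_perms "$TCPDUMPLOC/tcpdump"; a silent exit status 0 means the binary matches the intended configuration.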