User's Guide
The memory consumption of the HIDS agent processes is charted against the rate of system call
audit records (events) in Appendix B.
3.1.4 Disk Capacity
One of the main functions of HIDS is to log alerts locally to disk on the server being monitored. By
default, the log file used is /var/opt/ids/alert.log. The number of alerts will vary depending on what
HIDS is configured to monitor and the load on the system. Continuous operation of HIDS can produce
many alerts and can therefore consume a large amount of disk space. In addition, a 20 megabyte
memory-mapped file is created in /var/opt/ids. It is recommended to allocate at least 100MB to the
disk partition that contains /var/opt/ids on each system running the HIDS agent. The amount of disk
space needed can be reduced by rotating alert.log.
For swap, the HIDS agent requires between 97 MB and 157 MB.
3.2 Tuning Considerations
3.2.1 Product Tuning
3.2.1.1 Tuning the Surveillance Schedules
3.2.1.1.1 Background
A surveillance schedule contains one or more surveillance groups. A surveillance group defines a
collection of detection templates, their corresponding configurations, and when the templates are
scheduled to run. A detection template may exist in more than one surveillance group, but each
surveillance group may have at most one template instance of a particular template.
Each detection template in a group can be configured with details specific to the threats being
protected against. For example, a surveillance group named "WebServer" may contain three templates:
Creating SetUID files, Changes to files/directories and Monitor logins/logouts. In this example, the
Changes to files/directories template can be configured to monitor changes to files and directories
under /etc/opt/httpd.
3.2.1.1.2 Avoid duplicate copies of a template
It is possible to place the same detection template in two or more surveillance groups. However, if the
groups are scheduled to run concurrently in a surveillance schedule then multiple copies of a
detection template will be executing concurrently. A performance penalty will be incurred from running
more than one instance of the same template.
Try to schedule surveillance groups with duplicate templates to run at different times.
3.2.1.1.3 Avoid duplicate groups with overlapping functionality
A surveillance group should contain the least number of templates required to be effective, and no
more. One can reduce the likelihood of duplicate templates by keeping surveillance groups as small
as possible.
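The following script, added here as an illustration and not part of the HIDS product or this guide, models a surveillance schedule as groups with run windows and reports every template that two concurrently scheduled groups would execute at the same time (the situation 3.2.1.1.2 and 3.2.1.1.3 warn against). The data model, the group names and the run windows are constructed for the example; HIDS stores schedules in its own format, which is not reproduced here.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List, Tuple


# Hypothetical model of a surveillance schedule, constructed for this example.
@dataclass(frozen=True)
class SurveillanceGroup:
    name: str
    templates: FrozenSet[str]
    start: int  # minutes after midnight at which the group starts running
    end: int    # minutes after midnight at which it stops (half-open window)


def run_concurrently(a: SurveillanceGroup, b: SurveillanceGroup) -> bool:
    """True when the two groups' run windows overlap on the clock."""
    return a.start < b.end and b.start < a.end


def concurrent_duplicates(schedule: List[SurveillanceGroup]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each template to the pairs of groups that would execute it at the same time.

    A template placed in two groups costs nothing by itself; the performance
    penalty only arises when those groups are scheduled to run concurrently.
    """
    dupes: Dict[str, List[Tuple[str, str]]] = {}
    for a, b in combinations(schedule, 2):
        if not run_concurrently(a, b):
            continue
        for template in sorted(a.templates & b.templates):
            dupes.setdefault(template, []).append((a.name, b.name))
    return dupes


# Constructed sample schedule; the template names are the ones quoted in the guide.
SCHEDULE = [
    SurveillanceGroup("WebServer", frozenset({"Creating SetUID files",
                      "Changes to files/directories", "Monitor logins/logouts"}), 0, 1440),
    SurveillanceGroup("NightlyAudit", frozenset({"Changes to files/directories",
                      "Creating SetUID files"}), 120, 240),
    SurveillanceGroup("DayLogins", frozenset({"Monitor logins/logouts"}), 480, 1020),
    # Starts exactly when DayLogins ends, so the two never overlap.
    SurveillanceGroup("LateLogins", frozenset({"Monitor logins/logouts"}), 1020, 1380),
]

if __name__ == "__main__":
    for template, pairs in concurrent_duplicates(SCHEDULE).items():
        print(f"{template}: executed concurrently by {pairs}")
```

Moving NightlyAudit's window to a time when WebServer does not run, or dropping the duplicated templates from one of the groups, empties the report.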
HP Company Internal Page 7 of 20