Host Intrusion Detection System (HIDS) v3.
Legal Notices
The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material. Warranty.
Contents
1.1 PRODUCT IDENTIFICATION  4
1.2 PURPOSE OF DOCUMENT  4
1.2 INTENDED AUDIENCE  4
1.3 GLOSSARY
1.0 INTRODUCTION
1.1 Product Identification
Product Name: HP-UX HIDS
Product Number: HPUX-HIDS
Product Version/Release: 3.1
1.2 Purpose of Document
This document provides basic sizing and tuning guidelines for HP-UX Host Intrusion Detection System (HIDS). The sizing guidelines are generated using a purely artificial load-generating environment that generates a constant stream of system call audit records that HIDS processes (see Appendix A for details).
2.0 OVERVIEW
2.1 Product Overview
HP-UX HIDS is an HP-UX host intrusion detection product that can enhance local host-level security within your network. It does this by automatically monitoring each configured host system within the network for possible signs of unwanted and potentially damaging intrusions. If successful, such intrusions could lead to the loss of availability of key systems or could compromise system integrity.
3.0 Sizing and Tuning Recommendations
3.1 Sizing Guidelines
Any HP-UX platform that supports HP-UX 11iv1 or 11iv2 can be utilized to run HIDS. When selecting a server platform for HIDS deployments, consider the following system parameters:
• Single vs Multi-Processor
• Number of CPUs
• Memory
• Disk Capacity
Note: These sizing guidelines apply to servers running the HIDS agent sensor and not the HIDS System Manager (GUI).
3.1.1 Single vs.
The memory consumption of the HIDS agent processes is charted against the rate of system call audit records (events) in Appendix B.
3.1.4 Disk Capacity
One of the main functions of HIDS is to log alerts locally to disk on the server being monitored. By default, the log file used is /var/opt/ids/alert.log. The number of alerts will vary depending on what HIDS is configured to monitor and the load activity on the system.
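Because the alert volume depends on the templates enabled and on host activity, the practical way to size the disk is to measure how fast the alert log actually grows on the monitored host. The following script is an added example, not part of the HP sizing guide or the HIDS product: it samples the size of the default alert log twice, projects daily growth, and reports how long the free space on that filesystem will last. The sampling interval, the 30-day retention period and the 1.5x headroom factor are assumptions; the log path is the default named above. A size decrease between samples is treated as a rotation or truncation rather than negative growth.

```python
"""Project disk consumption of the HIDS alert log from two size samples.

Added example (not HP's code). Retention period, headroom factor and sampling
interval are assumptions; /var/opt/ids/alert.log is the default path from the guide.
"""
import os
import time

ALERT_LOG = "/var/opt/ids/alert.log"   # default HIDS alert log location


def growth_per_day(size_then, size_now, elapsed_s):
    """Bytes/day implied by two size samples taken elapsed_s seconds apart.

    Returns None when the file shrank between samples: the log was rotated or
    truncated, so the two samples no longer describe one growing file.
    """
    if elapsed_s <= 0:
        raise ValueError("elapsed_s must be positive")
    if size_now < size_then:
        return None
    return (size_now - size_then) * 86400.0 / elapsed_s


def required_capacity(bytes_per_day, retention_days, headroom=1.5):
    """Bytes to reserve for retention_days of alerts plus a safety multiplier."""
    return int(bytes_per_day * retention_days * headroom)


def days_until_full(free_bytes, bytes_per_day):
    """How long the filesystem's free space lasts at the measured growth rate."""
    if bytes_per_day <= 0:
        return float("inf")
    return free_bytes / bytes_per_day


def sample_alert_log(path=ALERT_LOG, interval_s=300, retention_days=30):
    """Sample the live log twice and return the projection (needs HIDS installed)."""
    size_then = os.path.getsize(path)
    time.sleep(interval_s)
    size_now = os.path.getsize(path)
    rate = growth_per_day(size_then, size_now, interval_s)
    if rate is None:
        return {"rotated": True}
    st = os.statvfs(os.path.dirname(path))
    free_bytes = st.f_bavail * st.f_frsize   # space available to unprivileged writers
    return {
        "rotated": False,
        "bytes_per_day": rate,
        "days_until_full": days_until_full(free_bytes, rate),
        "capacity_for_retention": required_capacity(rate, retention_days),
    }


if __name__ == "__main__":
    # One five-minute sample is a rough estimate; repeat at peak load for sizing.
    print(sample_alert_log(interval_s=300))
```

Run it during representative (ideally peak) activity, since a quiet period understates the rate; a result of `{"rotated": True}` means the sample straddled a log rotation and should be repeated.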
3.2.1.1.4 Race Condition Template
The race condition template imposes the highest CPU and memory overhead on the system. Use this template with care if concerned about CPU utilization.
3.2.1.2 Tuning Process Priority
The HIDS idscor process performs the CPU and memory intensive operation of executing the detection templates that process the events.
3.2.2.1.1 System performance over security
The default setting for an HIDS agent is “non-blocking” mode because, in certain cases, it is possible that blocking mode may have an overall negative impact on system performance. For example, one may find that many processes are suspended because the audit record buffer is full. The total system throughput may therefore be reduced. Use “non-blocking” mode if system performance takes precedence over security.
3.2.2.1.
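The trade-off between the two modes is easiest to see on a bounded buffer: in blocking mode a full buffer suspends the producing processes until the detection engine drains records, so nothing is lost but throughput drops; in non-blocking mode the producers keep running and records that arrive at a full buffer are discarded, so the engine never sees them. The model below is an added example, not HP's code and not how the HIDS kernel buffer is implemented: it is a toy simulation with an assumed buffer capacity and drain rate that counts processed, dropped and suspended records under each policy.

```python
"""Toy model of an audit-record buffer in blocking vs non-blocking mode.

Added example, not part of the HP guide and not HIDS code. Capacity and drain
rate are assumed constants; "ticks" are abstract time slices.
"""
from collections import deque


def run_buffer(arrivals, capacity, drain_per_tick, blocking):
    """Feed per-tick arrival counts into a bounded buffer and drain it each tick.

    blocking=True : records that find the buffer full wait (their producers are
                    suspended) and are retried next tick; they count as stalled.
    blocking=False: records that find the buffer full are dropped, i.e. the
                    detection engine never processes them.
    Returns (processed, dropped, stalled_record_ticks, ticks_used).
    """
    if drain_per_tick <= 0:
        raise ValueError("drain_per_tick must be positive")
    pending = deque(arrivals)   # arrival counts still to be produced, per tick
    buffered = 0                # records currently in the buffer
    carry = 0                   # records suspended from earlier ticks (blocking only)
    processed = dropped = stalled = ticks = 0
    while pending or carry or buffered:
        ticks += 1
        incoming = carry + (pending.popleft() if pending else 0)
        carry = 0
        accepted = min(capacity - buffered, incoming)
        buffered += accepted
        overflow = incoming - accepted
        if blocking:
            stalled += overflow      # record-ticks spent suspended
            carry = overflow         # retried next tick, nothing lost
        else:
            dropped += overflow      # lost: never reaches the templates
        # The detection engine (idscor) drains a fixed number per tick.
        drained = min(drain_per_tick, buffered)
        buffered -= drained
        processed += drained
    return processed, dropped, stalled, ticks


def compare_modes(arrivals, capacity=50, drain_per_tick=20):
    """Run the same arrival pattern through both policies for side-by-side comparison."""
    return {
        "blocking": run_buffer(arrivals, capacity, drain_per_tick, True),
        "non_blocking": run_buffer(arrivals, capacity, drain_per_tick, False),
    }


if __name__ == "__main__":
    # Constructed burst: 100 records in one tick against a 50-record buffer.
    for mode, result in compare_modes([100, 0, 0, 0, 0]).items():
        print(mode, dict(zip(("processed", "dropped", "stalled", "ticks"), result)))
```

With the constructed burst, blocking mode processes all 100 records at the cost of 90 record-ticks of suspended producers, while non-blocking mode drops half of them; under a steady load below the drain rate the two policies behave identically, which is why the mode only matters when the buffer actually fills.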
race condition attacks, while the HP-UX HIDS Race Condition template will detect them. See the secure_sid_scripts(5) man page for details. Even if the secure_sid_scripts tunable is enabled to prevent setuid script attacks, you might still want to run the Race Condition template to detect other types of race condition attacks (see the Administration Guide in Appendix A for more details on what the Race Condition template detects). 3.2.2.2.
4.0 Reference Documents / Web Sites
Refer to the Administrator’s Guide and Release Notes for the latest release at http://docs.hp.com. HP-UX HIDS can be downloaded from http://sofware.hp.com.
Appendix A – CPU Consumption
The charts below show the CPU consumption of all HIDS processes for various systems when an artificially created rate of system call audit records (events) is applied on the system and when certain HIDS templates are running. The “File Templates” include “Modification of Files/Directories,” “Creation of world-writable files,” “Creation and modification of SETUID files,” “Modification of another user’s files,” and “Changes to log files.”
CPU Consumption on PA Processors The graphs below show that the CPU consumption of HIDS processes increases as the event load is increased.
[Chart: 8 Way PA. x-axis CPU % (0 to 250), y-axis Events/sec (0 to 30000); series: All Templates, File Templates, RC Template]
[Chart: 16 Way PA. x-axis CPU % (0 to 150), y-axis Events/sec (0 to 30000); series: All Templates, File Templates, RC Template]
HP Company Internal Page 14 of 20
CPU Consumption on Itanium Processors The graphs below show that the CPU consumption of HIDS processes increases as the event load is increased. For any given event rate, the CPU consumption is less than on PA systems by a significant amount (between approximately 30-80%).
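The charts in this appendix are used for sizing by reading the CPU % a platform spends at the event rate you expect, then checking that it leaves enough headroom for the host's real workload. The helper below is an added example, not part of the HP guide: it interpolates between chart readings and flags platforms whose projected HIDS CPU load exceeds a chosen fraction of the machine. The numeric points in CHART_POINTS are constructed placeholders, not values read from the charts above; substitute your own readings. The 50% utilization ceiling is likewise an assumption.

```python
"""Pick a platform from CPU-vs-event-rate chart readings with a headroom rule.

Added example, not HP's code. CHART_POINTS holds CONSTRUCTED placeholder
readings; replace them with (events/sec, CPU %) pairs read off the charts.
"""

# (events/sec, CPU %) pairs per platform/template set. CPU % is summed across
# HIDS processes, so an 8-way machine has 800 % available in total.
CHART_POINTS = {
    "8-way PA, All Templates": [(0, 0.0), (10000, 80.0), (20000, 160.0), (30000, 240.0)],
    "8-way IA, All Templates": [(0, 0.0), (10000, 30.0), (20000, 55.0), (30000, 80.0)],
}
NCPU = {"8-way PA, All Templates": 8, "8-way IA, All Templates": 8}


def interpolate(points, x):
    """Piecewise-linear interpolation; extrapolates along the last segment above range."""
    pts = sorted(points)
    if x <= pts[0][0]:
        return pts[0][1]
    for (x0, y0), (x1, y1) in zip(pts, pts[1:]):
        if x <= x1:
            return y0 + (y1 - y0) * (x - x0) / (x1 - x0)
    (x0, y0), (x1, y1) = pts[-2], pts[-1]
    return y1 + (y1 - y0) * (x - x1) / (x1 - x0)


def cpu_budget_ok(points, event_rate, ncpu, max_util_fraction=0.5):
    """True when projected HIDS CPU % stays within max_util_fraction of ncpu * 100 %."""
    return interpolate(points, event_rate) <= max_util_fraction * ncpu * 100


def choose_platforms(event_rate, max_util_fraction=0.5):
    """Names of platforms that keep HIDS within the CPU budget at event_rate."""
    return [name for name, pts in CHART_POINTS.items()
            if cpu_budget_ok(pts, event_rate, NCPU[name], max_util_fraction)]


if __name__ == "__main__":
    for rate in (15000, 30000):
        print(rate, "events/sec:", choose_platforms(rate, max_util_fraction=0.25))
```

Measure the event rate on the target host under peak load before applying the rule; a rate above the chart's right edge is extrapolated and should be treated as a rough estimate only.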
[Chart: 8 Way IA. x-axis CPU % (0 to 80), y-axis Events/sec (0 to 30000); series: All Templates, File Templates, RC Template]
[Chart: 16 Way IA. x-axis CPU % (0 to 100), y-axis Events/sec (0 to 30000); series: All Templates, File Templates, RC Template]
Appendix B – Resident Memory Consumption
The charts below show the resident memory consumption of all HIDS processes for various systems when an artificially created rate of system call audit records (events) is applied on the system and when certain HIDS templates are running. See Appendix A above for the definition of which templates constitute the “File Templates” and how to measure the event rates on your system.
[Chart: 8 Way PA. x-axis Resident Memory (KB) (40000 to 48000), y-axis Events/sec (0 to 30000); series: All Templates, File Templates, RC Template]
[Chart: 16 Way PA. x-axis Resident Memory (KB) (42000 to 48000), y-axis Events/sec (0 to 30000); series: All Templates, File Templates, RC Template]
Memory Consumption on Itanium Processors The graphs below show that the memory consumption of HIDS processes stays within 3-4 megabytes as the event load is increased.
[Chart: 8 Way IA. x-axis Resident Memory (KB) (0 to 80000), y-axis Events/sec (0 to 30000); series: All Templates, File Templates, RC Template]
[Chart: 16 Way IA. x-axis Resident Memory (KB) (0 to 80000), y-axis Events/sec (0 to 30000); series: All Templates, File Templates, RC Template]