Host Intrusion Detection System Administrator's Guide Release 3.0

ManualsBrandsHP ManualsSoftwareHP-UX Host Intrusion Detection System Software

221

222

223

224

225

226

227

228

229

230

The Agent Conﬁguration File

Appendix E

215

The Agent Conﬁguration File

The HP-UX HIDS agent requires a conﬁguration ﬁle named ids.cf, located in the

directory /etc/opt/ids, which describes the location of various required binaries, and

also stores some detection template speciﬁc data. See ids.cf (5). IDS users are strongly

discouraged from editing the conﬁguration ﬁle (except as explicitly directed), as it may

cause failure of the IDS agent software. However, it may be useful to understand some of

the parameters and settings to aid debugging and/or installation.

The conﬁguration ﬁle has ﬁve sections:

1. Global Conﬁguration: Parameters that deﬁne the overall product structure. The

logging and interface parameters may be edited by the administrator. See “Global

Conﬁguration” on page 216.

2. Correlator Conﬁguration: Parameters related to the correlator.

DO NOT EDIT THIS SECTION

3. Data Source Process (DSP) Conﬁguration: A section per-DSP that deﬁnes the system

ﬁles to monitor and level of kernel blocking. See “Data Source Process Conﬁguration”

on page 217.

4. Pattern Mapping Section: The HP-UX HIDS detection templates.

DO NOT EDIT THIS SECTION

5. Remote Communication Section: Parameters required for network communications.

See “Remote Communication Conﬁguration” on page 219.

Forcing Active Agent to Reread Conﬁguration File

If you make changes to the agent conﬁguration ﬁle located in ids.cf, you must instruct

the agent process idsagent to reread the conﬁguration information. On the system that

is running the agent:

1. Become user ids:

$ su - ids

2. Send the hangup signal to the agent process ID:

$ kill -HUP $(cat /var/opt/ids/idsagent.pid)

The idsagent process rereads the conﬁguration ﬁle and reactivates the current

surveillance schedule, if any.

Log File Rotation

Both the IDS_ERRORFILE ﬁle and the IDS_ALERTFILE ﬁle, described in “Global

Conﬁguration” on page 216, are designed to support log rotation. If the ﬁle names are

changed on the system while the HP-UX HIDS agent software is running, the agent

software will recreate the ﬁles as deﬁned in Table E-1 and continue to log to the newly

created ﬁles. Log rotation permits periodic archiving of alerts or errors.