Host Intrusion Detection System Administrator's Guide Release 3.0
The Agent Configuration File
Data Source Process Configuration
Appendix E
218
Controls how the kernel will act if idsagent cannot keep up with the rate of data generated. Its value is the bitwise OR of the following flags:

0x1  IDDS_MODE_DROP       Do not block the kernel (drop audit records) if the buffer is full.
0x2  IDDS_MODE_NONBLOCK   Do not block the reader of /dev/idds when no audit data is available.
0x4  IDDS_MODE_STATUS_ON  Gather statistics on the audit system.
Example settings are:

IDDS_MODE 0   Turn off status gathering and block processes if audit data is generated faster than the agent can consume it. This option sacrifices system performance for totally reliable information gathering.
IDDS_MODE 2   Gather status information on numbers of audit records read or written but still block the kernel. Do not drop audit records in the kernel, but a read of /dev/idds will return immediately if no data is available.
IDDS_MODE 4   Gather status information on numbers of audit records read or written but still block the kernel.
IDDS_MODE 7   Gather status information, but do not block the processes. Instead, audit records will be dropped if there is no space to read them into. This option sacrifices reliability of information for system performance.
Recommended settings:

IDDS_MODE 2   Provides greater security at the expense of performance.
IDDS_MODE 3   Provides performance at the expense of lost audit data, which could lead to missed intrusion attempts.
LOW_WATERMARK

When audit records have been dropped and then are no longer being dropped, this watermark specifies the maximum percent of space in the high channel that must be in use before a notification message is sent to the main idsagent process to indicate that audit records are no longer being dropped. The default is 80 (percent).
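The flag values and the recommended IDDS_MODE settings above, together with the LOW_WATERMARK range, are easy to check mechanically before an agent is deployed. The following Python script is an added example written for this guide's description, not code shipped with the HP-UX HIDS product: it parses the "KEYWORD value" line format that the examples in this appendix use (the exact file syntax, comment handling, and the sample file contents are assumptions), decodes an IDDS_MODE value into its flag names, and reports where the configuration trades audit reliability for performance.

```python
from typing import Dict, List, Tuple

# Flag values exactly as documented for IDDS_MODE (the setting is their bitwise OR).
IDDS_MODE_DROP = 0x1        # do not block the kernel; drop audit records when the buffer is full
IDDS_MODE_NONBLOCK = 0x2    # reads of /dev/idds return immediately when no audit data is available
IDDS_MODE_STATUS_ON = 0x4   # gather statistics on the audit system

FLAG_NAMES = {
    IDDS_MODE_DROP: "IDDS_MODE_DROP",
    IDDS_MODE_NONBLOCK: "IDDS_MODE_NONBLOCK",
    IDDS_MODE_STATUS_ON: "IDDS_MODE_STATUS_ON",
}
ALL_FLAGS = IDDS_MODE_DROP | IDDS_MODE_NONBLOCK | IDDS_MODE_STATUS_ON   # 0x7
RECOMMENDED_MODES = (2, 3)   # the two values the guide recommends
DEFAULT_LOW_WATERMARK = 80   # documented default, in percent

# Constructed sample configuration (assumed "KEYWORD value" syntax, '#' comments).
SAMPLE_CONFIG = """\
# constructed sample, not a real agent configuration file
IDDS_MODE 3
LOW_WATERMARK 80
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'KEYWORD value' lines into a dict, ignoring blanks and '#' comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return settings


def decode_idds_mode(value: int) -> List[str]:
    """Return the names of the flags set in an IDDS_MODE value (0..7)."""
    if not 0 <= value <= ALL_FLAGS:
        raise ValueError(f"IDDS_MODE {value} is outside the valid range 0..{ALL_FLAGS}")
    return [name for bit, name in FLAG_NAMES.items() if value & bit]


def audit_settings(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings about the audit buffering settings."""
    findings: List[Tuple[str, str]] = []

    mode_text = settings.get("IDDS_MODE")
    if mode_text is None:
        findings.append(("error", "IDDS_MODE is not set"))
    else:
        mode = int(mode_text, 0)          # accepts decimal ("3") or hex ("0x3")
        flags = decode_idds_mode(mode)
        findings.append(("info", f"IDDS_MODE {mode} sets: {', '.join(flags) or 'no flags'}"))
        if mode & IDDS_MODE_DROP:
            # The guide's own trade-off: performance gained, audit records lost.
            findings.append(("warn", "IDDS_MODE_DROP set: audit records are dropped when the "
                                     "buffer is full, so intrusion attempts could be missed"))
        else:
            findings.append(("info", "IDDS_MODE_DROP clear: the kernel blocks producers instead "
                                     "of losing audit data (costs system performance)"))
        if not mode & IDDS_MODE_STATUS_ON:
            findings.append(("info", "IDDS_MODE_STATUS_ON clear: no audit statistics are gathered"))
        if mode not in RECOMMENDED_MODES:
            findings.append(("warn", f"IDDS_MODE {mode} is not one of the recommended values "
                                     f"{RECOMMENDED_MODES}"))

    watermark = int(settings.get("LOW_WATERMARK", str(DEFAULT_LOW_WATERMARK)))
    if not 0 <= watermark <= 100:
        findings.append(("error", f"LOW_WATERMARK {watermark} is not a percentage (0..100)"))
    elif "LOW_WATERMARK" not in settings:
        findings.append(("info", f"LOW_WATERMARK not set; default of {DEFAULT_LOW_WATERMARK} percent applies"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_settings(parse_config(SAMPLE_CONFIG)):
        print(f"[{severity}] {message}")
```

Run against the constructed sample, the script reports that IDDS_MODE 3 sets IDDS_MODE_DROP and IDDS_MODE_NONBLOCK and warns that records can be dropped, which is exactly the trade-off the guide attaches to the recommended setting 3; changing the sample to IDDS_MODE 2 clears that warning at the cost of the performance note.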