HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

The first entry, for the system log DSP which monitors various system log files, has no
modifiable parameters. The second entry is for the kernel audit data DSP.
CAUTION: Do not edit any variables in the system log DSP section (between [DSP]
NAME idskernDSP and its [END] tag).
Kernel Audit Data DSP
In the section beginning with
[DSP]
NAME idskernDSP
only the parameters in Table D-3 may be edited.
CAUTION: Do not edit any other variables between [DSP] NAME idskernDSP and
its [END] tag.
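One way to enforce this restriction before a changed configuration is deployed, as an added example that is not part of the original guide: the script compares the idskernDSP section before and after an edit, lists every changed variable other than DROP_NOTIFY_INTERVAL, IDDS_MODE and LOW_WATERMARK, and reports whether the 0x1 IDDS_MODE_DROP flag is set. The "KEY value" line layout, the function names and the HYPOTHETICAL_SETTING key are assumptions.

```python
# Added example, not HP's code. Assumption: every setting is a "KEY value"
# line between [DSP] and [END], as the "NAME idskernDSP" line suggests.
EDITABLE = {"DROP_NOTIFY_INTERVAL", "IDDS_MODE", "LOW_WATERMARK"}  # Table D-3
IDDS_MODE_DROP = 0x1  # flag from the guide: drop records, do not block kernel

def dsp_section(text, name="idskernDSP"):
    """Return {key: value} for the [DSP] section whose NAME matches."""
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[DSP]":
            current = {}
        elif line == "[END]" and current is not None:
            if current.get("NAME") == name:
                section = current
            current = None
        elif current is not None and line:
            key, value = (line.split(None, 1) + [""])[:2]
            current[key] = value
    if section is None:
        raise ValueError(f"no [DSP] section named {name}")
    return section

def disallowed_edits(original, edited, name="idskernDSP"):
    """Keys changed, added or removed that are not listed in Table D-3."""
    before, after = dsp_section(original, name), dsp_section(edited, name)
    changed = {k for k in before.keys() | after.keys()
               if before.get(k) != after.get(k)}
    return sorted(changed - EDITABLE)

def drop_flag_set(text, name="idskernDSP"):
    """True if IDDS_MODE has the 0x1 IDDS_MODE_DROP bit set."""
    return bool(int(dsp_section(text, name)["IDDS_MODE"], 0) & IDDS_MODE_DROP)

# Constructed sample; HYPOTHETICAL_SETTING is a made-up placeholder key.
ORIGINAL = """[DSP]
NAME idskernDSP
HYPOTHETICAL_SETTING 1
DROP_NOTIFY_INTERVAL 480
IDDS_MODE 3
LOW_WATERMARK 50
[END]
"""
OK_EDIT = ORIGINAL.replace("DROP_NOTIFY_INTERVAL 480", "DROP_NOTIFY_INTERVAL 60")
BAD_EDIT = OK_EDIT.replace("HYPOTHETICAL_SETTING 1", "HYPOTHETICAL_SETTING 0")

print(disallowed_edits(ORIGINAL, OK_EDIT), disallowed_edits(ORIGINAL, BAD_EDIT))
```

An empty list means the edit stayed within Table D-3; any key in the list should be reverted before the agent is restarted.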
Table D-3 DSP idskernDSP Parameters

Name                    Default Value
DROP_NOTIFY_INTERVAL    480 (minutes)
IDDS_MODE               3 (dropping mode)
LOW_WATERMARK           50 (percent)

They are defined as follows:

DROP_NOTIFY_INTERVAL
    The number of minutes that the kernel DSP will wait before sending another status message that either audit records are still being dropped (due to heavy load) or are no longer being dropped because IDS has caught up with the system call audit stream. When audit records are first dropped, the kernel DSP will send a “dropping audit records” message to the main idsagent process. After DROP_NOTIFY_INTERVAL minutes have elapsed and if audit records are still being dropped, the kernel DSP will send a “dropping audit records” reminder message; otherwise, it will send a “no longer dropping audit records” message. The default value is 480 (minutes).

IDDS_MODE
    Controls how the kernel will act if idsagent cannot keep up with the rate of data generated. Its value is the bitwise OR of the following flags:

    0x1 IDDS_MODE_DROP    Do not block kernel (drop audit records) if buffer is full.