HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
0x2 IDDS_MODE_NONBLOCK
    Do not block the reader of /dev/idds when no audit data is available.
0x4 IDDS_MODE_STATUS_ON
    Gather statistics on the audit system.
Example settings are:

IDDS_MODE 0
    Turn off status gathering and block processes if audit data is generated faster than the agent can consume it. This option sacrifices system performance for totally reliable information gathering.
IDDS_MODE 2
    Gather status information on numbers of audit records read or written but still block the kernel. Do not drop audit records in the kernel but a read of /dev/idds will return immediately if no data is available.
IDDS_MODE 4
    Gather status information on numbers of audit records read or written but still block the kernel.
IDDS_MODE 7
    Gather status information, but do not block the processes. Instead, audit records will be dropped if there is no space to read them into. This option sacrifices reliability of information for system performance.
Recommended settings:

IDDS_MODE 2
    Provides greater security at the expense of performance.
IDDS_MODE 3
    Provides performance at the expense of lost audit data, which could lead to missed intrusion attempts.
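
The following check is an added example, not part of the HP guide or the product: it reads an IDDS_MODE line from configuration text and reports whether the setting can lose audit records. The 0x2 and 0x4 meanings follow the flag table above; reading 0x1 as "drop records instead of blocking" is an assumption inferred from the IDDS_MODE 3 and 7 descriptions, and the function names, the sample text and the "last uncommented line wins" rule are also assumptions.

```shell
#!/bin/sh
# Added example: audit the IDDS_MODE setting in agent configuration text.
# 0x2 and 0x4 are taken from the flag table above. Reading 0x1 as
# "drop audit records instead of blocking" is an assumption inferred from
# the IDDS_MODE 3 and IDDS_MODE 7 descriptions.

# Constructed sample input, not a real agent configuration file.
SAMPLE_CONFIG='# IDDS_MODE 2
IDDS_MODE 3'

# Print the IDDS_MODE value found in configuration text on stdin.
# Assumptions: "KEY value" lines, decimal value, last uncommented line wins.
idds_mode_value() {
    awk '$1 == "IDDS_MODE" { v = $2 } END { if (v != "") print v }'
}

# Classify a mode value. Returns 0 if no records are dropped,
# 1 if records may be dropped, 2 if the value is missing or outside 0-7.
idds_mode_audit() {
    m=$1
    case $m in
        [0-7]) ;;
        *) echo "IDDS_MODE '$m': missing or outside the 0-7 range of the flags shown"
           return 2 ;;
    esac
    drop=no; nonblock=no; status=no
    if [ $(( $m & 1 )) -ne 0 ]; then drop=yes; fi      # assumed meaning of 0x1
    if [ $(( $m & 2 )) -ne 0 ]; then nonblock=yes; fi  # IDDS_MODE_NONBLOCK
    if [ $(( $m & 4 )) -ne 0 ]; then status=yes; fi    # IDDS_MODE_STATUS_ON
    echo "IDDS_MODE $m: drop=$drop nonblock_read=$nonblock status=$status"
    if [ "$drop" = yes ]; then
        echo "  audit records can be dropped under load; intrusion attempts may be missed"
        return 1
    fi
    echo "  audited processes block rather than lose records"
    return 0
}

# Run the check on the constructed sample.
mode=$(printf '%s\n' "$SAMPLE_CONFIG" | idds_mode_value)
idds_mode_audit "$mode" || echo "  review IDDS_MODE before relying on this agent"
```
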
LOW_WATERMARK
    When audit records have been dropped and then are no longer being dropped, this watermark specifies the maximum percent of space in the high channel that must be in use before a notification message is sent to the main idsagent process to indicate that audit