HP-UX Host Intrusion Detection System Version 4.2 Administration Guide

D The Agent Configuration File
This appendix describes the user-configurable options that can be modified in the HP-UX HIDS
agent configuration file, which is located in /etc/opt/ids/ids.cf. This appendix addresses
the following topics:
“The Agent Configuration File” (page 191)
“Forcing Active Agent to Reread Configuration File” (page 191)
“Log File Rotation” (page 191)
“Global Configuration” (page 192)
“Data Source Process Configuration” (page 194)
“Remote Communication Configuration” (page 195)
The Agent Configuration File
The HP-UX HIDS agent requires a configuration file named ids.cf, located in the directory
/etc/opt/ids. See ids.cf(4) for details. There is usually no need to modify the configuration
file; any modifications should be made with caution after reading the ids.cf man page. However,
it may be useful to understand some of the parameters and settings to aid debugging and
installation.
The configuration file contains four sections:
1. Global Configuration: Parameters that define the overall product structure. The logging and
interface parameters may be edited by the administrator. See “Global Configuration”
(page 192).
2. Correlator Configuration: Parameters related to the correlator. A parameter can be configured
to take measurements of the system call event rate. See “Correlator Process Configuration”
(page 193).
3. Data Source Process (DSP) Configuration: One section per DSP that defines the system files
to monitor and the level of kernel blocking. See “Data Source Process Configuration” (page 194).
4. Remote Communication Section: Parameters required for network communications. See
“Remote Communication Configuration” (page 195).
Forcing Active Agent to Reread Configuration File
If you make changes to the agent configuration file, /etc/opt/ids/ids.cf, you must instruct the
agent process idsagent to reread the configuration information. On the system that is running
the agent:
1. Become user ids:
$ su - ids
2. Send the hangup signal to the agent process ID:
$ kill -HUP $(cat /var/opt/ids/idsagent.pid)
The idsagent process rereads the configuration file and reactivates the current surveillance
schedule, if any.
Log File Rotation
Both the IDS_ERRORFILE file and the IDS_ALERTFILE file, described in “Global Configuration”
(page 192), are designed to support log rotation. If the files are renamed on the system while
the HP-UX HIDS agent software is running, the agent software recreates the files as defined
in Table D-1 and continues to log to the newly created files. Log rotation permits periodic archiving
of alerts or errors.
To rotate a log file, use the mv command. For example:
% mv /var/opt/ids/alert.log /home/ids/alert.log_Jan_06
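The following is an added example, not part of the HP guide or HP's own scripts: a POSIX sh wrapper around the mv rotation shown above that timestamps the archive, refuses to overwrite an earlier archive, and refuses a move to a different filesystem. The function names, the same-filesystem safeguard and the archive permissions are assumptions of this example.

```shell
#!/bin/sh
# Added example (not HP code): rotate a HIDS log by renaming it.

# fs_of PATH: print the mount point that holds PATH (last column of df -P).
fs_of() {
    df -P "$1" | awk 'NR == 2 { print $NF }'
}

# rotate_ids_log LOGFILE ARCHIVE_DIR
# Prints the archive path on success; on any refusal the log is left untouched.
rotate_ids_log() {
    log=$1 dir=$2
    [ -f "$log" ] || { echo "no such log: $log" >&2; return 1; }
    [ -d "$dir" ] || { echo "no such archive dir: $dir" >&2; return 1; }
    # Within one filesystem mv is an atomic rename. Across filesystems it
    # copies and then deletes, so lines written during the copy can be lost.
    # Refusing that case is this example's own safeguard (an assumption).
    if [ "$(fs_of "$log")" != "$(fs_of "$dir")" ]; then
        echo "refusing: $dir is on a different filesystem than $log" >&2
        return 2
    fi
    dest=$dir/$(basename "$log").$(date +%Y%m%d-%H%M%S)
    # Never overwrite an earlier archive.
    [ -e "$dest" ] && { echo "archive exists: $dest" >&2; return 3; }
    mv "$log" "$dest" || return 4
    chmod 400 "$dest"    # archived alerts are evidence: owner read-only
    echo "$dest"
}

# wait_recreated LOGFILE SECONDS: succeed once LOGFILE exists again.
# The guide does not say how soon the agent recreates the file, so a
# timeout is a prompt to check the agent, not proof that it has failed.
wait_recreated() {
    n=0
    while [ "$n" -lt "$2" ]; do
        [ -f "$1" ] && return 0
        sleep 1
        n=$((n + 1))
    done
    return 1
}
```

Run it as user ids, passing the log path (for example /var/opt/ids/alert.log) and an archive directory on the same filesystem.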