HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)

Global Configuration
The Global section is bracketed by the [global]...[END] keywords. Only the parameters in
Table 52 may be edited.
CAUTION: Do not edit any other variables between [global] and its [END] tag.
Table 52 Global Configuration Variables
Name                  Default Value
IDS_ALERTFILE         /var/opt/ids/alert.log
IDS_ERRORFILE         /var/opt/ids/error.log
IDS_LISTEN_IFACE      ""
IDS_RT_RESPONSE_DIR   /opt/ids/rt_response
IDS_RESPONSE_DIR      /opt/ids/response
They are defined as follows:
IDS_ALERTFILE The full path name to the alert log file for this HP-UX HIDS agent
process. Any alerts resulting from intrusive activity detected by the
agent software will be logged to this file.
IDS_ERRORFILE The full path name to the error log file for this HP-UX HIDS agent
process. Any errors generated in the operation of the agent software
will be logged to this file.
IDS_LISTEN_IFACE The IP address or host name associated with the agent system’s
network interface card.
On a system with only one IP address, this parameter does not need
to be specified.
On a multihomed system (a system with more than one network
interface card) this parameter is required. See “Configuring a
Multihomed Agent System” (page 29) for configuration information.
IDS_RT_RESPONSE_DIR The full path name to the automated response directory, containing
executable binary or script programs that are executed on the agent
node. These programs are executed when a real-time alert is
generated and when both the Alert Aggregation and the Real Time
Alerts options are enabled. The programs can take any actions that
you deem appropriate. For more information on writing response
scripts, see Appendix B (page 150). For more information about how
real time alerts can be generated when alert aggregation is enabled,
see “Configuring Alert Aggregation” (page 67).
IDS_RESPONSE_DIR The full path name to the automated response directory containing
executable binary or script programs that are executed on the agent
node. These programs are executed either when alert aggregation
is disabled and any alert is generated or when alert aggregation
is enabled and an aggregated alert or an alert that is not or cannot
be aggregated is generated. The programs can take any actions
that you deem appropriate. For information on writing response
scripts, see Appendix B (page 150).
For more information about the different types of alerts that can be generated when alert aggregation
is enabled, see “Configuring Alert Aggregation” (page 67).
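Because every program placed in IDS_RT_RESPONSE_DIR or IDS_RESPONSE_DIR is executed by the agent when an alert fires, the permissions on those directories decide who can run code on the agent node. The script below is an added example, not part of this guide or of the HP-UX HIDS product: it pulls the editable parameters out of the [global] ... [END] block of a configuration file and reports response directories that group or other users can write to. It assumes one parameter per line written as NAME value or NAME=value (optionally double-quoted) with # starting a comment; the page does not show the real file syntax, and the sample file it writes under mktemp is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not HP-UX HIDS code): audit the editable [global] parameters.
# Assumed syntax: "NAME value" or "NAME=value", optional double quotes,
# "#" comments. Only the lines between [global] and its [END] tag are read.

# Print the lines between [global] and the matching [END] (keyword case ignored).
global_block() {
    awk 'tolower($0) ~ /^[ \t]*\[global\]/ { inblk = 1; next }
         inblk && toupper($0) ~ /^[ \t]*\[END\]/ { inblk = 0 }
         inblk { print }' "$1"
}

# Print the value of one parameter from the global block ("" if unset or empty).
global_param() {
    global_block "$1" | awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (match(line, /[ \t=]/) == 0) { k = line; v = "" }
            else { k = substr(line, 1, RSTART - 1); v = substr(line, RSTART + 1) }
            if (k != key) next
            sub(/^[ \t=]+/, "", v)
            sub(/[ \t]+$/, "", v)
            if (v ~ /^".*"$/) v = substr(v, 2, length(v) - 2)
            print v
            exit
        }'
}

# Exit 0 when the path is a directory that its group or other users may write to.
dir_group_or_world_writable() {
    [ -d "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Report problems with the editable parameters; the return value is the
# number of findings (0 means nothing to report). IDS_LISTEN_IFACE being
# empty is only noted, since whether the host is multihomed is not known here.
check_global() {
    conf=$1; findings=0
    for name in IDS_ALERTFILE IDS_ERRORFILE IDS_RT_RESPONSE_DIR IDS_RESPONSE_DIR; do
        val=$(global_param "$conf" "$name")
        case "$val" in
            /*) ;;
            *) echo "$name: expected a full path name, got '$val'"; findings=$((findings + 1)) ;;
        esac
    done
    for name in IDS_RT_RESPONSE_DIR IDS_RESPONSE_DIR; do
        d=$(global_param "$conf" "$name")
        if [ ! -d "$d" ]; then
            echo "$name: $d is not a directory"; findings=$((findings + 1))
        elif dir_group_or_world_writable "$d"; then
            echo "$name: $d is group/world writable; anyone who can write there runs code when an alert fires"
            findings=$((findings + 1))
        fi
    done
    [ -n "$(global_param "$conf" IDS_LISTEN_IFACE)" ] || \
        echo "note: IDS_LISTEN_IFACE is empty; it is required on a multihomed agent system"
    return $findings
}

# --- constructed demonstration input (not a real HIDS configuration file) ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/rt_response" "$DEMO/response"
chmod 777 "$DEMO/rt_response"   # deliberately wrong: any local user could drop a script here
chmod 755 "$DEMO/response"
cat > "$DEMO/ids.conf" <<EOF
[global]
IDS_ALERTFILE        $DEMO/alert.log
IDS_ERRORFILE        $DEMO/error.log
IDS_LISTEN_IFACE     ""
IDS_RT_RESPONSE_DIR  $DEMO/rt_response
IDS_RESPONSE_DIR     $DEMO/response
[END]
[Correlator]
IDS_RT_RESPONSE_DIR  /not/in/the/global/block
[END]
EOF

n=0
check_global "$DEMO/ids.conf" || n=$?
echo "findings: $n"
```

Run it against the real configuration file path used on your agent node; the sample run reports one finding, the world-writable rt_response directory, and the note about the empty IDS_LISTEN_IFACE. The value under [Correlator] is ignored because only the [global] block is parsed.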
Correlator Process Configuration
The correlator section is bracketed by the [Correlator] ... [END] keywords. Only the parameters
in Table E-2 may be edited.