HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
IDDS_MODE 2    Gather status information on numbers of audit records read or written but still block the kernel. Do not drop audit records in the kernel but a read of /dev/idds will return immediately if no data is available.
IDDS_MODE 4    Gather status information on numbers of audit records read or written but still block the kernel.
IDDS_MODE 7    Gather status information, but do not block the processes. Instead, audit records will be dropped if there is no space to read them into. This option sacrifices reliability of information for system performance.
Recommended settings:
IDDS_MODE 2    Provides greater security at the expense of performance.
IDDS_MODE 3    Provides performance at the expense of lost audit data, which could lead to missed intrusion attempts.
LOW_WATERMARK    When audit records have been dropped and then are no longer being dropped, this watermark specifies the maximum percent of space in the high channel that must be in use before a notification message is sent to the main idsagent process to indicate that audit records are no longer being dropped. The default is 50 (percent).
MONITOR_FAILED_ATTEMPTS    This parameter can be used to override the monitor_failed_attempt schedule global property. See “Surveillance Schedule Section” (page 193) for details about the monitor_failed_attempt schedule property.
Remote Communication Configuration
The remote communication configuration section lies between the [RemoteSA] and [END] tags.
Only the parameters in Table 55 may be edited.
CAUTION: Do not edit any other variables between [RemoteSA] and its [END] tag.
Table 55 Correlator Configuration Variables
Name                   Default Value
IDS_CONNECT_TIMEOUT    12
IDS_READ_TIMEOUT       12
IDS_WRITE_TIMEOUT      12
IDS_SSL_TIMEOUT        60
REMOTEHOST             (hostname passed to IDS_importAgentKeys)
They are defined as follows:
IDS_CONNECT_TIMEOUT    The timeout value in seconds for the agent to complete a network connection with the administration system.
IDS_READ_TIMEOUT    The timeout value in seconds for the agent to complete a network read operation from the administration system.
IDS_WRITE_TIMEOUT    The timeout value in seconds for the agent to complete a network write operation to the administration system.
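The CAUTION on the [RemoteSA] section can be checked mechanically by comparing the edited file against a saved copy of the original. The following Python script is an added example, not part of the HP guide. It assumes one NAME and value per line, separated by whitespace or '=', with '#' starting a comment; the EXAMPLE_* variable names and the host name are constructed placeholders.

```python
import re

# Variables that Table 55 lists as editable inside [RemoteSA] ... [END].
EDITABLE = {"IDS_CONNECT_TIMEOUT", "IDS_READ_TIMEOUT", "IDS_WRITE_TIMEOUT",
            "IDS_SSL_TIMEOUT", "REMOTEHOST"}

def remote_sa_settings(text):
    """Return {name: value} for the lines between [RemoteSA] and its [END]."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[RemoteSA]":
            inside = True
        elif line == "[END]":
            inside = False
        elif inside and line and not line.startswith("#"):
            # Assumed syntax: NAME, then whitespace or '=', then the value.
            parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
            settings[parts[0]] = parts[1] if len(parts) > 1 else ""
    return settings

def unexpected_changes(baseline_text, current_text):
    """Report (name, old, new) for changed variables that are not in Table 55."""
    old = remote_sa_settings(baseline_text)
    new = remote_sa_settings(current_text)
    return [(name, old.get(name), new.get(name))
            for name in sorted(set(old) | set(new))
            if name not in EDITABLE and old.get(name) != new.get(name)]

# Constructed sample files; EXAMPLE_* names and the host are placeholders.
BASELINE = """[RemoteSA]
IDS_CONNECT_TIMEOUT 12
IDS_READ_TIMEOUT 12
IDS_WRITE_TIMEOUT 12
IDS_SSL_TIMEOUT 60
REMOTEHOST admin.example.com
EXAMPLE_INTERNAL_VAR 1
[END]
"""
EDITED = (BASELINE.replace("IDS_READ_TIMEOUT 12", "IDS_READ_TIMEOUT 30")
                  .replace("EXAMPLE_INTERNAL_VAR 1",
                           "EXAMPLE_INTERNAL_VAR 0\nEXAMPLE_ADDED_VAR yes"))

if __name__ == "__main__":
    for name, old, new in unexpected_changes(BASELINE, EDITED):
        print(f"{name}: {old!r} -> {new!r} (not editable per Table 55)")
```

The change to IDS_READ_TIMEOUT is not reported because Table 55 permits it; the two EXAMPLE_* differences are.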
190 The Agent Configuration File