HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

D The Agent Configuration File
This appendix describes the user-configurable options that can be modified in the HP-UX HIDS
agent configuration file, which is located in /etc/opt/ids/ids.cf. This appendix addresses
the following topics:
“The Agent Configuration File”
“Forcing Active Agent to Reread Configuration File”
“Log File Rotation”
“Global Configuration”
“Data Source Process Configuration”
“Remote Communication Configuration”
The Agent Configuration File
The HP-UX HIDS agent requires a configuration file named ids.cf, located in the directory
/etc/opt/ids. See ids.cf(4) for details. There is usually no need to modify the configuration file; any
modifications should be made with caution after reading the ids.cf man page. However, it may
be useful to understand some of the parameters and settings to aid debugging and installation.
The configuration file contains four sections:
1. Global Configuration: Parameters that define the overall product structure. The logging and
interface parameters may be edited by the administrator. See “Global Configuration”
(page 183).
2. Correlator Configuration: Parameters related to the correlator. A parameter can be configured
to take measurements of the system call event rate. See “Correlator Process Configuration”
(page 183).
3. Data Source Process (DSP) Configuration: A section per DSP that defines the system files to
monitor and the level of kernel blocking. See “Data Source Process Configuration” (page 184).
4. Remote Communication Section: Parameters required for network communications. See “Remote
Communication Configuration” (page 186).
Forcing Active Agent to Reread Configuration File
If you make changes to the agent configuration file, ids.cf, you must instruct the agent
process idsagent to reread the configuration information. On the system that is running the
agent:
1. Become user ids:
$ su - ids
2. Send the hangup signal to the agent process ID:
$ kill -HUP $(cat /var/opt/ids/idsagent.pid)
The idsagent process rereads the configuration file and reactivates the current surveillance
schedule, if any.
Log File Rotation
Both the IDS_ERRORFILE file and the IDS_ALERTFILE file, described in “Global Configuration”
(page 183), are designed to support log rotation. If the file names are changed on the system while
the HP-UX HIDS agent software is running, the agent software will recreate the files as defined in
Table 52 and continue to log to the newly created files. Log rotation permits periodic archiving of
alerts or errors.
To rotate a log file, use the mv command. For example:
% mv /var/opt/ids/alert.log /home/ids/alert.log_Jan_06
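A rotation helper built around the mv step above, as an added example that is not HP's own tooling: it renames the log, refuses to overwrite an earlier archive, and then checks that the agent has recreated the live file. The function names, the timestamp suffix, the archive directory and the read-only permission on the archive are assumptions; the page does not say how quickly the agent recreates the file, so a timeout is a prompt to check the agent rather than proof of failure.

```shell
#!/bin/sh
# Added example (not part of the HP-UX HIDS product): rotate a HIDS log with mv
# and confirm the agent recreated it. Function names are hypothetical.

# rotate_log LIVE_LOG ARCHIVE_DIR
# Prints the archive path on success. Keeping ARCHIVE_DIR on the same
# filesystem as the log makes mv a rename rather than a copy-then-delete.
rotate_log() {
    live=$1
    dir=$2
    if [ ! -f "$live" ]; then
        echo "rotate_log: no such log: $live" >&2
        return 1
    fi
    if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
        echo "rotate_log: archive directory not writable: $dir" >&2
        return 1
    fi
    dest="$dir/$(basename "$live")_$(date +%Y%m%d_%H%M%S)"
    if [ -e "$dest" ]; then          # never overwrite an earlier archive
        echo "rotate_log: archive already exists: $dest" >&2
        return 1
    fi
    mv "$live" "$dest" || return 1
    chmod 400 "$dest"                # assumption: archives are kept read-only
    echo "$dest"
}

# wait_recreated LIVE_LOG SECONDS
# Returns 0 once LIVE_LOG exists again, 1 if it has not reappeared in time.
wait_recreated() {
    live=$1
    left=$2
    while [ "$left" -gt 0 ]; do
        [ -f "$live" ] && return 0
        sleep 1
        left=$((left - 1))
    done
    [ -f "$live" ]
}

# Typical use (the archive directory is a hypothetical path):
#   rotate_log /var/opt/ids/alert.log /var/opt/ids/archive
#   wait_recreated /var/opt/ids/alert.log 60 || echo "check idsagent" >&2
```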