3.2.2.1.1 System performance over security
The default setting for an HIDS agent is
3.2.2.1.2 Security over system performance
In the “blocking” mode, no data is discarded before the agent can process it. As no data is discarded, there is less likelihood that an intrusion will be missed. Thus this setting places a premium on security.
3.2.2.1.3 How to change from non-blocking to blocking mode
The mode setting is controlled by the IDDS_MODE entry in the ids.cf configuration file (default location is /etc/opt/ids/ids.cf).
The IDDS_MODE entry in the ids.cf file can be set to one of the following values:
2 - blocking mode
3 -
The ids.cf file must be reread and any running HIDS surveillance schedule must be restarted before the change to ids.cf takes effect (no reboot is required). See the HIDS Administrators Guide in Appendix E for more details on configuring and rereading the ids.cf configuration file.
3.2.2.2 Kernel Tunables
3.2.2.2.1 enable_idds
This tunable is automatically set to 1 when HIDS is installed. This tunable must be set to 1 in order for IDDS to produce system call audit records that are needed by the
3.2.2.2.2 max_thread_proc
You need to ensure that the system on which the HIDS System Manager is running provides enough threads per process to handle the maximum number of agent systems you will monitor at one time. See “Enabling Over 23 Agents (Thread Limits)” in the Configuration Chapter of the
3.2.2.2.3 tcp_conn_request_max
The HIDS System Manager communicates with agent systems using the TCP protocol. On some systems, the TCP parameter, tcp_conn_request_max, is set initially to allow up to 20 inbound requests to be active at one time. If you have a larger number of agent systems, this value will be inadequate. If this is a problem, an agent’s error log will contain messages like “write_msg: error opening connection to remote host...,” “open_connection: connect error,” and “open_connection: Timed out waiting on select() for connect to complete.” You can view and change this parameter with the ndd command. See “Enabling Over 20 Inbound Requests” in the Configuration Chapter of the
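As an added illustration (not part of the HP document or the HIDS product), a small Python health check covering the blocking-mode setting from 3.2.2.1.3 and the tcp_conn_request_max symptoms described above: it reads IDDS_MODE from ids.cf text, scans agent error-log lines for the three connection-failure messages, and compares the inbound-request limit with the number of agents. The KEY=VALUE layout of ids.cf and the sample log lines are assumptions constructed here.

```python
import re

# Agent error-log messages the text associates with an inadequate tcp_conn_request_max.
CONN_LIMIT_SIGNATURES = (
    "write_msg: error opening connection to remote host",
    "open_connection: connect error",
    "open_connection: Timed out waiting on select() for connect to complete",
)

# Constructed sample input (assumed KEY=VALUE layout; verify against a real ids.cf).
SAMPLE_IDS_CF = """# constructed ids.cf excerpt
IDDS_MODE = 2   # 2 = blocking mode
"""

# Constructed agent error-log lines.
SAMPLE_AGENT_LOG = [
    "agent: surveillance schedule started",
    "agent: write_msg: error opening connection to remote host...",
    "agent: open_connection: Timed out waiting on select() for connect to complete",
]


def idds_mode(ids_cf_text):
    """Return the IDDS_MODE value from ids.cf text as an int, or None if no entry is present."""
    for raw in ids_cf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        match = re.fullmatch(r"IDDS_MODE\s*=\s*(\d+)", line)
        if match:
            return int(match.group(1))
    return None


def is_blocking(ids_cf_text):
    """True when IDDS_MODE is 2, the blocking mode in which no audit data is discarded."""
    return idds_mode(ids_cf_text) == 2


def connection_limit_hits(log_lines):
    """Return the log lines that carry one of the connection-failure signatures."""
    return [line for line in log_lines
            if any(sig in line for sig in CONN_LIMIT_SIGNATURES)]


def inbound_limit_adequate(tcp_conn_request_max, agent_count):
    """True when the kernel's inbound-request limit covers every monitored agent."""
    return agent_count <= tcp_conn_request_max


if __name__ == "__main__":
    print("blocking mode:", is_blocking(SAMPLE_IDS_CF))
    print("connection failures:", len(connection_limit_hits(SAMPLE_AGENT_LOG)))
    print("20 inbound requests adequate for 25 agents:", inbound_limit_adequate(20, 25))
```

On a live system the ids.cf text would come from /etc/opt/ids/ids.cf and the limit from the ndd command the text mentions.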
3.2.2.2.4 secure_sid_scripts
Starting with 11i v1.6, the execution of setuid scripts, which is vulnerable to race condition attacks, is prevented if this tunable is set (enabled by default). Enabling this tunable will prevent setuid script
HP Company Internal | Page 9 of 20 |