HP Host Intrusion Detection System (HIDS) manual Agent Configuration File

Models: Host Intrusion Detection System (HIDS)


The Agent Configuration File


The HP-UX HIDS agent requires a configuration file named ids.cf, located in the directory /etc/opt/ids. The file describes the location of various required binaries and also stores some data specific to the detection templates. See ids.cf(5). IDS users are strongly discouraged from editing the configuration file (except as explicitly directed), as doing so may cause the IDS agent software to fail. However, understanding some of the parameters and settings can help with debugging or installation.

The configuration file has five sections:

1. Global Configuration: Parameters that define the overall product structure. The logging and interface parameters may be edited by the administrator. See “Global Configuration” on page 216.

2. Correlator Configuration: Parameters related to the correlator.

DO NOT EDIT THIS SECTION

3. Data Source Process (DSP) Configuration: One section per DSP that defines the system files to monitor and the level of kernel blocking. See “Data Source Process Configuration” on page 217.

4. Pattern Mapping Section: The HP-UX HIDS detection templates.

DO NOT EDIT THIS SECTION

5. Remote Communication Section: Parameters required for network communications. See “Remote Communication Configuration” on page 219.

Forcing Active Agent to Reread Configuration File

If you make changes to the agent configuration file ids.cf, you must instruct the agent process idsagent to reread the configuration information. On the system that is running the agent:

1. Become user ids:

$ su - ids

2. Send the hangup signal to the agent process ID:

$ kill -HUP $(cat /var/opt/ids/idsagent.pid)

The idsagent process rereads the configuration file and reactivates the current surveillance schedule, if any.

Log File Rotation

Both the IDS_ERRORFILE file and the IDS_ALERTFILE file, described in “Global Configuration” on page 216, are designed to support log rotation. If the file names are changed on the system while the HP-UX HIDS agent software is running, the agent software will recreate the files as defined in Table E-1 and continue to log to the newly created files. Log rotation permits periodic archiving of alerts or errors.
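The rename-based rotation described above can be scripted as follows. This is an added example, not part of the HP manual: the function name rotate_ids_log and the KEEP retention count are assumptions, and the log path is passed as an argument because the IDS_ALERTFILE and IDS_ERRORFILE values are set in ids.cf and are not shown on this page.

```shell
#!/bin/sh
# Added example: rename-based rotation for an HP-UX HIDS agent log.
# rotate_ids_log LOGFILE KEEP
#   LOGFILE  path configured as IDS_ALERTFILE or IDS_ERRORFILE (caller supplies it)
#   KEEP     number of archives to retain (hypothetical retention policy)
# Prints the archive name on success; returns 1 if there is nothing to rotate.
rotate_ids_log() {
    log=$1
    keep=$2

    # A missing or empty log means there is nothing to archive.
    [ -s "$log" ] || return 1

    stamp=$(date -u +%Y%m%d%H%M%S)
    archive="$log.$stamp"
    # Never overwrite an archive created earlier in the same second.
    n=0
    while [ -e "$archive" ]; do
        n=$((n + 1))
        archive="$log.$stamp.$n"
    done

    # Rename only, no copy-and-truncate: the manual states that the agent
    # recreates the file under its configured name and continues logging.
    mv "$log" "$archive" || return 1

    # Count every file matching LOGFILE.* (keep unrelated files out of
    # that namespace, since they would be counted and pruned as archives).
    total=0
    for old in "$log".*; do
        [ -e "$old" ] && total=$((total + 1))
    done

    # Glob results are sorted, and UTC timestamps sort chronologically,
    # so the first matches are the oldest archives.
    for old in "$log".*; do
        [ "$total" -gt "$keep" ] || break
        rm -f "$old"
        total=$((total - 1))
    done

    printf '%s\n' "$archive"
}
```

Run it once per log file, for example from cron, and ship or checksum the printed archive before the retention limit prunes it.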

Appendix E
