The memory consumption of the HIDS agent processes is charted against the rate of system call audit records (events) in Appendix B.

3.1.4 Disk Capacity

One of the main functions of HIDS is to log alerts locally to disk on the server being monitored. By default, the log file used is /var/opt/ids/alert.log. The number of alerts will vary depending on what HIDS is configured to monitor and the load activity on the system. The continuous operation of HIDS can produce many alerts and can therefore consume a large amount of disk space. In addition, a 20 megabyte memory mapped file is created in /var/opt/ids. It is recommended to allocate at least 100MB to the disk partition that contains /var/opt/ids on each system running the HIDS agent. The amount of disk space needed can be reduced by performing log rotation of alert.log.
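The following is an added example, not part of the HP-UX HIDS documentation or product, of a copy-and-truncate rotation for alert.log that can be run from cron. It assumes (an assumption, not stated on this page) that the agent keeps alert.log open for append, so the live file is copied and truncated in place rather than renamed, which avoids having to restart or signal the agent; the rotated copies are kept beside the live file as alert.log.1 up to alert.log.N, and the size threshold and retention count are chosen by the administrator.

```sh
#!/bin/sh
# Added example (not HIDS product code): copy-and-truncate rotation of the
# HIDS alert log. Assumption: the agent holds alert.log open for append, so
# truncating in place (rather than renaming) keeps the agent writing to the
# same file without a restart.

# rotate_alert_log LOGFILE KEEP
#   Shift LOGFILE.1 -> LOGFILE.2 ... up to KEEP copies, copy the live log to
#   LOGFILE.1, then truncate the live log in place. Returns 1 on error.
rotate_alert_log() {
    log=$1
    keep=$2
    [ -f "$log" ] || return 1
    i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        [ -f "$log.$prev" ] && mv -f "$log.$prev" "$log.$i"
        i=$prev
    done
    cp -p "$log" "$log.1" || return 1
    : > "$log"
    return 0
}

# rotate_if_needed LOGFILE MAXBYTES KEEP
#   Rotate only when the live log has grown past MAXBYTES.
#   Returns 0 if a rotation happened, 2 if none was needed, 1 on error.
rotate_if_needed() {
    log=$1
    maxbytes=$2
    keep=$3
    [ -f "$log" ] || return 1
    size=$(wc -c < "$log" | tr -d ' ')
    if [ "$size" -gt "$maxbytes" ]; then
        rotate_alert_log "$log" "$keep"
        return $?
    fi
    return 2
}

# Typical hourly cron use: rotate at 10 MB, keep five rotated copies.
# rotate_if_needed /var/opt/ids/alert.log 10485760 5
```

Run it from the root crontab on each monitored server; the threshold and retention should be set so that the live log plus the retained copies stay well within the space allocated to the partition holding /var/opt/ids. Rotated copies can be compressed or shipped to a central log host before being discarded, so that alert history survives local disk pressure.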

For swap, the HIDS agent requires between 97 MB and 157 MB.

3.2 Tuning Considerations

3.2.1 Product Tuning

3.2.1.1 Tuning the Surveillance Schedules

3.2.1.1.1 Background

A surveillance schedule contains one or more surveillance groups. A surveillance group defines a collection of detection templates, their corresponding configurations, and when the templates are scheduled to run. A detection template may exist in more than one surveillance group, but each surveillance group may have at most one template instance of a particular template.

One can configure each detection template in the group with details specific to the threats it is meant to protect against. For example, a surveillance group named "WebServer" may contain three templates: Creating SetUID files, Changes to files/directories and Monitor logins/logouts. In this example, the Changes to files/directories template can be configured to monitor changes to files and directories under /etc/opt/httpd.

3.2.1.1.2 Avoid duplicate copies of a template

It is possible to place the same detection template in two or more surveillance groups. However, if the groups are scheduled to run concurrently in a surveillance schedule then multiple copies of a detection template will be executing concurrently. A performance penalty will be incurred from running more than one instance of the same template.

Try to schedule surveillance groups with duplicate templates to run at different times.

3.2.1.1.3 Avoid duplicate groups with overlapping functionality

A surveillance group should contain the smallest number of templates required to be effective, and no more. Keeping surveillance groups as small as possible reduces the likelihood of duplicate templates.

HP Company Internal

Page 7 of 20