3.2.2.1.1 System performance over security

The default setting for an HIDS agent is “non-blocking” mode because, in certain cases, it is possible that blocking mode may have an overall negative impact on system performance. For example, one may find that many processes are suspended because the audit record buffer is full. The total system throughput may therefore be reduced. Use “non-blocking” mode if system performance takes precedence over security.

3.2.2.1.2 Security over system performance

In the “blocking” mode, no data is discarded before the agent can process it. As no data is discarded, there is less likelihood that an intrusion will be missed. Thus this setting places a premium on security.

3.2.2.1.3 How to change from non-blocking to blocking mode

The mode setting is controlled by the IDDS_MODE entry in the ids.cf configuration file (default location is /etc/opt/ids/ids.cf).

The IDDS_MODE entry in the ids.cf file can be set to one of the following values:

2 - blocking mode

3 - non-blocking mode (default)

The ids.cf file must be reread and any running HIDS surveillance schedule must be restarted before the change to ids.cf takes effect (no reboot is required). See the HIDS Administrators Guide in Appendix E for more details on configuring and rereading the ids.cf configuration file.

3.2.2.2 Kernel Tunables

3.2.2.2.1 enable_idds

This tunable is automatically set to 1 when HIDS is installed. This tunable must be set to 1 in order for IDDS to produce system call audit records that are needed by the HP-UX HIDS file related templates to detect intrusions. This tunable can be set to 0 to disable IDDS.

3.2.2.2.2 max_thread_proc

You need to ensure that the system on which the HIDS System Manager is running provides enough threads per process to handle the maximum number of agent systems you will monitor at one time. See “Enabling Over 23 Agents (Thread Limits)” in the Configuration Chapter of the HP-UX HIDS Administrator’s Guide for details.

3.2.2.2.3 tcp_conn_request_max

The HIDS System Manager communicates with agent systems using the TCP protocol. On some systems, the TCP parameter, tcp_conn_request_max, is set initially to allow up to 20 inbound requests to be active at one time. If you have a larger number of agent systems, this value will be inadequate. If this is a problem, an agent’s error log will contain messages like “write_msg: error opening connection to remote host...,” “open_connection: connect error,” and “open_connection: Timed out waiting on select() for connect to complete.” You can view and change this parameter with the ndd command. See “Enabling Over 20 Inbound Requests” in the Configuration Chapter of the HP-UX HIDS Administrator’s Guide for details.
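As an added example, not part of the HP-UX HIDS documentation, the following POSIX shell check audits the two settings covered in 3.2.2.1.3 and 3.2.2.2.3: the IDDS_MODE value in ids.cf and whether tcp_conn_request_max is large enough for the number of agents. The ids.cf line format (`IDDS_MODE=<n>`) and the sample file are assumptions constructed for the example; on a real host you would pass /etc/opt/ids/ids.cf and the value reported by `ndd -get /dev/tcp tcp_conn_request_max`.

```shell
#!/bin/sh
# Added example: audit IDDS_MODE and tcp_conn_request_max capacity.
# Assumption: ids.cf stores the entry as "IDDS_MODE=<n>" (or "IDDS_MODE <n>").

# Constructed sample ids.cf so the script runs without an HP-UX host.
SAMPLE_IDS_CF=$(mktemp)
cat > "$SAMPLE_IDS_CF" <<'EOF'
# constructed ids.cf fragment for the example
IDDS_MODE=3
EOF

# idds_mode FILE: print the last IDDS_MODE value found in FILE (empty if none).
idds_mode() {
    sed -n 's/^[[:space:]]*IDDS_MODE[[:space:]]*=*[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# idds_mode_check FILE: status 0 = blocking (no audit data discarded),
# 1 = non-blocking (records can be dropped when the audit buffer fills),
# 2 = entry missing or not 2/3 (treat as a configuration error).
idds_mode_check() {
    mode=$(idds_mode "$1")
    case "$mode" in
        2) echo "IDDS_MODE=2: blocking mode, audit records are never discarded"; return 0 ;;
        3) echo "IDDS_MODE=3: non-blocking mode (default), records may be lost under load"; return 1 ;;
        *) echo "IDDS_MODE missing or invalid in $1: '$mode'"; return 2 ;;
    esac
}

# conn_request_check CURRENT AGENTS: status 0 when the tcp_conn_request_max
# value covers all agents at once, 1 when it is too small (raise it with ndd).
conn_request_check() {
    if [ "$1" -ge "$2" ]; then
        echo "tcp_conn_request_max=$1 covers $2 agents"; return 0
    fi
    echo "tcp_conn_request_max=$1 is below $2 agents; raise it with ndd"; return 1
}

# Demonstration on the constructed input: non-blocking mode and the
# initial value of 20 inbound requests against 35 agents.
idds_mode_check "$SAMPLE_IDS_CF" || echo "idds_mode_check status $?"
conn_request_check 20 35 || echo "conn_request_check status $?"
```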

3.2.2.2.4 secure_sid_scripts

Starting with 11i v1.6, the execution of setuid scripts, which is vulnerable to race condition attacks, is prevented if this tunable is set (enabled by default). Enabling this tunable will prevent setuid script

HP Company Internal

Page 9 of 20