HP Company Internal
Page 1 of 20
Legal Notices
The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.

Warranty. A copy of the specific warranty terms applicable to your Hewlett-Packard product and replacement parts can be obtained from your local Sales and Service Office.

Restricted Rights Legend. Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD agencies, and subparagraphs (c) (1) and (c) (2) of the Commercial Computer Software Restricted Rights clause at FAR 52.227-19 for other agencies. Hewlett-Packard Company, 19420 Homestead Road, Cupertino, California 95014, U.S.A. Use of this manual is restricted to this product only.

Copyright Notices. Copyright 1983-2005 Hewlett-Packard Development Company, LP. Reproduction, adaptation, or translation of this document without prior written permission is prohibited, except as allowed under the copyright laws.
Contents
1.1 PRODUCT IDENTIFICATION ... 4
1.2 PURPOSE OF DOCUMENT ... 4
1.2 INTENDED AUDIENCE ... 4
1.3 GLOSSARY ... 4
2.0 OVERVIEW ... 5
2.1 PRODUCT OVERVIEW ... 5
2.2 HP-UX HIDS DEPLOYMENTS ... 5
2.3 SIZING AND TUNING OVERVIEW ... 5
3.0 SIZING AND TUNING RECOMMENDATIONS ... 6
3.1 SIZING GUIDELINES ... 6
3.1.1 Single vs. Multi-Processor ... 6
3.1.2 Number of CPUs ... 6
3.1.3 Memory ... 6
3.1.4 Disk Capacity ... 7
3.2 TUNING CONSIDERATIONS ... 7
3.2.1 Product Tuning ... 7
3.2.1.1 Tuning the Surveillance Schedules ... 7
3.2.1.1.1 Background ... 7
3.2.1.1.2 Avoid duplicate copies of a template ... 7
3.2.1.1.3 Avoid duplicate groups with overlapping functionality ... 7
3.2.1.1.4 Race Condition Template ... 8
3.2.1.2 Tuning Process Priority ... 8
3.2.1.3 Tuning the HIDS System Manager (GUI) ... 8
3.2.2 Kernel Tuning ... 8
3.2.2.1 Tuning the Kernel Audit System (IDDS) ... 8
3.2.2.1.1 System performance over security ... 9
3.2.2.1.2 Security over system performance ... 9
3.2.2.1.3 How to change from non-blocking to blocking mode ... 9
3.2.2.2 Kernel Tunables ... 9
3.2.2.2.1 enable_idds ... 9
3.2.2.2.2 max_thread_proc ... 9
3.2.2.2.3 tcp_conn_request_max ... 9
3.2.2.2.4 secure_sid_scripts ... 9
3.2.2.2.5 executable_stack ... 10
3.2.2.2.6 maxdsiz ... 10
3.2.2.3 Swap ... 10
4.0 REFERENCE DOCUMENTS/ WEB SITES ... 11
APPENDIX A CPU CONSUMPTION ... 12
CPU Consumption on PA Processors ... 13
CPU Consumption on Itanium Processors ... 15
APPENDIX B RESIDENT MEMORY CONSUMPTION ... 17
Memory Consumption on PA Processors ... 17
Memory Consumption on Itanium Processors ... 19
1.3 Glossary
The following are definitions and acronyms used within this document.

Definitions

Agent - The HIDS sensor that detects intrusions.
Event - Any piece of information that is being analyzed by HIDS for intrusions. For example, system call audit records and login records are all delivered to HIDS as events.
Surveillance Group - A collection of one or more template instances where each instance is of a unique template type.
Surveillance Schedule - A collection of one or more surveillance groups where each group has its own set of template instances.
Template or Circuit - Intrusion detection logic that analyzes events. Detects the use of basic attack building blocks or patterns.
Template Instance - An instance of a template. For example, there can be several instances of the Modification of Files/Directories template, each of which monitors for the modification of different critical files or directories.
Template Type - Specifies which template logic a template instance implements (e.g., Modification of Files/Directories).
Template Properties - Configuration {name,value} tuples that are used to parameterize a template instance and change a template instance's behavior at run time. Two template instances of the same template type have the same property names but with potentially different property values. If properties are modified for a surveillance schedule that is running, the schedule must be restarted for the new property values to take effect.

Acronyms

CPU - Central Processing Unit
HIDS - Host Intrusion Detection System. Refers to the HP-UX Host IDS product.
HP-UX - HP's flavor of Unix
IDDS - Intrusion Detection Data Source. A kernel auditing subsystem on 11.11 and 11.23 specifically designed to provide a source of rich, on-line kernel audit data for HIDS.
2.0 OVERVIEW
2.1 Product Overview
HP-UX HIDS is an HP-UX host intrusion detection product that can enhance local host-level security within your network. It does this by automatically monitoring each configured host system within the network for possible signs of unwanted and potentially damaging intrusions. If successful, such intrusions could lead to the loss of availability of key systems or could compromise system integrity. As HIDS continuously examines ongoing activity on a system, it seeks out patterns that might suggest security breaches or misuses. These might include, for example, an attacker attempting to break into or disrupt your system, subversive insider activities, or someone trying to spread a virus. Once you have activated HIDS for a given host system and it detects an intrusion attempt, the host sends an alert to the administrative interface where you can immediately investigate the situation, and when necessary, take action against the intrusion. HIDS also supports customized local responses to, for example, notify the administrator through e-mail or pager.
HIDS performance tuning is limited to:
- Surveillance schedule configuration
- Process priority setting
Note: These sizing guidelines apply to servers running the HIDS agent sensor and not the HIDS System Manager (GUI).
3.1.3 Memory
As the sustained event load on the server increases, more resident memory may be consumed, especially by the idscor process, which dynamically allocates heap memory to store and process events. On systems with little memory, or where other applications contend for memory, the resulting paging and swapping (virtual memory disk I/O) can degrade performance. An additional 40 to 60 MB of memory is recommended for the HIDS agent's processes as a whole.
The memory consumption of the HIDS agent processes is charted against the rate of system call audit records (events) in Appendix B.
3.2.1.1.1 Background
A surveillance schedule contains one or more surveillance groups. A surveillance group defines a collection of detection templates, their corresponding configurations, and when the templates are scheduled to run. A detection template may exist in more than one surveillance group, but each surveillance group may have at most one template instance of a particular template. One can configure each detection template in the group with details specific to the threats to protect against. For example, a surveillance group named "WebServer" may contain three templates: Creating SetUID files, Changes to files/directories and Monitor logins/logouts. In this example, the Changes to files/directories template can be configured to monitor the changes to files and directories under /etc/opt/httpd.
3.2.1.2 Tuning Process Priority
The HIDS idscor process performs the CPU- and memory-intensive work of executing the detection templates that process the events. For potentially better event-processing throughput, idscor can be given a higher scheduling priority by lowering its nice value (a lower nice value means a higher priority, and only the superuser can lower it; see the nice(1) and renice(1M) man pages). Raising idscor above the workload the host exists to run takes CPU from that workload under load, so measure the effect before making the change permanent.
3.2.1.3 Tuning the HIDS System Manager (GUI)
Because the HIDS System Manager is a Java application that can be memory and CPU intensive, run it on a dedicated management server. The JVM can, for example, consume over 50% of a CPU when a user performs an operation as simple as opening a new window. Under certain loads, such as when receiving thousands of alerts, the Java Virtual Machine (JVM) running the GUI might log out-of-memory errors in /var/opt/ids/gui/guiError.log or /var/opt/ids/gui/logs/Trace.log. The remedy is to increase the maximum heap size of the JVM (the default is 64 MB) in the /opt/ids/bin/idsgui file by adding, for example, the continuation line -Xmx256m \ after the line "$JAVA_RUN \" (keep the trailing backslash: the JVM options are one shell command spread over several lines). In this example the maximum heap size is set to 256 MB.
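The edit just described can be made repeatably with a small shell function. The following is an added example, not code from this document or from the HIDS product. It assumes the launcher contains a line consisting of "$JAVA_RUN \" followed by one JVM option per backslash-continued line, as the instruction above implies; the indentation used for the new line and the sample launcher written by make_sample_idsgui are constructed for illustration and are not the real /opt/ids/bin/idsgui.

```shell
#!/bin/sh
# Added example: set the JVM maximum heap (-Xmx) for the HIDS System Manager
# by editing the idsgui launcher. Not part of the HP document.
# Assumption: the launcher has a line "$JAVA_RUN \" followed by one JVM
# option per continuation line, so "-Xmx<size> \" can be inserted after it.

# heap_setting FILE -> prints the -Xmx value currently on its own
# continuation line (e.g. "256m"), or "none" if no such line exists.
heap_setting() {
    v=$(sed -n 's/^[[:space:]]*-Xmx\([0-9][0-9]*[kKmMgG]\)[[:space:]]*\\[[:space:]]*$/\1/p' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'none\n'; fi
}

# add_jvm_heap FILE SIZE -> rewrites FILE so that exactly one "-Xmx<SIZE> \"
# line follows "$JAVA_RUN \". Safe to run more than once.
add_jvm_heap() {
    file=$1
    size=$2
    tmp="$file.tmp.$$"
    case "$size" in
        *[0-9][kKmMgG]) ;;
        *) echo "add_jvm_heap: size must look like 256m or 1g, got '$size'" >&2; return 1 ;;
    esac
    if ! grep -q '^[[:space:]]*[$]JAVA_RUN[[:space:]]*\\[[:space:]]*$' "$file"; then
        echo "add_jvm_heap: no '\$JAVA_RUN \\' line in $file; launcher layout differs" >&2
        return 1
    fi
    if [ "$(heap_setting "$file")" != "none" ]; then
        # Already tuned once: change the value instead of adding a second -Xmx.
        awk -v size="$size" '
            /^[[:space:]]*-Xmx[0-9]+[kKmMgG][[:space:]]*\\[[:space:]]*$/ { print "    -Xmx" size " \\"; next }
            { print }' "$file" > "$tmp"
    else
        # First run: insert the option directly after the "$JAVA_RUN \" line.
        awk -v size="$size" '
            { print }
            /^[[:space:]]*[$]JAVA_RUN[[:space:]]*\\[[:space:]]*$/ { print "    -Xmx" size " \\" }' "$file" > "$tmp"
    fi
    mv "$tmp" "$file"
}

# make_sample_idsgui FILE -> writes a constructed stand-in for the launcher
# (the real /opt/ids/bin/idsgui has more lines; only the "$JAVA_RUN \" shape matters).
make_sample_idsgui() {
    cat > "$1" <<'EOF'
#!/bin/sh
JAVA_RUN=/opt/java1.4/bin/java
$JAVA_RUN \
    -classpath /opt/ids/lib/idsgui.jar \
    IDSGui "$@"
EOF
}

# Usage on a real system, as root, after taking a backup:
#   cp -p /opt/ids/bin/idsgui /opt/ids/bin/idsgui.orig
#   add_jvm_heap /opt/ids/bin/idsgui 256m
#   heap_setting /opt/ids/bin/idsgui      # prints 256m
```

The function refuses to touch a launcher that does not have the expected "$JAVA_RUN \" line, so a layout change in a later product release produces an error rather than a silently unmodified or doubly modified file.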
3.2.2.2.1 enable_idds
This tunable is automatically set to 1 when HIDS is installed. It must remain 1 for IDDS to produce the system call audit records that the HP-UX HIDS file-related templates need to detect intrusions. Setting it to 0 disables IDDS, and with it the event source for those templates.
3.2.2.2.2 max_thread_proc
You need to ensure that the system on which the HIDS System Manager is running provides enough threads per process to handle the maximum number of agent systems you will monitor at one time. See Enabling Over 23 Agents (Thread Limits) in the Configuration Chapter of the HP-UX HIDS Administrator's Guide for details.
3.2.2.2.3 tcp_conn_request_max
The HIDS System Manager communicates with agent systems over TCP. On some systems the TCP parameter tcp_conn_request_max (the listen backlog) is initially set to allow up to 20 inbound connection requests to be pending at one time. With a larger number of agent systems this value is inadequate, and an agent's error log will contain messages such as "write_msg: error opening connection to remote host...", "open_connection: connect error" and "open_connection: Timed out waiting on select() for connect to complete". You can view and change this parameter with the ndd command (ndd -get /dev/tcp tcp_conn_request_max shows the current value); a change made with ndd -set is lost at reboot unless it is also recorded in /etc/rc.config.d/nddconf. See Enabling Over 20 Inbound Requests in the Configuration Chapter of the HP-UX HIDS Administrator's Guide for details.
3.2.2.2.4 secure_sid_scripts
Starting with 11i v1.6, the execution of setuid scripts, which is vulnerable to race condition attacks, is prevented when this tunable is set to 1 (the default). Enabling this tunable prevents setuid script race condition attacks, while the HP-UX HIDS Race Condition template detects them. See the secure_sid_scripts(5) man page for details. Even with secure_sid_scripts enabled to prevent setuid script attacks, you might still want to run the Race Condition template to detect other types of race condition attacks (see the HP-UX HIDS Administrator's Guide, listed in section 4.0, for details on what the Race Condition template detects).
3.2.2.2.5 executable_stack
Starting with 11i v1, this tunable controls whether program stacks are executable, using the existing memory management hardware at negligible cost. Setting it to 0 makes stacks non-executable by default and prevents stack buffer overflow attacks that rely on executing injected code on the stack; the values 1 (the original default) and 2 leave stacks executable, with 2 additionally logging a warning when a program runs code on its stack. A program that legitimately needs an executable stack can be marked individually with chatr +es enable. The protection is not comprehensive: an overflow that only overwrites control data, for example to divert execution into existing library code, is not blocked, and even a blocked attempt still corrupts the process. The HP-UX HIDS Buffer Overflow template will attempt to detect such attacks in either case. See the executable_stack(5) man page for details.
3.2.2.2.6 maxdsiz
If the HP-UX HIDS agent error file (/var/opt/ids/error.log) contains out of memory errors, the maximum data segment size may need to be increased (maxdsiz limits how much heap a process can allocate; 64-bit processes are governed by maxdsiz_64bit instead).
3.2.2.3 Swap
If the HP-UX HIDS agent error file (/var/opt/ids/error.log) contains out of memory errors, the swap space may need to be increased. Run the /usr/bin/swapinfo command (swapinfo -tam gives totals in MB) to determine your swap usage.
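The settings discussed in 3.2.2.2.1 through 3.2.2.2.6 can be checked in one pass. The following is an added example, not code from this document or from the HIDS product. It reads live values with kctune(1M) on 11i v2, kmtune(1M) on 11i v1 and ndd(1M); the assumption that the tunable name is the first column and its value the second in kctune/kmtune output is mine, as are the constructed sample values used when none of those commands exist, so that the checks can be exercised on any host. The number of agents the System Manager will monitor is passed in because the document gives no fixed target for tcp_conn_request_max.

```shell
#!/bin/sh
# Added example (not part of the HP document): audit the HIDS-related kernel
# tunables and the TCP listen backlog against the recommendations in 3.2.2.2.
# Assumptions: kctune/kmtune print "<name> <value> ..." rows; sample values
# below are constructed to resemble a freshly installed 11i v1 system.

# sample_value NAME -> constructed value: IDDS on, setuid scripts blocked,
# stacks still executable, the 20-entry TCP backlog the document mentions,
# and a 64 MB maxdsiz.
sample_value() {
    case "$1" in
        enable_idds)          echo 1 ;;
        secure_sid_scripts)   echo 1 ;;
        executable_stack)     echo 1 ;;
        tcp_conn_request_max) echo 20 ;;
        maxdsiz)              echo 67108864 ;;
        *)                    echo "" ;;
    esac
}

# current_value NAME -> live value from the system, or the sample value
# when run somewhere without the HP-UX tools.
current_value() {
    name=$1
    if [ "$name" = tcp_conn_request_max ]; then
        if command -v ndd >/dev/null 2>&1; then ndd -get /dev/tcp "$name"; return; fi
    elif command -v kctune >/dev/null 2>&1; then
        kctune "$name" | awk -v n="$name" '$1 == n { print $2 }'; return
    elif command -v kmtune >/dev/null 2>&1; then
        kmtune | awk -v n="$name" '$1 == n { print $2 }'; return
    fi
    sample_value "$name"
}

# tunable_status NAME VALUE [AGENTS] -> one line "ok: ...", "warn: ..." or
# "info: ...". AGENTS is the number of agent systems the System Manager will
# talk to and is used only for tcp_conn_request_max.
tunable_status() {
    name=$1; value=$2; agents=${3:-1}
    case "$value" in
        ''|*[!0-9]*) echo "warn: $name has no numeric value ('$value'); is the tunable present on this release?"; return ;;
    esac
    case "$name" in
        enable_idds)
            if [ "$value" -eq 1 ]; then echo "ok: IDDS is producing system call audit records"
            else echo "warn: enable_idds=$value disables IDDS, so the file-related templates receive no events"; fi ;;
        secure_sid_scripts)
            if [ "$value" -eq 1 ]; then echo "ok: setuid scripts cannot be executed"
            else echo "warn: secure_sid_scripts=$value allows setuid scripts, which are open to race condition attacks"; fi ;;
        executable_stack)
            if [ "$value" -eq 0 ]; then echo "ok: program stacks are non-executable by default"
            else echo "warn: executable_stack=$value leaves stacks executable; injected stack code is not blocked by the kernel, only detected by the Buffer Overflow template"; fi ;;
        tcp_conn_request_max)
            if [ "$value" -ge "$agents" ]; then echo "ok: listen backlog of $value covers $agents agents"
            else echo "warn: tcp_conn_request_max=$value is below the $agents agents to be monitored; expect open_connection errors in agent logs"; fi ;;
        maxdsiz)
            echo "info: maxdsiz=$value bytes; raise it if /var/opt/ids/error.log reports out of memory" ;;
        *)
            echo "info: $name=$value is not assessed here" ;;
    esac
}

# audit_host [AGENTS] -> one status line per parameter, status first.
audit_host() {
    agents=${1:-1}
    for name in enable_idds secure_sid_scripts executable_stack maxdsiz tcp_conn_request_max; do
        value=$(current_value "$name")
        printf '%s  [%s]\n' "$(tunable_status "$name" "$value" "$agents")" "$name"
    done
}

# Example: audit a host whose System Manager will monitor 25 agents.
# audit_host 25
```

On an HP-UX host run audit_host as root so the tunables can be read; elsewhere the sample values produce two warnings (executable stacks and a 20-entry backlog for 25 agents), which is the output shape to expect from a real system that has not been tuned.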
APPENDIX A CPU CONSUMPTION
[Chart residue: the eight charts are not reproduced in this text. Each plots the sustained event rate (Events/sec, axis ticks up to 30000) against CPU consumption for one server class; the CPU axis and the curves are not recoverable from the extracted text.]
CPU Consumption on PA Processors: 2 Way PA, 4 Way PA, 8 Way PA, 16 Way PA
CPU Consumption on Itanium Processors: 2 Way IA, 4 Way IA, 8 Way IA, 16 Way IA
APPENDIX B RESIDENT MEMORY CONSUMPTION
[Chart residue: the eight charts are not reproduced in this text. Each plots the event rate (Events/sec, 0 to 30000 in steps of 5000) against the resident memory of the HIDS agent processes in KB; only the panel titles and axis ranges are recoverable.]
Memory Consumption on PA Processors:
  2 Way PA: Resident Memory (KB) axis 0 to 60000
  4 Way PA: Resident Memory (KB) axis 41000 to 47000
  8 Way PA: Resident Memory (KB) axis 42000 to 48000
  16 Way PA: Resident Memory (KB) axis 42000 to 48000
Memory Consumption on Itanium Processors:
  2 Way IA: Resident Memory (KB) axis 0 to 80000
  4 Way IA: Resident Memory (KB) axis 0 to 80000
  8 Way IA: Resident Memory (KB) axis 0 to 80000
  16 Way IA: Resident Memory (KB) axis 0 to 80000