topic Re: IDS/9000 Overhead in Operating System - HP-UX https://community.hpe.com/t5/operating-system-hp-ux/ids-9000-overhead/m-p/2689326#M756875 idssysdsp is a setuid-root program which runs with euid of ids (non-privileged user) most of the time and calls setresuid() to set its effective uid to root only when it needs the privilege to open a root owned log file. This privilege bracketing is a common security practice, and running idssysdsp with real uid of root would defeat the purpose.<BR /><BR />The idsagent main process which execs the idsssysdsp program makes sure the file is owned by ids:ids and will refuse to fork and exec it<BR />if it is not owned by ids:ids.<BR /><BR />This is core to the IDS design of running with as few privileges as possible. <BR /><BR />I do not have access to the CA Access Control documentation. Do they allow you to filter out events such as setresuid?<BR /><BR />Pierre<BR />IDS/9000<BR />HP Fri, 22 Mar 2002 19:41:44 GMT Pierre Pasturel 2002-03-22T19:41:44Z IDS/9000 Overhead https://community.hpe.com/t5/operating-system-hp-ux/ids-9000-overhead/m-p/2689325#M756874 Hi, <BR /><BR />I succeeded to install IDS/9000 v2 on our <BR />server &amp; run it. But now I have performance <BR />problem. <BR /><BR />Process "idssysdsp" that tracks log files does "su root" all the time. We have "CA Access <BR />Control" installed on server. "Access Control" <BR />catches every "su" &amp; proceede it thru its own <BR />checks. As a result, CPU usage jumps to the <BR />sky. <BR /><BR />Do you know any way to run "idssysdsp" as root and not "ids" to prevent su execution ? <BR /><BR />Thanks a lot, <BR />Alex <BR /> Fri, 22 Mar 2002 16:31:31 GMT https://community.hpe.com/t5/operating-system-hp-ux/ids-9000-overhead/m-p/2689325#M756874 Alex Gayainsky 2002-03-22T16:31:31Z Re: IDS/9000 Overhead https://community.hpe.com/t5/operating-system-hp-ux/ids-9000-overhead/m-p/2689326#M756875 idssysdsp is a setuid-root program which runs with euid of ids (non-privileged user) most of the time and calls setresuid() to set its effective uid to root only when it needs the privilege to open a root owned log file. This privilege bracketing is a common security practice, and running idssysdsp with real uid of root would defeat the purpose.<BR /><BR />The idsagent main process which execs the idsssysdsp program makes sure the file is owned by ids:ids and will refuse to fork and exec it<BR />if it is not owned by ids:ids.<BR /><BR />This is core to the IDS design of running with as few privileges as possible. <BR /><BR />I do not have access to the CA Access Control documentation. Do they allow you to filter out events such as setresuid?<BR /><BR />Pierre<BR />IDS/9000<BR />HP Fri, 22 Mar 2002 19:41:44 GMT https://community.hpe.com/t5/operating-system-hp-ux/ids-9000-overhead/m-p/2689326#M756875 Pierre Pasturel 2002-03-22T19:41:44Z