
IDS/9000 Overhead

Alex Gayainsky
Occasional Contributor


Hi,

I succeeded in installing IDS/9000 v2 on our
server and running it. But now I have a performance
problem.

The process "idssysdsp", which tracks log files, does "su root" all the time. We have "CA Access
Control" installed on the server. "Access Control"
catches every "su" and processes it through its own
checks. As a result, CPU usage jumps to the
sky.

Do you know any way to run "idssysdsp" as root and not as "ids", to prevent the su execution?

Thanks a lot,
Alex
Pierre Pasturel
Respected Contributor

Re: IDS/9000 Overhead

idssysdsp is a setuid-root program which runs with euid of ids (non-privileged user) most of the time and calls setresuid() to set its effective uid to root only when it needs the privilege to open a root owned log file. This privilege bracketing is a common security practice, and running idssysdsp with real uid of root would defeat the purpose.

The idsagent main process which execs the idssysdsp program makes sure the file is owned by ids:ids and will refuse to fork and exec it if it is not owned by ids:ids.

This is core to the IDS design of running with as few privileges as possible.

I do not have access to the CA Access Control documentation. Do they allow you to filter out events such as setresuid?

Pierre
IDS/9000
HP
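The privilege bracketing Pierre describes (park root in the saved uid, run with the effective uid of the unprivileged user, raise to root only around the one call that needs it, then drop back) and the ownership check idsagent applies before exec'ing the binary, as an added example. This is an illustrative reimplementation written for this page, not HP's idssysdsp or idsagent code; it assumes Linux/HP-UX setresuid() semantics, and the default path `/etc/shadow` in `main()` is only an assumed root-only file for the demo.

```c
#define _GNU_SOURCE            /* setresuid()/getresuid() prototypes on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Portability guard: identical redeclarations are harmless if <unistd.h>
 * already exposed them, and they save the build when _GNU_SOURCE was not
 * seen before the first system header. */
extern int setresuid(uid_t ruid, uid_t euid, uid_t suid);
extern int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

/*
 * Illustrative reimplementation (not HP's code) of the bracketing described
 * for idssysdsp. A process started from a setuid-root file begins with
 * ruid = caller, euid = 0, suid = 0. Moving the effective uid down to the
 * caller while leaving the saved uid at 0 keeps root reachable with one
 * cheap kernel call and no "su", and lets it be dropped just as cheaply.
 */

/* Change only the effective uid; real and saved uids are left untouched. */
static int set_euid(uid_t euid)
{
    return setresuid((uid_t)-1, euid, (uid_t)-1);
}

/* At startup: run as the unprivileged real uid, keep root in the saved uid.
 * Returns 0 on success, -1 (errno set) if the kernel refused. */
int drop_to_real_uid(void)
{
    return set_euid(getuid());
}

/* Raise to `priv`, open `path` read-only, fall back to `unpriv`.
 * The fall-back happens whether or not open() succeeded. If the drop cannot
 * be completed the fd is closed and -1 returned rather than carrying on
 * with elevated privilege. */
int bracketed_open(const char *path, uid_t priv, uid_t unpriv)
{
    if (set_euid(priv) != 0)
        return -1;
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    int open_errno = errno;
    if (set_euid(unpriv) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = open_errno;
    return fd;
}

/* The pre-exec ownership check the reply attributes to idsagent:
 * 1 if `path` is owned by uid:gid, 0 if not, -1 if it cannot be stat()ed. */
int owned_by(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_uid == uid && st.st_gid == gid) ? 1 : 0;
}

/* Stand-alone demo: prints the uid triple at each step and opens the file
 * named on the command line. Run as an ordinary user to see the mechanics;
 * install it setuid root (chown root; chmod u+s) to see euid 0 appear only
 * around the open(). */
int main(int argc, char **argv)
{
    uid_t r, e, s;
    const char *path = argc > 1 ? argv[1] : "/etc/shadow"; /* assumed root-only file */

    getresuid(&r, &e, &s);
    printf("start:  ruid=%u euid=%u suid=%u\n", (unsigned)r, (unsigned)e, (unsigned)s);

    if (drop_to_real_uid() != 0) { perror("setresuid"); return 1; }
    getresuid(&r, &e, &s);
    printf("parked: ruid=%u euid=%u suid=%u\n", (unsigned)r, (unsigned)e, (unsigned)s);

    /* Raise to the saved uid (root when installed setuid root), drop back to ruid. */
    int fd = bracketed_open(path, s, r);
    getresuid(&r, &e, &s);
    printf("after:  ruid=%u euid=%u suid=%u  open(%s) -> %s\n",
           (unsigned)r, (unsigned)e, (unsigned)s, path,
           fd >= 0 ? "ok" : strerror(errno));
    if (fd >= 0) close(fd);
    return fd >= 0 ? 0 : 1;
}
```

The point for the original question: nothing here ever execs `su`, so a tool that hooks `su` sees no events, while a tool that hooks the uid-changing syscalls themselves will see one setresuid() pair per privileged open, which is the event class Pierre suggests filtering. The ownership check is deliberately separate from the open: if the binary idsagent is about to exec were replaced or rebound to another owner, the exec is refused before any privilege is in play.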