Administrator's Guide
Automated Response
Sample Response Programs
Appendix B
198
Halting any further attacks
Disabling a user's account
If a particular user account is generating many alerts, it may be necessary to disable
further logins on that account. This script shows how to achieve that.
IMPORTANT This script requires privilege and should not be installed as a setuid privileged script.
This script is for illustration purposes only. Please refer to “Writing Privileged Response
Programs” on page 190 for help on how to safely write a privileged response program.
#!/usr/bin/sh
#
# Sample HP-UX HIDS alert response script
#
# Disable a user's account if they fail to su to root
RECIPIENT="root"

# If we have a failed su attempt then determine the user
if [ "$1" = "9" ]
then
    # The offending user is in parameter $12
    username="${12}"

    # Never act on an empty name or on root itself
    if [ -z "${username}" ] || [ "${username}" = "root" ]
    then
        echo "Refusing to disable account '${username}'" >&2
        exit 1
    fi

    echo "Disabling account for ${username}" \
        | /usr/bin/mailx -s "$7" ${RECIPIENT}

    # Rather than deleting the account, just disable the shell
    /usr/sbin/usermod -s /usr/bin/false "${username}" 1> /dev/null 2>&1

    # Determine if usermod was successful.
    if [ $? -ne 0 ]
    then
        # User is probably still logged in. Kill all user's processes.
        # Match the owner column exactly: a substring grep over the whole
        # ps line would also hit other users' processes whose command
        # line happens to contain the name.
        echo "Killing all processes owned by ${username}."
        pids=`ps -ef | awk -v u="${username}" '$1 == u { print $2 }'`
        if [ "${pids}" != "" ]
        then
            echo ${pids} | xargs kill -9
            sleep 1
        fi

        # Attempt to disable the account again
        /usr/sbin/usermod -s /usr/bin/false "${username}"
    fi
fi
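The step that most often goes wrong in scripts like the one above is selecting the processes to kill. The following is an added example, not part of the HP-UX HIDS guide or its sample programs: it runs a substring grep and an exact owner-column match over a constructed, embedded ps -ef listing (not a real capture) so the difference is visible without touching a live system. The function names naive_pids and exact_pids and the sample rows are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: choosing a user's PIDs from `ps -ef` output.
# SAMPLE_PS is a constructed listing, not output captured from a real host.
SAMPLE_PS='     UID   PID  PPID  C    STIME TTY       TIME COMMAND
    root     1     0  0   Jan 10 ?         0:03 init
     bob  1042  1001  0 10:15:02 pts/1     0:00 -sh
   bobby  1077  1001  0 10:16:40 pts/2     0:00 -sh
   alice  1090  1001  0 10:17:01 pts/3     0:00 vi bob_notes.txt
     bob  1123  1042  0 10:18:22 pts/1     0:00 su root'

# Substring selection: any line that merely mentions the name is taken,
# so the shells of "bobby" and alice's editor session are killed as well.
# Prints the matched PIDs on one line, separated by single spaces.
naive_pids() {
    printf '%s\n' "$SAMPLE_PS" \
        | grep "$1" | grep -v "grep $1" \
        | awk '{ print $2 }' | tr '\n' ' ' | sed 's/ $//'
}

# Exact selection: compare only the UID (owner) column with the name.
# Prints the matched PIDs on one line, separated by single spaces.
exact_pids() {
    printf '%s\n' "$SAMPLE_PS" \
        | awk -v u="$1" '$1 == u { print $2 }' \
        | tr '\n' ' ' | sed 's/ $//'
}

# Usage: compare both selections for the account "bob".
echo "naive: $(naive_pids bob)"
echo "exact: $(exact_pids bob)"
```

With the sample listing, the substring version returns four PIDs (including bobby's shell and alice's editor), while the exact version returns only the two processes owned by bob. The same awk expression works against live ps -ef output; the listing is embedded here only so the block runs offline.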