Administrator's Guide
Automated Response
Sample Response Programs
Appendix B
202
Restoration of a known “good” state

Restoring “safe” copies of files

Intruders will often replace key system configuration files during an attack. This sample script shows how to replace those files with clean versions that are mounted on a CDROM drive. We assume that the CDROM is mounted on /cdrom.
IMPORTANT This script requires privilege and should not be installed as a setuid privileged script.
This script is for illustration purposes only. Please refer to “Writing Privileged Response
Programs” on page 190 for help on how to safely write a privileged response program.
NOTE This script is a simple example, and does not take into account many factors, such as:
• whether the configuration files are currently in use,
• whether daemons will have to be restarted to re-read the restored file contents,
• whether an attacker has planted symbolic links to redirect the restored contents to a different location.
You must consider these factors when designing a complete response capability.
#!/usr/bin/sh
## Sample HP-UX HIDS alert response script
# Restore "good" copies of files to the /etc directory if any modifications
# occur
RECIPIENT="root"
# Setting the umask to a "sane" value
umask 077
# If we have a file modification alert (the alert type is passed as $1)
if [ "$1" = "2" ]
then
    # and if the target of the attack is a file in /etc (the target path is ${17})
    match=`echo "${17}" | grep "^/etc/..*"`
    if [ "$match" != "" ]
    then
        # Notify the administrator, using the alert summary ($7) as the subject
        echo "System configuration was modified: restoring from backup CD\n" \
            | /usr/bin/mailx -s "$7" ${RECIPIENT}
        # Replace the contents of /etc with the clean copies from the CD
        cp -rf /cdrom/etc/* /etc
    fi
fi
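The NOTE above lists factors the sample leaves out, and the sample's blanket cp -rf also overwrites every file under /etc whether or not it was touched. The script below is an added example written for this guide page, not the HP-UX HIDS guide's own code: it restores only the file named in the alert, refuses to write through a symbolic link planted anywhere below the protected directory, leaves files that already match their clean copy alone, and keeps the tampered version for forensic review. The variable names PROTECTED_ROOT, BACKUP_ROOT and QUARANTINE, and the functions path_has_symlink, restore_file and notify, are the example's own; it assumes the clean copies under BACKUP_ROOT mirror the layout of PROTECTED_ROOT, and it reads the alert type, summary and modified path from the same argument positions ($1, $7 and ${17}) as the sample script.

```shell
#!/bin/sh
# Added example, not part of the HP-UX HIDS guide. A narrower response than the
# guide's "cp -rf /cdrom/etc/* /etc": restore only the file named in the alert,
# refuse symbolic links planted anywhere below the protected directory, leave
# files that already match their clean copy alone, and keep the tampered file
# for forensic review. Assumptions (hypothetical): clean copies live under
# BACKUP_ROOT mirroring PROTECTED_ROOT; as in the guide's script, the alert
# type arrives in $1 (2 = file modification), the summary in $7 and the
# modified path in ${17}.

umask 077
RECIPIENT="${RECIPIENT:-root}"
PROTECTED_ROOT="${PROTECTED_ROOT:-/etc}"
BACKUP_ROOT="${BACKUP_ROOT:-/cdrom/etc}"
QUARANTINE="${QUARANTINE:-/var/tmp/hids-quarantine}"

# path_has_symlink TARGET ROOT: 0 if TARGET or any directory between it and
# ROOT is a symbolic link. A link planted in /etc would otherwise redirect the
# restored contents to wherever the attacker chose.
path_has_symlink() {
    p="$1" root="$2"
    while [ "$p" != "$root" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
        [ -L "$p" ] && return 0
        p=$(dirname "$p")
    done
    return 1
}

# restore_file TARGET: 0 when TARGET now matches its clean copy; 1 when the
# request is refused (outside PROTECTED_ROOT, ".." component, symbolic link in
# the path, not a regular file, or no clean copy available).
restore_file() {
    target="$1"
    case "$target" in
        "$PROTECTED_ROOT"/*) ;;
        *) echo "refused: $target is outside $PROTECTED_ROOT" >&2; return 1 ;;
    esac
    case "$target" in
        */../*|*/..) echo "refused: $target contains .." >&2; return 1 ;;
    esac
    if path_has_symlink "$target" "$PROTECTED_ROOT"; then
        echo "refused: symbolic link in the path of $target" >&2; return 1
    fi
    if [ -e "$target" ] && [ ! -f "$target" ]; then
        echo "refused: $target is not a regular file" >&2; return 1
    fi
    src="$BACKUP_ROOT/${target#"$PROTECTED_ROOT"/}"
    if [ -L "$src" ] || [ ! -f "$src" ]; then
        echo "refused: no clean regular file at $src" >&2; return 1
    fi
    if [ -f "$target" ] && cmp -s "$src" "$target"; then
        echo "$target already matches its clean copy" >&2; return 0
    fi
    # Preserve the tampered version before overwriting it.
    mkdir -p "$QUARANTINE" || return 1
    if [ -f "$target" ]; then
        cp -p "$target" "$QUARANTINE/$(basename "$target").$(date +%Y%m%d%H%M%S).$$" || return 1
    fi
    # Copy beside the target, then rename, so readers never see a half-written file.
    tmp="$target.hids.$$"
    if cp -p "$src" "$tmp" && mv -f "$tmp" "$target"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# notify SUBJECT BODY: report the outcome the way the guide's script does.
notify() {
    printf '%s\n' "$2" >&2
    if [ -n "$RECIPIENT" ] && command -v mailx >/dev/null 2>&1; then
        printf '%s\n' "$2" | mailx -s "$1" "$RECIPIENT"
    fi
}

# Alert dispatch, same argument positions as the guide's script.
if [ "${1:-}" = "2" ] && [ -n "${17:-}" ]; then
    if restore_file "${17}"; then
        notify "${7:-HIDS alert}" "restored ${17} from $BACKUP_ROOT"
    else
        notify "${7:-HIDS alert}" "could not restore ${17}; manual review required"
    fi
fi
```

The symlink walk stops at PROTECTED_ROOT rather than at /, because the directory itself may legitimately be a link on some systems while anything below it that has turned into a link is exactly what the NOTE warns about. The first two factors in the NOTE (files in use, daemons that must re-read their configuration) are still left to the operator; the script only reports what it did, and the quarantined copy gives the investigator the tampered contents to compare against the clean version.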