Host Intrusion Detection System Administrator's Guide Release 3.0
Appendix B
Automated Response
How Automated Response Works in HP-UX HIDS
The Alert Process
When the agent generates an alert:
1. The agent stores the alert in a local log file whose pathname is defined by the IDS_ALERTFILE configuration variable (default is /var/opt/ids/alert.log). See Chapter, “The Agent Configuration File,” on page 215.
2. If it is communicating with the System Manager, the agent sends the alert to the System Manager.
3. The agent looks for executable files in the directory defined by the IDS_RESPONSE_DIR configuration variable. The default directory is /opt/ids/response. See “The Agent Configuration File” on page 205. The agent can execute up to 50 files. If there are more than that in IDS_RESPONSE_DIR, the agent selects 50 ordinary files each time an alert is generated and ignores the rest.
4. For each executable file, the agent sets certain environment variables and passes the alert details as command-line parameters.
5. The agent executes the files one at a time in ASCII sorted order but does not wait for them to terminate.
Security checks
These rules apply to the response directory and its files:
❏ If the response directory fails these checks, then no response program is run.
• The directory must not be world-writable (not writable by “other”).
• The directory must be owned by user ids.
• The directory must be local; it cannot be a symbolic link, a pipe, NFS-mounted, etc.
❏ If a response program fails these checks, then it is not run.
• A file in the response directory must be a local regular file; it cannot be a symbolic link, a pipe, NFS-mounted, etc.
• A file in the response directory must not be world-writable (not writable by “other”).
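The following audit script is an added example, not part of the guide or the HP-UX HIDS product: it applies the directory and file checks listed above to a response directory, counts how many files the agent would accept (capped at 50, in ASCII order), and reports what would be skipped. It assumes the owning user is named ids unless IDS_OWNER overrides it, and its NFS test is a heuristic on the mount device name (host:/export).

```shell
#!/bin/sh
# Added audit example for an HP-UX HIDS response directory (not the agent's own code).
# Assumptions: owner "ids" unless IDS_OWNER is set; NFS detected by a "host:/export" device.
export LC_ALL=C                   # glob expansion in ASCII order, like the agent's run order
IDS_OWNER="${IDS_OWNER:-ids}"
MAX_RESPONSE_FILES=50

# other_writable PATH -> true when the "other" write bit is set (parsed from ls -ld, portable)
other_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}
# on_nfs PATH -> true when the filesystem device looks like host:/export (heuristic only)
on_nfs() {
    command -v df >/dev/null 2>&1 || return 1
    dev=$(df -P "$1" 2>/dev/null | awk 'NR == 2 { print $1 }')
    case "$dev" in *:*) return 0 ;; esac
    return 1
}

# check_response_dir DIR -> 0 if the agent would use the directory, 1 if no response would run
check_response_dir() {
    dir=$1; rc=0
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is a symbolic link or not a directory"; return 1
    fi
    other_writable "$dir" && { echo "FAIL: $dir is world-writable"; rc=1; }
    owner=$(ls -ld "$dir" | awk '{ print $3 }')
    [ "$owner" = "$IDS_OWNER" ] || { echo "FAIL: $dir owned by $owner, not $IDS_OWNER"; rc=1; }
    on_nfs "$dir" && { echo "FAIL: $dir is NFS-mounted"; rc=1; }
    return $rc
}

# check_response_file FILE -> 0 if the agent would run it, 1 if it would be skipped
check_response_file() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then echo "SKIP: $f is not a local regular file"; return 1; fi
    if other_writable "$f"; then echo "SKIP: $f is world-writable"; return 1; fi
    if [ ! -x "$f" ]; then echo "SKIP: $f is not executable"; return 1; fi
    return 0
}
# count_runnable DIR -> number of files the agent would accept, capped at 50 like the agent
count_runnable() {
    n=0
    for f in "$1"/*; do
        [ -e "$f" ] && check_response_file "$f" >/dev/null && n=$((n + 1))
    done
    [ "$n" -gt "$MAX_RESPONSE_FILES" ] && n=$MAX_RESPONSE_FILES
    echo "$n"
}
```

Run it as `check_response_dir /opt/ids/response` followed by `count_runnable /opt/ids/response` to see whether the agent would silently run nothing after the next alert.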
Programming Notes
1. Your response program will run with the same user ID as the HP-UX HIDS agent. While this is not a privileged user ID, you must realize that you can modify and delete HP-UX HIDS files. Pay attention to security issues when considering your alert response design.