HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

B Automated Response for Alerts
This appendix describes how to use response programs to process alerts automatically
according to your installation policy. It includes a sample C program, several sample
response scripts, and information about a prepackaged response program that
communicates with HP OpenView VantagePoint Operations. This appendix addresses
the following topics:
• “How Automated Response Works in HP-UX HIDS” (page 192)
• “Programming Guidelines” (page 201)
• “Sample Response Programs” (page 207)
• “HP OpenView Operations SMART Plug-In” (page 216)
Response programs enable you to capture alerts automatically as they are generated
by the HP-UX HIDS agent, and to use your own tools to process them and make
decisions, such as alerting a system administrator about a potential intrusion. Response
programs work in addition to the normal agent-administration interface of HP-UX
HIDS, in which alerts are reported to the System Manager process on the administration
system.
The response programs are executed on the agent system that generates the alert, thus
enabling near real-time intrusion response in the face of potential misuse.
Consider the following guidelines when responding to an intrusion attempt on a system:
• Do not do anything that is illegal in your region of the world. Consult your local legal counsel before devising response strategies.
• Balance the response against the threat. Not every target of an attack justifies an equal response; configure responses in proportion to threats.
• Determine whether attack isolation is more important than continuous availability. In response to an attack, you can disable networking on a server to isolate it from further attacks. This isolation also serves to preserve any evidence of an intrusion. However, by isolating the server, you can interfere with legitimate business activities.
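The following POSIX shell script is an added example, not one of the sample response programs shipped with HP-UX HIDS, showing how a response program executed on the agent system can turn the guidelines above (response in proportion to the threat, isolation only where availability matters less) into a small policy. It assumes, for illustration only, that the agent passes the alert fields as positional arguments in the order SEVERITY ALERT_CODE SOURCE TARGET MESSAGE and that severity 1 is the most severe; the real argument layout of ids_alertResponse is the one documented under “Programming Guidelines”. The host names, thresholds, log path and the site_isolate.sh hand-off script are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the HP-UX HIDS product: a minimal response
# program that applies a proportional-response policy to one alert.
#
# Assumptions (this example's own, not the documented ids_alertResponse
# interface): the agent invokes the program with alert fields as
# positional arguments in the order
#   SEVERITY ALERT_CODE SOURCE TARGET MESSAGE
# and severity 1 is the most severe.  Check "Programming Guidelines" for
# the real argument layout before deploying anything like this.

LOGFILE=${LOGFILE:-/tmp/hids_response.log}   # constructed default path

# Policy table (constructed sample values): only hosts listed here may be
# isolated at all, because isolation interrupts legitimate business
# activity; everything else is notified or merely logged.
ISOLATABLE_HOSTS="dmzweb01 dmzweb02"
ISOLATE_AT=1     # isolate at this severity or more severe (lower number)
NOTIFY_AT=2      # notify an administrator at this severity or more severe

# is_isolatable HOST -> returns 0 if HOST is in ISOLATABLE_HOSTS
is_isolatable() {
  for h in $ISOLATABLE_HOSTS; do
    [ "$h" = "$1" ] && return 0
  done
  return 1
}

# decide_action SEVERITY TARGET -> prints one of: log | notify | isolate
decide_action() {
  sev=$1
  host=$2
  # A malformed severity is never escalated: record it and let a human look.
  case "$sev" in
    ''|*[!0-9]*) echo log; return ;;
  esac
  if [ "$sev" -le "$ISOLATE_AT" ] && is_isolatable "$host"; then
    echo isolate
  elif [ "$sev" -le "$NOTIFY_AT" ]; then
    echo notify
  else
    echo log
  fi
}

# record ACTION SEVERITY CODE SOURCE TARGET MESSAGE -> appends one audit line
# so that every decision, including "do nothing but log", is traceable.
record() {
  printf '%s action=%s sev=%s code=%s src=%s target=%s msg=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" "$4" "$5" "$6" >> "$LOGFILE"
}

# respond SEVERITY CODE SOURCE TARGET MESSAGE -> prints the chosen action
respond() {
  action=$(decide_action "$1" "$4")
  record "$action" "$@"
  if [ "$action" = notify ]; then
    # Site-specific notification hook; mailx is the usual HP-UX choice.
    : "${MAILTO:=root}"
    printf 'HIDS alert sev=%s code=%s on %s: %s\n' "$1" "$2" "$4" "$5" \
      | mailx -s "HIDS alert on $4" "$MAILTO" 2>/dev/null || true
  elif [ "$action" = isolate ]; then
    # Hand off to a site-maintained script (hypothetical path) that takes
    # the host off the network; the mechanism itself is a local decision.
    if [ -x /opt/ids/response/site_isolate.sh ]; then
      /opt/ids/response/site_isolate.sh "$4"
    fi
  fi
  echo "$action"
}

# Run only when executed directly under this name, so the functions can be
# sourced and exercised separately.
case "$0" in
  *hids_response.sh) respond "$@" ;;
esac
```

Installed as the agent's response program, the script would be invoked once per alert; the audit line written by record is what lets you later reconcile what the agent saw with what the response did, which matters most when the chosen action was to isolate a host and evidence has to be preserved.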
191