HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

Response Methods
Responses to intrusions use one of the following methods.
Forwarding Information
Information about the alert can be forwarded by sending an email or calling a
pager. Filtering is required to prevent repeated alerts from causing a storm of
pages. For examples, see “Forwarding Information” (page 209).
Halting Further Attacks
Automated response can halt further attacks by changing an attribute of the system;
for example, it can disable an account, disable remote logins, or change a
directory's access permissions. For examples, see “Halting Further Attacks”
(page 211).
Preservation of Evidence
If evidence is to be preserved and analyzed, a response script can halt all further
processing on the system. Alternatively, it can disable network connections so that
the system is preserved in a running state. For examples, see “Preserving Evidence”
(page 214).
System Restoration to a Stable State
If business continuity is important, the system must be restored to a stable state.
If critical files are modified, they can be restored from trusted read-only media.
For examples, see “System Restoration to a Stable State” (page 216).
How Automated Response Works in HP-UX HIDS
This section discusses how the response programs handle the agent alerts.
Alert Process
When the agent generates an alert, the following actions occur:
1. The agent stores the alert in a local log file with a path name defined by the
IDS_ALERTFILE configuration variable. The default is
/var/opt/ids/alert.log. For information, see “The Agent Configuration
File” (page 239).
2. If it is communicating with the System Manager, the agent sends the alert to the
System Manager.
3. The agent looks for executable files in the directory defined by the
IDS_RESPONSE_DIR configuration variable. The default directory is
/opt/ids/response. For more information, see “The Agent Configuration File”
(page 239).
The agent can execute up to 50 files. If there are more than 50 files in the
IDS_RESPONSE_DIR, the agent selects 50 ordinary files each time an alert is
generated and ignores the rest.
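The following is an added example of a response program of the kind the agent runs from IDS_RESPONSE_DIR; it illustrates the filtering that “Forwarding Information” calls for (one page per distinct alert per time window, so a repeated alert cannot cause a storm of pages) and the 50-program limit described in step 3. It is not HP-UX HIDS code. It assumes the agent passes the alert text to each program as command-line arguments (this page does not state the calling convention), and the state-file path, outbox path and 600-second window are assumed defaults; the outbox file stands in for the site's mail or pager command so the script runs offline.

```shell
#!/bin/sh
# Added illustration of an HP-UX HIDS response program; not HP-UX HIDS code.
# Assumption: the agent runs every executable in IDS_RESPONSE_DIR and passes
# the alert text as command-line arguments (adjust the entry point at the
# bottom to the real calling convention documented elsewhere in the guide).

RESPONSE_DIR="${IDS_RESPONSE_DIR:-/opt/ids/response}"           # default from the guide
STATE_FILE="${IDS_RESPONSE_STATE:-/var/opt/ids/response.state}" # assumed path
OUTBOX="${IDS_RESPONSE_OUTBOX:-/var/opt/ids/response.outbox}"   # assumed path
WINDOW="${IDS_RESPONSE_WINDOW:-600}"                            # seconds, assumed default
MAX_PROGRAMS=50                                                 # limit stated in the guide

# Reduce an alert line to a stable key: runs of digits (PIDs, timestamps)
# become "N" and everything outside a small character set becomes "_", so
# alerts that differ only in such details share one key and are throttled
# together. The key has no spaces, so it is safe as an awk field.
alert_key() {
    printf '%s' "$1" | sed 's/[0-9][0-9]*/N/g' | tr -cs 'A-Za-z/_.' '_' | cut -c1-120
}

# should_notify KEY NOW: succeed (0) if KEY was last forwarded more than
# WINDOW seconds before NOW (or never), recording NOW; fail (1) otherwise.
should_notify() {
    key=$1
    now=$2
    [ -f "$STATE_FILE" ] || : > "$STATE_FILE"
    last=$(awk -v k="$key" '$1 == k { print $2 }' "$STATE_FILE")
    if [ -n "$last" ] && [ $((now - last)) -lt "$WINDOW" ]; then
        return 1
    fi
    # Rewrite the state file with this key's timestamp replaced.
    awk -v k="$key" '$1 != k' "$STATE_FILE" > "$STATE_FILE.tmp"
    printf '%s %s\n' "$key" "$now" >> "$STATE_FILE.tmp"
    mv "$STATE_FILE.tmp" "$STATE_FILE"
    return 0
}

# forward ALERT: the delivery hook. Replace the append with the site's mail
# or pager command; the outbox file keeps this example runnable offline.
forward() {
    printf '%s\n' "$1" >> "$OUTBOX"
}

# handle_alert ALERT [NOW]: throttle, then forward; prints "forwarded" or
# "suppressed" so the decision can be logged or checked. NOW defaults to the
# current epoch time (date +%s is assumed to be available).
handle_alert() {
    alert=$1
    now=${2:-$(date +%s)}
    if should_notify "$(alert_key "$alert")" "$now"; then
        forward "$alert"
        echo forwarded
    else
        echo suppressed
    fi
}

# count_response_programs [DIR]: number of ordinary executable files in the
# response directory. The agent runs at most MAX_PROGRAMS of them and ignores
# the rest, so a larger count means some programs are silently skipped.
count_response_programs() {
    dir=${1:-$RESPONSE_DIR}
    n=0
    for f in "$dir"/*; do
        if [ -f "$f" ] && [ -x "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Entry point when the agent invokes this program with the alert as arguments.
if [ $# -gt 0 ]; then
    n=$(count_response_programs)
    if [ "$n" -gt "$MAX_PROGRAMS" ]; then
        echo "warning: $n programs in $RESPONSE_DIR, the agent runs only $MAX_PROGRAMS" >&2
    fi
    handle_alert "$*" >&2
fi
```

The throttle key deliberately discards digits: an attacker retrying the same action under fresh process IDs produces one page, not one per attempt, while a genuinely different alert (another file, another alert category) still pages immediately. The state file is rewritten atomically with mv so a second program started by a concurrent alert never reads a half-written file.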
192 Automated Response for Alerts