HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
IMPORTANT: This script requires privilege and must not be installed as a setuid
privileged script. This script is for illustration purposes only. For instructions on safely
writing a privileged response program, see “Writing Privileged Response Programs”
(page 202).
Example B-4 Disabling a User Account
#!/usr/bin/sh
#
# Sample HP-UX HIDS alert response script
#
# Disable a user's account if they fail to su to root
RECIPIENT="root"
# If there is a failed su attempt then determine the user
if [ "$1" = "9" ]
then
    # The offending user is in parameter $12
    username=${12}
    echo "Disabling account for ${username}" |
        /usr/bin/mailx -s "$7" ${RECIPIENT}
    # Rather than deleting the account, disable the shell
    /usr/sbin/usermod -s /usr/bin/false ${username} 1>/dev/null 2>&1
    # Determine if usermod was successful
    if [ $? != 0 ]
    then
        # User is probably still logged in. Kill all user's processes
        echo "Killing all processes owned by ${username}."
        # awk selects the PID column; cut with a single-space delimiter
        # does not cope with the runs of spaces in ps -ef output
        pids=`ps -ef | grep ${username} | grep -v "grep ${username}" | awk '{print $2}'`
        if [ "${pids}" != "" ]
        then
            echo ${pids} | xargs kill -9
            sleep 1
        fi
        # Attempt to disable the account again
        /usr/sbin/usermod -s /usr/bin/false ${username}
    fi
fi
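The following script is an added illustration and is not part of this guide or of the HP-UX HIDS product. It applies the same response logic as Example B-4 but validates the user name field before passing it to any command, refuses to act on an illustrative list of protected accounts (an assumption of this example), and selects processes by the owner column of ps -ef instead of a substring match. It assumes the argument layout shown above: $1 is the alert code ("9" for a failed su), $7 the summary text and $12 the user name.

```shell
#!/usr/bin/sh
# Added example (not from the HP-UX HIDS guide): a more defensive version of
# the Example B-4 response. Assumes the guide's argument layout:
# $1 = alert code ("9" = failed su), $7 = summary text, $12 = user name.
RECIPIENT=root

# Accept only a plain account name: letters, digits, '_', '.', '-', at most
# 32 characters, not starting with '-'. This keeps shell metacharacters from an
# attacker-influenced alert field out of the commands below.
valid_username() {
    case "$1" in
        '' | -* | *[!a-zA-Z0-9_.-]*) return 1 ;;
    esac
    [ ${#1} -le 32 ]
}

# Accounts that must never be disabled by an automated response (illustrative
# list, an assumption of this example; tailor it to the system).
protected_account() {
    case "$1" in
        root | bin | sys | adm | daemon) return 0 ;;
    esac
    return 1
}

# Returns 0 when the alert warrants disabling the account, 1 otherwise.
should_disable() {
    [ "$1" = "9" ] || return 1
    valid_username "$2" || return 1
    if protected_account "$2"; then return 1; fi
    return 0
}

# PIDs owned by the user, matched on the owner column of ps -ef rather than
# by a substring grep that would also hit unrelated processes.
user_pids() {
    ps -ef | awk -v u="$1" '$1 == u { print $2 }'
}

respond() {
    should_disable "$1" "${12}" || return 0
    user=${12}
    echo "Disabling account for ${user}" | /usr/bin/mailx -s "$7" "$RECIPIENT"
    /usr/sbin/usermod -s /usr/bin/false "$user" >/dev/null 2>&1 && return 0
    # usermod failed, probably because the user is logged in: end the
    # user's processes, then retry once.
    pids=`user_pids "$user"`
    [ -n "$pids" ] && kill -9 $pids && sleep 1
    /usr/sbin/usermod -s /usr/bin/false "$user"
}

respond "$@"
```

The validation functions can be exercised without privilege; only respond itself needs to run as a privileged response program.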
212 Automated Response for Alerts