HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

Preserving Evidence
Consult your local legal counsel to determine what steps must be taken to preserve
evidence for use in court. The example scripts presented below do not meet the legal
requirements for preservation of evidence.
Putting a Process to Sleep
You can preserve evidence of an intrusion for later analysis. In this example, a process
that caused an alert is stopped. Any activity by the process is halted, and the process
memory image can be analyzed at a later time.
IMPORTANT: This script requires privileges and must not be installed as a setuid
privileged script. This script is for illustration purposes only. For instructions on safely
writing a privileged response program, see “Writing Privileged Response Programs”
(page 202).
Example B-6 Putting a Process to Sleep
#!/usr/bin/sh
## Sample HP-UX HIDS alert response script
## Stop a process that has performed an intrusive activity
RECIPIENT=root
# If we have a file modification alert (alert code 2 in argument 1)
if [ "$1" = 2 ]
then
    # And if the target of the attack is the password file (argument 17)
    if [ "${17}" = /etc/passwd ]
    then
        # Obtain the process ID from the alert (argument 11)
        pid=${11}
        # Notify the recipient; the alert summary (argument 7) becomes the mail subject
        echo "Critical intrusion: halting process ${pid} running ${24} that modified /etc/passwd" \
            | /usr/bin/mailx -s "$7" ${RECIPIENT}
        # Suspend the process so its memory image can be examined later
        kill -STOP ${pid}
    fi
fi
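The example above signals whatever process ID the alert carries. The following script is an added example, not part of the HP-UX HIDS guide or its sample scripts, showing the same "stop the process, keep its memory image" response with the input checks a privileged response program needs before it calls kill: the PID must be a plain positive integer, must not be PID 1, and must not be the response script itself. The argument positions (alert type in $1, process ID in ${11}, target path in ${17}) follow Example B-6; the function names, the /proc check and everything else are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the HP-UX HIDS guide): a checked version of the
# "put a process to sleep" response. Field positions follow Example B-6;
# function names and the safety rules are assumptions for illustration.

# Return 0 if the argument is a PID that is safe to signal:
# non-empty, digits only, greater than 1 (never init) and not our own PID.
is_safe_pid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit
    esac
    [ "$1" -gt 1 ] || return 1     # never stop PID 1
    [ "$1" -ne "$$" ] || return 1  # never stop this script
    return 0
}

# Decide whether an alert merits halting the process.
# Arguments: alert type, target path, protected path. Returns 0 (halt) or 1 (ignore).
should_halt() {
    alert_type=$1
    target=$2
    protected=$3
    [ "$alert_type" = 2 ] || return 1          # only file modification alerts
    [ "$target" = "$protected" ] || return 1   # only the protected file
    return 0
}

# Suspend a process with SIGSTOP after validating the PID.
# The process stays stopped, so its memory image can be examined later.
halt_process() {
    pid=$1
    if ! is_safe_pid "$pid"; then
        echo "refusing to signal invalid or protected pid '$pid'" >&2
        return 1
    fi
    kill -STOP "$pid"
}

# Entry point mirroring Example B-6's argument layout. Runs only when the
# script is invoked with a full alert record, so sourcing it does nothing.
if [ $# -ge 17 ]; then
    if should_halt "$1" "${17}" /etc/passwd; then
        halt_process "${11}" && echo "halted process ${11} that modified /etc/passwd"
    fi
fi
```

Compared with Example B-6, the decision (should_halt) and the action (halt_process) are separate functions, so each can be exercised on its own, and the PID check runs before any signal is sent; a malformed or empty field in the alert record therefore produces a refusal on stderr instead of a kill with an unintended argument.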
214 Automated Response for Alerts