HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
Snapshot of Critical System State
Extending the previous example, this script takes a snapshot of critical system state
information that can be used for later analysis. The snapshot captures the following
information:
• Currently executing process list
• Who is logged into the system
• A record of login and logout attempts
• List of active network connections
Example B-7 Taking a Snapshot of Critical System State
#!/usr/bin/sh
#
# Sample HP-UX HIDS alert response script
#
# Take a snapshot of important system state information
# when the intrusion occurred.
# State information is stored in a snapshot file with the
# UTC time of the intrusion alert appended to it.
# The positional parameters ($4, $8) are supplied by the HIDS agent
# when it invokes the response script; $4 is the UTC time of the alert.
# Note: HP-UX /usr/bin/sh echo expands \n into a newline.

# Carried over from the previous example (mail recipient); unused here.
RECIPIENT="root"

# Set the umask to a "sane" value so the snapshot is readable only by its owner
umask 077

file="/var/opt/ids/tmp/snapshot.$4"

# Title line
echo "System state after potential intrusion:\n$8" > ${file}

# ps output
echo "\n----------\nList of currently executing processes:\n" >> ${file}
ps -ef >> ${file}

# Who is logged in
echo "\n----------\nList of currently logged in users:\n" >> ${file}
/usr/bin/who >> ${file}

# Record of login and logout
echo "\n----------\nLast login/logout activity:" >> ${file}
/usr/bin/last >> ${file}

# Active network connections
echo "\n----------\nActive network connections (netstat -a):\n" >> ${file}
/usr/bin/netstat -a >> ${file}
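The same snapshot as an added example (not from the HP-UX HIDS guide), reworked around a function so that a snapshot is never overwritten by a later alert with the same timestamp and a checksum of the finished file is kept beside it for later verification. It assumes a POSIX sh with `command -v` and `$(( ))`, a hypothetical `snapshot DIR UTC_TIME DETAILS` calling convention in place of the agent's `$4`/`$8`, and skips any collector that is not installed on the host.

```shell
# Added example: forensic snapshot with no-clobber naming and a checksum.
# Assumes POSIX sh. snapshot() takes: $1 = snapshot directory,
# $2 = UTC alert time, $3 = alert text (hypothetical convention).

umask 077

# Append one collector's output to $file, or a note that it is unavailable.
collect() {
    # $1 = section title, remaining arguments = command and its arguments
    title=$1; shift
    printf '\n----------\n%s:\n\n' "$title" >> "$file"
    if command -v "$1" >/dev/null 2>&1; then
        # Collector failure is recorded in the file, not fatal to the snapshot
        "$@" >> "$file" 2>&1 || printf '(%s exited non-zero)\n' "$1" >> "$file"
    else
        printf '(%s not available on this host)\n' "$1" >> "$file"
    fi
}

snapshot() {
    dir=$1; when=$2; details=$3
    file="$dir/snapshot.$when"
    # Never clobber an earlier snapshot: a second alert carrying the same
    # timestamp must not erase the first record, so add a numeric suffix.
    n=0
    while [ -e "$file" ]; do
        n=$((n + 1)); file="$dir/snapshot.$when.$n"
    done
    printf 'System state after potential intrusion:\n%s\n' "$details" > "$file"
    collect "List of currently executing processes" ps -ef
    collect "List of currently logged in users" who
    collect "Last login/logout activity" last
    collect "Active network connections (netstat -a)" netstat -a
    # cksum is POSIX; the sidecar lets an analyst verify the file was not altered.
    cksum "$file" > "$file.cksum"
    printf '%s\n' "$file"   # return the path of the snapshot written
}
```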
Sample Response Programs 215