HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
System Restoration to a Stable state
Intruders often replace key system configuration files during an attack. This sample
script shows how to replace those files with clean versions that are mounted on a
CD-ROM drive. Assume that the CDROM is mounted on /cdrom.
IMPORTANT: This script requires privilege and must not be installed as a setuid
privileged script. This script is for illustration purposes only. For instructions on safely
writing a privileged response program, see “Writing Privileged Response Programs”
(page 202).
NOTE: This script is a simple example, and does not take into account many factors,
such as:
• Whether the configuration files are in use
• Whether daemons must be restarted to reread file contents
• Whether an attacker has planted symbolic links to redirect contents to a different location
You must consider these factors when designing a complete response scenario.
Example B-8 Restoring Safe Copies of Files
#!/usr/bin/sh
# Sample HP-UX HIDS alert response script
# Restore "good" copies of files to the /etc directory if
# any modifications occur
RECIPIENT="root"
# Setting the umask to a "sane" value
umask 077
# If there is a file modification alert
if [ "$1" = "2" ]
then
    # And if the target of the attack is a file in /etc
    match=`echo "${17}" | grep "^/etc/..*"`
    if [ "$match" != "" ]
    then
        echo "System configuration was modified: restoring from backup CD\n" \
            | /usr/bin/mailx -s "$7" "${RECIPIENT}"
        cp -rf /cdrom/etc/* /etc
    fi
fi
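The NOTE above lists factors Example B-8 ignores. The following added script (not part of the HP-UX HIDS guide) shows one way to address two of them: it restores only the reported file instead of all of /cdrom/etc, refuses to write through a symbolic link at any level of the destination path, and replaces the file by atomic rename so a daemon never reads a half-written copy. It assumes clean copies under CLEAN_ROOT (default /cdrom) mirror the live tree under TARGET_ROOT, and it is written for a POSIX sh; mailing the alert and restarting daemons are left to the caller.

```shell
#!/bin/sh
# Added example, not from the HP-UX HIDS guide or Example B-8.
# Assumed layout: $CLEAN_ROOT/etc/<file> is the trusted copy of
# $TARGET_ROOT/etc/<file> (TARGET_ROOT is empty for the live system).
umask 077

# restore_file PATH CLEAN_ROOT TARGET_ROOT
# Returns 0 if PATH was restored, 1 if the request was refused.
restore_file() {
    path=$1; clean=${2:-/cdrom}; root=${3:-}
    # Only files under /etc, and no ".." components that could escape it.
    case "$path" in
        /etc/*) ;;
        *) echo "refused: $path is not under /etc" >&2; return 1 ;;
    esac
    case "$path" in
        *..*) echo "refused: $path contains '..'" >&2; return 1 ;;
    esac
    src="$clean$path"
    dst="$root$path"
    # The clean copy must be a regular file, not a symlink.
    if [ ! -f "$src" ] || [ -L "$src" ]; then
        echo "refused: no clean copy at $src" >&2; return 1
    fi
    # Walk from the destination up to the root: a symlink planted at any
    # level would redirect the restore to a different location.
    p=$dst
    while [ -n "$p" ] && [ "$p" != "$root" ] && [ "$p" != "/" ]; do
        if [ -L "$p" ]; then
            echo "refused: $p is a symbolic link" >&2; return 1
        fi
        p=$(dirname "$p")
    done
    # Copy (preserving mode) into the same directory, then rename into place
    # so readers see either the old file or the complete new one.
    tmp="$dst.hids.$$"
    if cp -p "$src" "$tmp" && mv -f "$tmp" "$dst"; then
        echo "restored $dst from $src"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# From an alert response script this would be: restore_file "${17}" /cdrom ""
if [ $# -gt 0 ]; then
    restore_file "$1" "${2:-/cdrom}" "${3:-}"
fi
```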
HP OpenView Operations SMART Plug-In
For customers of HP OpenView Operations (OVO), a SMART Plug-In OVO
HPUX_HIDS-SPI is available. By relaying messages from the HP-UX HIDS agent to
the OVO message interceptor residing on the same host, HP-UX HIDS enables you to
manage HP-UX HIDS alerts directly from the OpenView management server.