HP-UX Host Intrusion Detection System Version 4.2 Administration Guide
Halting Further Attacks
The response script program can stop subsequent attacks on a system either by disabling a user’s
account or by disabling the remote network connection.
Disabling a user's account
If a particular user account is generating many alerts, it may be necessary to disable further logins
on that account. The following script shows how to achieve that.
IMPORTANT: This script requires privilege and must not be installed as a setuid privileged
script. This script is for illustration purposes only. For instructions on safely writing a privileged
response program, see “Writing Privileged Response Programs” (page 167).
Example B-4 Disabling a User Account
#!/usr/bin/sh
#
# Sample HP-UX HIDS alert response script
#
# Disable a user's account if they fail to su to root
RECIPIENT="root"
# If there is a failed su attempt then determine the user
if [ "$1" = "9" ]
then
    # The offending user is in parameter $12
    username=${12}
    echo "Disabling account for ${username}" |
        /usr/bin/mailx -s "$7" ${RECIPIENT}
    # Rather than deleting the account, disable the shell
    /usr/sbin/usermod -s /usr/bin/false ${username} 1>/dev/null 2>&1
    # Determine if usermod was successful
    if [ $? -ne 0 ]
    then
        # User is probably still logged in. Kill all user's processes
        echo "Killing all processes owned by ${username}."
        # Match the UID column exactly: a substring grep on the whole ps
        # line would also select processes of other users whose names
        # contain ${username}, or whose command line mentions it
        pids=`ps -ef | awk -v u="${username}" '$1 == u { print $2 }'`
        if [ "${pids}" != "" ]
        then
            echo ${pids} | xargs kill -9
            sleep 1
        fi
        # Attempt to disable the account again
        /usr/sbin/usermod -s /usr/bin/false ${username}
    fi
fi
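The process-selection step above is where such scripts most often misbehave: a substring match over the whole ps line selects processes of unrelated users and of unrelated commands, and a response script runs with privilege, so the wrong PIDs get killed. The following added example (not part of the HP-UX HIDS guide) contrasts the substring selection with an exact match on the UID column, using a constructed ps -ef sample so it can be run without privilege; the function names, the sample output and the DRY_RUN variable are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example: select only the processes that really belong to the
# offending user before signalling them. Not from the HP-UX HIDS guide.

# Constructed sample of `ps -ef` output (a real script would run ps itself).
# Note user "hanna" contains the string "ann", and root's su process
# mentions "ann" on its command line.
SAMPLE_PS='     UID   PID  PPID  C    STIME TTY       TIME COMMAND
    root     1     0  0  Jan 01  ?         0:03 init
     ann  1234     1  0 10:15:02 pts/1     0:00 -sh
   hanna  2345     1  0 10:16:10 pts/2     0:00 vi report
    root  3456  1234  0 10:17:00 pts/1     0:00 su ann
     ann  4567  1234  0 10:18:00 pts/1     0:00 vi notes.txt'

# Substring selection: matches anywhere on the line.
# $1 = username, ps output on stdin; prints one PID per line.
naive_pids() {
    grep "$1" | grep -v "grep $1" | awk '{ print $2 }'
}

# Exact selection: compare the UID column only and skip the header line.
# $1 = username, ps output on stdin; prints one PID per line.
exact_pids() {
    awk -v u="$1" 'NR > 1 && $1 == u { print $2 }'
}

# Signal every process owned by the user. $1 = username, $2 = signal
# (default TERM). With DRY_RUN=1 the kill commands are only printed,
# so the logic can be exercised without privilege. ps output on stdin.
kill_user_processes() {
    sig=${2:-TERM}
    pids=$(exact_pids "$1")
    [ -z "$pids" ] && return 0
    for p in $pids; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "kill -$sig $p"
        else
            kill -"$sig" "$p"
        fi
    done
}

# Stand-alone demonstration on the constructed sample; no real process is touched.
if [ "${1:-}" = "--demo" ]; then
    echo "substring match selects:"; printf '%s\n' "$SAMPLE_PS" | naive_pids ann
    echo "exact match selects:";     printf '%s\n' "$SAMPLE_PS" | exact_pids ann
    DRY_RUN=1
    printf '%s\n' "$SAMPLE_PS" | kill_user_processes ann
fi
```

Run with `--demo` to see the difference: the substring version returns 1234, 2345, 3456 and 4567 (hanna's editor and root's su included), the exact version only 1234 and 4567. Sending TERM first and KILL only after a pause, rather than `kill -9` immediately, also gives the user's processes a chance to flush files and leave a cleaner audit trail.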
Sample Response Programs 173