HP-UX Host Intrusion Detection System Version 4.2 Administration Guide
Preserving Evidence
Consult your local legal counsel to determine what steps must be taken to preserve evidence for
use in court. The example scripts presented below do not meet the legal requirements for
preservation of evidence.
Putting a Process to Sleep
You can preserve evidence of an intrusion for later analysis. In this example, the process that caused
an alert is stopped with SIGSTOP rather than killed: all activity by the process is halted, but it is not
torn down, so its memory image can be analyzed at a later time.
IMPORTANT: This script requires privileges and must not be installed as a setuid privileged
script. This script is for illustration purposes only. For instructions on safely writing a privileged
response program, see “Writing Privileged Response Programs” (page 167).
Example B-6 Putting a Process to Sleep
#!/usr/bin/sh
## Sample HP-UX HIDS alert response script
## Stop a process that has performed an intrusive activity
RECIPIENT="root"
# If we have a file modification alert
if [ "$1" = "2" ]
then
    # And if the target of the attack is the password file
    if [ "${17}" = "/etc/passwd" ]
    then
        # Obtain the process ID from the alert
        pid=${11}
        echo "Critical intrusion: halting process ${pid} running ${24} that modified /etc/passwd" \
            | /usr/bin/mailx -s "$7" ${RECIPIENT}
        kill -STOP ${pid}
    fi
fi
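The following is an added example, not a script from the HP-UX HIDS guide. It restructures the same response into functions so the decision logic and the PID check can be exercised without actually signalling anything: the alert field positions ($1 alert type, $7 summary, ${11} process ID, ${17} target file, ${24} program) are those used by Example B-6; the function names, the DRY_RUN variable and the PID sanity checks (numeric, not PID 1, not the script's own process) are assumptions added here.

```shell
#!/usr/bin/sh
# Added example (not from the HP-UX HIDS guide): a stricter version of the
# "put a process to sleep" response. Field positions follow Example B-6:
# $1 = alert type ("2" = file modification), $7 = alert summary,
# ${11} = process ID, ${17} = target file, ${24} = program path.
# DRY_RUN=1 (assumed convention) reports the action instead of signalling.

RECIPIENT="root"
DRY_RUN="${DRY_RUN:-0}"

# Return 0 (true) only for a file-modification alert whose target is the
# password file; every other alert is left alone.
should_halt() {
    alert_type="$1"; target="$2"
    [ "$alert_type" = "2" ] && [ "$target" = "/etc/passwd" ]
}

# Validate the PID taken from the alert before acting on it: it must be a
# positive integer, not PID 1 (init), and not this script's own process.
valid_pid() {
    pid="$1"
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$pid" -gt 1 ] && [ "$pid" -ne "$$" ]
}

# Freeze the process with SIGSTOP so its memory image survives for later
# analysis. In dry-run mode the message is printed and nothing is signalled.
halt_process() {
    pid="$1"; program="$2"; subject="$3"
    valid_pid "$pid" || { echo "refusing to act on invalid pid '$pid'"; return 1; }
    msg="Critical intrusion: halting process $pid running $program that modified /etc/passwd"
    if [ "$DRY_RUN" = "1" ]; then
        echo "DRY RUN: $msg"
        return 0
    fi
    echo "$msg" | /usr/bin/mailx -s "$subject" "$RECIPIENT"
    kill -STOP "$pid"
}

# Entry point: act only when invoked with a full set of HIDS alert fields.
if [ "$#" -ge 24 ]; then
    if should_halt "$1" "${17}"; then
        halt_process "${11}" "${24}" "$7"
    fi
fi
```

Run it as the HIDS response program in the usual way; set DRY_RUN=1 in the environment to verify that the right alerts would be acted on before enabling the SIGSTOP.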
Sample Response Programs 175