HP-UX Host Intrusion Detection System Version 4.2 Administration Guide
System Restoration to a Stable State
Intruders often replace key system configuration files during an attack. This sample script shows
how to replace those files with clean versions that are mounted on a CD-ROM drive. Assume
that the CD-ROM is mounted on /cdrom.
IMPORTANT: This script requires privilege and must not be installed as a setuid privileged
script. This script is for illustration purposes only. For instructions on safely writing a privileged
response program, see “Writing Privileged Response Programs” (page 167).
NOTE: This script is a simple example, and does not take into account many factors, such as:
• Whether the configuration files are in use
• Whether daemons must be restarted to reread file contents
• Whether an attacker has planted symbolic links to redirect the restored contents to a different location
You must consider these factors when designing a complete response scenario.
Example B-8 Restoring Safe Copies of Files
#!/usr/bin/sh
# Sample HP-UX HIDS alert response script
# Restore "good" copies of files to the /etc directory if
# any modifications occur
RECIPIENT="root"
# Setting the umask to a "sane" value
umask 077
# If there is a file modification alert ($1 is the alert code)
if [ "$1" = "2" ]
then
    # And if the target of the attack (${17}) is a file in /etc
    match=`echo "${17}" | grep "^/etc/..*"`
    if [ "$match" != "" ]
    then
        # $7 is the alert summary, used here as the mail subject
        echo "System configuration was modified: restoring from backup CD\n" \
            | /usr/bin/mailx -s "$7" "${RECIPIENT}"
        cp -rf /cdrom/etc/* /etc
    fi
fi
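The NOTE above lists factors that Example B-8 ignores. The following script is an added example, written for this page; it is not part of the guide or of HP-UX HIDS. It shows one way a response program can handle the symbolic-link and daemon-restart factors for a single alert target, and it goes beyond Example B-8 by restoring only the file named in the alert instead of copying all of /cdrom/etc. It assumes the same positional parameters Example B-8 uses ($1 alert code, $7 summary, ${17} target path) and a clean tree mounted at /cdrom. The BACKUP_ROOT and SYSTEM_ROOT variables, the function names, and the reload table (the syslogd pid-file path and the inetd -c reconfigure option) are this example's own assumptions; verify them against the manual pages of your release before relying on them.

```sh
#!/usr/bin/sh
# Added example, not part of the HP-UX HIDS guide or Example B-8.
# Restores one file from a clean backup tree, refusing to write through
# attacker-planted symbolic links, renaming the clean copy into place and
# verifying the result with a checksum.
# Positional parameters follow Example B-8: $1 = alert code ("2" = file
# modification), $7 = alert summary (mail subject), ${17} = modified path.

BACKUP_ROOT="${BACKUP_ROOT:-/cdrom}"   # assumed mount point of the clean tree
SYSTEM_ROOT="${SYSTEM_ROOT:-}"         # empty means the live system; tests set it
RECIPIENT="root"

# Print "crc size" for a file so two copies can be compared.
sum_of() {
    cksum < "$1" | cut -d' ' -f1,2
}

# Succeed only if no component of $1 (under $SYSTEM_ROOT) is a symbolic link.
# cp(1) follows symlinks, so /etc/passwd -> /tmp/x would redirect the restore.
no_symlink_in_path() {
    _rest="${1#/}"
    _cur="$SYSTEM_ROOT"
    while [ -n "$_rest" ]; do
        case "$_rest" in
            */*) _c="${_rest%%/*}"; _rest="${_rest#*/}" ;;
            *)   _c="$_rest";        _rest="" ;;
        esac
        _cur="$_cur/$_c"
        [ -L "$_cur" ] && return 1
    done
    return 0
}

# Restore one file from the backup tree.
# Returns 0 when the file now matches the clean copy, 1 when the request was
# refused (bad path, symlink, no clean copy), 2 when the copy itself failed.
restore_file() {
    _target="$1"
    case "$_target" in
        /etc/*) ;;
        *) echo "refusing $_target: not under /etc" >&2; return 1 ;;
    esac
    case "$_target" in
        */../*|*/..|*//*) echo "refusing $_target: .. or // in path" >&2; return 1 ;;
    esac
    if ! no_symlink_in_path "$_target"; then
        echo "refusing $_target: symbolic link in path" >&2; return 1
    fi
    _src="$BACKUP_ROOT$_target"
    _dst="$SYSTEM_ROOT$_target"
    if [ ! -f "$_src" ] || [ -L "$_src" ]; then
        echo "refusing $_target: no clean regular file at $_src" >&2; return 1
    fi
    if [ -d "$_dst" ]; then
        echo "refusing $_target: destination is a directory" >&2; return 1
    fi
    # Already identical: nothing to do.
    if [ -f "$_dst" ] && [ "$(sum_of "$_src")" = "$(sum_of "$_dst")" ]; then
        return 0
    fi
    # Copy to a temporary name in the same directory, then rename into place so
    # readers never see a half-written configuration file. -p keeps the mode
    # and timestamps recorded on the backup medium.
    _tmp="$_dst.hids.$$"
    if ! cp -p "$_src" "$_tmp" || ! mv -f "$_tmp" "$_dst"; then
        rm -f "$_tmp"; return 2
    fi
    [ "$(sum_of "$_src")" = "$(sum_of "$_dst")" ] || return 2
    return 0
}

# Which daemon must reread the restored file (the NOTE's second factor).
# Illustrative table only (assumed pid-file path and inetd option); check the
# manual page of each daemon on your release.
reload_command() {
    case "$1" in
        /etc/syslog.conf) echo "kill -HUP \$(cat /var/run/syslog.pid)" ;;
        /etc/inetd.conf)  echo "/usr/sbin/inetd -c" ;;
        *)                echo "" ;;
    esac
}

# Dispatch with the same shape as Example B-8.
if [ "$1" = "2" ]; then
    case "${17}" in
        /etc/*)
            if restore_file "${17}"; then
                _rc="$(reload_command "${17}")"
                echo "Restored ${17} from $BACKUP_ROOT${_rc:+; run: $_rc}" \
                    | /usr/bin/mailx -s "$7" "$RECIPIENT"
            fi ;;
    esac
fi
```

The restore deliberately stops short of running the reload command: restarting a daemon from an alert handler is itself a response an attacker can provoke, so the script reports what needs to be done and leaves that decision to the administrator. The same applies to the first factor in the NOTE (files in use): a renamed-into-place file is consistent on disk, but a process that has already read the old contents keeps them until it is told to reread.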
HP OpenView Operations SMART Plug-In
For customers of HP OpenView Operations (OVO), a SMART Plug-In OVO HPUX_HIDS-SPI is
available. By relaying messages from the HP-UX HIDS agent to the OVO message interceptor
residing on the same host, HP-UX HIDS enables you to manage HP-UX HIDS alerts directly
from the OpenView management server.
The OVO HPUX_HIDS-SPI components include the following:
• Templates designed to monitor important log files, vital processes, and real time alerts
generated by HP-UX HIDS.
• Templates that enable monitoring of the application’s overall availability.
• Applications that enable you to query the status of HP-UX HIDS, and start and stop the
HP-UX HIDS System Manager.
OVO HPUX_HIDS-SPI can be used with both the OVO X-Motif-based Operator GUI and the
OVO Java-based Operator GUI.
The HPUX_HIDS-SPI SMART Plug-In is available for download from the OpenView SPI Gallery
website at: http://managementsoftware.hp.com/downloads/spis.html. Select “SPI
Gallery” and choose the HP-UX HIDS plug-in from the list.