HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)

Example 2 Sending Alerts Through e-mail
#!/usr/bin/sh
#
# Sample HP-UX HIDS alert response script
#
# Send an e-mail to root if a severity 1 alert is received.
# Set RECIPIENT to the target e-mail address.
RECIPIENT=root
# If there is a severity 1 alert, send the details by e-mail.
# $3 is the alert severity; $7 is used as the subject and $8
# (the alert details) as the message body. The arguments are
# quoted so that spaces in the subject or details do not split
# them into several words.
if [ "$3" = 1 ]
then
    echo "$8" | /usr/bin/mailx -s "$7" "${RECIPIENT}"
fi
Logging to a Central syslog Server
While the HP-UX HIDS System Manager provides a central location for alerts, you can also log
alerts to a syslog server. The following script shows how this can be done. The script writes the
alert to the local syslog; the local syslogd forwards it to the central server according to the
destinations configured in /etc/syslog.conf.
Example 3 Storing Alerts in Log Files
#!/usr/bin/sh
#
# Sample HP-UX HIDS alert response script
#
# Send a message to syslog containing the alert.
# If there is a severity 1 alert, log the alert details ($8) to
# syslog. The tag and the details are quoted so that logger does
# not treat "HIDS" and the words of the details as separate
# arguments.
if [ "$3" = 1 ]
then
    /usr/bin/logger -t "HP-UX HIDS" "$8"
fi
NOTE: Administrators can also use the following HP-supported options:
• Consolidate alerts to a central log using syslog-ng with clog_tail.
• Generate alert reports using the idsadmin --report feature. For more information on the
  idsadmin --report feature, see “Generating Alert Reports Using the idsadmin Command”
  (page 176).
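The following response script is an added example and is not one of the guide's sample programs. It builds on Example 3: instead of logging only severity 1 alerts, it maps every HIDS severity to a syslog priority, and it collapses the alert into a single syslog record so that a multi-line detail string cannot be split into extra records in the central log. It assumes the argument positions used by the samples above ($3 = severity, with 1 the most severe; $7 = summary; $8 = details), that logger accepts the -p and -t options as on HP-UX, and that the local syslogd forwards the auth facility to the central server (for example with an "auth.notice @loghost" line in /etc/syslog.conf). The function names hids_priority, hids_format and hids_log are my own.

```shell
#!/usr/bin/sh
# Added example, not from the HP-UX HIDS guide: a response script that
# turns one alert into one syslog record with a severity-based priority.
# Assumption: argument positions follow the guide's samples, i.e.
# $3 = severity (1 is the most severe), $7 = summary, $8 = details.
# Assumption: the local syslogd forwards auth.* to the central server
# (for example an "auth.notice @loghost" line in /etc/syslog.conf).

# Map a HIDS severity to a syslog facility.level for logger -p.
# Unknown or non-numeric severities fall back to auth.info.
hids_priority() {
    case "$1" in
        1) echo "auth.crit" ;;
        2) echo "auth.warning" ;;
        3) echo "auth.notice" ;;
        *) echo "auth.info" ;;
    esac
}

# Build a single-line record. Newlines and carriage returns in the
# summary and details are replaced with spaces, so a multi-line
# detail string cannot turn into several records that look like
# separate events to whoever reads the central log.
hids_format() {
    sev=$1
    summary=$(printf '%s' "$2" | tr '\n\r' '  ')
    details=$(printf '%s' "$3" | tr '\n\r' '  ')
    printf 'severity=%s summary="%s" details="%s"' "$sev" "$summary" "$details"
}

# Send the record to syslog. Every argument is quoted, so spaces in
# the summary or details stay inside one logger argument.
hids_log() {
    /usr/bin/logger -p "$(hids_priority "$1")" -t "HP-UX HIDS" \
        "$(hids_format "$1" "$2" "$3")"
}

# Entry point: HIDS invokes the script with at least eight arguments.
if [ "$#" -ge 8 ]
then
    hids_log "$3" "$7" "$8"
else
    # Run by hand with no HIDS arguments: show the record that would be
    # logged for a constructed sample alert (not a real HIDS alert).
    hids_format 1 "File modified" "$(printf 'file /etc/passwd modified\nby uid 0')"
    echo
fi
```

Run without arguments the script only prints the record for the constructed sample; installed as a HIDS response program it logs every alert, so filter by priority on the central server rather than in the script if only severity 1 alerts are wanted there.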
Halting Further Attacks
The response script program can stop subsequent attacks on a system either by disabling a user’s
account or by disabling the remote network connection.
Disabling a user's account
If a particular user account is generating many alerts, it may be necessary to disable further logins
on that account. The following script shows how to achieve that.
Sample Response Programs 163