HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
IMPORTANT: This script requires privilege and must not be installed as a setuid privileged script.
This script is for illustration purposes only. For instructions on safely writing a privileged response
program, see "Writing Privileged Response Programs" (page 158).
Example 4 Disabling a User Account
#!/usr/bin/sh
#
# Sample HP-UX HIDS alert response script
#
# Disable a user's account if they fail to su to root
RECIPIENT="root"
# If there is a failed su attempt (alert code 9) then determine the user
if [ "$1" = "9" ]
then
    # The offending user is in parameter $12; $7 carries the alert summary
    username=${12}
    echo "Disabling account for ${username}" |
        /usr/bin/mailx -s "$7" ${RECIPIENT}
    # Rather than deleting the account, disable the shell
    /usr/sbin/usermod -s /usr/bin/false ${username} 1>/dev/null 2>&1
    # Determine if usermod was successful
    if [ $? != 0 ]
    then
        # User is probably still logged in. Kill all user's processes
        echo "Killing all processes owned by ${username}."
        # The PID is the second field of ps -ef; awk handles the
        # variable-width spacing that a fixed cut delimiter does not
        pids=`ps -ef | grep ${username} | grep -v "grep ${username}" | awk '{print $2}'`
        if [ "${pids}" != "" ]
        then
            echo ${pids} | xargs kill -9
            sleep 1
        fi
        # Attempt to disable the account again
        /usr/sbin/usermod -s /usr/bin/false ${username}
    fi
fi
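The sample above acts on whatever name arrives in parameter $12 and finds the user's processes by grepping ps -ef for that name, which also matches other users' command lines. The following hardened variant is an added example, not code from the guide: it validates the name against the account database before calling usermod, refuses root and system accounts, and selects processes by owner. PASSWD, USERMOD and MIN_UID are hypothetical variables introduced so the logic can be exercised without privilege; the positional parameters are assumed to match Example 4.

```shell
#!/usr/bin/sh
# Added example, not code from the HP-UX HIDS guide: hardened variant of
# Example 4. Assumes the guide's parameters ($1 alert code, $7 summary,
# ${12} user name). PASSWD, USERMOD and MIN_UID are hypothetical knobs
# that let the script run without privilege (e.g. USERMOD=echo).
PASSWD=${PASSWD:-/etc/passwd}          # account database to consult
USERMOD=${USERMOD:-/usr/sbin/usermod}  # set to "echo" for a dry run
MIN_UID=${MIN_UID:-100}                # assumed floor for ordinary accounts

# valid_username NAME: 0 only for a plain login name of an ordinary account.
# Rejects empty, option-like or metacharacter names, root, and system UIDs.
valid_username() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*|root) return 1 ;;
    esac
    uid=`awk -F: -v u="$1" '$1 == u { print $3; exit }' "$PASSWD"`
    [ -n "$uid" ] && [ "$uid" -ge "$MIN_UID" ]
}

# user_pids NAME: PIDs whose owner is NAME (exact match, so a name that
# merely appears in another user's command line is not caught).
# UNIX95 enables the -o option on HP-UX ps (assumption; harmless elsewhere).
user_pids() {
    UNIX95=1 ps -u "$1" -o pid= 2>/dev/null
}

# respond ALERT-PARAMETERS...: 0 account disabled, 2 name rejected,
# 3 alert is not a failed su (code 9) and nothing was done.
respond() {
    [ "$1" = "9" ] || return 3
    username=${12}
    if ! valid_username "$username"; then
        echo "HIDS response: refusing to act on user '$username'" >&2
        return 2
    fi
    "$USERMOD" -s /usr/bin/false "$username" >/dev/null 2>&1 || {
        # usermod failed, probably because the user is still logged in
        pids=`user_pids "$username"`
        [ -n "$pids" ] && echo $pids | xargs kill -9
        sleep 1
        "$USERMOD" -s /usr/bin/false "$username"
    }
}
```

Run the dry form as `USERMOD=echo PASSWD=/path/to/copy ./respond.sh 9 ... name` to see which alerts would be acted on before installing the script as a real response program.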
Disable Remote Networking
If you have determined that an intrusion is originating from a remote location, the following script
disables networking on the system.