HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)

IMPORTANT: This script requires privileges and must not be installed as a setuid privileged script. This script is for illustration purposes only. For instructions on safely writing a privileged response program, see “Writing Privileged Response Programs” (page 158).
NOTE: The agent cannot make new connections to the HP-UX HIDS System Manager, and you
must log in to the system at the console. Any existing connection remains open, but new connections
handled by inetd are refused.
Example 5 Disabling Remote Networking

#!/usr/bin/sh
## Sample HP-UX HIDS alert response script
# Disable networking on the system as an extreme response
# to a remotely launched intrusion.
RECIPIENT="root"
# If there is a file modification alert
if [ "$1" = "2" ]
then
    # And if the target of the attack is the password file
    if [ "${17}" = "/etc/passwd" ]; then
        # Mail the alert summary ($7) as the subject and the alert
        # details ($8) as the body, then stop inetd.
        echo "Critical intrusion: halting networking \n$8" \
            | /usr/bin/mailx -s "$7" "${RECIPIENT}"
        /sbin/init.d/inetd stop
    fi
fi
Preserving Evidence
Consult your local legal counsel to determine what steps must be taken to preserve evidence for
use in court. The example scripts presented below do not meet the legal requirements for preservation
of evidence.
Putting a Process to Sleep
You can preserve evidence of an intrusion for later analysis. In this example, a process that caused
an alert is stopped. Any activity by the process is halted, and the process memory image can be
analyzed at a later time.
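The stop-and-preserve response described above, as an added example that is not one of the guide's sample programs: it freezes the suspect process with SIGSTOP (so its memory image survives) and records the action in a log. It assumes the PID and alert summary are passed explicitly to the function (the guide's argument positions for them are not shown on this page) and uses an evidence-log path chosen here for illustration.

```shell
#!/bin/sh
# Added example, not a script from the HP-UX HIDS guide: freeze the process
# named in an alert with SIGSTOP so that its memory image is preserved for
# later analysis, and record what was done in an evidence log.
# Assumptions (not stated on this page): the PID is the first argument to
# freeze_process, the alert summary the second, and EVIDENCE_LOG is a path
# chosen here for illustration.
EVIDENCE_LOG="${EVIDENCE_LOG:-/tmp/hids_evidence.log}"

# freeze_process PID SUMMARY
# Returns 0 when the process was stopped, 1 when the PID was rejected,
# no longer exists, or could not be signalled.
freeze_process() {
    pid="$1"
    summary="$2"
    # The PID comes from alert data: accept only a plain positive integer
    # before it goes anywhere near kill(1).
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    # Never stop init, this responder, or its parent (the agent).
    if [ "$pid" -le 1 ] || [ "$pid" -eq "$$" ] || [ "$pid" -eq "$PPID" ]; then
        return 1
    fi
    # SIGSTOP halts the process without destroying its address space;
    # SIGKILL would discard the evidence we want to keep.
    kill -STOP "$pid" 2>/dev/null || return 1
    # Timestamped record so an analyst can find the frozen process later.
    printf '%s pid=%s stopped summary="%s"\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$pid" "$summary" >> "$EVIDENCE_LOG"
    return 0
}

# Command-line use: freeze.sh PID [summary]; resume later with kill -CONT PID.
if [ $# -ge 1 ]; then
    freeze_process "$1" "${2:-manual invocation}"
fi
```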