HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)

IMPORTANT: This script requires privileges and must not be installed as a setuid privileged
script. This script is for illustration purposes only. For instructions on safely writing a privileged
response program, see “Writing Privileged Response Programs” (page 158).
Example 6 Putting a Process to Sleep
#!/usr/bin/sh
## Sample HP-UX HIDS alert response script
## Stop a process that has performed an intrusive activity
RECIPIENT=root
# If we have a file modification alert
if [ "$1" = 2 ]
then
    # And if the target of the attack is the password file
    if [ "${17}" = /etc/passwd ]
    then
        # Obtain the process ID from the alert
        pid=${11}
        # Notify the recipient, using the alert summary as the mail subject
        echo "Critical intrusion: halting process ${pid} running ${24} that modified /etc/passwd" \
            | /usr/bin/mailx -s "$7" ${RECIPIENT}
        # Suspend (do not terminate) the offending process so it can be examined
        kill -STOP "${pid}"
    fi
fi
Snapshot of Critical System State
Extending the previous example, this script takes a snapshot of critical system state information
that can be used for later analysis. The snapshot captures the following information:
Currently executing process list
Who is logged into the system
A record of login and logout attempts
List of active network connections
166 Automated Response for Alerts