Manualshelf

HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)

ManualsBrandsHP ManualsSoftwareHP-UX Host Intrusion Detection System Software
161162163164165166167168169170
Example 7 Taking a Snapshot of Critical System State
# !/usr/bin/sh
#
# Sample HP-UX HIDS alert response script
#
# Take a snapshot of important system state information
# when the intrusion occurred.
# State information is stored in a snapshot file with the
# UTC time of the intrusion alert appended to it.
RECIPIENT=root
# Set the umask to a sane value
umask 077
file=/var/opt/ids/tmp/snapshot.$4
# Title line
echo System state after potential intrusion:
n$8 > ${file}
# ps output
echo \n---------- nList of currently executing
processes:
n >> ${file}
ps -ef >> ${file}
# Who is logged in
echo \n---------- nList of currently logged in users:
n >> ${file}
/usr/bin/who >> ${file}
# Record of login and logout
echo \n---------- nLast login/logout activity: >>
${file}
/usr/bin/last >> ${file}
# Active network connections
echo \n---------- nActive network connections
(netstat -a):\n >> ${file}
/usr/bin/netstat -a >> ${file}
System Restoration to a Stable state
Intruders often replace key system configuration files during an attack. This sample script shows
how to replace those files with clean versions that are mounted on a CD-ROM drive. Assume that
the CDROM is mounted on /cdrom.
Sample Response Programs 167