HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
IMPORTANT: This script requires privilege and must not be installed as a setuid privileged
script. This script is for illustration purposes only. For instructions on safely writing a privileged
response program, see “Writing Privileged Response Programs” (page 158).
NOTE: This script is a simple example, and does not take into account many factors, such as:
• Whether the configuration files are in use
• Whether daemons must be restarted to reread file contents
• Whether an attacker has planted symbolic links to redirect contents to a different location
You must consider these factors when designing a complete response scenario.
Example 8 Restoring Safe Copies of Files
#!/usr/bin/sh
# Sample HP-UX HIDS alert response script
# Restore "good" copies of files to the /etc directory if
# any modifications occur
RECIPIENT="root"
# Setting the umask to a "sane" value
umask 077
# If there is a file modification alert ($1 is the alert type code)
if [ "$1" = "2" ]
then
    # And if the target of the attack (${17}) is a file in /etc
    match=`echo ${17} | grep "^/etc/..*"`
    if [ "$match" != "" ]
    then
        # Notify the recipient, using the alert summary ($7) as the subject
        echo "System configuration was modified: restoring from backup CD\n" \
            | /usr/bin/mailx -s "$7" ${RECIPIENT}
        cp -rf /cdrom/etc/* /etc
    fi
fi
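The script below is an added example, not code from the guide or from HP, showing how the symbolic-link and whole-tree concerns in the note above can be handled in the same response-script style. It keeps Example 8's conventions ($1 is the alert type code, ${17} the target path, $7 the mail subject, /cdrom the backup location); the LIVE_ROOT parameter and the restore_etc_file function name are assumptions introduced here so the logic can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not the guide's own code: a more careful version of the
# restore logic in Example 8. It keeps the guide's conventions ($1 = alert
# code, "2" = file modification; ${17} = target path; backups on /cdrom)
# but restores only the affected file, refuses symlinked paths and will
# not follow ".." out of /etc.
#
# restore_etc_file ALERT_CODE TARGET BACKUP_ROOT [LIVE_ROOT]
#   LIVE_ROOT is a hypothetical prefix for the protected tree: "" in
#   production, a scratch directory under test.
# Returns 0 restored, 1 alert not relevant, 2 unsafe, 3 already matches.
restore_etc_file() {
    code="$1"; target="$2"; backup_root="$3"; live_root="${4:-}"
    # Only file-modification alerts (code 2) for paths under /etc.
    [ "$code" = "2" ] || return 1
    case "$target" in
        /etc/*) ;;
        *) return 1 ;;
    esac
    # An alert-supplied path must not be able to step out of /etc.
    case "$target" in
        */../*|*/..) return 2 ;;
    esac
    # Refuse if any component of the live path is a symbolic link: an
    # attacker could plant one to redirect the restored contents.
    p="$target"
    while [ "$p" != "/" ]; do
        [ -L "$live_root$p" ] && return 2
        p=$(dirname "$p")
    done
    # The known-good copy must be a regular file, not a link.
    src="$backup_root$target"
    [ -f "$src" ] && [ ! -L "$src" ] || return 2
    # Nothing to do if the live file already matches the backup.
    cmp -s "$src" "$live_root$target" && return 3
    # Restore just this file, keeping the backup's mode and timestamps.
    cp -p "$src" "$live_root$target" || return 2
    return 0
}

# When run by the agent with the full alert argument list, act on it and
# notify root as Example 8 does; skipped when the file is sourced for tests.
if [ "$#" -ge 17 ]; then
    restore_etc_file "$1" "${17}" /cdrom ""
    rc=$?
    [ "$rc" -eq 0 ] && echo "Restored ${17} from backup CD" |
        /usr/bin/mailx -s "$7" root
    exit "$rc"
fi
```

The remaining factors from the note (files in use, daemons that must reread their configuration) still have to be handled per file and are not covered here.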
HP OpenView Operations SMART Plug-In
For customers of HP OpenView Operations (OVO), a SMART Plug-In OVO HPUX_HIDS-SPI is
available. By relaying messages from the HP-UX HIDS agent to the OVO message interceptor
residing on the same host, HP-UX HIDS enables you to manage HP-UX HIDS alerts directly from
the OpenView management server.
The OVO HPUX_HIDS-SPI components include the following:
• Templates designed to monitor important log files, vital processes, and real time alerts generated
by HP-UX HIDS.
• Templates that enable monitoring of the application’s overall availability.
• Applications that enable you to query the status of HP-UX HIDS, and start and stop the HP-UX
HIDS System Manager.
OVO HPUX_HIDS-SPI can be used with both the OVO X-Motif-based Operator GUI and the OVO
Java-based Operator GUI.
The HPUX_HIDS-SPI SMART Plug-In is available for download from the OpenView SPI Gallery
website at: http://managementsoftware.hp.com/downloads/spis.html. Select “SPI Gallery”
and choose the HP-UX HIDS plug-in from the list.
The OVO HPUX_HIDS-SPI has been certified by HP for OVO V5.x as well as V6.x, and is known
to work with OVO V7.1. A future HPUX_HIDS-SPI release is being planned for certification with
OVO V8.
168 Automated Response for Alerts