HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
Modification of Another User's File Template .... 136
    Non-Owned File Being Modified .... 137
    Failed Attempt to Modify Non-Owned Files .... 138
Login/Logout Template .... 139
    Login/Logout .... 141
    Successful su Detected .... 142
Repeated Failed Logins Template .... 143
    Failed Login Attempts .... 144
Repeated Failed su Commands Template .... 146
    Repeated Failed su Attempts .... 146
Log File Monitoring Template .... 147
    Log File Monitoring .... 149
B Automated Response for Alerts .... 150
Response Methods .... 150
How Automated Response Works in HP-UX HIDS .... 151
    Alert Process .... 151
    Security Checks .... 151
    Programming Notes .... 151
Programming Guidelines .... 157
    Perl Versus Shell Response Scripts .... 157
    Writing Privileged Response Programs .... 158
        Code Examples .... 158
            Solution A .... 159
                Code for scriptA.sh .... 159
                Code for privA Program .... 159
            Solution B .... 160
                Code for privB Program .... 160
            Solution C .... 161
                Code for the privC Program .... 161
                Code for the scriptC.sh Script .... 161
Sample Response Programs .... 162
    Sample C Language Program Source Code .... 162
    Sample Shell Script Alert Responses .... 162
        Forwarding Information .... 162
            Sending an e-mail .... 162
            Logging to a Central syslog Server .... 163
        Halting Further Attacks .... 163
            Disabling a User's Account .... 163
            Disabling Remote Networking .... 164
        Preserving Evidence .... 165
            Putting a Process to Sleep .... 165
            Snapshot of Critical System State .... 166
        System Restoration to a Stable State .... 167
HP OpenView Operations SMART Plug-In .... 168
    OVO Enablement in HP-UX HIDS .... 169
C Tuning Schedules and Generating Alert Reports .... 170
Tuning Schedules Using the idsadmin Command .... 170
    Functioning of the tune Command .... 170
        During Initial Deployment .... 170
        After HIDS Deployment .... 170
Schedule Tuning Process .... 171
Contents 7