HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

Example 4 Disabling a User Account
#!/usr/bin/sh
#
# Sample HP-UX HIDS alert response script
#
# Disable a user's account if they fail to su to root
RECIPIENT=root
# If there is a failed su attempt (alert type 9) then determine the user
if [ "$1" = 9 ]
then
    # The offending user is in parameter $12
    username=${12}
    echo "Disabling account for ${username}" |
        /usr/bin/mailx -s "$7" ${RECIPIENT}
    # Rather than deleting the account, disable the shell
    /usr/sbin/usermod -s /usr/bin/false "${username}" 1> /dev/null 2>&1
    # Determine if usermod was successful
    if [ $? != 0 ]
    then
        # User is probably still logged in. Kill all of the user's
        # processes (match the owner field only, not the whole ps line)
        echo "Killing all processes owned by ${username}."
        pids=`ps -ef | awk -v u="${username}" '$1 == u { print $2 }'`
        if [ "${pids}" != "" ]
        then
            echo ${pids} | xargs kill -9
            sleep 1
        fi
        # Attempt to disable the account again
        /usr/sbin/usermod -s /usr/bin/false "${username}"
    fi
fi
Disable Remote Networking
If you have determined that an intrusion is originating from a remote location, the following script
disables networking on the system.
IMPORTANT: This script requires privileges and must not be installed as a setuid privileged
script. This script is for illustration purposes only. For instructions on safely writing a privileged
response program, see “Writing Privileged Response Programs” (page 156).
NOTE: The agent cannot make new connections to the HP-UX HIDS System Manager, and you
must log in to the system at the console. Any existing connection remains open, but new connections
handled by inetd are refused.
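The guide's own networking script is not reproduced on this page. The following is an added illustration, not code from the HP-UX HIDS guide, written in the same response-script style to show the behaviour the NOTE describes: inetd is stopped so that new inetd-managed connections are refused while existing sessions stay open, and the action is logged so the console operator can see what was done. Assumptions that are not on the page: the agent passes the alert type as $1 and the alert summary as $7 (as in Example 4); REMOTE_TYPES is a constructed placeholder list of alert types treated as remote-origin; /sbin/init.d/inetd stop is assumed to be the HP-UX command that stops inetd; setting HIDS_DRY_RUN=1 prints the actions instead of running them.

```shell
#!/usr/bin/sh
#
# Added example HP-UX HIDS response script (not from the guide):
# refuse new network connections after a remote-origin alert by stopping inetd.
# Must be run as root by the agent itself; never install it setuid.

RECIPIENT=root
# Constructed placeholder: alert types considered remote-origin (not from the page)
REMOTE_TYPES="${REMOTE_TYPES:-3 4 5}"
LOGFILE="${LOGFILE:-/var/log/hids_response.log}"
# Assumed HP-UX command to stop inetd; override if your system differs
STOP_INETD_CMD="${STOP_INETD_CMD:-/sbin/init.d/inetd stop}"

# is_remote_alert TYPE: succeed when TYPE is one of REMOTE_TYPES
is_remote_alert() {
    for t in $REMOTE_TYPES; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# run_action CMD...: execute CMD, or only print it when HIDS_DRY_RUN=1
run_action() {
    if [ "${HIDS_DRY_RUN:-0}" = 1 ]; then
        echo "DRY-RUN: $*"
        return 0
    fi
    "$@"
}

# disable_remote_networking TYPE SUBJECT
# Returns 0 when inetd was stopped (or would be, in dry-run), 1 when the
# alert type is not remote-origin, 2 when not running as root.
disable_remote_networking() {
    alert_type=$1
    subject=$2
    # Local alert types need no network containment
    is_remote_alert "$alert_type" || return 1
    # Refuse to act unless the agent invoked us as root (no setuid bit)
    if [ "${HIDS_DRY_RUN:-0}" != 1 ] && [ "$(id -u)" != 0 ]; then
        echo "disable_remote_networking: not running as root, refusing" >&2
        return 2
    fi
    # Notify the operator before inetd goes down
    echo "Disabling networking on $(hostname) in response to: ${subject}" |
        run_action /usr/bin/mailx -s "$subject" "$RECIPIENT"
    # Stop inetd: existing connections stay up, new ones are refused,
    # so further administration happens at the console
    run_action $STOP_INETD_CMD
    rc=$?
    echo "$(date) type=${alert_type} action=stop-inetd rc=${rc} subject=${subject}" >> "$LOGFILE"
    return $rc
}

# When invoked by the agent, act on the alert type ($1) and summary ($7)
if [ $# -ge 7 ]; then
    disable_remote_networking "$1" "$7"
fi
```

Keeping the privileged step behind run_action lets the script be exercised with HIDS_DRY_RUN=1 on a test host before it is wired into the agent, and the log line records which alert triggered the containment.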