HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

Example 5 Disabling Remote Networking
#!/usr/bin/sh
## Sample HP-UX HIDS alert response script
## Disable networking on the system as an extreme response
## to a remotely launched intrusion.
RECIPIENT="root"
# If there is a file modification alert
if [ "$1" = "2" ]
then
    # And if the target of the attack is the password file
    if [ "${17}" = "/etc/passwd" ]; then
        echo "Critical intrusion: halting networking\n$8" \
        | /usr/bin/mailx -s "$7" ${RECIPIENT}
        /sbin/init.d/inetd stop
    fi
fi
Preserving Evidence
Consult your local legal counsel to determine what steps must be taken to preserve evidence for
use in court. The example scripts presented below do not meet the legal requirements for preservation
of evidence.
Putting a Process to Sleep
You can preserve evidence of an intrusion for later analysis. In this example, a process that caused
an alert is stopped. Any activity by the process is halted, and the process memory image can be
analyzed at a later time.
IMPORTANT: This script requires privileges and must not be installed as a setuid privileged
script. This script is for illustration purposes only. For instructions on safely writing a privileged
response program, see “Writing Privileged Response Programs” (page 156).
Example 6 Putting a Process to Sleep
#!/usr/bin/sh
## Sample HP-UX HIDS alert response script
## Stop a process that has performed an intrusive activity
RECIPIENT=root
# If we have a file modification alert
if [ "$1" = 2 ]
then
    # And if the target of the attack is the password file
    if [ "${17}" = /etc/passwd ];
    then
        # Obtain the process ID from the alert
        pid=${11}
        echo "Critical intrusion: halting process ${pid} \
running ${24} that modified /etc/passwd" \
        | /usr/bin/mailx -s "$7" ${RECIPIENT}
        # Suspend (rather than kill) the process so its memory image is preserved
        kill -STOP ${pid}
    fi
fi
Snapshot of Critical System State
Extending the previous example, this script takes a snapshot of critical system state information
that can be used for later analysis. The snapshot captures the following information:
Currently executing process list
Who is logged into the system
A record of login and logout attempts
List of active network connections
Sample Response Programs 163