HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)
Example 7 Taking a Snapshot of Critical System State
#!/usr/bin/sh
#
# Sample HP-UX HIDS alert response script
#
# Take a snapshot of important system state information
# when the intrusion occurred.
# State information is stored in a snapshot file with the
# UTC time of the intrusion alert appended to it.
RECIPIENT="root"
# Set the umask to a "sane" value so the snapshot is readable only by its owner
umask 077
# Argument 4 carries the UTC time of the alert; it makes each snapshot file name unique
file="/var/opt/ids/tmp/snapshot.$4"
# Title line (argument 8 carries the alert text)
echo "System state after potential intrusion:\n$8" > ${file}
# ps output
echo "\n----------\nList of currently executing processes:\n" >> ${file}
ps -ef >> ${file}
# Who is logged in
echo "\n----------\nList of currently logged in users:\n" >> ${file}
/usr/bin/who >> ${file}
# Record of login and logout
echo "\n----------\nLast login/logout activity:" >> ${file}
/usr/bin/last >> ${file}
# Active network connections
echo "\n----------\nActive network connections (netstat -a):\n" >> ${file}
/usr/bin/netstat -a >> ${file}
System Restoration to a Stable state
Intruders often replace key system configuration files during an attack. This sample script shows
how to replace those files with clean versions that are mounted on a CD-ROM drive. Assume that
the CD-ROM is mounted on /cdrom.
IMPORTANT: This script requires privilege and must not be installed as a setuid privileged
script. This script is for illustration purposes only. For instructions on safely writing a privileged
response program, see “Writing Privileged Response Programs” (page 156).
NOTE: This script is a simple example, and does not take into account many factors, such as:
• Whether the configuration files are in use
• Whether daemons must be restarted to reread file contents
• Whether an attacker has planted symbolic links to redirect contents to a different location
You must consider these factors when designing a complete response scenario.
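The following restoration script is an added example, not the guide's own sample, and shows one way to handle the three factors listed above: a suspect file is never overwritten through a symbolic link, the replacement is written beside the target and swapped in with a single rename so a daemon still holding the old file open keeps a consistent copy, and the script reports which files actually changed so the operator knows which daemons must be told to reread their configuration. The variables CLEAN_DIR (the mounted CD-ROM), ROOT_DIR (empty for the live system, a scratch directory when exercising the script) and QUARANTINE_DIR (where replaced originals are kept for forensic review) are assumptions of this example, as is the file-list format read by restore_set.

```shell
#!/usr/bin/sh
# Added example (not the HP-UX HIDS guide's script): restore key configuration
# files from a read-only clean copy while respecting the caveats in the NOTE.
# Assumed locations; override them in the environment when exercising the script.
CLEAN_DIR=${CLEAN_DIR:-/cdrom}
ROOT_DIR=${ROOT_DIR:-}
QUARANTINE_DIR=${QUARANTINE_DIR:-/var/opt/ids/tmp/quarantine}
STAMP=$(date -u +%Y%m%d%H%M%S)
umask 077

# path_has_symlink ROOT REL: succeed (0) if any component of REL beneath ROOT
# is a symbolic link. Writing through such a link would place the clean
# contents wherever the link points instead of in the real file.
path_has_symlink() {
    p=$1 rest=$2
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        [ -z "$comp" ] && continue
        p="$p/$comp"
        [ -L "$p" ] && return 0
    done
    return 1
}

# restore_file REL: compare ROOT_DIR/REL with CLEAN_DIR/REL and replace it if
# they differ. Returns 0 = replaced, 1 = no clean copy available,
# 2 = symbolic link in the path (left untouched), 3 = already identical.
restore_file() {
    rel=$1
    clean="$CLEAN_DIR/$rel"
    target="$ROOT_DIR/$rel"
    [ -f "$clean" ] || { echo "$rel: no clean copy in $CLEAN_DIR" >&2; return 1; }
    if path_has_symlink "$ROOT_DIR" "$rel"; then
        echo "$rel: symbolic link in path, left for manual inspection" >&2
        return 2
    fi
    if [ -f "$target" ] && cmp -s "$clean" "$target"; then
        return 3
    fi
    mkdir -p "$QUARANTINE_DIR"
    if [ -f "$target" ]; then
        # Keep the suspect copy, with its timestamps, for later forensic review.
        cp -p "$target" "$QUARANTINE_DIR/$(echo "$rel" | tr / _).$STAMP"
    fi
    # Write the clean copy beside the target and rename it into place: the old
    # inode survives for any daemon that still has it open, and no reader ever
    # sees a partially written file.
    cp -p "$clean" "$target.hids-new" && mv -f "$target.hids-new" "$target"
}

# restore_set LISTFILE: LISTFILE holds one path per line, relative to the root
# (for example etc/inetd.conf). Prints what happened to each file and reminds
# the operator that daemons reading replaced files must be restarted.
restore_set() {
    replaced=0
    while read -r rel; do
        [ -z "$rel" ] && continue
        rc=0
        restore_file "$rel" || rc=$?
        case $rc in
            0) echo "restored  $rel"; replaced=$((replaced + 1)) ;;
            3) echo "unchanged $rel" ;;
            *) echo "SKIPPED   $rel (see stderr)" ;;
        esac
    done < "$1"
    echo "$replaced file(s) replaced; restart the daemons that read them"
}

# Usage: restore.sh LISTFILE (run with privilege, as the IMPORTANT note above
# requires, but never as a setuid script).
if [ $# -gt 0 ]; then
    restore_set "$1"
fi
```

Run as root with a list file of relative paths; files whose clean copy already matches are reported as unchanged, and anything reached through a symbolic link is deliberately skipped and reported for manual inspection rather than repaired automatically.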
164 Automated Response for Alerts