HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)
Example 8 Restoring Safe Copies of Files
#!/usr/bin/sh
# Sample HP-UX HIDS alert response script
# Restore "good" copies of files to the /etc directory if
# any modifications occur
RECIPIENT="root"
# Setting the umask to a "sane" value
umask 077
# If there is a file modification alert
if [ "$1" = "2" ]
then
    # And if the target of the attack is a file in /etc
    # (${17} carries the path reported in the alert)
    match=`echo "${17}" | grep "^/etc/..*"`
    if [ "$match" != "" ]
    then
        # Notify the recipient, using the alert text in $7 as the subject,
        # then restore the whole /etc tree from the backup CD
        echo "System configuration was modified: restoring from backup CD\n" \
            | /usr/bin/mailx -s "$7" "${RECIPIENT}"
        cp -rf /cdrom/etc/* /etc
    fi
fi
HP OpenView Operations SMART Plug-In
For customers of HP OpenView Operations (OVO), a SMART Plug-In OVO HPUX_HIDS-SPI is
available. By relaying messages from the HP-UX HIDS agent to the OVO message interceptor
residing on the same host, HP-UX HIDS enables you to manage HP-UX HIDS alerts directly from
the OpenView management server.
The OVO HPUX_HIDS-SPI components include the following:
• Templates designed to monitor important log files, vital processes, and real-time alerts generated
by HP-UX HIDS.
• Templates that enable monitoring of the application’s overall availability.
• Applications that enable you to query the status of HP-UX HIDS, and start and stop the HP-UX
HIDS System Manager.
OVO HPUX_HIDS-SPI can be used with both the OVO X-Motif-based Operator GUI and the OVO
Java-based Operator GUI.
The HPUX_HIDS-SPI SMART Plug-In is available for download from the OpenView SPI Gallery
website at http://managementsoftware.hp.com/downloads/spis.html. Select "SPI Gallery"
and choose the HP-UX HIDS plug-in from the list.
The OVO HPUX_HIDS-SPI has been certified by HP for OVO V5.x as well as V6.x, and is known
to work with OVO V7.1. A future HPUX_HIDS-SPI release is being planned for certification with
OVO V8.
HP Reference
For more information, see HP OpenView Operations SMART Plug-In for HP-UX Host IDS
Administrators and Users Guide available at:
http://www.managementsoftware.hp.com/products/spi/spi_ids/spi_ids_guide_22.pdf
OVO Enablement in HP-UX HIDS
OVO integration is enabled with two programs that are installed on every agent host defined by
the IDS_RESPONSE_DIR configuration variable. By default, they are:
/opt/ids/response/send_alert_to_vpo.sh
/opt/ids/response/vpo/ids_vpoalert
The script send_alert_to_vpo.sh performs a series of tests to ensure that it is running
on an OVO managed node. If the tests pass, it calls ids_vpoalert, which generates an OVO
message and uses the opcmsg() facility to send the message to the OVO message interceptor. The
interceptor relays the message to the OVO management server.