HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)
    Repeated Failed su Commands Template  143
      Repeated Failed su Attempts  144
    Log File Monitoring Template  145
      Log File Monitoring  146
B Automated Response for Alerts  148
  Response Methods  148
  How Automated Response Works in HP-UX HIDS  149
    Alert Process  149
    Security Checks  149
    Programming Notes  149
  Programming Guidelines  155
    Perl Versus Shell Response Scripts  155
    Writing Privileged Response Programs  156
    Code Examples  156
      Solution A  157
        Code for scriptA.sh  157
        Code for privA Program  157
      Solution B  158
        Code for privB Program  158
      Solution C  159
        Code for the privC Program  159
        Code for the scriptC.sh Script  159
  Sample Response Programs  160
    Sample C Language Program Source Code  160
    Sample Shell Script Alert Responses  160
      Forwarding Information  160
        Sending an e-mail  160
        Logging to a Central syslog Server  161
      Halting Further Attacks  161
        Disabling a User's Account  161
        Disabling Remote Networking  162
      Preserving Evidence  163
        Putting a Process to Sleep  163
        Snapshot of Critical System State  163
      System Restoration to a Stable State  164
  HP OpenView Operations SMART Plug-In  165
    OVO Enablement in HP-UX HIDS  165
C Tuning Schedules and Generating Alert Reports  167
  Tuning Schedules Using the idsadmin Command  167
    Functioning of the tune Command  167
      During Initial Deployment  167
      After HIDS Deployment  167
  Schedule Tuning Process  168
    Step 1: Analyzing Alerts and Tuning Schedules  168
      Section Related to File Related Alerts  170
      Section Related to Aggregated Alerts  170
      Section Related to System Alerts  171
      Using the tune Command  171
    Step 2: Modifying the Filters in the Tune Command Report  172
    Step 3: Updating and Deploying the Schedule  173
  Generating Alert Reports Using the idsadmin Command  173
    The idsadmin Command Reporting Options  174
    Using the idsadmin Command to Generate Reports  177
    Benefits of Generating Reports in raw Format  181
Contents 7