Administrator's Guide
Automated Response
Programming Guidelines
Appendix B
Writing Perl vs. Shell Response Scripts
Perl itself is not privileged, but, when a Perl script is run by a privileged user (as it often
is), care must be taken to make sure that the script is secure.
It is far easier to write an insecure script in Perl than in a shell (POSIX, Korn, C,
etc.). This is similar to the problems with using the str*() functions: the functions
themselves have no security issues when properly used; however, in practice, their usage
is almost always insecure, and it is better to avoid them altogether. Perl, similarly,
makes it very easy to write bad scripts compared to programming with a shell.
As an example of Perl’s problems, consider the Perl statement “open INPUT, $FILE”
when $FILE happens to be input from the user that could potentially contain
ill-formed data such as “>/etc/passwd”. A reader of the code could assume that $FILE is
being opened for read, whereas the two-argument form of open takes the mode from the
string itself, so the statement would open “/etc/passwd” for write (and, hence, truncate
the file).
With Perl’s “taint check” option, “perl -T”, a Perl script is an acceptable substitute for a shell script in most cases.
Use a current version of Perl. Older versions have some known vulnerabilities.
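The open() problem described above, shown beside the three-argument form and a taint-mode check. This is an added example, not code from the guide; the $FILE value and the open_for_read name are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the HP-UX guide). Run it as: perl -T example.pl
use strict;
use warnings;

# Constructed input standing in for a value taken from the user or
# from the alert string.
my $FILE = '>/etc/passwd';

# Two-argument open: the mode is parsed out of $FILE itself, so the
# value above opens /etc/passwd for WRITING and truncates it.
# Left as a comment so that running this script does no damage.
#   open(INPUT, $FILE) or die "open: $!";
# Under "perl -T" this line would die with "Insecure dependency in
# open", because a tainted value may not be used to modify a file.

# Three-argument open: the mode is fixed by the program, and the
# whole of $FILE is taken literally as a path name.
sub open_for_read {
    my ($path) = @_;
    # Under -T, $path stays tainted until it matches a pattern we
    # choose. Accept only a plain, relative file name; the capture
    # is the untainted copy.
    my ($clean) = $path =~ m{^([A-Za-z0-9._-]+)$}
        or die "rejected unsafe file name '$path'\n";
    open(my $fh, '<', $clean) or die "open $clean: $!\n";
    return $fh;
}

# With the constructed value above, open_for_read() refuses the name
# instead of truncating /etc/passwd.
eval { open_for_read($FILE) };
print "refused: $@" if $@;
```

Taint mode permits opening a tainted name for reading, so the explicit pattern check is still needed to keep a response script from reading files it was never meant to.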
Perl References
These references may be helpful:
• perlsec (1) in /opt/perl/man in the HP-UX distribution.
• http://www.perldoc.com/perl5.6/pod/perlsec.html, the web version of the
manpage.
• http://security-archive.merton.ox.ac.uk/bugtraq-200002/0114.html, an
e-mail archive thread.
Writing Privileged Response Programs
• Solution A
Write the response program as a single, unprivileged C executable program, or as a
single, unprivileged shell script, that processes the alert string and invokes one or
more privileged setuid C executables to perform operations that require privilege.
See “Solution A” on page 191.
The unprivileged C executable program or shell script should sanitize and set up the
environment before invoking privileged programs so as to ensure that no dangerous
data is being passed into the privileged programs which might adversely affect the
behavior of the privileged programs. This solution enforces a clear separation of
privilege by processing the text of the alert string with no privileges and calling out
to privileged programs to perform privileged operations.
• Solution B
Write the entire response program as a single, privileged setuid C executable
program which both processes the alert string and which performs privileged
operations.