Host Intrusion Detection System Administrator's Guide Release 3.0

Templates and Alerts
Race Condition Template
Appendix A
Privileged Setuid Script Executed
This template generates and forwards the following alert to a response program when a
privileged setuid script is executed (either directly or through a symbolic link) and the
kernel has honored the setuid bit:
Table A-8 Setuid Script Executed Alert Properties
| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[1] | Template code | Integer | 1 | Unique code assigned to template |
| argv[2] | Version | Integer | 2 | Version of the template |
| argv[3] | Severity | Integer | 1 if executed via symbolic link; otherwise 2. | Severity |
| argv[4] | UTC Time | Integer | <secs> | UTC time in number of seconds since epoch when a privileged setuid script is executed. |
| argv[5] | Attacker | String | “uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>” | The user ID, group ID, process ID, and parent process ID of the process that executed a privileged setuid script. |
| argv[6] | Target of Attack | String | “file=<full pathname>, mode=<mode>,uid=<uid>,gid=<gid>, inode=<inode>,device=<device>” | The full pathname of the privileged setuid script and the script’s mode, uid, gid, inode, and device number. |
| argv[7] | Summary | String | "Race condition attack" if script executed via a symbolic link. Otherwise, set to "Potential race condition attack" | Alert summary |
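
A response program that consumes the Table A-8 arguments has to parse argv[6] with care, because it embeds a pathname that the reporting process may have chosen. The sketch below is an added example, not code from this guide or from the HIDS product. It assumes the fields arrive as positional parameters in the table's order; the function names, the log-line format and any sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): response-program sketch for Table A-8.
# Assumption: the alert fields arrive as positional parameters $1..$7.

# Print the value of the LAST "key=" in string $2 (up to the next comma).
# argv[6] embeds a pathname the attacker may choose, e.g. "/tmp/x, uid=9";
# the genuine fields follow the pathname, so the last match is the real one.
# Requiring a space or comma before the key keeps "pid" from matching "ppid".
last_field() {
    s=",$2"
    v=${s##*[ ,]"$1"=}
    [ "$v" != "$s" ] || return 1          # key absent
    printf '%s\n' "${v%%,*}"
}

# Print the pathname from argv[6]: everything between the leading "file="
# and the separator in front of the final "mode=".
target_path() {
    p=${1#file=}
    [ "$p" != "$1" ] || return 1
    printf '%s\n' "${p%,*mode=*}"
}

is_number() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# Validate one alert and print a single log line; non-zero status on bad input.
handle_alert() {
    [ "$#" -eq 7 ] || return 2
    [ "$1" = 1 ] || return 3              # template code listed in Table A-8
    uid=$(last_field uid "$5") && pid=$(last_field pid "$5") || return 4
    fuid=$(last_field uid "$6") && path=$(target_path "$6") || return 4
    is_number "$uid" && is_number "$pid" && is_number "$fuid" || return 4
    is_number "$4" || return 4
    case $3 in
        1) kind=symlink ;;                # severity 1: run via symbolic link
        2) kind=direct ;;
        *) return 4 ;;
    esac
    # Drop control characters so a crafted pathname cannot split the log line.
    path=$(printf '%s' "$path" | tr -d '[:cntrl:]')
    printf 'setuid-script time=%s kind=%s by_uid=%s pid=%s owner_uid=%s path=%s\n' \
        "$4" "$kind" "$uid" "$pid" "$fuid" "$path"
}

# Run only when invoked with a full argument list.
if [ "$#" -eq 7 ]; then handle_alert "$@"; fi
```

The pathname is printed last on the log line so that anything it contains cannot be mistaken for one of the validated numeric fields.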