Host Intrusion Detection System Administrator's Guide Release 3.0
Templates and Alerts
Race Condition Template
Appendix A
Table A-8 Setuid Script Executed Alert Properties (Continued)

Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[8] | Details | String | "User with <uid> running as process with pid <pid> and with parent pid <ppid> is executing the privileged setuid script <full pathname>(type=<type>, inode=<inode>, device=<device>), invoked as follows: <argv[0] argv[1]...>, [*perhaps*] via a symbolic link. Privileged setuid script owned by user with uid <uid>. A privileged setuid script is vulnerable to a race condition attack." | Detailed alert description
argv[9] | Local Time | Integer | <secs> | Local time in number of seconds since epoch when a privileged setuid script is executed.

NOTE Refer to Table B-1 in Appendix B for the definition of argv[10] through argv[32] and to Table B-2 for the definition of argv[33] through argv[41], which can be used to access specific alert information (i.e., pid, ppid) without having to parse the string alert fields above.

Limitations • This template can be CPU intensive because it monitors all file references on the system.
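The following response-program helper is an added example, not part of the guide or the HIDS product: it parses uid, pid, ppid, owner and script path out of the argv[8] details string in the format documented above and combines them with the argv[9] timestamp into one log record. It assumes the IDS hands the alert fields to the response program as positional arguments, so argv[8] and argv[9] arrive as $8 and $9; the sample alert text is constructed to match Table A-8.

```shell
#!/bin/sh
# Added example (not from the HIDS guide): extract the fields a responder
# usually needs from the argv[8] details string and the argv[9] time.

# Constructed sample alert, laid out as Table A-8 documents argv[8]/argv[9].
SAMPLE_DETAILS='User with 1001 running as process with pid 4242 and with parent pid 4100 is executing the privileged setuid script /usr/local/bin/fixperm.sh(type=file, inode=12345, device=64768), invoked as follows: /usr/local/bin/fixperm.sh -v, perhaps via a symbolic link. Privileged setuid script owned by user with uid 0. A privileged setuid script is vulnerable to a race condition attack.'
SAMPLE_TIME=1700000000

# Print the first capture group of a BRE pattern, or nothing if it is absent.
field() {
    printf '%s\n' "$1" | sed -n "s/.*$2.*/\\1/p"
}

alert_uid()   { field "$1" 'User with \([0-9][0-9]*\) running'; }
alert_pid()   { field "$1" 'with pid *\([0-9][0-9]*\) and'; }
alert_ppid()  { field "$1" 'parent pid *\([0-9][0-9]*\) is'; }
alert_path()  { field "$1" 'setuid script \([^(]*\)(type='; }
alert_owner() { field "$1" 'owned by user with uid \([0-9][0-9]*\)'; }

# Build one log record from the two fields the response program receives.
# Returns 1 when a required field cannot be parsed, so a caller can tell a
# malformed alert string apart from a genuine setuid-script execution.
format_alert() {
    details=$1; secs=$2
    uid=$(alert_uid "$details"); pid=$(alert_pid "$details")
    ppid=$(alert_ppid "$details"); path=$(alert_path "$details")
    owner=$(alert_owner "$details")
    [ -n "$uid" ] && [ -n "$pid" ] && [ -n "$path" ] || return 1
    printf 'setuid_script_exec time=%s uid=%s pid=%s ppid=%s owner=%s path=%s\n' \
        "$secs" "$uid" "$pid" "$ppid" "$owner" "$path"
}

# When invoked by the IDS as a response program, the fields are $8 and $9
# (assumed positional layout); with no arguments, run the constructed sample.
if [ $# -ge 9 ]; then
    format_alert "$8" "$9" || echo "unparsable alert details: $8" >&2
else
    format_alert "$SAMPLE_DETAILS" "$SAMPLE_TIME"
fi
```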