Host Intrusion Detection System Administrator's Guide Release 3.0

Automated Response
Programming Guidelines
Appendix B
191
This program should run with a privileged effective uid only while performing an
operation that requires privilege, and should run with the unprivileged ids uid as
the effective uid at all other times, a method called “privilege bracketing”. See the
setresuid(2) manpage for how to toggle the effective uid.
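Privilege bracketing around the one operation that needs root, as an added C example that is not code supplied with HIDS; it assumes Linux/glibc-style setresuid(2) and getresuid(2), and the helper names (bracket_init, privilege_raise, privilege_drop, terminate_process) are hypothetical:

```c
#define _GNU_SOURCE   /* glibc: exposes setresuid(2)/getresuid(2) in <unistd.h> */
#include <errno.h>
#include <signal.h>
#include <sys/types.h>
#include <unistd.h>
/* Prototypes as in the manpage, in case the headers above do not declare them. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
/* Hypothetical helpers for a setuid-root response program started by the ids
 * user (ruid = ids, euid = root). Root is parked in the saved set-uid and copied
 * into the effective uid only around the one call that needs it. */
static uid_t priv_uid;    /* uid we started with as euid (root) */
static uid_t unpriv_uid;  /* real uid of the invoking user (ids) */
/* Call once at startup: record both ids, then run unprivileged by default. */
int bracket_init(void) {
    uid_t ruid, euid, suid;
    if (getresuid(&ruid, &euid, &suid) != 0)
        return -1;
    unpriv_uid = ruid;
    priv_uid = euid;
    if (setresuid((uid_t)-1, unpriv_uid, priv_uid) != 0)
        return -1;
    return geteuid() == unpriv_uid ? 0 : -1;  /* verify; never assume the drop worked */
}
/* Effective uid <- saved privileged uid. */
int privilege_raise(void) {
    if (setresuid((uid_t)-1, priv_uid, (uid_t)-1) != 0)
        return -1;
    return geteuid() == priv_uid ? 0 : -1;
}

/* Effective uid <- unprivileged uid; the saved set-uid keeps root for later. */
int privilege_drop(void) {
    if (setresuid((uid_t)-1, unpriv_uid, (uid_t)-1) != 0)
        return -1;
    return geteuid() == unpriv_uid ? 0 : -1;
}

/* Signal a process the ids user does not own. Privilege is held only for the
 * kill(2) call and dropped on every path. Returns 0 or -1 (errno as set by kill). */
int terminate_process(pid_t pid, int sig) {
    if (privilege_raise() != 0)
        return -1;
    int rc = kill(pid, sig);
    int saved_errno = errno;
    if (privilege_drop() != 0)
        _exit(1);  /* refuse to continue with privilege stuck on */
    errno = saved_errno;
    return rc;
}
```

Each toggle is checked with geteuid(), because a setresuid() failure that goes unnoticed leaves the program running privileged for the rest of its life.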
Solution C
Write a single privileged setuid C program that does nothing but fork and exec a
non-setuid shell script; that script both processes the alert string and performs
the privileged operations. See “Solution C” on page 193.
The privileged C program must hard code the full path name of the unprivileged
script (i.e., it should not execute the path name of a program specified through one of
its program arguments, as this would allow the execution of an arbitrary program
with privilege).
Solution A is the most secure solution because it implements clear separation of
privilege. Solution B is as secure as Solution A if the privilege bracketing is done
correctly. Although not as secure as Solutions A and B, Solution C is the easiest to
implement and is not subject to the vulnerability of privileged setuid shell scripts.
Code Examples
The following code examples for solutions A, B, and C demonstrate how to terminate a
process that you do not own.
NOTE The pathnames below are suggested places to store the files. For security reasons, they
are not delivered as part of the HIDS software.
Solution A
/opt/ids/response/scriptA.sh
    A non-setuid script with mode 500, owned by ids:ids.
/opt/ids/response/misc
    A directory with mode 500, owned by ids:ids.
/opt/ids/response/misc/privA
    A setuid-root program with mode 4550, owned by root:ids.
Code for scriptA.sh
#!/usr/bin/sh
## Sample HP-UX HIDS alert response script
## Stop a process which has performed an intrusive activity.
RESPONSE_BASE=$IDS_BASE/response
RECIPIENT="root"
# Set the umask to a "sane" value so files we create are private
umask 077
# If we have a file modification alert (alert type passed as $1)
if [ "$1" = "2" ]