then
# and if the target of the attack is the password file
if [ ${17} = “/etc/passwd” ]; then
# obtain the process id from the alert
pid=${11}
echo “Critical intrusion: halting process ${pid} running ${24} that m
odified /etc/passwd” | /usr/bin/mailx -s “$7” ${RECIPIENT}
# Invoke setuid-root program to kill process instead
# of using a setuid-root script which is susceptible to
# race condition attacks.
${RESPONSE_BASE}/misc/privA ${pid}
fi
fi
# Exit with no error
exit 0
Code for privA program
#include <errno.h>      /* errno, ERANGE for strtol(3) error reporting */
#include <signal.h>     /* kill(2), SIGKILL */
#include <stdio.h>      /* fprintf(3), perror(3) */
#include <stdlib.h>     /* strtol(3), exit(3) */
#include <sys/types.h>  /* pid_t */
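/*
 * privA: setuid-root helper invoked by the automated-response script to
 * SIGKILL the single process whose pid is given on the command line.
 *
 * Usage: privA <pid>
 *
 * Because this program runs with root privilege, the pid argument is
 * validated strictly before kill(2) is called:
 *   - it must be a complete decimal number (no trailing characters),
 *   - it must fit in pid_t, and
 *   - it must be greater than 1.  kill(2) interprets 0 as "the caller's
 *     process group", -1 as "every process the caller may signal" and
 *     other negative values as process groups; none of those is ever the
 *     intended response, and PID 1 (init) is refused for the same reason.
 *
 * Exit status: 0 when the signal was delivered, 1 on a bad argument or a
 * failed kill(2) (the reason is reported on stderr).
 */
int main(int argc, char **argv)
{
    char *end = NULL;
    long val;
    pid_t pid;

    if (argc != 2) {
        fprintf(stderr, "usage: privA <pid>\n");
        exit(1);
    }

    /* Full-string parse: rejects "", "12abc" and out-of-range input. */
    errno = 0;
    val = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE) {
        fprintf(stderr, "privA: invalid pid '%s'\n", argv[1]);
        exit(1);
    }

    /* 0 and negatives have group/broadcast semantics in kill(2); 1 is init. */
    if (val <= 1) {
        fprintf(stderr, "privA: refusing to signal pid %ld\n", val);
        exit(1);
    }

    /* Guard the narrowing to pid_t where pid_t is narrower than long. */
    pid = (pid_t)val;
    if ((long)pid != val) {
        fprintf(stderr, "privA: pid %ld out of range\n", val);
        exit(1);
    }

    if (kill(pid, SIGKILL) == -1) {
        perror("kill");
        exit(1);
    }
    fprintf(stderr, "Successfully killed offending process %d\n", (int)pid);
    exit(0);
}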
Solution B
/opt/ids/response/privB
A setuid-root program with mode 4550 and owned by root:ids
Code for privB program
#include <stdlib.h> /* atoi(3C) */
#include <unistd.h> /* setresuid(2) */
#include <signal.h> /* kill(2) */
/* This program is assumed to be a setuid-root program */
int main(int argc, char **argv)
{