int pid;
/* Turn off root privilege but save euid */
if( setresuid(-1, getuid(), geteuid()) == -1) {
perror(“setresuid”);
exit(1);
}
/* Determine if a file modification alert */
if (atoi(argv[1]) == 2) {
/* Determine if the target of the attack is /etc/passwd */
if (strcmp(argv[17],”/etc/passwd”) == 0) {
/* Obtain process id */
pid = atoi(argv[11]);
if (pid < 0) {
fprintf(stderr,”Unknown process modified /etc/passwd\n”,pid); exit(1)
;
}
fprintf(stderr,”Process %d running %s modified /etc/passwd\n”,pid,ar
gv[24]);
/* Turn on root privilege */
if( setresuid(-1, 0, -1) == -1) {
perror(“setresuid”);
exit(1);
}
/* Kill offending process */
if (kill((pid_t)pid,SIGKILL) == -1) {
perror(“kill”);
exit(1);
}
fprintf(stderr,”Killed offending process %d\n”,pid);
/* Turn off root privilege */
if( setresuid(-1, getuid(), geteuid()) == -1) {
perror(“setresuid”);
exit(1);
}
}
}
exit(0);
}
Solution C
/opt/ids/response/privC
A setuid-root program with mode 4550, owned by root:ids
/opt/ids/response/misc