Host Intrusion Detection System Administrator's Guide Release 3.0
Automated Response
Programming Guidelines
Appendix B
A directory with mode 500 and owned by ids:ids.
/opt/ids/response/misc/scriptC.sh
A non-setuid script with mode 500 and owned by ids:ids.
NOTE You must make sure you do not create a privC program that allows the execution of any
executable with euid root! The path names of the scripts must be hardcoded in privC.c: a setuid
program that takes the path from its environment or its arguments can be pointed at any executable
by whoever invokes it.
Code for privC program
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    /* The script path is fixed at compile time, as the note above requires:
     * a setuid wrapper that built it from the caller's environment (IDS_BASE)
     * could be pointed at any executable. /opt/ids is the installation base
     * from the listing above. */
    #define SCRIPT_PATH "/opt/ids/response/misc/scriptC.sh"

    int main(int argc, char **argv, char **envp)
    {
        (void)argc;
        /* Pass the alert fields (argv) and the environment through to the script. */
        execve(SCRIPT_PATH, argv, envp);
        /* execve returns only if it failed. */
        perror("privC: execve");
        exit(1);
    }
Code for scriptC.sh script
    #!/usr/bin/sh
    ## Sample HP-UX HIDS alert response script
    ## Stop a process which has performed an intrusive activity.
    ## The alert fields arrive as positional parameters: $1 is the alert type
    ## (2 = file modification), ${11} the process id, ${17} the target file,
    ## ${24} the program that performed the action; $7 is used as the mail subject.
    RESPONSE_BASE=$IDS_BASE/response
    RECIPIENT="root"
    # Setting the umask to a "sane" value
    umask 077
    # If we have a file modification alert
    if [ "$1" = "2" ]
    then
        # and if the target of the attack is the password file
        if [ "${17}" = "/etc/passwd" ]; then
            # obtain the process id from the alert
            pid=${11}
            # this script runs as root: only act on a plain numeric process id
            case "$pid" in
                *[!0-9]*|"") exit 1 ;;
            esac
            echo "Critical intrusion: halting process ${pid} running ${24} that modified /etc/passwd" \
                | /usr/bin/mailx -s "$7" ${RECIPIENT}
            kill -KILL "${pid}"
        fi
    fi
    # Exit with no error
    exit 0
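As an added example (not code from the guide or from the HIDS product), a hardened variant of the privC wrapper that, besides the fixed script path, refuses malformed alert arguments before anything runs as root and replaces the caller's environment with a fixed minimal one. The script path and the field positions (11 = process id, 24 = last field the script reads) are taken from the listings above; the PATH and IDS_BASE values in the clean environment are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed from the listings above: script path and alert field positions. */
#define SCRIPT_PATH "/opt/ids/response/misc/scriptC.sh"
#define PID_FIELD   11
#define LAST_FIELD  24

/* Return 1 if s looks like a process id: 1..10 decimal digits, no sign,
 * no leading zero. A root wrapper must never hand "", "-1" or "0" to kill. */
int valid_pid_field(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 10 || s[0] == '0') return 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] < '0' || s[i] > '9') return 0;
    return 1;
}

/* Return 1 if argv carries at least `need` alert fields after argv[0]
 * and the process-id field passes the check above. */
int alert_args_ok(int argc, char **argv, int need)
{
    if (argc < need + 1) return 0;
    return valid_pid_field(argv[PID_FIELD]);
}

int main(int argc, char **argv)
{
    /* Fixed environment (assumed values): the caller's PATH, IFS, ENV and
     * similar variables never reach the root shell; only what the script
     * reads (IDS_BASE) is supplied. */
    char *clean_env[] = {
        "PATH=/usr/bin:/usr/sbin",
        "IDS_BASE=/opt/ids",
        NULL
    };
    if (!alert_args_ok(argc, argv, LAST_FIELD)) {
        fprintf(stderr, "privC: malformed alert arguments\n");
        return 1;
    }
    execve(SCRIPT_PATH, argv, clean_env);
    perror("privC: execve");   /* execve returns only on failure */
    return 1;
}
```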