Host Intrusion Detection System Administrator's Guide Release 3.1

Templates and Alerts
Race Condition Template
Appendix A
Privileged setuid Script Executed
This template generates and forwards alerts to a response program when a privileged
setuid script is executed (either directly or through a symbolic link) and the kernel has
honored the setuid bit. Table A-8 lists the alerts that this template supports.
Table A-8 setuid Script Executed Alert Properties

Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
--- | --- | --- | --- | ---
argv[1] | Template code | Integer | 1 | Unique code assigned to template
argv[2] | Version | Integer | 2 | Version of the template
argv[3] | Severity | Integer | 1 if executed via symbolic link; otherwise 2. | Alert severity
argv[4] | UTC Time | Integer | <secs> | UTC time in number of seconds since epoch when a privileged setuid script was executed
argv[5] | Attacker | String | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>. | The user ID, group ID, process ID, and parent process ID of the process that executed a privileged setuid script.
argv[6] | Target of Attack | String | file=<full pathname>, type=<type>,mode=<mode>,uid=<uid>,gid=<gid>,inode=<inode>,device=<device>. | The full pathname of the privileged setuid script and the script's type, mode, uid, gid, inode, and device number
argv[7] | Summary | String | Race condition attack if script executed via a symbolic link. Otherwise, set to Potential race condition attack. | Alert summary
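As an added example (not code from the guide), the following response program parses the seven argv fields of Table A-8 into a structured record. It assumes the comma-separated key=value layout shown in the table and treats the trailing period as optional; the script path is matched greedily so a comma inside <full pathname> cannot shift the fixed-order fields that follow it.

```python
import re
import sys
from dataclasses import dataclass
from datetime import datetime, timezone

# argv[5] layout from Table A-8; the trailing period is treated as optional.
ATTACKER_RE = re.compile(
    r"^uid=(?P<uid>\d+), ?gid=(?P<gid>\d+), ?pid=(?P<pid>\d+), ?ppid=(?P<ppid>\d+)\.?$")
# argv[6] layout; <file> is greedy, so commas in the path cannot displace later fields.
TARGET_RE = re.compile(
    r"^file=(?P<file>.*), ?type=(?P<type>[^,]*),mode=(?P<mode>[^,]*),uid=(?P<uid>\d+),"
    r"gid=(?P<gid>\d+),inode=(?P<inode>\d+),device=(?P<device>[^,.]*)\.?$")

@dataclass
class SetuidScriptAlert:
    template_code: int
    version: int
    severity: int
    utc_time: datetime
    attacker: dict
    target: dict
    summary: str

    @property
    def via_symlink(self) -> bool:
        # Severity 1 is reserved for execution through a symbolic link (Table A-8).
        return self.severity == 1

def parse_alert(argv: list) -> SetuidScriptAlert:
    """Parse argv[1..7] as handed to the response program; ValueError on malformed input."""
    if len(argv) < 8:
        raise ValueError("expected seven alert arguments, got %d" % (len(argv) - 1))
    code, version, severity = (int(argv[i]) for i in (1, 2, 3))
    if code != 1 or severity not in (1, 2):
        raise ValueError("not a setuid script alert or unknown severity")
    attacker, target = ATTACKER_RE.match(argv[5]), TARGET_RE.match(argv[6])
    if attacker is None or target is None:
        raise ValueError("malformed attacker or target field")
    return SetuidScriptAlert(
        template_code=code, version=version, severity=severity,
        utc_time=datetime.fromtimestamp(int(argv[4]), tz=timezone.utc),
        attacker={k: int(v) for k, v in attacker.groupdict().items()},
        target=target.groupdict(), summary=argv[7])

# Constructed sample argv (not a real alert); the script path deliberately contains a comma.
SAMPLE_ARGV = ["respond.py", "1", "2", "1", "1700000000",
               "uid=1001, gid=100, pid=4242, ppid=4100.",
               "file=/usr/local/bin/backup,old.sh, type=regular,mode=4755,uid=0,gid=0,"
               "inode=12345,device=2049.", "Race condition attack"]

if __name__ == "__main__":
    alert = parse_alert(sys.argv if len(sys.argv) > 7 else SAMPLE_ARGV)
    print(alert.summary, "(via symlink)" if alert.via_symlink else "(direct)", alert.target["file"])
```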