Host Intrusion Detection System Administrator's Guide Release 3.1
Templates and Alerts
Race Condition Template
Appendix A
NOTE See Table B-1 and Table B-2 in Appendix B for the definition of additional arguments
that can be used to access specific alert information (for example, pid and ppid) without
having to parse the string alert fields.
Limitations
This template can be CPU intensive because it is monitoring all file references on the system.
Table A-8 setuid Script Executed Alert Properties (Continued)

Response Program Argument: argv[8]
Alert Field: Details
Alert Field Type: String
Alert Value/Format: User with <uid> running as process with pid<pid> and with parent pid <ppid> is executing the privileged setuid script <full pathname>(type=<type>, inode=<inode>, device=<device>), invoked as follows: <argv[0] argv[1]...,[*perhaps*] via a symbolic link. Privileged setuid script owned by user with uid <uid>. A privileged setuid script is vulnerable to a race condition attack.
Description: Detailed alert description

Response Program Argument: argv[9]
Alert Field: Local Time
Alert Field Type: Integer
Alert Value/Format: <secs>
Description: Local time in number of seconds since epoch when a privileged setuid script was executed
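
A response program that does not use the additional arguments from Table B-1 and Table B-2 has to split the argv[8] Details string itself; the sketch below does that for the format listed in Table A-8. It is an added example, not code from this guide or from the product: the function name, the sample values, numeric uid and pid fields, and the exact spacing and wording of the string are assumptions.

```python
import re
import sys

# Built from the argv[8] "Alert Value/Format" text in Table A-8. \s* absorbs
# spacing differences; numeric uid/pid values are an assumption.
DETAILS_RE = re.compile(
    r"User with (?P<uid>\d+) running as process with pid\s*(?P<pid>\d+) "
    r"and with parent pid\s*(?P<ppid>\d+) is executing the privileged "
    r"setuid script (?P<path>.+?)\s*\(type=(?P<type>[^,]+),\s*"
    r"inode=(?P<inode>[^,]+),\s*device=(?P<device>[^)]+)\),\s*"
    r"invoked as follows:\s*(?P<invocation>.*)\s+"
    r"Privileged setuid script owned by user with uid (?P<owner_uid>\d+)\. "
    r"A privileged setuid script is vulnerable to a race condition attack\.",
    re.DOTALL,
)
# Constructed sample, not from a real system; argv[1]-argv[7] are placeholders.
SAMPLE_ARGV = ["response_prog"] + ["-"] * 7 + [
    "User with 1001 running as process with pid 4321 and with parent pid 4300 "
    "is executing the privileged setuid script /opt/tools/backup.sh(type=1, "
    "inode=5523, device=64), invoked as follows: backup.sh -a, via a symbolic "
    "link. Privileged setuid script owned by user with uid 0. A privileged "
    "setuid script is vulnerable to a race condition attack.",
    "1046512800",
]


def parse_setuid_alert(argv):
    """Return the alert fields as a dict, or None if the alert does not parse."""
    if len(argv) < 10 or not argv[9].strip().isdecimal():
        return None
    # fullmatch plus the greedy <invocation> group pins owner_uid to the fixed
    # sentence at the very end, so a copy of that sentence placed in the
    # script's own arguments cannot replace it.
    m = DETAILS_RE.fullmatch(argv[8].strip())
    if m is None:
        return None
    alert = m.groupdict()
    for key in ("uid", "pid", "ppid", "owner_uid"):
        alert[key] = int(alert[key])
    # path and invocation are shaped by whoever ran the script: log them, but
    # do not base a response decision on them.
    alert["local_secs"] = int(argv[9])
    return alert


if __name__ == "__main__":
    argv = sys.argv if len(sys.argv) > 1 else SAMPLE_ARGV
    print(parse_setuid_alert(argv) or "unparsed alert: %r" % (argv[1:],))
```

Because the pathname and invocation are free text inside one string, the split between them stays ambiguous; the dedicated arguments mentioned in the NOTE avoid that problem.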