Host Intrusion Detection System Administrator's Guide Release 3.1
Automated Response
How Automated Response Works in HP-UX HIDS
Appendix B
190
2. Your program is detached from a controlling terminal and runs as a background process. Standard output and standard error are both redirected to the error log file, as defined by the IDS_ERRORFILE configuration variable (the default is /var/opt/ids/error.log).
3. If you need to transmit your alert information to another system, you may need to set up your own secure communication process.
4. If your response program has its setuid or setgid bit set, it will run as that effective user or group. It is a good practice to restrict setuid and setgid programs to the absolute minimum necessary. See “Writing Privileged Response Programs” on page 194.
5. When a response program is started, the agent process provides it with a set of environment variables (Table B-3) and passes the alert information as program arguments (Table B-1). See Appendix A, “Templates and Alerts,” on page 123 for the alert information passed as arguments 0 through 9 for each template.
Table B-1 Additional Arguments Passed to Response Programs

Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description
argv[10] | System Call # | Integer | <syscall#> | System call number that triggered the alert. Corresponds to a number defined in scall_define.h.
argv[11] | Attacker Process ID | Integer | <pid> | Process ID (pid) of attacker
argv[12] | Attacker Parent Process ID | Integer | <ppid> | Parent process ID (ppid) of attacker
argv[13] | Attacker User ID | Integer | <uid> | User ID (uid) of attacker
argv[14] | Attacker Group ID | Integer | <gid> | Group ID (gid) of attacker
argv[15] | Attacker Effective User ID | Integer | <euid> | Effective user ID (euid) of attacker
argv[16] | Attacker Effective Group ID | Integer | <egid> | Effective group ID (egid) of attacker
argv[17] | Pathname of Target File | String | <full pathname> | Full pathname of the file under attack
argv[18] | Target File Type | Integer | <type> | File type of file under attack. Corresponds to an enum vtype value defined in vnode.h.
argv[19] | Target File Mode | Integer | <mode> (decimal) | Mode of file under attack.
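The following is an added example of a response script skeleton that consumes the Table B-1 fields; it is not HP's code and does not ship with HP-UX HIDS. It assumes C-style argument numbering (argv[0] is the program name, so argv[10] from the table is ${10} in the shell), and it treats the integer fields and the target pathname as untrusted input before writing a single log record to standard output, which the agent redirects to IDS_ERRORFILE.

```shell
#!/bin/sh
# Added example (not HP's code): skeleton of a HIDS response script that
# validates the Table B-1 fields before using them. Assumes C-style argv
# numbering, i.e. argv[10] from the table is ${10} in the shell.
# Output goes to stdout, which the agent redirects to IDS_ERRORFILE.

# is_int: succeed only for a non-negative decimal integer
is_int() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# summarize_alert SYSCALL PID PPID UID GID EUID EGID PATH TYPE MODE
# Takes the ten trailing fields (argv[10]..argv[19]) and prints one
# log record, or fails without printing if any field is malformed.
summarize_alert() {
    [ $# -eq 10 ] || return 1
    syscall=$1 pid=$2 ppid=$3 uid=$4 gid=$5 euid=$6 egid=$7 path=$8 ftype=$9 mode=${10}
    for n in "$syscall" "$pid" "$ppid" "$uid" "$gid" "$euid" "$egid" "$ftype" "$mode"; do
        is_int "$n" || { echo "malformed integer field: '$n'" >&2; return 1; }
    done
    # The pathname is influenced by the attacked process: require an absolute
    # path and refuse non-printable characters that could forge extra log records.
    case "$path" in
        /*) ;;
        *) echo "rejected non-absolute target path" >&2; return 1 ;;
    esac
    case "$path" in
        *[![:print:]]*) echo "rejected non-printable target path" >&2; return 1 ;;
    esac
    # Real uid differing from effective uid usually means a setuid target.
    privchange=no
    if [ "$uid" != "$euid" ]; then privchange=yes; fi
    # Mode arrives in decimal (Table B-1); print it in the familiar octal form.
    printf 'HIDS alert: syscall=%s pid=%s ppid=%s uid=%s euid=%s gid=%s egid=%s type=%s mode=%o privchange=%s path=%s\n' \
        "$syscall" "$pid" "$ppid" "$uid" "$euid" "$gid" "$egid" "$ftype" "$mode" "$privchange" "$path"
}

# When invoked by the agent: skip the nine template-specific arguments
# (argv[1]..argv[9]) and hand the remaining fields to summarize_alert.
if [ $# -ge 19 ]; then
    shift 9
    summarize_alert "$@"
fi
```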