Host Intrusion Detection System Administrator's Guide Release 3.1
Automated Response
Programming Guidelines
Appendix B
197
int pid;
/* Turn off root privilege but save euid */
if( setresuid(-1, getuid(), geteuid()) == -1)
{
perror(“setresuid”);
exit(1);
}
/* Determine if a file modification alert */
if (atoi(argv[1]) == 2)
{
/* Determine if the target of the attack is /etc/passwd */
if (strcmp(argv[17],”/etc/passwd”) == 0)
{
/* Obtain process id */
pid = atoi(argv[11]);
if (pid < 0)
{
fprintf(stderr,”Unknown process modified /etc/passwd\n”,pid);
exit(1);
}
fprintf(stderr,”Process %d running %s modified /etc/passwd\n”,pid,
argv[24]);
/* Turn on root privilege */
if( setresuid(-1, 0, -1) == -1)
{
perror(“setresuid”);
exit(1);
}
/* Kill offending process */
if (kill((pid_t)pid,SIGKILL) == -1)
{
perror(“kill”);
exit(1);
}
fprintf(stderr,”Killed offending process %d\n”,pid);
/* Turn off root privilege */
if( setresuid(-1, getuid(), geteuid()) == -1)
{
perror(“setresuid”);
exit(1);
}
}
}
exit(0);
}