HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

It is far easier to write an insecure script in Perl than in a shell (POSIX, Korn, C). This is similar to the problem with the str* functions: the functions themselves have no security issues when used properly, but in practice their usage is almost always insecure, so it is better to avoid them altogether. Perl, similarly, makes it very easy to write bad scripts when compared to programming with a shell.
As an example of the problems with Perl, consider the statement open INPUT, $FILE when $FILE is input from the user that can contain ill-formed data such as >/etc/passwd. A reader of the code would assume that $FILE is being opened for reading, whereas with that value the statement opens /etc/passwd for writing and truncates the file.
With its taint-checking option, perl -T, Perl is an acceptable substitute for a shell in most cases.
Use a current version of Perl. Older versions have known vulnerabilities.
Perl References
Use the following references to help write Perl scripts for HP-UX HIDS:
perlsec(1) in /opt/perl/man
http://www.perldoc.com/perl5.6/pod/perlsec.html, the web version of the manpage
http://security-archive.merton.ox.ac.uk/bugtraq-200002/0114.html, an email archive thread
Writing Privileged Response Programs
This section describes how to write privileged and unprivileged C response programs.
Solution A
Write the response program as a single, unprivileged C executable program, or as
a single, unprivileged shell script that processes the alert string and invokes one
or more privileged setuid C executables to perform operations that require
privileges. For more information, see “Solution A” (page 203).
The unprivileged C executable program or shell script must sanitize and set up
the environment before invoking privileged programs. This ensures that no
dangerous data is being passed into the privileged programs that can adversely
affect the behavior of the privileged programs. This solution enforces a clear
separation of privilege by processing the text of the alert string with no privileges,
and calling out to privileged programs to perform privileged operations.
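As an added illustration of Solution A (example code, not from the HP-UX HIDS guide): an unprivileged C front end that allow-lists the alert text and then runs a privileged setuid helper with an explicit, minimal environment through execve(2), so nothing from the caller's environment reaches the privileged program. The helper path, the clean environment contents and the character policy are assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical privileged setuid helper invoked by this unprivileged front end. */
#define HELPER_PATH "/opt/hids/bin/respond_helper"
#define MAX_ALERT_LEN 1024

/* Explicit, fixed environment for the helper: nothing is inherited from the
 * caller (no attacker-influenced PATH, IFS, LD_* or locale settings). */
static char *const clean_env[] = {
    "PATH=/usr/bin:/bin",
    "IFS= \t\n",
    NULL
};

/* Allow-list check on the alert text: printable ASCII only, no shell
 * metacharacters, bounded length. Returns 1 if safe to pass on, else 0. */
int alert_is_safe(const char *alert)
{
    static const char meta[] = "`$|&;<>()\\\"'*?[]{}~";
    size_t n = strlen(alert);
    if (n == 0 || n > MAX_ALERT_LEN)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)alert[i];
        if (c < 0x20 || c > 0x7e || strchr(meta, c) != NULL)
            return 0;
    }
    return 1;
}

/* Validate, then fork and execve(2) the privileged helper with the alert as its
 * only argument and the clean environment. Returns the helper's exit status,
 * or -1 if the alert was rejected or the helper could not be started. */
int run_privileged_helper(const char *alert)
{
    if (!alert_is_safe(alert))
        return -1;                  /* never reaches the privileged code */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "respond_helper", (char *)alert, NULL };
        execve(HELPER_PATH, argv, clean_env);
        _exit(127);                 /* reached only if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```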
Solution B
Write the entire response program as a single, privileged setuid C executable
program that both processes the alert string and performs privileged operations.
This program must run with only a privileged effective uid when performing an
operation that requires privileges, and must run with the nonprivileged ids uid
202 Automated Response for Alerts