HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
as the effective uid at all other times. This method is called privilege bracketing.
For instructions on toggling the effective uid, see setresuid(2).
• Solution C
Write a single, privileged setuid C executable program that forks and executes
a shell script that is not itself setuid but inherits the privileges of the C
program, and that both processes the alert string and performs the privileged
operations. For more information, see “Solution C” (page 206).
The privileged C program must hard code the full pathname of the script. It
must not execute a path name supplied through one of its program arguments (or
through an environment variable such as PATH), as this would let the caller run
an arbitrary program with root privileges.
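As an added example, not code from the HP-UX HIDS guide, here is a Solution C launcher in C. The script path /opt/ids/response/misc/scriptC.sh, the fixed environment it installs and the MAX_ARGS limit are assumptions made for this example. Whatever the invoker passes in argv, even a string such as /bin/sh, reaches the script only as an argument: the program can exec exactly one compiled-in path.

```c
/*
 * privC.c: Solution C launcher (added example; not delivered with HP-UX HIDS).
 *
 * A setuid-root program, intended to be installed mode 4550 root:ids, whose
 * only job is to run one response script. The script's path is compiled in;
 * the alert fields from argv are passed to it as arguments, and nothing from
 * argv or the environment is ever used as a program path. Because the script
 * runs with root privileges, it is given a fixed environment rather than the
 * invoker's.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical location; the guide does not ship this file. */
#define RESPONSE_SCRIPT "/opt/ids/response/misc/scriptC.sh"
#define MAX_ARGS 32

/* The complete environment the privileged script will see. */
static char *const SAFE_ENV[] = {
    "PATH=/usr/bin:/usr/sbin",
    "IFS= \t\n",
    "IDS_BASE=/opt/ids",   /* assumed install base; the guide's scripts use $IDS_BASE */
    NULL
};

/*
 * Fill argv for the script. argv[0] is always RESPONSE_SCRIPT; the caller's
 * fields follow unchanged, so a field such as "/bin/sh" is only ever data
 * for the script. Returns the argument count (without the terminating NULL),
 * or -1 if the fields do not fit.
 */
int build_script_argv(char *argv_out[], int cap, char *const fields[], int nfields)
{
    if (nfields < 0 || nfields + 2 > cap) return -1;
    argv_out[0] = RESPONSE_SCRIPT;
    for (int i = 0; i < nfields; i++) argv_out[i + 1] = fields[i];
    argv_out[nfields + 1] = NULL;
    return nfields + 1;
}

/*
 * Fork and exec the script, wait for it, and return its exit status
 * (127 if it could not be started, -1 on fork or wait failure).
 */
int run_response_script(char *const fields[], int nfields)
{
    char *argv[MAX_ARGS];
    if (build_script_argv(argv, MAX_ARGS, fields, nfields) < 0) return -1;

    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        /* execve with an explicit path and environment: no PATH search,
           no inherited variables. */
        execve(RESPONSE_SCRIPT, argv, SAFE_ENV);
        _exit(127);
    }
    int status;
    if (waitpid(child, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: privC alert-field ...\n");
        return 2;
    }
    int rc = run_response_script(&argv[1], argc - 1);
    if (rc < 0) perror("privC");
    return rc < 0 ? 1 : rc;
}
```

Because the script inherits root privileges, replacing the environment matters as much as the fixed path: a script that invokes ps or kill by bare name would otherwise resolve them through the invoker's PATH, which is the same arbitrary-program problem by another route.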
Solution A is the most secure solution because it implements clear separation of
privileges. Solution B is as secure as Solution A if the privilege bracketing is done
correctly. Although not as secure as Solutions A and B, Solution C is the easiest to
implement and is not subject to the vulnerability of privileged setuid shell scripts.
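The following added example, not code from the HP-UX HIDS guide, shows the privileged helper of Solution A written with the privilege bracketing of Solution B: a setuid-root C program that accepts one pid, validates it, and holds root only across the kill(2) calls. The path in the header comment is the guide's suggested location for privA; the pid-field rules and the SIGTERM-then-SIGKILL sequence are this example's choices. It toggles the effective uid with seteuid(2) so that it compiles unchanged on other UNIX systems; on HP-UX, setresuid(-1, uid, -1) is the equivalent call (see setresuid(2)).

```c
/*
 * privA.c: setuid-root helper that stops one process (added example; not
 * delivered with HP-UX HIDS). Intended for /opt/ids/response/misc/privA,
 * mode 4550, owned root:ids.
 *
 * The only privileged operation is kill(2). The effective uid is switched
 * back to the invoker's (ids) on entry, root is regained only across the
 * kill calls, and on exit root is given up permanently.
 */
#include <ctype.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/*
 * Parse the pid field taken from the alert. Only a short run of digits
 * naming a pid greater than 1 is accepted: no sign, no whitespace, and
 * neither 0 nor -1, which kill(2) treats as process groups rather than a
 * single process. Returns 1 and stores the pid on success, 0 otherwise.
 */
int parse_target_pid(const char *field, pid_t *out)
{
    if (field == NULL || *field == '\0' || strlen(field) > 9) return 0;
    long v = 0;
    for (const char *p = field; *p != '\0'; p++) {
        if (!isdigit((unsigned char)*p)) return 0;
        v = v * 10 + (*p - '0');
    }
    if (v <= 1) return 0;
    *out = (pid_t)v;
    return 1;
}

/* Toggle the effective uid. On HP-UX, setresuid(-1, uid, -1) does the same. */
static void set_euid(uid_t uid)
{
    /* A failed switch must never be ignored: abort rather than continue
       with the wrong privileges. */
    if (seteuid(uid) != 0) { perror("seteuid"); abort(); }
}

/*
 * Send SIGTERM, then SIGKILL if the process is still present, holding root
 * only across the kill(2) calls. Returns 0 on success, -1 with errno set.
 */
int stop_process(pid_t pid)
{
    int rc, saved;
    set_euid(0);                       /* raise: the saved uid is still 0 */
    rc = kill(pid, SIGTERM);
    if (rc == 0) {
        sleep(2);
        if (kill(pid, 0) == 0) rc = kill(pid, SIGKILL);
    }
    saved = errno;
    set_euid(getuid());                /* drop again before anything else */
    errno = saved;
    return rc;
}

int main(int argc, char *argv[])
{
    uid_t invoker = getuid();
    pid_t pid;
    set_euid(invoker);                 /* bracket: unprivileged from the first line */
    if (argc != 2 || !parse_target_pid(argv[1], &pid)) {
        fprintf(stderr, "usage: privA <pid>\n");
        return 2;
    }
    int rc = stop_process(pid);
    if (rc != 0) perror("privA: kill");

    /* Give root up for good: with euid 0, setuid() sets real, effective and
       saved uid together. Then verify that root cannot be regained. */
    set_euid(0);
    if (setuid(invoker) != 0 || (invoker != 0 && seteuid(0) == 0)) {
        fprintf(stderr, "privA: could not drop privileges\n");
        abort();
    }
    return rc == 0 ? 0 : 1;
}
```

The check at the end is the part of bracketing that is most often skipped: a seteuid() that fails silently leaves the helper running as root for the rest of its life, so every switch is verified and the final drop is tested by trying, and expecting to fail, to come back.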
WARNING! The privileged setuid programs of all these solutions are vulnerable
to attack if the ids user account is enabled for login and its password is
compromised: anyone who can log in as ids can run them. Either the ids account
must not be enabled for login (the default when HIDS is installed) or a strong
password must be chosen for ids and safeguarded.
Code Examples
The following code examples for solutions A, B, and C demonstrate how to terminate
a process that you do not own.
NOTE: The pathnames below are suggested places to store files. However, they are
not delivered as part of HP-UX HIDS, because of the program's security policy
implications.
Solution A
/opt/ids/response/scriptA.sh      A non-setuid script with mode 500, owned by ids:ids
/opt/ids/response/misc            A directory with mode 500, owned by ids:ids
/opt/ids/response/misc/privA      A setuid-root program with mode 4550, owned by root:ids
Code for scriptA.sh
#!/usr/bin/sh
## Sample HP-UX HIDS alert response script
## Stop a process that has performed an intrusive activity.
RESPONSE_BASE=$IDS_BASE/rt_response
RECIPIENT="root"
Programming Guidelines 203