HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
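# Set the umask to a "sane" value: anything this response script creates
# (temp files, mail spool artifacts) is readable by its owner only.
umask 077

# $1 is the alert type; "2" is a file-modification alert.  The positional
# field layout ($1, $7, ${11}, ${17}, ${24}) is the one documented for this
# IDS release -- re-check it if the alert format changes between versions.
#
# Every positional field is quoted: the fields are attacker-influenced alert
# data, and an empty field or one containing whitespace would otherwise turn
# into a [ ... ] syntax error or an unintended word split.
if [ "$1" = "2" ]
then
    # ${17} is the file that was modified; only react to the password file.
    if [ "${17}" = "/etc/passwd" ]; then
        # ${11} is the process ID reported in the alert.
        pid="${11}"
        # ${24} is the program the offending process was running.  Both values
        # travel through mailx's stdin (the message body) and "$7" is passed as
        # a single argument to -s, so no further shell re-parsing occurs.
        echo "Critical intrusion: halting process ${pid} running ${24}
that modified /etc/passwd" | /usr/bin/mailx -s "$7" "${RECIPIENT}"
        # Invoke a setuid-root program to kill the process instead of using
        # a setuid-root script, which is susceptible to race condition
        # attacks.  The helper is expected to validate ${pid} itself (reject
        # 0, negative/process-group values and trailing junk); this script
        # does no validation because it runs on data it does not trust.
        "${RESPONSE_BASE}/misc/privA" "${pid}"
    fi
fi

# Exit with no error so the IDS does not treat the response as failed.
exit 0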
Code for privA Program
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
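/*
 * privA: minimal setuid-root helper that delivers SIGKILL to one process.
 *
 * argv[1] is the PID taken from an IDS alert, i.e. attacker-influenced
 * text, so it is parsed strictly and range-checked before kill() is called.
 * Anyone allowed to execute this binary (the guide installs such helpers
 * setuid root, executable by the ids group -- confirm the actual mode on
 * your system) can kill any process; keep that group membership tight.
 *
 * Exit status: 0 when the signal was delivered; 1 on bad usage, an invalid
 * or refused PID, or a kill() failure (reported through perror).
 */
int main(int argc, char **argv)
{
    char *end = NULL;
    long pid;

    if (argc != 2) {
        fprintf(stderr, "usage: privA <pid>\n");
        exit(1);
    }

    /* Strict parse: the whole argument must be a decimal number. */
    errno = 0;
    pid = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE) {
        fprintf(stderr, "privA: invalid pid '%s'\n", argv[1]);
        exit(1);
    }

    /*
     * Only a single ordinary process may be targeted.  kill() interprets
     * 0 as "my process group", -1 as "every process I am allowed to
     * signal" (all of them, since this runs as root) and other negative
     * values as process groups; PID 1 is init.  The original check only
     * rejected 0, so a crafted alert field of "-1" would have become a
     * system-wide SIGKILL.  INT_MAX bounds the cast to pid_t below.
     */
    if (pid <= 1 || pid > INT_MAX) {
        fprintf(stderr, "privA: refusing to signal pid %ld\n", pid);
        exit(1);
    }

    if (kill((pid_t)pid, SIGKILL) == -1) {
        perror("kill");
        exit(1);
    }

    fprintf(stderr, "Successfully killed offending process %ld\n", pid);
    exit(0);
}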
Solution B
/opt/ids/response/privB
A setuid-root program with mode 4550, owned by root:ids (setuid bit set; readable and executable by root and by members of group ids only, with no access for other users).
204 Automated Response for Alerts