}
fprintf(stderr,”Killed offending process %d n”,pid);
/* Turn off root privilege */
if( setresuid(-1, getuid(), geteuid()) == -1)
{
perror(“setresuid”);
exit(1);
}
}
}
exit(0);
}
Solution C
/opt/ids/response/privC
A setuid-root program with mode 4550, owned
by root:ids
/opt/ids/response/misc A directory with mode 500, owned by ids:ids
/opt/ids/response/misc/scriptC.sh
A non-setuid script with mode 500, owned by
ids:ids
NOTE: Do not write privC so that it can execute arbitrary executables with euid root. The full pathname of each script must be hardcoded in privC.c and must never be derived from command-line arguments or from environment variables (for example IDS_BASE): a setuid-root program that builds its target path from caller-controlled input lets anyone permitted to run it execute a script of their own choosing as root.
Code for the privC Program
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
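/*
 * privC: setuid-root trampoline (mode 4550, root:ids) that runs the
 * HIDS response script scriptC.sh with root privilege.
 *
 * The script path is hardcoded, as the NOTE above requires.  The
 * previous version built it from the IDS_BASE environment variable, so
 * any caller allowed to run privC could point IDS_BASE at a directory
 * it controls and have its own script executed with euid root.
 *
 * The environment handed to the script is fixed as well: IDS_BASE is
 * set to the installation base so the script's $IDS_BASE/rt_response
 * still resolves, and PATH is pinned instead of inherited.  Everything
 * else the caller may have set (PATH, IFS, ENV, ...) is dropped.
 *
 * argv is passed through unchanged, so scriptC.sh must treat its
 * arguments as untrusted input.  envp stays in the signature for
 * compatibility but is deliberately not used.
 *
 * Returns: does not return on success (the process image is replaced);
 * exits with status 1 if execve() fails.
 */
#define IDS_BASE_DIR "/opt/ids"
#define SCRIPT_C_PATH IDS_BASE_DIR "/response/misc/scriptC.sh"

int main(int argc, char **argv, char **envp)
{
    /*
     * Minimal, fixed environment for the script.  Adjust PATH to the
     * commands scriptC.sh actually needs; it must not come from the caller.
     */
    char *const script_env[] = {
        "IDS_BASE=" IDS_BASE_DIR,
        "PATH=/usr/bin:/usr/sbin",
        NULL
    };

    (void)argc;
    (void)envp;

    execve(SCRIPT_C_PATH, argv, script_env);

    /* Only reached when execve() failed (script missing, wrong mode, ...). */
    perror("execve");
    exit(1);
}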
Code for the scriptC.sh Script
#!/usr/bin/sh
## Sample HP-UX HIDS alert response script
## Stop a process that has performed an intrusive activity.
RESPONSE_BASE=$IDS_BASE/rt_response
RECIPIENT=”root”
# Set the umask to a “sane” value
umask 077