HP-UX Host Intrusion Detection System Version 4.2 Administration Guide
Perl References
Use the following references to help write Perl scripts for HP-UX HIDS:
• perlsec(1) in /opt/perl/man.
• http://www.perldoc.com/perl5.6/pod/perlsec.html, the web version of the
manpage
• http://security-archive.merton.ox.ac.uk/bugtraq-200002/0114.html, an
email archive thread
Writing Privileged Response Programs
This section describes how to write privileged and unprivileged C response programs.
• Solution A
Write the response program as a single, unprivileged C executable program, or as a single,
unprivileged shell script that processes the alert string and invokes one or more privileged
setuid C executables to perform operations that require privileges. For more information,
see “Solution A” (page 168).
The unprivileged C executable program or shell script must sanitize and set up the
environment before invoking privileged programs. This ensures that no dangerous data
that could adversely affect the behavior of the privileged programs is passed into
them. This solution enforces a clear separation of privilege by processing
the text of the alert string with no privileges, and calling out to privileged programs to
perform privileged operations.
• Solution B
Write the entire response program as a single, privileged setuid C executable program
that both processes the alert string and performs privileged operations.
This program must run with a privileged effective uid only while performing an operation
that requires privileges, and must run with the nonprivileged uid of user ids as the
effective uid at all other times. This method is called privilege bracketing. For
instructions on toggling the effective uid, see setresuid(2).
• Solution C
Write a single, privileged setuid C executable program that forks and executes an
unprivileged shell script that both processes the alert string and performs privileged
operations. For more information, see “Solution C” (page 170).
The privileged C program must hard-code the full pathname of the unprivileged script. It
must not execute a program whose pathname is specified through one of its program
arguments, because this enables the execution of an arbitrary program with privileges.
Solution A is the most secure solution because it implements clear separation of privileges.
Solution B is as secure as Solution A if the privilege bracketing is done correctly. Although not
as secure as Solutions A and B, Solution C is the easiest to implement and is not subject to the
vulnerability of privileged setuid shell scripts.
WARNING! The privileged setuid programs of all these solutions are vulnerable to attack if
the user ids account is enabled for login and the ids password is compromised. Either the user
ids account must not be enabled for login (the default when HIDS is installed) or a strong
password for user ids must be chosen and safeguarded.
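One way to implement the privilege bracketing that Solution B requires, shown as an added example that is not code from the HP guide. The helper names (bracket_init, priv_raise, priv_lower, privileged_kill) are hypothetical, and the program is assumed to be installed setuid to the privileged user and invoked by user ids, with bracket_init() called first in main().

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* glibc hides setresuid() without this; not needed on HP-UX */
#endif
#include <sys/types.h>
#include <unistd.h>
#include <signal.h>
#include <errno.h>

/* Repeated so the file still builds if <unistd.h> was included earlier without the macro. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

/* Added example; the helper names below are hypothetical. */
static uid_t priv_uid;    /* effective uid granted by the setuid bit */
static uid_t unpriv_uid;  /* real uid of the caller (user ids under HIDS) */

/* Make priv_uid the effective uid and confirm the change took effect. */
int priv_raise(void)
{
    if (setresuid((uid_t)-1, priv_uid, (uid_t)-1) != 0) return -1;
    return geteuid() == priv_uid ? 0 : -1;
}

/* Return to the unprivileged effective uid; the saved uid is left alone for the next raise. */
int priv_lower(void)
{
    if (setresuid((uid_t)-1, unpriv_uid, (uid_t)-1) != 0) return -1;
    return geteuid() == unpriv_uid ? 0 : -1;
}

/* Call before touching the alert string: record both ids, then drop privilege. */
int bracket_init(void)
{
    priv_uid = geteuid();
    unpriv_uid = getuid();
    return priv_lower();
}

/* The one bracketed operation: signal a single, validated process. */
int privileged_kill(pid_t pid, int sig)
{
    int rc, saved;
    if (pid <= 1) { errno = EINVAL; return -1; }  /* 0 and negatives address groups or all processes; 1 is init */
    if (priv_raise() != 0) return -1;
    rc = kill(pid, sig);
    saved = errno;
    if (priv_lower() != 0) _exit(1);              /* never keep running with privilege still raised */
    errno = saved;
    return rc;
}
```

Every setresuid() result is checked and then verified with geteuid(), because a drop that fails silently leaves all later alert-string processing running with privileges.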
Code Examples
The following code examples for solutions A, B, and C demonstrate how to terminate a process
that you do not own.