HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)

called secure_sid_scripts(5) was introduced, with a default value under which the kernel
ignores the setuid and setgid bits on scripts. The vulnerability can still be exploited if the
tunable is configured to honor a privileged script's setuid and setgid bits, favoring compatibility
over security. Refer to secure_sid_scripts(5) for details.
How this template addresses the vulnerability
The Race Condition template monitors the file accesses that privileged programs make. The template
generates an alert if a file reference appears to have unexpectedly changed.
This template also monitors the execution of privileged setuid scripts, which are susceptible to a
race condition when executed through a symbolic link. Starting with HP-UX 11i v1.6, the setuid bit
of a setuid script is ignored as long as the default value of the secure_sid_scripts tunable kernel
parameter is in place.
How this template is configured
Table 16 lists the configurable properties the Race Condition template supports.
Table 16 Race Condition Template Properties

Property                 Type   Default Value
priv_user_list           III    root | daemon | bin | sys | adm | uucp | lp | nuucp
pathnames_to_not_watch   I      <empty>
pathnames_1              II     ^/etc/passwd$
programs_1               II     ^/usr/bin/passwd$ & ^/usr/sbin/useradd$ &
                                ^/usr/sbin/userdel$ & ^/usr/sbin/usermod$
pathnames_X              II     <empty>
programs_X               II     <empty>
Properties
The properties of the Race Condition template are described as follows:
priv_user_list A list of system-level user IDs or user names.
This list contains the users who have elevated access to the
system. Removing any of these users means that an attack
against that user is not detected by this template. Only
programs that run with an effective user ID equal to one of
the listed UIDs, or to the UID of one of the listed user
names, are monitored, and only the execution of setuid
scripts owned by a user listed in this property generates an
alert.
pathnames_to_not_watch Path names of programs that can be safely ignored.
Any race condition alert for a file whose path name is
matched by a regular expression in the
pathnames_to_not_watch property is filtered out and
not reported. You can use this property to filter alerts
generated when a privileged setuid script is executed. You
must specify the full path name of the script.
pathnames_X, programs_X You can use these properties to filter out race condition alerts
generated when a specified program modifies the file
reference of a privileged program for a particular file. See
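The following Python model is an added example and is not HP-UX HIDS code or text from this guide. It applies the property semantics described above (priv_user_list, pathnames_to_not_watch, and the pathnames_X/programs_X pairs, using the defaults from Table 16) to constructed race-condition events, so that the effect of each filter can be checked before a template is deployed. It assumes that "&" separates alternative patterns in a list-valued property (as the programs_1 default suggests), that "|" separates priv_user_list entries, and that the inline user table stands in for the host's /etc/passwd; the script path /usr/local/bin/nightly.sh is hypothetical.

```python
"""Model of the Race Condition template's alert filtering.

Added example, not HP-UX HIDS code: it models the property semantics the
guide describes (priv_user_list, pathnames_to_not_watch, and the
pathnames_X / programs_X pairs) over constructed events. Assumptions:
'&' separates alternative patterns in a list-valued property (as the
programs_1 default suggests), '|' separates priv_user_list entries, and
the user table below stands in for the host's /etc/passwd.
"""
import re
from dataclasses import dataclass

# Constructed user table: name -> UID (stand-in for /etc/passwd).
USER_TABLE = {"root": 0, "daemon": 1, "bin": 2, "sys": 3, "adm": 4,
              "uucp": 5, "lp": 9, "nuucp": 11, "webuser": 501}

# Defaults taken from Table 16 of the guide.
DEFAULT_PROPERTIES = {
    "priv_user_list": "root | daemon | bin | sys | adm | uucp | lp | nuucp",
    "pathnames_to_not_watch": "",
    "pathnames_1": "^/etc/passwd$",
    "programs_1": ("^/usr/bin/passwd$ & ^/usr/sbin/useradd$ & "
                   "^/usr/sbin/userdel$ & ^/usr/sbin/usermod$"),
}


@dataclass
class Event:
    """A constructed race-condition event as the template would see it."""
    kind: str        # "file_ref_changed" or "setuid_script_exec"
    program: str     # privileged program (or script) being executed
    euid: int        # effective UID the program runs with
    path: str        # file whose reference changed, or the script's path
    owner: int = 0   # owner UID of the script (setuid_script_exec only)


def split_list(value, sep):
    """Split a list-valued property on its separator, dropping blanks."""
    return [item.strip() for item in value.split(sep) if item.strip()]


def privileged_uids(props):
    """Resolve priv_user_list entries (UIDs or names) to a set of UIDs."""
    uids = set()
    for entry in split_list(props["priv_user_list"], "|"):
        if entry.isdigit():
            uids.add(int(entry))
        elif entry in USER_TABLE:
            uids.add(USER_TABLE[entry])
    return uids


def matches_any(patterns, text):
    return any(re.search(pattern, text) for pattern in patterns)


def filter_pairs(props):
    """Yield (pathnames_X patterns, programs_X patterns) for each X set."""
    for key in props:
        match = re.fullmatch(r"pathnames_(\d+)", key)
        if match and f"programs_{match.group(1)}" in props:
            yield (split_list(props[key], "&"),
                   split_list(props[f"programs_{match.group(1)}"], "&"))


def evaluate(event, props):
    """Return 'alert' or a short reason why the event produces no alert."""
    uids = privileged_uids(props)
    if event.kind == "setuid_script_exec":
        # Only setuid scripts owned by a listed user generate an alert.
        if event.owner not in uids:
            return "dropped: script owner not in priv_user_list"
    elif event.euid not in uids:
        # Programs not running as a listed user are not monitored at all.
        return "dropped: program not running as a listed user"
    if matches_any(split_list(props["pathnames_to_not_watch"], "&"), event.path):
        return "dropped: path matches pathnames_to_not_watch"
    for path_patterns, program_patterns in filter_pairs(props):
        # A pair filters the alert only when BOTH the file and the program match.
        if (matches_any(path_patterns, event.path)
                and matches_any(program_patterns, event.program)):
            return "dropped: expected change per pathnames_X/programs_X"
    return "alert"


if __name__ == "__main__":
    props = dict(DEFAULT_PROPERTIES)
    # Local customization: ignore a known privileged setuid script (hypothetical path).
    props["pathnames_to_not_watch"] = r"^/usr/local/bin/nightly\.sh$"
    for ev in [
        Event("file_ref_changed", "/usr/bin/passwd", 0, "/etc/passwd"),
        Event("file_ref_changed", "/usr/local/bin/evil", 0, "/etc/passwd"),
        Event("file_ref_changed", "/usr/sbin/useradd", 501, "/etc/passwd"),
        Event("setuid_script_exec", "/usr/local/bin/nightly.sh", 0,
              "/usr/local/bin/nightly.sh", owner=0),
        Event("setuid_script_exec", "/usr/local/bin/report.sh", 0,
              "/usr/local/bin/report.sh", owner=0),
    ]:
        print(f"{ev.kind:20} {ev.program:26} -> {evaluate(ev, props)}")
```

Note that a pathnames_X/programs_X pair suppresses an alert only when both the file and the program match; the same /etc/passwd change made by a program outside programs_1 still alerts, which is the case the template is meant to catch. A full path name anchored with ^ and $ keeps the pathnames_to_not_watch entry from matching a symbolic link or a longer path by accident.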