HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
NOTE: See Table 41 (page 152) and Table 45 (page 154) in Appendix B for the definitions of
the additional arguments that give a response program direct access to specific alert
information (for example, pid and ppid) without parsing the string alert fields.
Privileged setuid Script Executed
This template generates and forwards alerts to a response program when a privileged setuid
script is executed (either directly or through a symbolic link) and the kernel has honored the setuid
bit. A setuid script is exposed to a race condition because the kernel opens the script to read its
#! line and then executes the named interpreter with the script's path name, which the interpreter
opens a second time; if that path is a symbolic link under the attacker's control, its target can be
changed between the two opens. An execution through a symbolic link is therefore reported as an
attack (severity 1), and a direct execution as a potential attack (severity 2). Table 18 lists the alert
properties the Privileged setuid Script Executed template supports.
Table 18 setuid Script Executed Alert Properties

Each entry gives the alert field, the response program argument that carries it, the field type,
the alert value or format, and a description.

Template code (argv[1], Integer)
    Value: 1
    Description: Unique code assigned to the template.

Version (argv[2], Integer)
    Value: <version>
    Description: Template version.

Severity (argv[3], Integer)
    Value: 1 if the script was executed via a symbolic link; otherwise 2.
    Description: Alert severity.

UTC time (argv[4], Integer)
    Value: <secs>
    Description: UTC time, in seconds since the epoch, at which the privileged setuid script
    was executed.

Attacker (argv[5], String)
    Value: uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid>
    Description: The user ID, group ID, process ID, and parent process ID of the process that
    executed the privileged setuid script.

Target of Attack (argv[6], String)
    Value: file=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>,
    inode=<inode>, device=<device>
    Description: The full path name of the privileged setuid script, and the script's type,
    mode, uid, gid, inode, and device number. (This uid is the file owner, not the uid of the
    executing process in the Attacker field.)

Summary (argv[7], String)
    Value: "Race condition attack" if the script was executed from a symbolic link; otherwise
    "Potential race condition attack".
    Description: Alert summary.

Details (argv[8], String)
    Value: User with <uid> running as process with pid <pid> and with parent pid <ppid> is
    executing the privileged setuid script <full pathname> (type=<type>, inode=<inode>,
    device=<device>), invoked as follows: <argv[0] argv[1] ...>, [perhaps] from a symbolic
    link. Privileged setuid script owned by a user with uid <uid>. A privileged setuid script is
    vulnerable to a race condition attack.
    Description: Detailed alert description.

Event (argv[9], String)
    Value: null
    Description: The event that triggered the alert.
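The following response program is an added example and is not part of the HP-UX HIDS guide or
the product's own scripts. It shows how a response program consumes the nine positional
arguments of Table 18: it parses the comma-separated Attacker (argv[5]) and Target of Attack
(argv[6]) strings, maps the severity code (argv[3]) to the wording used in the Summary field, and
produces a single log line that keeps the executing process uid and the script owner uid apart.
The field names (uid=, gid=, pid=, ppid=, file=, type=, mode=, inode=, device=) follow the
Alert Value/Format column; the log path /var/opt/ids/response.log and the sample alert values
used in the comments are assumptions constructed for this example. Appendix B describes
additional arguments that avoid parsing the string fields; this script deliberately shows the
parsing route, which works with only the nine arguments above.

```shell
#!/bin/sh
# Added example response program for the "Privileged setuid Script Executed"
# template (not from the HP-UX HIDS guide). HIDS invokes the response program
# with argv[1]..argv[9] as listed in Table 18.

# field STRING KEY: print the value of KEY from a "k=v, k=v, ..." string.
# "ppid" does not match "pid" because the key is anchored at the start of
# each comma-separated element.
field() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# severity_text CODE: the Summary wording for severity code argv[3].
severity_text() {
    case "$1" in
        1) echo "race condition attack (script executed via symbolic link)" ;;
        2) echo "potential race condition attack" ;;
        *) echo "unknown severity $1" ;;
    esac
}

# format_alert ARGV1 ... ARGV9: build one log line from the nine alert
# arguments. The uid in Attacker (argv[5]) is the executing process; the uid
# in Target of Attack (argv[6]) is the owner of the setuid script.
format_alert() {
    tcode=$1; ver=$2; sev=$3; when=$4; attacker=$5; target=$6
    uid=$(field "$attacker" uid)
    pid=$(field "$attacker" pid)
    ppid=$(field "$attacker" ppid)
    file=$(field "$target" file)
    owner=$(field "$target" uid)
    printf 'template=%s version=%s utc=%s severity=%s uid=%s pid=%s ppid=%s file=%s owner_uid=%s: %s\n' \
        "$tcode" "$ver" "$when" "$sev" "$uid" "$pid" "$ppid" "$file" "$owner" \
        "$(severity_text "$sev")"
}

# Entry point when HIDS runs this script: exactly nine arguments are passed.
# Example invocation (constructed values):
#   ./setuid_response.sh 1 1 1 1302000000 \
#       "uid=100, gid=20, pid=4242, ppid=4200" \
#       "file=/usr/local/bin/report.sh, type=script, mode=4755, uid=0, gid=3, inode=12345, device=64000" \
#       "Race condition attack" "User with 100 ..." null
if [ "$#" -eq 9 ]; then
    format_alert "$@" >> /var/opt/ids/response.log   # log path is an assumption
fi
```

The script only appends to a log; a production response program would typically also page an
operator or invoke the HIDS alert-handling of your site policy, and should itself not be a setuid
script, since it runs in response to exactly the condition this template detects.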
120 Templates and Alerts