HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)

Table 48 Additional Arguments Passed to Response Programs While Generating Aggregated Alerts (continued)

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[27] | Full hostname of remote host | String | <hostname> | Full hostname of the remote host from which attacker logged in. Set to localhost if the local host or the empty string is not known. |
| argv[28] | IP address of the remote host | String | <IP address> | The IP address of the remote host from which the attacker logged in. Set to empty string if not known. |

Table 49 Environment Variables Set for Response Programs

| Variable | Value | Description |
|---|---|---|
| HOME | /opt/ids | Home directory |
| IDS_BASE | /opt/ids | Default installation location |
| IDS_ETC | /etc/opt/ids | Configuration file directory |
| IDS_VAR | /var/opt/ids | Temporary file location |
| IFS | \t\n | Tab, newline: separator string |
| LD_PRELOAD | <empty> | Library path |
| PATH | /usr/bin:/sbin:/usr/sbin | Program path |
| SHELL | /usr/bin/sh | Shell path name |
| TERM | unknown | Terminal type |

Programming Guidelines
This section provides guidelines for writing response scripts.
Perl Versus Shell Response Scripts
Perl is not privileged. However, when a Perl script is run by a privileged user (as it often is), care
must be taken to ensure that the script is secure.
It is far easier to write an insecure script in Perl than in a shell (POSIX, Korn, C). This is
similar to the problems with the C str* functions. The functions themselves have no security issues
when properly used; however, their usage is almost always insecure, and it is better to avoid them
altogether. Perl, similarly, makes it very easy to write bad scripts when compared to programming
with a shell.
As an example of problems with Perl, consider the Perl statement open INPUT, $FILE when
$FILE is input from the user that can contain ill-formed data such as >/etc/passwd.
A reader of the code may assume that $FILE is being opened for reading, whereas the statement
opens /etc/passwd for writing and truncates the file.
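The open problem described above, shown as an added example (not code from the HP guide): it contrasts the two-argument open with the three-argument form, using a constructed file in a scratch directory in place of /etc/passwd. The names $target, write_sample and size_of are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example: two-argument versus three-argument open on untrusted input.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Work inside a scratch directory that is removed when the script exits.
my $dir    = tempdir(CLEANUP => 1);
my $target = "$dir/data.txt";

# Constructed file standing in for one the script must never modify.
sub write_sample {
    open(my $fh, '>', $target) or die "setup failed: $!";
    print {$fh} "original contents\n";
    close($fh) or die "close failed: $!";
}

# Size of the sample file in bytes (0 once it has been truncated).
sub size_of { return (stat $target)[7] }

# Constructed untrusted value: a two-argument open reads the leading '>'
# as an open mode, not as part of the file name.
my $FILE = ">$target";

# Form from the text: the mode is taken from the data, so an open that
# looks like a read truncates the file instead.
write_sample();
if (open(INPUT, $FILE)) {
    close(INPUT);
}
print "size after 2-argument open: ", size_of(), " bytes\n";

# Three-argument form: the programmer fixes the mode as '<', the whole
# string is treated as a file name, and the open fails without side effects.
write_sample();
if (open(my $in, '<', $FILE)) {
    close($in);
} else {
    print "3-argument open failed: $!\n";
}
print "size after 3-argument open: ", size_of(), " bytes\n";
```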
The taint check option of Perl, perl -T, is a substitute for a shell in most cases.
Use a current version of Perl. Older versions have known vulnerabilities.