HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
Perl References
Use the following references to help write Perl scripts for HP-UX HIDS:
• perlsec(1) in /opt/perl/man.
• http://www.perldoc.com/perl5.6/pod/perlsec.html, the web version of the manpage.
• http://security-archive.merton.ox.ac.uk/bugtraq-200002/0114.html, an e-mail archive thread.
Writing Privileged Response Programs
This section describes how to write privileged and unprivileged C response programs.
• Solution A
Write the response program as a single, unprivileged C executable program, or as a single, unprivileged shell script that processes the alert string and invokes one or more privileged setuid C executables to perform the operations that require privileges. For more information, see “Solution A” (page 159).
The unprivileged C executable program or shell script must sanitize and set up the environment before invoking the privileged programs. This ensures that no dangerous data that could adversely affect the behavior of the privileged programs is passed into them.
This solution enforces a clear separation of privilege: the text of the alert string is processed with no privileges, and privileged programs are called out to only for the privileged operations.
• Solution B
Write the entire response program as a single, privileged setuid C executable program that both processes the alert string and performs the privileged operations.
This program must run with the privileged effective uid only while performing an operation that requires privileges, and must run with the unprivileged uid of the ids user as its effective uid at all other times. This method is called privilege bracketing. For instructions on toggling the effective uid, see setresuid(2).
• Solution C
Write a single, privileged setuid C executable program that forks and executes an unprivileged shell script that both processes the alert string and performs the privileged operations. For more information, see “Solution C” (page 161).
The privileged C program must hard code the full pathname of the unprivileged script. It must not execute a program whose path name is supplied through one of its arguments, because that would allow an arbitrary program to be executed with privileges.
Solution A is the most secure solution because it implements a clear separation of privileges. Solution B is as secure as Solution A if the privilege bracketing is done correctly. Although not as secure as Solutions A and B, Solution C is the easiest to implement and is not subject to the vulnerability of privileged setuid shell scripts.
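The following is an added example, not code from the HP-UX HIDS guide, showing the privilege bracketing of Solution B applied to the task the guide's own examples address: terminating a process that the ids user does not own. The alert string is parsed with the real (unprivileged) uid in effect, privilege is raised only around the kill(2) call, and the parser refuses pids that would address process groups or init. The `PID=<digits>` field is an assumed alert layout for illustration, not the HIDS alert format, and the function names are the example's own. It builds on HP-UX and on Linux (where `_GNU_SOURCE` exposes setresuid(2)).

```c
/* Added example (not from the HP-UX HIDS guide): Solution B style setuid C
 * response program with privilege bracketing around kill(2).
 * Assumption: the alert string carries the target as "PID=<digits>". */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

static uid_t real_uid;   /* uid of the unprivileged invoker (user ids) */
static uid_t priv_uid;   /* uid the binary is setuid to */

/* Record both uids and start out unprivileged.  The privileged uid stays in
 * the saved set-user-id so it can be reacquired.  Returns 0 on success. */
int init_privilege(void)
{
    real_uid = getuid();
    priv_uid = geteuid();
    return setresuid((uid_t)-1, real_uid, (uid_t)-1);
}

/* Bracket open: regain the privileged effective uid. */
int raise_privilege(void)
{
    return setresuid((uid_t)-1, priv_uid, (uid_t)-1);
}

/* Bracket close: back to the real uid. */
int drop_privilege(void)
{
    return setresuid((uid_t)-1, real_uid, (uid_t)-1);
}

/* Extract the target pid from an alert string of the assumed form
 * "...PID=<digits>...".  Returns the pid, or -1 if the field is missing,
 * malformed, or names 0, 1 or a negative value (process groups or init,
 * which a response program must never signal). */
long parse_target_pid(const char *alert)
{
    const char *p = strstr(alert, "PID=");
    char *end;
    long pid;

    if (p == NULL)
        return -1;
    p += 4;
    if (*p < '0' || *p > '9')          /* strtol alone would accept "+", "-", spaces */
        return -1;
    errno = 0;
    pid = strtol(p, &end, 10);
    if (errno != 0 || end == p)
        return -1;
    if (*end != '\0' && *end != ' ' && *end != '\t' && *end != '\n' && *end != ',')
        return -1;                     /* e.g. "PID=123abc" */
    if (pid <= 1)
        return -1;
    return pid;
}

/* Terminate pid with privilege held only for the duration of kill(2).
 * Returns 0 on success, -1 with errno set otherwise. */
int terminate_pid(pid_t pid)
{
    int rc, saved_errno;

    if (pid <= 1)                      /* defence in depth: never kill(0), kill(1) or kill(-n) */
        return -1;
    if (raise_privilege() != 0)
        return -1;
    rc = kill(pid, SIGKILL);
    saved_errno = errno;
    if (drop_privilege() != 0)         /* cannot continue unprivileged: stop here */
        abort();
    errno = saved_errno;
    return rc;
}

int main(int argc, char *argv[])
{
    long pid;

    if (init_privilege() != 0) {
        perror("setresuid");
        return 1;
    }
    if (argc != 2 || (pid = parse_target_pid(argv[1])) < 0) {
        fprintf(stderr, "usage: %s 'alert string containing PID=<n>'\n", argv[0]);
        return 1;
    }
    if (terminate_pid((pid_t)pid) != 0) {
        perror("kill");
        return 1;
    }
    return 0;
}
```

Note that the effective uid is dropped before the alert string is touched, so any parsing flaw is reached without privilege, and that the close of the bracket is treated as mandatory: if the program cannot get back to the real uid it aborts rather than continuing privileged.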
WARNING! The privileged setuid programs of all these solutions are vulnerable to attack if the user ids account is enabled for login and the ids password is compromised. Either the user ids account must not be enabled for login (the default when HIDS is installed) or a strong password for user ids must be chosen and safeguarded.
Code Examples
The following code examples for Solutions A, B, and C demonstrate how to terminate a process that you do not own.
158 Automated Response for Alerts