HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

Privileged setuid Script Executed
This template generates and forwards alerts to a response program when a privileged setuid
script is executed (either directly or through a symbolic link) and the kernel has honored the setuid
bit. Table A-8 lists the alert properties the Privileged setuid Script Executed template supports.
Table 18 setuid Script Executed Alert Properties

| Description | Alert Value/Format | Alert Field Type | Alert Field | Response Program Argument |
|---|---|---|---|---|
| Unique code assigned to template | 1 | Integer | Template code | argv[1] |
| Template version | <version> | Integer | Version | argv[2] |
| Severity alert | 1 if executed via symbolic link; otherwise 2 | Integer | Severity | argv[3] |
| UTC time in number of seconds since the epoch when a privileged setuid script was executed | <secs> | Integer | UTC time | argv[4] |
| The user ID, group ID, process ID, and parent process ID of the process that executed a privileged setuid script | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid> | String | Attacker | argv[5] |
| The full path name of the privileged setuid script and the script's type, mode, uid, gid, inode, and device number | file=<full pathname>, type=<type>, mode=<mode>, uid=<uid>, gid=<gid>, inode=<inode>, device=<device> | String | Target of Attack | argv[6] |
| Alert summary | Race condition attack if script is executed from a symbolic link. Otherwise, set to potential race condition attack. | String | Summary | argv[7] |
| Detailed alert description | User with <uid> running as process with pid <pid> and with parent pid <ppid> is executing the privileged setuid script <full pathname> (type=<type>, inode=<inode>, device=<device>), invoked as follows: <argv[0] argv[1]...>, [*perhaps*] from a symbolic link. Privileged setuid script owned by a user with uid <uid>. A privileged setuid script is vulnerable to a race condition attack. | String | Details | argv[8] |
| The event that triggered the alert. | null | String | Event | argv[9] |
NOTE: See Table 41 (page 150) and Table 45 (page 152) in Appendix B for the definition of
additional arguments that can be used to access specific alert information (for example, pid and
ppid) without parsing the string alert fields.
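The following is an added example, not part of the HP-UX HIDS guide: a minimal POSIX sh response-program skeleton that receives the nine alert fields in the argv[1]..argv[9] order of the table above and pulls individual keys out of the comma-separated "key=value" Attacker and Target strings. The function names and the sample alert values are constructed for the example; only the field order and formats come from the table.

```shell
#!/bin/sh
# Added example (not from the guide): response-program skeleton for the
# Privileged setuid Script Executed template. Fields arrive as positional
# arguments: template_code version severity utc_secs attacker target summary details event

# Extract one key from a "k1=v1, k2=v2, ..." string (format of argv[5] and argv[6]).
# Usage: hids_field "<string>" <key>
hids_field() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^[[:space:]]*$2=//p"
}

# Map the severity value from the table: 1 = executed via symbolic link, 2 = otherwise.
hids_severity_text() {
    case "$1" in
        1) echo "executed via symbolic link" ;;
        2) echo "executed directly" ;;
        *) echo "unknown severity $1" ;;
    esac
}

# Build a one-line log record from the nine alert arguments, using the
# parsed uid/pid/ppid of the attacker and the file/mode of the target.
hids_log_line() {
    attacker_uid=$(hids_field "$5" uid)
    attacker_pid=$(hids_field "$5" pid)
    attacker_ppid=$(hids_field "$5" ppid)
    target_file=$(hids_field "$6" file)
    target_mode=$(hids_field "$6" mode)
    printf 'template=%s version=%s severity=%s (%s) time=%s uid=%s pid=%s ppid=%s file=%s mode=%s\n' \
        "$1" "$2" "$3" "$(hids_severity_text "$3")" "$4" \
        "$attacker_uid" "$attacker_pid" "$attacker_ppid" "$target_file" "$target_mode"
}

# Constructed sample alert strings, assembled to match the table's value formats.
SAMPLE_ATTACKER="uid=1001, gid=20, pid=4242, ppid=4000"
SAMPLE_TARGET="file=/usr/local/bin/report.sh, type=script, mode=4755, uid=0, gid=3, inode=1234, device=64"

# When invoked by HIDS as the response program, all nine fields are passed as arguments.
if [ $# -eq 9 ]; then
    hids_log_line "$@"
fi
```

The printed record is a starting point; a real response program would forward it to syslog or a SIEM and may act on severity 1 (symbolic-link invocation) differently from severity 2.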
118 Templates and Alerts