HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)
3. If you must transmit alert information to another system, set up your own secure communication
process.
4. If a response program has its setuid or setgid bit set, it runs as that effective user or group.
It is a good practice to restrict setuid and setgid programs to the absolute minimum
necessary. For more information, see “Writing Privileged Response Programs” (page 156).
5. When a response program is started, the agent process provides it with the set of environment
variables listed in Table 49, and passes the alert information as program arguments. Table 41
lists the additional arguments passed for Kernel template alerts; see Tables B-1 to B-6 for the
alert information passed as arguments 0 through 9 for each template.
Table 41 Additional Arguments Passed to Response Programs for Kernel Template Alerts

Response Program Argument | Alert Field                 | Alert Field Type | Alert Value/Format | Description
argv[10]                  | System Call #               | Integer          | <syscall#>         | System call number that triggered the alert. Corresponds to a number defined in scall_define.h.
argv[11]                  | Attacker Process ID         | Integer          | <pid>              | Process ID (pid) of the attacker
argv[12]                  | Attacker Parent Process ID  | Integer          | <ppid>             | Parent process ID (ppid) of the attacker
argv[13]                  | Attacker User ID            | Integer          | <uid>              | User ID (uid) of the attacker
argv[14]                  | Attacker Group ID           | Integer          | <gid>              | Group ID (gid) of the attacker
argv[15]                  | Attacker Effective User ID  | Integer          | <euid>             | Effective user ID (euid) of the attacker
argv[16]                  | Attacker Effective Group ID | Integer          | <egid>             | Effective group ID (egid) of the attacker
argv[17]                  | Pathname of Target File     | String           | <full pathname>    | Full pathname of the file under attack
argv[18]                  | Target File Type            | Integer          | <type>             | File type of the file under attack. Corresponds to an enum vtype value defined in vnode.h.
argv[19]                  | Target File Mode            | Integer          | <mode> (decimal)   | Mode of the file under attack
argv[20]                  | Target File Owner           | Integer          | <uid>              | Owner (uid) of the file under attack
argv[21]                  | Target File Group           | Integer          | <gid>              | Group (gid) of the file under attack
argv[22]                  | Target File Inode           | Integer          | <inode>            | Inode number of the file under attack
argv[23]                  | Target File Device          | Integer          | <device>           | Device number of the file under attack
argv[24]                  | Pathname of Attack Program  | String           | <full pathname>    | Full pathname of the attack program
argv[25]                  | Attack Program Type         | Integer          | <type>             | File type of the attack program. Corresponds to an enum vtype value defined in vnode.h.
argv[26]                  | Attack Program Mode         | Integer          | <mode> (decimal)   | Mode of the attack program
150 Automated Response for Alerts