Automated Response
Programming Guidelines
Writing Perl vs. Shell Response Scripts
Perl itself is not privileged, but, when a Perl script is run by a privileged user (as it often is), care must be taken to make sure that the script is secure.
It is far easier to write an insecure script in Perl than in a shell (POSIX, Korn, C, etc.). This is similar to the problems with using the str*() functions: the functions themselves have no security issues when properly used; however, in practice, their usage is almost always insecure, and it is better to avoid them altogether. Perl, similarly, makes it much easier to write bad scripts than a shell does.
As an example of Perl’s problems, consider the Perl statement “open INPUT, $FILE” when $FILE happens to be an input from the user that could potentially contain
The “taint check” option of Perl, “perl
Use a current version of Perl. Older versions have some known vulnerabilities.
Perl References
These references may be helpful:
•perlsec (1) in /opt/perl/man in the
•http://www.perldoc.com/perl5.6/pod/perlsec.html, the web version of the manpage.
•
Writing Privileged Response Programs
•Solution A
Write the response program as a single, unprivileged C executable program, or as a single, unprivileged shell script, that processes the alert string and invokes one or more privileged setuid C executables to perform operations that require privilege. See “Solution A” on page 191.
The unprivileged C executable program or shell script should sanitize and set up the environment before invoking the privileged programs, so that no dangerous data that might adversely affect their behavior is passed into them. This solution enforces a clear separation of privilege: the text of the alert string is processed with no privileges, and privileged programs are called only to perform the operations that require privilege.
•Solution B
Write the entire response program as a single, privileged setuid C executable program that both processes the alert string and performs the privileged operations.
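A minimal unprivileged front end in the style of Solution A, added here as an illustration and not taken from the original guide: it allow-lists one field extracted from the alert string and starts the privileged helper with a fixed argument vector and a fixed environment, without going through a shell. The helper path, the meaning of the field (an account name) and all function names are assumptions.

```c
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical setuid helper path (an assumption, not from the guide). */
#define HELPER "/opt/response/bin/lock_account"

/* Fixed environment for the helper: nothing is inherited from the caller. */
char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };

/* Allow-list check for one alert field (assumed to be an account name):
 * 1..32 chars from [A-Za-z0-9_-], never starting with '-' (no options). */
int is_safe_field(const char *s)
{
    static const char ok[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                             "abcdefghijklmnopqrstuvwxyz0123456789_-";
    size_t n;
    if (s == NULL || s[0] == '\0' || s[0] == '-')
        return 0;
    n = strlen(s);
    return n <= 32 && strspn(s, ok) == n;
}

/* Build the helper's argv from a validated field; -1 means refuse to run. */
int build_helper_argv(const char *field, const char *argv_out[3])
{
    if (!is_safe_field(field))
        return -1;
    argv_out[0] = HELPER;
    argv_out[1] = field;
    argv_out[2] = NULL;
    return 0;
}

/* Run the helper without a shell; returns its exit status, or -1. */
int run_helper(const char *field)
{
    const char *av[3];
    int status; pid_t pid;
    if (build_helper_argv(field, av) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execve(HELPER, (char *const *)av, CLEAN_ENV);
        _exit(127);              /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

The privileged helper should still validate its own arguments, since it can also be invoked directly by any local user.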
190 | Appendix B |