Automated Response

Programming Guidelines

then

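# and if the target of the attack is the password file
# (assumes the alert's field layout: $7 = subject, ${11} = pid,
#  ${17} = target file, ${24} = program -- confirm against the alert format)
if [ "${17}" = "/etc/passwd" ]; then
    # obtain the process id from the alert
    pid=${11}
    # Notify the administrator; the alert subject ($7) becomes the mail subject.
    # The message must be piped into mailx, otherwise the mailx path is only echoed.
    # RECIPIENT is left unquoted so it may expand to several addresses -- confirm.
    echo "Critical intrusion: halting process ${pid} running ${24} that modified /etc/passwd" | /usr/bin/mailx -s "$7" ${RECIPIENT}
    # Invoke setuid-root program to kill process instead
    # of using a setuid-root script which is susceptible to
    # race condition attacks. privA is responsible for validating the pid it is given.
    "${RESPONSE_BASE}/misc/privA" "${pid}"
fi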

fi

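# Exit with no error (the exit must be on its own line; inside the comment it never runs)
exit 0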

Code for privA program

#include <errno.h>   /* errno, ERANGE */
#include <limits.h>  /* INT_MAX */
#include <signal.h>  /* kill(2), SIGKILL, pid_t */
#include <stdio.h>   /* perror(3), fprintf(3) */
#include <stdlib.h>  /* strtol(3), exit(3) */
</deps_update>

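/*
 * privA: kill the process whose pid is given as the single argument.
 *
 * Run as a setuid-root helper so that the (unprivileged) response script can
 * terminate an offending process; the manual prefers a compiled helper over a
 * setuid-root script because the latter is susceptible to race conditions.
 *
 * Usage: privA <pid>
 * Exit status: 0 on success; 1 on bad usage, an unparsable or out-of-range
 * pid, or kill(2) failure (the kill error is reported via perror).
 *
 * NOTE(review): nothing here restricts which pid may be named; who may invoke
 * the helper at all rests on its file mode/ownership (the manual gives
 * 4550 root:ids for privB) -- confirm privA is installed the same way.
 */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fputs("usage: privA <pid>\n", stderr);
        exit(1);
    }

    /* Parse the pid strictly: the whole argument must be digits and in range.
     * strtol() with a NULL end pointer silently accepts trailing garbage
     * such as "123abc" and hides ERANGE. */
    errno = 0;
    char *end = NULL;
    long val = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE) {
        fprintf(stderr, "privA: invalid pid '%s'\n", argv[1]);
        exit(1);
    }

    /* kill(2) gives non-positive pids special meaning: 0 is the caller's
     * process group, -1 is every process the caller may signal, and a value
     * below -1 is a whole process group. A root-privileged helper must never
     * forward those, so only a single positive pid is accepted; the original
     * check rejected only 0. The INT_MAX bound matches the int-sized pid the
     * original stored. */
    if (val <= 0 || val > INT_MAX) {
        fprintf(stderr, "privA: pid out of range '%s'\n", argv[1]);
        exit(1);
    }
    pid_t pid = (pid_t)val;

    if (kill(pid, SIGKILL) == -1) {
        perror("kill");
        exit(1);
    }

    fprintf(stderr, "Successfully killed offending process %d\n", (int)pid);
    exit(0);
}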

Solution B

/opt/ids/response/privB

A setuid-root program with mode 4550 and owned by root:ids

Code for privB program

#include <stdlib.h> /* atoi(3C) */ #include <unistd.h> /* setresuid(2) */ #include <signal.h> /* kill(2) */

/* This program is assumed to be a setuid-root program */

int main(int argc, char **argv)

{
