HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide: HP-UX 11i v1, HP-UX 11i v2 and HP-UX 11i v3 > Appendix A Templates and Alerts

Repeated Failed su Commands Template


The vulnerability addressed by this template

The system su(1) command allows one user to assume the identity of another user by entering that user’s password. An attacker can attempt to gain superuser (root) privileges by running the su command and guessing the superuser password.

How this template addresses the vulnerability

The template monitors for repeated failed attempts to change user IDs. The template generates an alert when a given number of failed change user ID attempts occurs for a specified target user.

How this template is configured

Table A-24 lists the configurable properties that this template supports.

Table A-24 Repeated Failed su Commands Template Properties

Each entry gives the property name, its type code and default value, followed by its description.

max_failed_su  (type VIII, default value 2)
    The number of failed su attempts a user must exceed before the template generates an alert.

fail_interval  (type VI, default value 1440 minutes)
    The time interval over which the failed su attempts must occur to generate an alert.
    The default settings cause an alert to be generated when more than two su failures by a user occur within 24 hours (1440 minutes = 24 hours).

priv_user_list  (type III, default value root | ids)
    A high severity alert is generated when a user fails to switch to a user whose user ID or user name is in this list.

 

Alerts generated by this template

Repeated Failed su Attempts

Table A-25 lists the alert properties the Repeated Failed su Attempts template generates and forwards to a response program when repeated failed su attempts are detected.

Table A-25 Repeated Failed su Attempts Alert Properties

Each entry gives the response program argument, the alert field name and its type, the alert value or format, and a description.

argv[1]   Template code (Integer): 9
          Unique code assigned to the template.

argv[2]   Version (Integer): 3
          Template version.

argv[3]   Severity (Integer): 2 for users listed in the priv_user_list property; 3 for all other users.
          Alert severity.

argv[4]   UTC time (Integer): <secs>
          UTC time, in seconds since the epoch, when more than <max_failed_su> failed su attempts were detected for a particular user.

argv[5]   Attacker (String): <username>
          The name of the user attempting to su.

argv[6]   Target (String): <username>
          The target user of the last failed su attempt.

argv[7]   Summary (String): Failed su attempts
          Alert summary.

argv[8]   Details (String): User <username> had more than <max_failed_su> failed su attempts in the past <number> [second | minute | hour | day | week]. Targets were [ <username> <username> .... ]
          Detailed alert description.

argv[9]   Event (String): Failed switch-user (su)
          The event that triggered the alert.

argv[10]  Flag (Integer): 2
          Indicates a failed su alert rather than a failed login alert.

argv[11]  Device (String): <tty>
          The tty from which the failed su attempt was made.

argv[12]  From (String): <username>
          The name of the user attempting to su.

argv[13]  To (String): <username>
          The target user of the last failed su attempt.
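The following is an added illustration of the detection logic this template describes (threshold max_failed_su over a sliding fail_interval window, with the severity raised for targets in priv_user_list) and of how the resulting argv[1] to argv[13] fields of Table A-25 are assembled. It is example code, not part of HP-UX HIDS. The sample input lines are constructed; their "SU MM/DD hh:mm [+-] tty from-to" layout is the classic sulog format and is an assumption here, as are the year, the choice to treat any privileged target in a burst as high severity, and the decision to restart counting after each alert.

```python
"""Model of the Repeated Failed su Commands detection: count failed su
attempts per source user in a sliding window, alert once the count exceeds
max_failed_su, and build the argv[1..13] fields of Table A-25.
Added example, not HP-UX HIDS code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Template properties, with the defaults listed in Table A-24.
MAX_FAILED_SU = 2
FAIL_INTERVAL = timedelta(minutes=1440)
PRIV_USER_LIST = {"root", "ids"}

# Template code and version from Table A-25.
TEMPLATE_CODE = 9
TEMPLATE_VERSION = 3

# Constructed sample input (assumed classic sulog layout; year assumed below).
SULOG_SAMPLE = """\
SU 03/04 09:12 - pts/1 alice-root
SU 03/04 09:13 - pts/1 alice-root
SU 03/04 09:15 - pts/1 alice-ids
SU 03/04 10:30 + pts/2 bob-root
SU 03/05 08:00 - pts/3 carol-oracle
SU 03/05 08:01 - pts/3 carol-oracle
SU 03/05 08:02 - pts/3 carol-oracle
SU 03/06 09:20 - pts/1 alice-root
"""

SULOG_RE = re.compile(r"^SU (\d\d)/(\d\d) (\d\d):(\d\d) ([+-]) (\S+) (\S+)-(\S+)$")


def parse_sulog(text, year=2024):
    """Yield one event dict per well-formed sulog line; other lines are skipped."""
    for line in text.splitlines():
        m = SULOG_RE.match(line.strip())
        if not m:
            continue
        mon, day, hh, mm, status, tty, src, dst = m.groups()
        when = datetime(year, int(mon), int(day), int(hh), int(mm), tzinfo=timezone.utc)
        yield {"time": when, "failed": status == "-", "tty": tty, "from": src, "to": dst}


def describe_interval(interval):
    """Render the interval with the unit wording used in the Details field."""
    secs = int(interval.total_seconds())
    for unit, size in (("week", 604800), ("day", 86400), ("hour", 3600), ("minute", 60)):
        if secs % size == 0:
            return f"{secs // size} {unit}"
    return f"{secs} second"


def detect_repeated_failed_su(events, max_failed=MAX_FAILED_SU,
                              interval=FAIL_INTERVAL, priv_users=PRIV_USER_LIST):
    """Return one alert (argv[1..13] as a list) per burst of more than
    max_failed failed su attempts by the same source user within interval."""
    windows = defaultdict(deque)  # source user -> recent (time, target, tty)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not ev["failed"]:
            continue  # successful su is not counted by this template
        q = windows[ev["from"]]
        q.append((ev["time"], ev["to"], ev["tty"]))
        while ev["time"] - q[0][0] > interval:
            q.popleft()  # drop attempts older than fail_interval
        if len(q) <= max_failed:
            continue
        targets = [t for _, t, _ in q]
        # Assumption: any privileged target within the burst makes the alert high severity.
        severity = 2 if any(t in priv_users for t in targets) else 3
        details = (f"User {ev['from']} had more than {max_failed} failed su attempts "
                   f"in the past {describe_interval(interval)}. Targets were [ {' '.join(targets)} ]")
        alerts.append([TEMPLATE_CODE, TEMPLATE_VERSION, severity,
                       int(ev["time"].timestamp()), ev["from"], ev["to"],
                       "Failed su attempts", details, "Failed switch-user (su)",
                       2, ev["tty"], ev["from"], ev["to"]])
        q.clear()  # assumption: one alert per burst, counting restarts afterwards
    return alerts


if __name__ == "__main__":
    for argv in detect_repeated_failed_su(parse_sulog(SULOG_SAMPLE)):
        print(f"severity={argv[2]} attacker={argv[4]} target={argv[5]} :: {argv[7]}")
```

With the sample input and default properties, alice's three failures on 03/04 produce one severity 2 alert (targets root and ids are in priv_user_list), carol's three failures against oracle produce one severity 3 alert, bob's successful su is ignored, and alice's single failure on 03/06 falls below the threshold.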

 

Limitations

The Repeated Failed su Commands Template has no limitations.
