Host Intrusion Detection System Administrator's Guide Release 3.0

Templates and Alerts
Login/Logout Template
Appendix A
Table A-20 Login/Logout Alert Properties (Continued)

Response Program Argument  Alert Field    Alert Field Type  Alert Value/Format                                              Description
-------------------------  -------------  ----------------  --------------------------------------------------------------  ---------------------------------------------------------
argv[10]                   Flag           Integer           1                                                               Indicates a login/logout alert versus an su alert.
argv[11]                   User           String            <username>                                                      Name of user that logged in or logged out.
argv[12]                   Device         String            <pty device name>                                               Name of pty device associated with login session.
argv[13]                   Hostname       String            <remote hostname>                                               Name of remote host from which login was initiated.
argv[14]                   IP Address     String            <A.B.C.D> for IPv4 addresses; "A:B:C:D:..." for IPv6 addresses  IP address of remote host from which login was initiated.

Successful su Detected

This template generates and forwards the following alerts to a response program when a
successful switch user (su) command is executed:

Table A-21 Successful su Detected Alert Properties

Response Program Argument  Alert Field    Alert Field Type  Alert Value/Format                             Description
-------------------------  -------------  ----------------  ---------------------------------------------  ----------------------------------------------------------------------------
argv[1]                    Template code  Integer           7                                              Unique code assigned to template
argv[2]                    Version        Integer           2                                              Version of the template
argv[3]                    Severity       Integer           2 for user root or ids; 3 for all other users  Severity
argv[4]                    UTC Time       Integer           <secs>                                         UTC time in number of seconds since epoch when a successful su event occurs.
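
A response program receives these fields as positional arguments, so it should check them before acting on an alert. The shell script below is an added example, not code from this guide or from the HIDS product: it validates argv[1] through argv[4] as listed in Table A-21, and its function names, return codes, and output line format are assumptions.

```shell
#!/bin/sh
# Added example: validate argv[1]..argv[4] of a "Successful su Detected" alert.
# Field meanings come from Table A-21; the output line format is an assumption.

# Succeeds only for a non-empty string of decimal digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# parse_su_alert ARGS... : print one normalized line, or return non-zero.
#   2 = too few arguments, 3 = non-integer field, 4 = not template code 7,
#   5 = unexpected template version, 6 = severity outside the documented values
# Rejecting any version other than 2 is this example's choice, not a HIDS rule.
parse_su_alert() {
    [ "$#" -ge 4 ] || return 2
    code=$1 version=$2 severity=$3 utc=$4
    for field in "$code" "$version" "$severity" "$utc"; do
        is_uint "$field" || return 3
    done
    [ "$code" = 7 ] || return 4
    [ "$version" = 2 ] || return 5
    case "$severity" in
        2) target='root-or-ids' ;;   # su to user root or ids
        3) target='other-user' ;;    # su to any other user
        *) return 6 ;;
    esac
    printf 'su_success template=%s version=%s severity=%s target=%s utc=%s\n' \
        "$code" "$version" "$severity" "$target" "$utc"
}

# When the script is invoked with arguments, handle them as one alert.
if [ "$#" -gt 0 ]; then
    parse_su_alert "$@" || { echo "rejected alert, status $?" >&2; exit 1; }
fi
```

Arguments beyond argv[4] are ignored here because their definitions are not shown in this part of the table.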