Host Intrusion Detection System Administrator's Guide Release 3.0

Templates and Alerts
Login/Logout Template
Appendix A
Limitations

The template only detects logins and logouts that are logged to wtmp[s].

The template does not detect successful secure ftp (sftp) logins and logouts because the ssh daemon logs successful sftp logins and logouts using syslog(3C) instead of logging them to wtmp on 11i version 1.0 and wtmps on 11i version 2.0.

The template does not detect secure shell (ssh) logins and logouts by ssh daemons that do not log successful ssh logins and logouts to wtmp on 11i version 1.0 and wtmps on 11i version 2.0. SSH daemons should be configured with the "UsePAM" configuration value set to "no" in order to log successful ssh logins and logouts to wtmp(s).
Table A-21 Successful su Detected Alert Properties (Continued)

Response    Alert       Alert    Alert Value/Format                                                   Description
Program     Field       Field
Argument                Type
---------   ----------  -------  -------------------------------------------------------------------  ------------------------------------------------------------------------
argv[5]     <Empty>     n/a      n/a                                                                  This field is empty.
argv[6]     <Empty>     n/a      n/a                                                                  This field is empty.
argv[7]     Summary     String   "Successful su session"                                              Alert summary.
argv[8]     Details     String   "User <username_from> switched to user <username_to> on tty <tty>"   Detailed alert description.
argv[9]     Local Time  Integer  <secs>                                                               Local time in number of seconds since epoch when a successful su event occurs.
argv[10]    Flag        Integer  2                                                                    Indicates an su alert versus a login/logout alert.
argv[11]    Device      String   <tty>                                                                The tty from which a successful su attempt was made.
argv[12]    From        String   <username>                                                           The name of the user attempting to su.
argv[13]    To          String   <username>                                                           The target user of the su command.
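As an added example (not code from the HIDS guide or product), the following Python response program parses the argument vector described in Table A-21 into a structured record, checks that the free-text argv[8] details agree with the structured argv[11]-argv[13] fields, and renders a log line. It assumes the response program receives the fields at exactly the argv positions the table lists; argv[0]-argv[4] are not described on this page, so the sample vector fills them with placeholders.

```python
import re
import time

SU_FLAG = "2"  # argv[10] == 2 marks a successful su alert (Table A-21)
# Shape of the argv[8] details string documented in Table A-21.
DETAILS_RE = re.compile(
    r"^User (?P<src>\S+) switched to user (?P<dst>\S+) on tty (?P<tty>\S+)$")

def parse_su_alert(argv):
    """Return the su alert fields in argv as a dict, or None when argv[10]
    is not the su flag. Raises ValueError on malformed or contradictory fields."""
    if len(argv) < 14:
        raise ValueError("need argv[0..13], got %d arguments" % len(argv))
    if argv[10].strip() != SU_FLAG:
        return None  # login/logout alert: described by a different table
    if not argv[9].strip().isdigit():
        raise ValueError("argv[9] is not an epoch value: %r" % argv[9])
    alert = {
        "summary": argv[7],        # argv[7]: alert summary
        "details": argv[8],        # argv[8]: detailed description
        "time": int(argv[9]),      # argv[9]: local time, seconds since epoch
        "tty": argv[11],           # argv[11]: device the su was run from
        "from_user": argv[12],     # argv[12]: user running su
        "to_user": argv[13],       # argv[13]: target user of su
    }
    # Cross-check the free-text details against the structured fields so the
    # response program never acts on a user/tty pair the two disagree on.
    m = DETAILS_RE.match(alert["details"])
    if m is None:
        raise ValueError("argv[8] does not match the documented format")
    for grp, key in (("src", "from_user"), ("dst", "to_user"), ("tty", "tty")):
        if m.group(grp) != alert[key]:
            raise ValueError("argv[8] %s=%r disagrees with %s=%r"
                             % (grp, m.group(grp), key, alert[key]))
    return alert

def log_line(alert):
    """Render one log line from a parsed alert (local time, as argv[9] is)."""
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(alert["time"]))
    return "%s su %s->%s tty=%s" % (stamp, alert["from_user"],
                                    alert["to_user"], alert["tty"])

# Constructed sample vector, not a captured alert; argv[0]-argv[4] are not
# described on this page and are filled with placeholders.
SAMPLE_ARGV = ["response_prog", "", "", "", "", "", "",
               "Successful su session",
               "User jdoe switched to user root on tty pts/3",
               "1700000000", "2", "pts/3", "jdoe", "root"]
```

To use it as a real response program, pass `sys.argv` to `parse_su_alert` and write `log_line()`'s result wherever the response program logs.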