Host Intrusion Detection System Administrator's Guide Release 3.0

Repeated Failed su Commands Template
The vulnerability addressed by this template
The system su(1) command allows one user to assume the identity of another user by
entering that user’s password. An attacker can attempt to gain root privileges by
running the su command and guessing the root password.
How this template addresses the vulnerability
The template monitors for repeated failed attempts to change user IDs. It generates an
alert when a given number of failed su attempts occurs for a specified target user.
How this template is configured
This template supports the following properties:
Properties
Property: max_failed_su
The number of failed su attempts by a user (to any target user) that must be exceeded
before an alert is generated.
Property: fail_interval (in seconds)
The time interval within which the failed su attempts must occur to generate an alert.
The default settings cause an alert to be generated when more than two su failures by
a user occur within 24 hours (86400 seconds = 24 hours).
Alerts generated by this template
“Repeated Failed su Attempts” on page 176
Repeated Failed su Attempts
This template generates and forwards the following alerts to a response program when
repeated failed su attempts are detected:
Table A-24 Template Properties
Name            Type    Default Value
max_failed_su   VIII    2
fail_interval   VI      86400
Table A-25 Repeated Failed Su Attempts Alert Properties
Response Program   Alert Field     Alert Field   Alert Value/Format                         Description
Argument                           Type
argv[1]            Template code   Integer       9                                          Unique code assigned to template
argv[2]            Version         Integer       2                                          Version of the template
argv[3]            Severity        Integer       2 if one of the targets is user root       Severity
                                                 or ids; 3 otherwise.
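The following Python is an added worked example, not code from the guide or from the HIDS product: it applies the rule described above (more than max_failed_su failed su attempts by one user within fail_interval seconds) to constructed sulog-style lines and builds the argv[1] to argv[3] values from Table A-25. The sulog line format, the dummy year, and the "user"/"targets" fields beyond argv[3] are this example's own assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime
# Values from Table A-25 on this page: template code 9, version 2,
# severity 2 when a target is root or ids, 3 otherwise.
TEMPLATE_CODE, TEMPLATE_VERSION = 9, 2
PRIVILEGED_TARGETS = {"root", "ids"}

# Constructed sample in sulog style ("SU mm/dd HH:MM +|- tty from-to");
# '-' marks a failed su, '+' a successful one. Not taken from the guide.
SAMPLE_SULOG = """\
SU 03/14 09:00 - pts/1 alice-root
SU 03/14 09:01 - pts/1 alice-root
SU 03/14 09:02 + pts/1 alice-root
SU 03/14 09:05 - pts/1 alice-root
SU 03/14 10:00 - pts/2 bob-oracle
SU 03/15 10:30 - pts/2 bob-oracle
SU 03/15 10:31 - pts/2 bob-oracle
SU 03/16 11:00 - pts/3 carol-oracle
SU 03/16 11:01 - pts/3 carol-oracle
SU 03/16 11:02 - pts/3 carol-oracle
"""

def parse_sulog(text):
    """Yield (seconds, source_user, target_user, failed); sulog carries no year, so a dummy one is assumed."""
    for line in text.splitlines():
        _, date, clock, status, _tty, users = line.split()
        stamp = datetime.strptime(f"{date} {clock}", "%m/%d %H:%M")
        secs = (stamp - datetime(1900, 1, 1)).total_seconds()
        src, dst = users.split("-", 1)
        yield secs, src, dst, status == "-"

def detect_failed_su(events, max_failed_su=2, fail_interval=86400):
    """Alert when a user's failed su attempts within fail_interval seconds exceed max_failed_su."""
    windows = defaultdict(deque)          # source user -> (time, target) of recent failures
    alerts = []
    for secs, src, dst, failed in sorted(events):
        if not failed:
            continue                      # successful su attempts are not counted
        win = windows[src]
        win.append((secs, dst))
        while secs - win[0][0] > fail_interval:   # age out failures older than the interval
            win.popleft()
        if len(win) > max_failed_su:
            targets = sorted({t for _, t in win})
            severity = 2 if PRIVILEGED_TARGETS & set(targets) else 3
            # argv[1..3] follow Table A-25; "user" and "targets" are this example's additions.
            alerts.append({"argv[1]": TEMPLATE_CODE, "argv[2]": TEMPLATE_VERSION,
                           "argv[3]": severity, "user": src, "targets": targets})
            win.clear()                   # start a fresh window after alerting
    return alerts
```

With the sample above, alice's three failures against root within minutes produce a severity 2 alert, carol's three failures against oracle produce a severity 3 alert, and bob's failures never exceed two inside any 24-hour window because the first one ages out.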