Host Intrusion Detection System Administrator's Guide Release 3.1
Templates and Alerts
Login/Logout Template
Appendix A
175
Limitations

The template has the following limitations:
• The template only detects logins and logouts that are logged to wtmp:
— The template does not detect successful secure ftp (sftp) logins and logouts because the ssh daemon logs successful sftp logins and logouts using syslog(3C) instead of logging them to wtmp on 11i V1 and wtmps on 11i V2.
— The template does not detect secure shell (ssh) logins and logouts by ssh daemons that do not log successful ssh logins and logouts to wtmp on 11i V1 and wtmps on 11i V2. ssh daemons must have the UsePAM configuration value set to No in order to log successful ssh logins and logouts to wtmp.
Table A-21 Successful su Detected Alert Properties (Continued)

| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[5] | <Empty> | n/a | n/a | This field is empty |
| argv[6] | <Empty> | n/a | n/a | This field is empty |
| argv[7] | Summary | String | Successful su session | Alert summary |
| argv[8] | Details | String | User <username_from> switched to user <username_to> on tty <tty> | Detailed alert description |
| argv[9] | Local Time | Integer | <secs> | Local time in number of seconds since epoch when a successful su event occurred. |
| argv[10] | Flag | Integer | 2 | Indicates an su alert versus a login/logout alert |
| argv[11] | Device | String | <tty> | The tty from which a successful su attempt was made |
| argv[12] | From | String | <username> | The name of the user attempting to use the su command |
| argv[13] | To | String | <username> | The target user of the su command |
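The table above describes the positional arguments a response program receives for a Successful su alert. The following Bourne shell script is an added example (not part of the HIDS guide or product) of a response program that reads those fields. It assumes HIDS passes the alert properties as argv[1] through argv[13] in the order shown; argv[1] to argv[4] are not described on this page and are treated as opaque placeholders here. The privileged-account list in is_privileged_target is this example's own choice, not a HIDS setting.

```shell
#!/bin/sh
# Added example, not from the HIDS guide: interpret the Successful su alert
# fields documented in Table A-21 when they arrive as positional arguments.
# Field positions used (assumed to match the table):
#   argv[7]  Summary      argv[9]  Local Time (seconds since epoch)
#   argv[10] Flag (2 = su alert, otherwise a login/logout alert)
#   argv[11] Device (tty) argv[12] From (user running su) argv[13] To (target)
# Positional parameters beyond $9 must be written ${10}, ${11}, ... in the
# Bourne shell; "$10" would expand to "$1" followed by a literal 0.

# Print a one-line summary of the alert passed in "$@".
# Returns 0 for an su alert, 1 for any other alert, 2 on malformed input.
summarize_su_alert() {
    if [ "$#" -lt 13 ]; then
        echo "error: expected at least 13 alert arguments, got $#" >&2
        return 2
    fi
    flag=${10}
    if [ "$flag" != "2" ]; then
        # Flag distinguishes su alerts from login/logout alerts (Table A-21).
        echo "not an su alert (flag=$flag): $7"
        return 1
    fi
    printf 'su: %s -> %s on tty %s at epoch %s\n' "${12}" "${13}" "${11}" "$9"
}

# Return 0 when the su target (argv[13]) is a privileged account.
# The account list below is an assumption made for this example only.
is_privileged_target() {
    if [ "$#" -lt 13 ] || [ "${10}" != "2" ]; then
        return 1
    fi
    case "${13}" in
        root|adm) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample invocation using the argument layout from the table.
# argv[1]-argv[4] are placeholders because this page does not describe them.
summarize_su_alert "arg1" "arg2" "arg3" "arg4" "" "" \
    "Successful su session" \
    "User alice switched to user root on tty pts/3" \
    "1700000000" "2" "pts/3" "alice" "root"
```

When wired in as a response program, the script would be invoked by HIDS with the real alert arguments; running it by hand with constructed values, as at the bottom of the block, is a convenient way to confirm the field positions before relying on it.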