Host Intrusion Detection System Administrator's Guide Release 3.1
Appendix A: Templates and Alerts

Repeated Failed su Commands Template
The vulnerability addressed by this template

The system su(1) command allows one user to assume the identity of another user by
entering that user's password. An attacker can attempt to gain superuser (root)
privileges by running the su command and guessing the superuser password.
How this template addresses the vulnerability

The template monitors for repeated failed attempts to change user IDs. The template
generates an alert when a given number of failed change user ID attempts occurs for a
specified target user.
How this template is configured

Table A-24 lists the configurable properties that this template supports.

Properties

The configurable properties are described briefly below:

• Property: max_failed_su
  The number of failed su attempts by a user that must be exceeded before the
  template generates an alert.
• Property: fail_interval
  The time interval over which the failed su attempts must occur to generate an alert.

The default settings cause an alert to be generated when more than two su failures
by a user occur within 24 hours (1440 minutes = 24 hours).
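The following is an added example, not code from the HIDS product, that implements the template's detection rule over a constructed record format: a per-target sliding window that fires when more than max_failed_su failures land within fail_interval minutes. The record format, the clearing of the window after an alert, and the sample records are assumptions made for the example.

```python
import re
from collections import deque
from datetime import datetime, timedelta
# Constructed record format for this example (not the HIDS product's own log format):
# "<ISO-8601 timestamp> FAILED_SU from=<calling user> to=<target user>"
LINE_RE = re.compile(r"^(\S+) FAILED_SU from=(\S+) to=(\S+)$")

def detect_repeated_failed_su(lines, max_failed_su=2, fail_interval=1440):
    """Alert when a target user sees MORE THAN max_failed_su failed su attempts
    within a sliding window of fail_interval minutes (defaults: 2 and 1440).
    Assumption not stated on the page: the target's window is cleared after an
    alert, so a sustained guessing run yields one alert per threshold crossing."""
    window = timedelta(minutes=fail_interval)
    failures = {}      # target user -> deque of (timestamp, calling user), ascending
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # not a failed-su record (e.g. a successful su); ignore it
        ts, src, target = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        q = failures.setdefault(target, deque())
        q.append((ts, src))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        if len(q) > max_failed_su:
            alerts.append({
                "template_code": 9,          # argv[1] in Table A-25
                "version": 2,                # argv[2] in Table A-25
                "target": target,
                "failures": len(q),
                "sources": sorted({s for _, s in q}),
                "last_failure": ts.isoformat(),
            })
            q.clear()
    return alerts

# Constructed sample records: three failures against root inside 24 hours (alert),
# two against oracle more than 24 hours apart (no alert), one successful su (ignored).
SAMPLE_LOG = [
    "2024-03-14T09:15:00 FAILED_SU from=alice to=root",
    "2024-03-14T09:16:10 FAILED_SU from=alice to=root",
    "2024-03-14T09:17:00 SUCCESS_SU from=alice to=root",
    "2024-03-14T22:40:00 FAILED_SU from=bob to=root",
    "2024-03-15T08:00:00 FAILED_SU from=carol to=oracle",
    "2024-03-16T10:00:00 FAILED_SU from=carol to=oracle",
]
if __name__ == "__main__":
    for alert in detect_repeated_failed_su(SAMPLE_LOG):
        print(alert)
```

Raising max_failed_su or shortening fail_interval changes only the threshold, so the same records can be replayed to see which settings still catch the root guessing run.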
Alerts generated by this template

See "Repeated Failed su Attempts" on page 180 for more information about the alerts
generated by this template.
Repeated Failed su Attempts
Table A-25 lists the alert that this template generates and forwards to a response
program when repeated failed su attempts are detected.
Table A-24 Repeated Failed su Commands Template Properties

    Name            Type    Default Value
    max_failed_su   VIII    2
    fail_interval   VI      1440 minutes
Table A-25 Repeated Failed Su Attempts Alert Properties

    Response Program Argument   Alert Field     Alert Field Type   Alert Value/Format   Description
    argv[1]                     Template code   Integer            9                    Unique code assigned to template
    argv[2]                     Version         Integer            2                    Version of the template