Host Intrusion Detection System Administrator's Guide Release 3.1
Templates and Alerts
Repeated Failed su Commands Template
Appendix A
Limitations: None

Table A-25 Repeated Failed Su Attempts Alert Properties (Continued)

Response  Alert        Alert    Alert Value/Format                            Description
Program   Field        Field
Argument               Type
--------  -----------  -------  --------------------------------------------  -------------------------------
argv[3]   Severity     Integer  2 if one of the targets is user root or IDs;  Alert severity
                                3 otherwise
argv[4]   UTC Time     Integer  <secs>                                        UTC time in number of seconds
                                                                              since epoch when more than
                                                                              <max_failed_su> failed su
                                                                              attempts were detected for a
                                                                              particular user
argv[5]   <empty>      n/a      n/a                                           This field is empty
argv[6]   <empty>      n/a      n/a                                           This field is empty
argv[7]   Summary      String   Failed su attempts                            Alert summary
argv[8]   Details      String   User <username> had more than                 Detailed alert description
                                <max_failed_su> failed su attempts in the
                                past <value> days. Targets was [username]
argv[9]   Local Time   Integer  <secs>                                        Local time in number of seconds
                                                                              since epoch when more than
                                                                              <max_failed_su> failed su
                                                                              attempts were detected for a
                                                                              particular user
argv[10]  Flag         Integer  2                                             Indicates a failed su alert
                                                                              (as opposed to a failed login
                                                                              alert)
argv[11]  Device       String   <tty>                                         The tty from which a failed su
                                                                              attempt was made
argv[12]  From         String   <username>                                    The name of the user
                                                                              attempting to su
argv[13]  To           String   <username>                                    The target user of the last
                                                                              failed su attempt

The Details string (argv[8]) has the general form:

User <username> had more than <max_failed_su> failed su attempts in the past <number> [second | minute | hour | day | week]. Targets were [ <username> <username> .... ]
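The following response program is an added example and is not part of the guide or of the product; it consumes only the argv positions documented in Table A-25. The log file path, the escalation command, and the sample argument values are assumed for illustration; argv[1] and argv[2] are not described on this page and are not interpreted.

```shell
#!/bin/sh
# Added example (not from the guide): a response program for the Repeated
# Failed su Commands template, driven by the argv positions in Table A-25.
# argv[1] and argv[2] are not described on this page and are left alone.

ESCALATE_CMD=${ESCALATE_CMD:-"logger -p auth.crit"}    # assumed: site notifier
ALERT_LOG=${ALERT_LOG:-/var/tmp/failed_su_alerts.log}   # assumed log path

# Classify one alert from the positional arguments the agent passes.
# Prints "ACTION from=<user> to=<user> tty=<tty> severity=<n> utc=<secs>"
# and returns 0 when handled, 2 when argv[10] says this is not a failed-su
# alert, and 1 when the argument list is malformed.
failed_su_response() {
    if [ "$#" -lt 13 ]; then
        echo "failed_su_response: expected 13 arguments, got $#" >&2
        return 1
    fi
    severity=$3           # argv[3]:  2 if a target was root (or IDs), else 3
    utc_secs=$4           # argv[4]:  UTC seconds since epoch
    flag=${10}            # argv[10]: 2 marks a failed su alert
    tty=${11}             # argv[11]: tty of the failed su attempt
    from_user=${12}       # argv[12]: user who ran su
    to_user=${13}         # argv[13]: target of the last failed attempt

    # Table A-25: argv[10] distinguishes failed-su from failed-login alerts.
    # Refuse anything else so a mis-wired template cannot trigger escalation.
    if [ "$flag" != 2 ]; then
        return 2
    fi

    # argv[3] must be a bare integer before it is compared numerically.
    case "$severity" in
        *[!0-9]*|"") echo "failed_su_response: bad severity '$severity'" >&2
                     return 1 ;;
    esac

    # Severity 2 means a privileged target (root) was among the targets.
    if [ "$severity" -le 2 ]; then
        action=ESCALATE
    else
        action=LOG
    fi
    printf '%s from=%s to=%s tty=%s severity=%s utc=%s\n' \
        "$action" "$from_user" "$to_user" "$tty" "$severity" "$utc_secs"
    return 0
}

# When the agent runs this script it passes argv[1]..argv[13]; when the file
# is sourced or run with no arguments only the function above is defined.
if [ "$#" -ge 13 ]; then
    if result=$(failed_su_response "$@"); then
        echo "$result" >> "$ALERT_LOG"
        case "$result" in
            # argv[8] (Details) carries the human-readable alert text.
            ESCALATE*) $ESCALATE_CMD "failed su: $8" ;;
        esac
    fi
fi
```

Note that positions above 9 must be written as `${10}`, `${11}` and so on; a bare `$10` is read by the shell as `$1` followed by the character `0`, which would silently turn argv[1] into the flag, device, from and to values.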