HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide
Table A-21 Successful su Detected Alert Properties (continued)
DescriptionAlert Value/FormatAlert Field
Type
Alert FieldResponse
Program
Argument
The target user of the
su command
<username>
StringTargetargv[6]
Alert summarySuccessful su sessionStringSummaryargv[7]
Detailed alert
description
User <username_from>
switched to user
<username_to> on tty <tty>
StringDetailsargv[8]
The event that
triggered the alert.
Switch-user (su)StringEventargv[9]
Indicates an su alert
versus a login/logout
alert
2IntegerFlagargv[10]
The tty from which a
successful su attempt
was made
<tty>
StringDeviceargv[11]
The name of the user
attempting to use the
su command
<username>
StringFromargv[12]
The target user of the
su command
<username>
StringToargv[13]
Limitations
The Login/Logout template has the following limitations:
• The template only detects logins and logouts that are logged to wtmp:
— The template does not detect successful secure ftp (sftp) logins and logouts
because the ssh daemon logs successful sftp logins and logouts using
syslog(3C) instead of logging them to wtmp on HP–UX 11i v1 and wtmps on
HP–UX 11i v2 and HP-UX 11i v3.
— The template does not detect secure shell (ssh) logins and logouts by ssh
daemons that do not log successful ssh logins and logouts to wtmp on HP–UX
11i v1 and wtmps on HP–UX 11i v2 and HP-UX 11i v3. To enable Secure Shell
to log failed logins and logouts to wtmp(s) or btmp(s), you must set the
permissions of the wtmp(s) or btmp(s) file to 600.
• Because the login name (ut_user in a utmp structure) is not available for a logout
event, the template retrieves the login name from the wtmp log. If the log has been
cleared, the template creates a logout alert that does not contain the user name,
only the device on which the logout occurred.
184 Templates and Alerts