HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

and logouts to wtmp(s) or btmp(s), you must set the permissions of the
wtmp(s) or btmp(s) file to 600.
On HP-UX 11i v1, failed ftp logins are only detected when WU-FTPD 2.6.1
(available from http://software.hp.com) is installed. Earlier versions of ftp on
HP-UX 11i v1 do not log failed attempts to btmp.
Repeated Failed su Commands Template
The vulnerability addressed by this template
The system su(1) command allows one user to assume the identity of another user by
entering that user's password. An attacker can attempt to gain superuser (root) privileges
by running the su command and guessing the superuser password.
How this template addresses the vulnerability
The template monitors for repeated failed attempts to change user IDs. The template
generates an alert when a given number of failed change user ID attempts occurs for
a specified target user.
How this template is configured
Table A-24 lists the configurable properties that this template supports.
Table A-24 Repeated Failed su Commands Template Properties

Name            Type   Default Value   Description
max_failed_su   VIII   2               The number of failed su attempts a user must
                                       exceed before the template generates an alert.
fail_interval   VI     1440 minutes    The time interval over which the failed su
                                       attempts must occur to generate an alert. The
                                       default settings cause an alert to be generated
                                       when more than two su failures by a user occur
                                       within 24 hours (1440 minutes = 24 hours).
priv_user_list  III    root ids        A high severity alert is generated when a user
                                       fails to switch to a user with a user ID or user
                                       name in this list.
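The detection described under "How this template addresses the vulnerability", worked through with the three properties in Table A-24, as an added example; this is not HP-UX HIDS code. It assumes the record layout HP-UX writes to /var/adm/sulog ("SU MM/DD hh:mm +|- tty from-to", where "-" marks a failed su), a fixed year because sulog records carry none, that failures are counted per (calling user, target user) pair, and a "medium" severity for targets outside priv_user_list, which the page does not specify. The log lines are constructed, not captured from a system.

```python
"""Sliding-window detector for repeated failed su attempts.

Added example, not HP-UX HIDS code. It consumes lines in the layout that
HP-UX writes to /var/adm/sulog ("SU MM/DD hh:mm +|- tty from-to", where
'-' marks a failed su) and models the three template properties:
max_failed_su, fail_interval (minutes) and priv_user_list. sulog carries
no year, so a fixed year is assumed; failures are tracked per
(calling user, target user) pair, which is an assumption of this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed sulog layout; the calling user is taken up to the first '-'.
SULOG_RE = re.compile(
    r"^SU (?P<mon>\d\d)/(?P<day>\d\d) (?P<hour>\d\d):(?P<min>\d\d) "
    r"(?P<result>[+-]) (?P<tty>\S+) (?P<src>\S+?)-(?P<dst>\S+)$"
)

# Constructed sample log (not captured from a real system).
SAMPLE_LOG = """\
SU 03/04 09:00 - pts/1 bob-root
SU 03/04 09:01 - pts/1 bob-root
SU 03/04 09:02 + pts/1 alice-oracle
SU 03/04 09:03 - pts/1 bob-root
SU 03/05 10:00 - pts/2 carol-oracle
SU 03/06 11:00 - pts/2 carol-oracle
SU 03/06 11:30 - pts/2 carol-oracle
SU 03/06 12:00 - pts/2 carol-oracle
this line is not a sulog record
"""


class SuFailureDetector:
    """Raises an alert when a user exceeds max_failed_su failures against
    one target within fail_interval minutes (template defaults shown)."""

    def __init__(self, max_failed_su=2, fail_interval=1440,
                 priv_user_list=("root",), year=2024):
        self.max_failed_su = max_failed_su
        self.window = timedelta(minutes=fail_interval)
        self.priv = set(priv_user_list)
        self.year = year
        self.failures = defaultdict(deque)  # (src, dst) -> failure times in window
        self.alerts = []

    def feed(self, line):
        """Process one line; return an alert dict or None."""
        m = SULOG_RE.match(line.strip())
        if not m or m["result"] != "-":
            return None  # unparseable or successful su: not counted
        ts = datetime(self.year, int(m["mon"]), int(m["day"]),
                      int(m["hour"]), int(m["min"]))
        key = (m["src"], m["dst"])
        recent = self.failures[key]
        # Drop failures older than the interval, then record this one.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        recent.append(ts)
        if len(recent) <= self.max_failed_su:
            return None
        alert = {
            "alert": "Repeated Failed su Attempts",
            "user": m["src"],
            "target": m["dst"],
            "count": len(recent),
            "tty": m["tty"],
            "time": ts,
            # The page specifies only the high case; "medium" for other
            # targets is this example's assumption.
            "severity": "high" if m["dst"] in self.priv else "medium",
        }
        self.alerts.append(alert)
        recent.clear()  # start a fresh count so one burst yields one alert
        return alert


def run_detector(log_text, **config):
    """Feed every line of log_text; return the list of alerts raised."""
    det = SuFailureDetector(**config)
    for line in log_text.splitlines():
        if line:
            det.feed(line)
    return det.alerts


if __name__ == "__main__":
    for a in run_detector(SAMPLE_LOG):
        print(f'{a["time"]:%m/%d %H:%M} {a["severity"]:6} '
              f'{a["user"]} -> {a["target"]} ({a["count"]} failures)')
```

With the defaults, bob's third failure against root within three minutes raises a high alert, and carol's failures against oracle raise a medium one only once three of them fall inside a 24-hour window (the 03/05 attempt ages out before the 03/06 burst). Lowering fail_interval to 30 minutes suppresses carol's alert, and raising max_failed_su to 3 suppresses both; the count is cleared after each alert so one burst does not re-alert on every further failure.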
Alerts generated by this template
Repeated Failed su Attempts
Table A-25 lists the alert properties the Repeated Failed su Commands template generates
and forwards to a response program when repeated failed su attempts are detected.
188 Templates and Alerts