HP-UX Host Intrusion Detection System Version 4.1 Administrator's Guide

Table A-25 Repeated Failed Su Attempts Alert Properties
| Response Program Argument | Alert Field | Alert Field Type | Alert Value/Format | Description |
|---|---|---|---|---|
| argv[1] | Template code | Integer | 9 | Unique code assigned to template |
| argv[2] | Version | Integer | 3 | Template version |
| argv[3] | Severity | Integer | 2 for users listed in the priv_user_list property. 3 for all other users. | Alert severity |
| argv[4] | UTC time | Integer | <secs> | UTC time in number of seconds since the epoch when more than <max_failed_su> number of failed su attempts were detected for a particular user |
| argv[5] | Attacker | String | <username> | The name of the user attempting to su. |
| argv[6] | Target | String | <username> | The target user of the last failed su attempt |
| argv[7] | Summary | String | Failed su attempts | Alert summary |
| argv[8] | Details | String | User <username> had more than <max_failed_su> failed su attempts in the past <number> [second \| minute \| hour \| day \| week]. Targets were [ <username> <username> .... ] | Detailed alert description |
| argv[9] | Event | String | Failed switch-user (su) | The event that triggered the alert. |
| argv[10] | Flag | Integer | 2 | Indicates a failed su alert versus a failed login alert |
| argv[11] | Device | String | <tty> | The tty from which a failed su attempt was made |
| argv[12] | From | String | <username> | The name of the user attempting to su |
| argv[13] | To | String | <username> | The target user of the last failed su attempt |
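The argument layout in Table A-25, shown as an added example that is not from the HP guide: a POSIX sh response script that checks the template code and flag, then strips control characters and quotes from the user-influenced strings before emitting one log line. The function names, the key=value output format and the sample values are assumptions of this example.

```shell
#!/bin/sh
# Added example, not HP code: turn the argv[1]..argv[13] values of Table A-25
# into one key=value log line. Function names and output format are assumptions.

# clean STRING: drop control characters and double quotes, so user-influenced
# fields (usernames, tty, details) cannot forge extra lines or fields.
clean() {
    printf '%s' "$1" | tr -d '\000-\037\177"'
}

# is_uint VALUE: succeed only for a non-empty string of digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# format_su_alert ARG...: print the log line; non-zero status if the arguments
# are not a template 9 alert with the failed-su flag.
format_su_alert() {
    [ "$#" -ge 13 ] || return 2
    [ "$1" = 9 ] || return 3              # argv[1]: template code
    [ "${10}" = 2 ] || return 3           # argv[10]: 2 marks a failed su alert
    is_uint "$3" && is_uint "$4" || return 4
    case "$3" in                          # argv[3]: severity
        2) tier=privileged ;;             # user is listed in priv_user_list
        3) tier=other ;;
        *) tier=unknown ;;
    esac
    printf 'template=9 version=%s severity=%s tier=%s utc=%s ' \
        "$(clean "$2")" "$3" "$tier" "$4"
    printf 'attacker="%s" target="%s" tty="%s" details="%s"\n' \
        "$(clean "$5")" "$(clean "$6")" "$(clean "${11}")" "$(clean "$8")"
}

# sample_alert: constructed values, laid out as the table describes.
sample_alert() {
    format_su_alert 9 3 2 1200000000 alice root 'Failed su attempts' \
        'User alice had more than 2 failed su attempts in the past 1 minute. Targets were [ root ]' \
        'Failed switch-user (su)' 2 pts/1 alice root
}

# Run as a response program: the alert arrives as the script's arguments.
[ "$#" -eq 0 ] || format_su_alert "$@"
```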
Limitations
The Repeated Failed su Commands Template has no limitations.