HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
Table 33 Login/Logout Alert Properties (continued)

| Description | Alert Value/Format | Alert Field Type | Alert Field | Response Program Argument |
|---|---|---|---|---|
| Detailed alert description | User <username> logged-in on <pty> (REMOTE: <fully qualified host name> <IP address>) or User <username> logged-out from a session on <pty> | String | Details | argv[8] |
| The event that triggered the alert | Login or Logout | String | Event | argv[9] |
| Indicates a login/logout alert versus an su alert | 1 | Integer | Flag | argv[10] |
| Name of user that logged in or logged out | <username> | String | User | argv[11] |
| Name of pty device associated with login session | <pty device name> | String | Device | argv[12] |
| Name of remote host from which login was initiated | <remote hostname> | String | Hostname | argv[13] |
| IP address of remote host from which login was initiated | <A.B.C.D> for IPv4 addresses; <A:B:C:D:...> for IPv6 addresses | String | IP Address | argv[14] |
Successful su Detected
Table A-24 lists the alert properties this template generates and forwards to a response program
when a successful switch user (su) command is executed.
Table 34 Successful su Detected Alert Properties

| Description | Alert Value/Format | Alert Field Type | Alert Field | Response Program Argument |
|---|---|---|---|---|
| Unique code assigned to template | 7 | Integer | Template code | argv[1] |
| Template version | <version> | Integer | Version | argv[2] |
| Alert severity | 2 for users listed in priv_user_list property; 3 for all other users | Integer | Severity | argv[3] |
| UTC time in number of seconds since the epoch when a successful su event occurred | <secs> | Integer | UTC Time | argv[4] |
| Name of the user who is attempting to use the su command | <username> | String | Attacker | argv[5] |
| The target user of the su command | <username> | String | Target | argv[6] |
| Alert summary | Successful su session | String | Summary | argv[7] |
| Detailed alert description | User <username_from> switched to user <username_to> on tty <tty> | String | Details | argv[8] |
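The argument layouts in Tables 33 and 34 are what a response program receives on its command line. The POSIX sh function below is an added example, not HP's code: it normalizes either a successful-su alert or a login/logout alert into one log line and flags su events whose severity marks the target as a priv_user_list user. It assumes the login/logout template shares the argv[1]..argv[4] prefix shown in Table 34 (template code, version, severity, UTC time), which this page does not show, and that its template code is not 7.

```shell
#!/bin/sh
# Hypothetical HIDS response program (added example, not HP's own code).
# The IDS agent invokes it with the positional arguments from Tables 33 and 34.
# summarize_alert <argv[1]> ... <argv[N]>  -> one normalized line on stdout
summarize_alert() {
    # Assumption: argv[1]=template code, argv[3]=severity, argv[4]=UTC seconds
    # for both templates (Table 34 shows this layout; Table 33 is shown from argv[8]).
    tmpl="$1"; sev="$3"; when="$4"
    if [ "$tmpl" = "7" ]; then
        # Table 34: successful su. Severity 2 means the target user is in priv_user_list.
        case "$sev" in
            2) cls="su-privileged" ;;
            *) cls="su" ;;
        esac
        echo "$cls utc=$when from=$5 to=$6 severity=$sev details=\"$8\""
    elif [ "${10}" = "1" ]; then
        # Table 33: Flag (argv[10]) is 1 for login/logout; Event (argv[9]) is Login or Logout.
        ev=$(echo "$9" | tr 'A-Z' 'a-z')
        # argv[14] is dotted (IPv4) or colon-separated (IPv6); classify for downstream filters.
        case "${14}" in
            *:*) fam="ipv6" ;;
            ?*)  fam="ipv4" ;;
            *)   fam="none" ;;
        esac
        echo "$ev utc=$when user=${11} dev=${12} host=${13} ip=${14} ipfam=$fam severity=$sev"
    else
        echo "unknown template=$tmpl utc=$when" >&2
        return 1
    fi
}
```

Constructed sample invocation: `summarize_alert 7 1 2 1300000000 alice root "Successful su session" "User alice switched to user root on tty pts/3"` prints the su line with class su-privileged.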
142 Templates and Alerts