HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)

Limitations
The Repeated Failed Logins template has the following limitations:
• The template detects only failed logins that are logged to btmp.
• The template does not detect failed secure ftp (sftp) logins, because on HP-UX 11i v2 and HP-UX 11i v3 the ssh daemon logs failed sftp logins through syslog(3C) instead of writing them to btmp(s).
• The template does not detect failed secure shell (ssh) logins from ssh daemons that do not log failed ssh logins to btmp(s) on HP-UX 11i v2 and HP-UX 11i v3. To make Secure Shell log failed logins and logouts to wtmp(s) or btmp(s), set the permissions of the wtmp(s) or btmp(s) file to 600.
Repeated Failed su Commands Template
The vulnerability addressed by this template
The system su(1) command allows one user to assume the identity of another user by entering that user's password. An attacker can attempt to gain superuser (root) privileges by running the su command repeatedly and guessing the superuser password.
How this template addresses the vulnerability
The template monitors for repeated failed attempts to change user IDs. It generates an alert when more than a configured number of failed change-user-ID attempts against a given target user occur within a configured time interval.
How this template is configured
Table A-27 lists the configurable properties that this template supports.
Table 37 Repeated Failed su Commands Template Properties

Name           | Type | Default Value | Description
---------------|------|---------------|------------
max_failed_su  | VIII | 2             | The number of failed su attempts that a user must exceed before an alert is generated.
fail_interval  | VI   | 1440 minutes  | The time interval over which the failed su attempts must occur to generate an alert. With the default settings, an alert is generated when more than two su failures by a user occur within 24 hours (1440 minutes).
priv_user_list | III  | root ids      | A high severity alert is generated when a user fails to switch to a user whose user ID or user name is in this list.
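The following is an added example, not code from the HP-UX HIDS product or this guide. It shows the threshold logic the three properties above describe (max_failed_su, fail_interval, priv_user_list) applied to su(1) audit lines. The input format is assumed to be the one su writes to /var/adm/sulog on HP-UX ("SU mm/dd hh:mm - tty from-to", with "-" for a failed and "+" for a successful switch); the sample lines, the user names and the "normal" severity used for targets outside priv_user_list are all constructed assumptions of this example, not values from the guide.

```python
"""Sliding-window detector for repeated failed su attempts.

Added example, not HP-UX HIDS code. It mimics the three properties of the
Repeated Failed su Commands template (max_failed_su, fail_interval,
priv_user_list) over lines in the /var/adm/sulog format that su(1) writes
on HP-UX, assumed here to be:

    SU mm/dd hh:mm <+|-> tty from-to     ('-' = failed, '+' = succeeded)
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed sulog layout (see module docstring). sulog carries no year, so the
# caller supplies one. The source user name is taken up to the first hyphen.
SULOG_RE = re.compile(r"^SU (\d\d/\d\d) (\d\d:\d\d) ([+-]) (\S+) ([^\s-]+)-(\S+)$")

# Constructed sample log; these lines are not from a real system.
SAMPLE_SULOG = """\
SU 04/11 09:00 + pts/0 joe-root
SU 04/11 09:05 - pts/1 mallory-root
SU 04/11 09:07 - pts/1 mallory-root
SU 04/11 09:09 - pts/1 mallory-root
SU 04/11 10:00 - pts/2 bob-oracle
SU 04/12 08:00 - pts/3 carol-oracle
SU 04/12 08:01 - pts/3 carol-oracle
SU 04/12 08:02 - pts/3 carol-oracle
SU 04/13 10:00 - pts/2 bob-oracle
SU 04/13 10:30 - pts/2 bob-oracle
"""


def parse_sulog_line(line, year=2011):
    """Parse one sulog line into a dict, or return None for lines that do not match."""
    m = SULOG_RE.match(line.strip())
    if not m:
        return None
    date, clock, result, tty, src, dst = m.groups()
    ts = datetime.strptime(f"{year}/{date} {clock}", "%Y/%m/%d %H:%M")
    return {"ts": ts, "failed": result == "-", "tty": tty, "src": src, "dst": dst}


def detect_repeated_failed_su(lines, max_failed_su=2, fail_interval=1440,
                              priv_user_list=("root", "ids"), year=2011):
    """Return one alert per burst of more than max_failed_su failed su attempts
    by the same source user against the same target user within fail_interval
    minutes. Defaults mirror the template's defaults (2, 1440 minutes, root ids)."""
    window = timedelta(minutes=fail_interval)
    recent = defaultdict(deque)          # (src, dst) -> failure timestamps still inside the window
    alerts = []
    for line in lines:
        ev = parse_sulog_line(line, year)
        if ev is None or not ev["failed"]:
            continue                     # successes and unparsable lines are not counted
        q = recent[(ev["src"], ev["dst"])]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop failures that have aged out of the interval
            q.popleft()
        if len(q) > max_failed_su:
            alerts.append({
                "src": ev["src"],
                "target": ev["dst"],
                "count": len(q),
                "first": q[0],
                "last": q[-1],
                # The guide only specifies "high" for targets in priv_user_list;
                # "normal" for other targets is an assumption of this example.
                "severity": "high" if ev["dst"] in priv_user_list else "normal",
            })
            q.clear()                    # start a fresh burst so one attack does not alert on every line
    return alerts


if __name__ == "__main__":
    for a in detect_repeated_failed_su(SAMPLE_SULOG.splitlines()):
        print(f'{a["severity"]:6} {a["src"]} -> {a["target"]}: {a["count"]} failures '
              f'between {a["first"]:%m/%d %H:%M} and {a["last"]:%m/%d %H:%M}')
```

With the defaults, mallory's three failures against root within four minutes raise a high severity alert, carol's three failures against oracle raise a normal one, and bob's failures do not alert because only two of them fall inside any 1440-minute window. Counting per (source, target) pair rather than per source is a design choice of this example; the guide's wording ("failures by a user" against "a specified target user") supports either reading.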
Alerts generated by this template
NOTE: Configuring the Repeated Failed su Commands template is not supported inside HP-UX Containers; it can be configured only for the global (init) container.
Repeated Failed su Attempts
Table A-28 lists the properties of the Repeated Failed su Attempts alert that the Repeated Failed su Commands template generates and forwards to a response program when repeated failed su attempts are detected.