Manualshelf

HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

ManualsBrandsHP ManualsSoftwareHP-UX Host Intrusion Detection System Software
141142143144145146147148149150
Table 36 Failed Login Attempts Alert Properties (continued)
DescriptionAlert Value/FormatAlert Field
Type
Alert FieldResponse Program
Argument
detected for a particular
target login account
Name or IP address of the
host from which the user
logged in or out.
<fully qualified host name>
<IP Address>
StringAttackerargv[5]
Name of the user who
logged in or out.
<username>StringTargetargv[6]
Alert summaryFailed login attemptsStringSummaryargv[7]
Detailed alert descriptionMore than <max_failed_login>
failed logins by user <username>
StringDetailsargv[8]
(REMOTE: <fully qualified host
name> <IP address>)
The event that triggered the
alert.
Failed loginStringEventargv[9]
Indicates a failed login alert
versus a failed su alert
1IntegerFlagargv[10]
Target login name that a
user was attempting to log
in as
<username>StringUserargv[11]
Name of pty device
associated with failed login
attempt
<pty device name>StringDeviceargv[12]
Name of remote host from
which login was attempted
<remote hostname>StringHostnameargv[13]
IP address of remote host
from which login was
attempted
<A.B.C.D> for IPv4 addresses
A:B:C:D:... for IPv6 addresses
StringIP Addressargv[14]
Limitations
The Repeated Failed Logins template has the following limitations:
The template only detects failed logins that are logged to btmp.
The template does not detect failed secure ftp (sftp) logins because the ssh daemon logs
failed sftp logins using syslog( 3C) instead of logging them to btmps on HP–UX 11i v2
and HP-UX 11i v3.
The template does not detect failed secure shell (ssh) logins by ssh daemons that do not
log failed ssh logins to btmp(s) on HP–UX 11i v2 and HP-UX 11i v3. To enable Secure
Shell to log failed logins and logouts to wtmp(s) or btmp(s), you must set the
permissions of the wtmp(s) or btmp(s) file to 600.
Repeated Failed su Commands Template
The vulnerability addressed by this template
The system su(1) command allows one user to assume the identity of another user by entering that
user’s password. An attacker can attempt to gain superuser (root) privileges by running the su
command and guessing the superuser password.
Repeated Failed su Commands Template 143