HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)
How this template addresses the vulnerability
The template monitors for repeated failed attempts to change user IDs with the su command. It generates an alert when a configured number of failed su attempts occurs for a specified target user.
How this template is configured
Table A-27 lists the configurable properties that this template supports.
Table 37 Repeated Failed su Commands Template Properties

Name:          max_failed_su
Type:          VIII
Default Value: 2
Description:   The number of failed su attempts by a user that must be exceeded before an alert is generated.

Name:          fail_interval
Type:          VI
Default Value: 1440 minutes
Description:   The time interval over which the failed su attempts must occur to generate an alert. The default settings cause an alert to be generated when more than two su failures by a user occur within 24 hours (1440 minutes = 24 hours).

Name:          priv_user_list
Type:          III
Default Value: root ids
Description:   A high severity alert is generated when a user fails to switch to a user with a user ID or user name in this list.
Alerts generated by this template
NOTE: Configuring the Repeated Failed su Commands template is not supported for HP-UX Containers, but it can be configured for the Global (init) Container.
Repeated Failed su Attempts
Table A-28 lists the alert properties the Repeated Failed su Attempts template generates and
forwards to a response program when repeated failed su attempts are detected.
Table 38 Repeated Failed su Attempts Alert Properties

Response Program Argument: argv[1]
Alert Field:               Template code
Alert Field Type:          Integer
Alert Value/Format:        9
Description:               Unique code assigned to the template

Response Program Argument: argv[2]
Alert Field:               Version
Alert Field Type:          Integer
Alert Value/Format:        <version>
Description:               Template version

Response Program Argument: argv[3]
Alert Field:               Severity
Alert Field Type:          Integer
Alert Value/Format:        2 for users listed in the priv_user_list property; 3 for all other users
Description:               Alert severity

Response Program Argument: argv[4]
Alert Field:               UTC time
Alert Field Type:          Integer
Alert Value/Format:        <secs>
Description:               UTC time in number of seconds since the epoch when more than <max_failed_su> failed su attempts were detected for a particular user

Response Program Argument: argv[5]
Alert Field:               Attacker
Alert Field Type:          String
Alert Value/Format:        <username>
Description:               The name of the user attempting to su

Response Program Argument: argv[6]
Alert Field:               Target
Alert Field Type:          String
Alert Value/Format:        <username>
Description:               The target user of the last failed su attempt

Response Program Argument: argv[7]
Alert Field:               Summary
Alert Field Type:          String
Alert Value/Format:        Failed su attempts
Description:               Alert summary
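The following is an added example of a minimal response program that consumes the seven positional arguments laid out in Table 38; it is not code from the HP-UX HIDS guide or from HP. The argument positions and the severity values 2 and 3 come from the table above; the log file path, the escalation message and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the HP-UX HIDS guide): a response program for
# template code 9, Repeated Failed su Attempts. HIDS invokes the response
# program with the alert fields as argv[1]..argv[7] as listed in Table 38.

# Map the numeric severity in argv[3] to a label. Severity 2 means the
# target user is in priv_user_list; 3 is any other target user.
severity_label() {
  case "$1" in
    2) echo "HIGH (target in priv_user_list)" ;;
    3) echo "MEDIUM" ;;
    *) echo "UNKNOWN($1)" ;;
  esac
}

# Build one log line from the seven alert fields.
# $1 template code, $2 version, $3 severity, $4 UTC seconds since the epoch,
# $5 attacker (user running su), $6 target user, $7 summary.
format_su_alert() {
  # Refuse alerts from other templates: their argument layout differs.
  if [ "$1" != "9" ]; then
    echo "unexpected template code $1" >&2
    return 1
  fi
  printf 'hids template=%s version=%s severity=%s utc=%s attacker=%s target=%s summary="%s"\n' \
    "$1" "$2" "$(severity_label "$3")" "$4" "$5" "$6" "$7"
}

# Severity 2 (privileged target from priv_user_list) warrants escalation.
needs_escalation() {
  [ "$1" = "2" ]
}

# Stand-alone run: forward the fields HIDS passes on the command line.
if [ "$#" -eq 7 ]; then
  # Log destination is an assumption for this example.
  format_su_alert "$@" | tee -a /var/tmp/hids_su_alerts.log
  if needs_escalation "$3"; then
    # Placeholder escalation hook; a real deployment would page or ticket here.
    echo "ESCALATE: repeated failed su to $6 by $5" >&2
  fi
fi
```

The script only acts when exactly seven arguments are present, so sourcing it for testing or running it by hand without arguments does nothing; the template code check guards against the same program being wired to a template whose argument order differs.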
144 Templates and Alerts