prelude-lml-rules 4.1.0-1 / etc / prelude-lml / ruleset / su.rules

This file is indexed.

/etc/prelude-lml/ruleset/su.rules is in prelude-lml-rules 4.1.0-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
#FULLNAME: su
#VERSION: 1.0
#DESCRIPTION: The Unix command su is used by a computer user to execute a command with the privileges of another user account.

#####
#
# Copyright (C) 2016-2017 CS-SI <support.prelude@c-s.fr>
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Logon process to root on
#CATEGORY:Authentication
regex=to root on; \
 id=10003; \
 assessment.impact.type=admin; \
 target(0).user.user_id(0).number=0; \
 chained; silent

#DESCRIPTION:Logon process to root on
#CATEGORY:Authentication
#LOG:Jul 18 17:12:49 hids su: afonyashin to root on /dev/ttyp0
#LOG:Jul 18 17:12:49 hids su: afonyashin to alice on /dev/ttyp0
optgoto=10003; regex=su: (\S+) to (\S+) on (\S+); \
 classification.text=Credentials Change; \
 id=10000; \
 revision=1; \
 analyzer(0).name=su; \
 analyzer(0).manufacturer=GNU; \
 analyzer(0).class=Authentication; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.severity=low; \
 assessment.impact.description=User $1 authenticated to $2 successfully; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 source(0).user.user_id(0).tty=$3; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$2; \
 last

#DESCRIPTION:Login failed
#CATEGORY:Authentication
#LOG:Jul 18 17:12:44 hids su: BAD SU afonyashin to root on /dev/ttyp0
#LOG:Jul 18 17:12:44 hids su: BAD SU afonyashin to alice on /dev/ttyp0
regex=su: BAD SU (\S+) to (\S+) on (\S+); \
 classification.text=Credentials Change; \
 optgoto=10003; \
 id=10002; \
 revision=1; \
 analyzer(0).name=su; \
 analyzer(0).manufacturer=GNU; \
 analyzer(0).class=Authentication; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.severity=high; \
 assessment.impact.description=User $1 tried to authenticate as $2 and failed; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 source(0).user.user_id(0).tty=$3; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$2; \
 last

APT Browse - Built by Thomas Orozco.