################### # Logging succeed # ################### regex=to root on; \ id=10003; \ assessment.impact.type=admin; \ target(0).user.user_id(0).number=0; \ chained; silent; #LOG: Jul 18 17:12:49 hids su: afonyashin to root on /dev/ttyp0 #LOG: Jul 18 17:12:49 hids su: afonyashin to alice on /dev/ttyp0 optgoto=10003; regex=su: (\S+) to (\S+) on (\S+); \ classification.text=Credentials Change; \ id=10000; \ revision=1; \ analyzer(0).name=su; \ analyzer(0).class=Authentication; \ assessment.impact.completion=succeeded; \ assessment.impact.type=user; \ assessment.impact.severity=low; \ assessment.impact.description=User $1 authenticated to $2 successfully; \ source(0).user.category=os-device; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).name=$1; \ source(0).user.user_id(0).tty=$3; \ target(0).user.category=os-device; \ target(0).user.user_id(0).type=target-user; \ target(0).user.user_id(0).name=$2; \ last; ################ # Login failed # ################ #LOG: Jul 18 17:12:44 hids su: BAD SU afonyashin to root on /dev/ttyp0 #LOG: Jul 18 17:12:44 hids su: BAD SU afonyashin to alice on /dev/ttyp0 regex=su: BAD SU (\S+) to (\S+) on (\S+); \ classification.text=Credentials Change; optgoto=10003; \ id=10002; \ revision=1; \ analyzer(0).name=su; \ analyzer(0).class=Authentication; \ assessment.impact.completion=failed; \ assessment.impact.type=user; \ assessment.impact.severity=high; \ assessment.impact.description=User $1 tried to authenticate as $2 and failed; \ source(0).user.category=os-device; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).name=$1; \ source(0).user.user_id(0).tty=$3; \ target(0).user.category=os-device; \ target(0).user.user_id(0).type=target-user; \ target(0).user.user_id(0).name=$2; \ last;