Difference between revisions of "HIDS 5302"
(Created page with "'''Rule ID''' 5302 '''Status''' User missed the password to change UID to root. '''Description''' This event occurs when a user attempts to 'su root' and types the wro...") |
|||
Line 9: | Line 9: | ||
'''Description''' | '''Description''' | ||
− | This event occurs when a user attempts to 'su root' and types the wrong root password. | + | This event occurs when a user attempts to switch user contexts to the root account using the 'su root' command and types the wrong root password. |
'''Guidance''' | '''Guidance''' |
Latest revision as of 01:20, 30 March 2021
Rule ID
5302
Status
User missed the password to change UID to root.
Description
This event occurs when a user attempts to switch user contexts to the root account using the 'su root' command and types the wrong root password.
Guidance
Repeated instances of this event could indicate attempted system abuse.
False Positives
There is no known false positive for this rule. This rule detects when files change, therefore, it is not recommended that you disable this rule. Instead, if you do not wish to be alerted when a specific file or files in a particular directory change, please log into the ASL GUI, click on the ASL tab, select the File Integrity menu options and modify your configuration to ignore this file or directory.
If you believe that this is a false positive, please report this to our security team can determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page.
Similar Rules
5301
Knowledge Base Articles
None.
Outside References
None.