HIDS 5302

From Atomicorp Wiki
Jump to: navigation, search

Rule ID

5302

Status

User missed the password to change UID to root.

Description

This event occurs when a user attempts to switch user contexts to the root account using the 'su root' command and types the wrong root password.

Guidance

Repeated instances of this event could indicate attempted system abuse.

False Positives

There is no known false positive for this rule. This rule detects when files change, therefore, it is not recommended that you disable this rule. Instead, if you do not wish to be alerted when a specific file or files in a particular directory change, please log into the ASL GUI, click on the ASL tab, select the File Integrity menu options and modify your configuration to ignore this file or directory.

If you believe that this is a false positive, please report this to our security team can determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page.

Similar Rules

5301

Knowledge Base Articles

None.

Outside References

None.

Personal tools