Difference between revisions of "HIDS 5302"

From Atomicorp Wiki
(Created page with "'''Rule ID''' 5302 '''Status''' User missed the password to change UID to root. '''Description''' This event occurs when a user attempts to 'su root' and types the wro...")
 
 
Line 9: Line 9:
 
'''Description'''   
 
'''Description'''   
  
This event occurs when a user attempts to 'su root' and types the wrong root password.
+
This event occurs when a user attempts to switch user contexts to the root account using the 'su root' command and types the wrong root password.
  
 
'''Guidance'''
 
'''Guidance'''

Latest revision as of 01:20, 30 March 2021

Rule ID

5302

Status

User missed the password to change UID to root.

Description

This event occurs when a user attempts to switch user contexts to the root account using the 'su root' command and types the wrong root password.

Guidance

Repeated instances of this event could indicate attempted system abuse.
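One way to pick out repeated instances from an auth log, as an added example (not Atomicorp's rule logic or code from this wiki). The pam_unix log shape, the 3-in-5-minutes threshold, the `year` argument and the sample lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log shape: the pam_unix "authentication failure" line that su writes
# to the auth log. Formats differ between distributions; adjust the pattern.
FAILED_SU_ROOT = re.compile(
    r"\bsu(?:\[\d+\])?: pam_unix\(su(?:-l)?:auth\): authentication failure;"
    r".*\bruser=(\S*).*\buser=root\b"
)

def repeated_failed_su(lines, threshold=3, window=timedelta(minutes=5), year=2021):
    """Return {invoking user: attempts} for users with at least `threshold`
    failed su-to-root attempts inside one sliding `window`."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        m = FAILED_SU_ROOT.search(line)
        if not m:
            continue  # successful su, su to a non-root user, or unrelated line
        # Classic syslog timestamps carry no year, so one is supplied (assumption).
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        user = m.group(1) or "unknown"
        attempts = recent[user]
        attempts.append(ts)
        while ts - attempts[0] > window:  # drop attempts that left the window
            attempts.popleft()
        if len(attempts) >= threshold:
            flagged[user] = max(flagged.get(user, 0), len(attempts))
    return flagged

# Constructed sample lines (not taken from a real system).
_FAIL = "su: pam_unix(su:auth): authentication failure; logname={0} uid=1000 euid=0 tty=/dev/pts/0 ruser={0} rhost=  user={1}"
SAMPLE = [
    "Mar 30 01:12:03 web01 " + _FAIL.format("alice", "root"),
    "Mar 30 01:12:40 web01 " + _FAIL.format("alice", "root"),
    "Mar 30 01:13:10 web01 " + _FAIL.format("alice", "root"),
    "Mar 30 01:14:00 web01 " + _FAIL.format("bob", "root"),
    "Mar 30 01:15:00 web01 " + _FAIL.format("dave", "postgres"),
    "Mar 30 01:16:00 web01 su: pam_unix(su:session): session opened for user root by bob(uid=1000)",
    "Mar 30 02:00:00 web01 " + _FAIL.format("carol", "root"),
    "Mar 30 03:00:00 web01 " + _FAIL.format("carol", "root"),
]

if __name__ == "__main__":
    for user, count in repeated_failed_su(SAMPLE).items():
        print(f"{user}: {count} failed su-to-root attempts within 5 minutes")
```

A single mistyped password (bob) and widely spaced failures (carol) stay below the threshold; only the burst from alice is reported.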

False Positives

There is no known false positive for this rule. This rule detects when files change; therefore, it is not recommended that you disable it. Instead, if you do not wish to be alerted when a specific file, or the files in a particular directory, change, log into the ASL GUI, click on the ASL tab, select the File Integrity menu options and modify your configuration to ignore this file or directory.

If you believe that this is a false positive, please report it to our security team so that they can determine whether this is a legitimate case or a clever attack on your system. Instructions for reporting false positives are detailed on the Reporting False Positives wiki page.

Similar Rules

5301

Knowledge Base Articles

None.

Outside References

None.
