.N UNX Login #Policy Name
.L 2 #Policy structure
.D Detects UNX logins, categorized by login type and OS. #Policy Description
.V 1022778168 #Policy revision number
.Z 411 #Policy ID
.Z 411 #Policy ID
.R Telnet on Solaris #Rule Definition
..D Detects a Telnet login (except root) on Solaris. #Rule Description
..Z 407 #Rule ID
..V 20 #Rule Value
..I #Ignore Clause(s)
...G System Message #System Message
....T *root* #Regular text
....C 0 #Case sensitivity
....Z 405 #ID of the clause
..S #Select Clause(s)
...G System Message #System Message
....T *User Logged in*telnet_login* #Regular text
....C 0 #Case sensitivity
....Z 404 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 406 #ID of the clause
.R Rlogin on Solaris #Rule Definition
..D Detects an rlogin (except root) on Solaris. #Rule Description
..Z 326 #Rule ID
..V 20 #Rule Value
..I #Ignore Clause(s)
...G System Message #System Message
....T *root* #Regular text
....C 0 #Case sensitivity
....Z 324 #ID of the clause
..S #Select Clause(s)
...G System Message #System Message
....T *User Logged in*rlogin_login* #Regular text
....C 0 #Case sensitivity
....Z 323 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 325 #ID of the clause
.R Rlogin on Sol, HP, AIX, Linux #Rule Definition
..D Detects a remote login by Xwin (Solaris, HP-UX), Telnet (HP-UX, AIX, Linux), and Rlogin (HP-UX, AIX, Linux). #Rule Description
..Z 322 #Rule ID
..K #Rule And Select logic
..V 20 #Rule Value
..I #Ignore Clause(s)
...G System Message #System Message
....T *root* #Regular text
....C 0 #Case sensitivity
....Z 320 #ID of the clause
..S #Select Clause(s)
...G System Message #System Message
....T *LOGIN ON pts/*BY*FROM* #Regular text
....T *User Logged in*remote_login* #Regular text
....C 0 #Case sensitivity
....Z 319 #ID of the clause
..S #Select Clause(s)
...B Flag #Flag(S)
....A #AND values in data field
....I 316 #ID list
....F 316 #Flag list
....Z 318 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 321 #ID of the clause
.R Root Telnet on Solaris #Rule Definition
..D Detects a root Telnet login on Solaris. #Rule Description
..Z 358 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *User Logged in*root*telnet_login* #Regular text
....C 0 #Case sensitivity
....Z 356 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 357 #ID of the clause
.R Root Rlogin on Solaris #Rule Definition
..D Detects a root rlogin on Solaris. #Rule Description
..Z 351 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *User Logged in*root*rlogin_login* #Regular text
....C 0 #Case sensitivity
....Z 349 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 350 #ID of the clause
.R FTP on Other Linux #Rule Definition
..D Detects an FTP login (except root) on Slackware 7.1. #Rule Description
..Z 293 #Rule ID
..V 20 #Rule Value
..I #Ignore Clause(s)
...G System Message #System Message
....T *root* #Regular text
....C 0 #Case sensitivity
....Z 291 #ID of the clause
..S #Select Clause(s)
...G System Message #System Message
....T *ftpd[*]: FTP LOGIN FROM* #Regular text
....C 0 #Case sensitivity
....Z 290 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 292 #ID of the clause
.R Root FTP on Sol,HP 10, AIX,Linu #Rule Definition
..D Detects a root FTP login on Solaris and HP-UX 10.2, and AIX 4.3.2, 4.3.1, and Linux RedHat 6.2, 7.0. #Rule Description
..Z 336 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *User Logged in*root*ftp_login* #Regular text
....C 0 #Case sensitivity
....Z 334 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 335 #ID of the clause
.R Root Local on Other Linux #Rule Definition
..D Detects a root local/console login on RedHat, Mandrake, and Slackware Linux. #Rule Description
..Z 340 #Rule ID
..J #Rule And Ignore logic
..K #Rule And Select logic
..V 50 #Rule Value
..I #Ignore Clause(s)
...B Flag #Flag(S)
....I 343 #ID list
....F 343 #Flag list
....Z 338 #ID of the clause
..S #Select Clause(s)
...G System Message #System Message
....T *-- root[*]: ROOT LOGIN ON tty* #Regular text
....T *-- root[*]: ROOT LOGIN ON vc/* #Regular text
....C 0 #Case sensitivity
....Z 337 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 339 #ID of the clause
.R Local on Other Linux #Rule Definition
..D Detects a local/console login (except root) on Mandrake. #Rule Description
..Z 306 #Rule ID
..J #Rule And Ignore logic
..K #Rule And Select logic
..V 20 #Rule Value
..I #Ignore Clause(s)
...G System Message #System Message
....T *root* #Regular text
....C 0 #Case sensitivity
....Z 304 #ID of the clause
..I #Ignore Clause(s)
...B Flag #Flag(S)
....I 397, 316, 409 #ID list
....F 397 #Flag list
....F 316 #Flag list
....F 409 #Flag list
....Z 303 #ID of the clause
..S #Select Clause(s)
...B Flag #Flag(S)
....I 299 #ID list
....F 299 #Flag list
....Z 301 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 305 #ID of the clause
.R SU to Another on Solaris #Rule Definition
..D Detects SU to another user (except root) on Solaris. #Rule Description
..Z 376 #Rule ID
..V 20 #Rule Value
..I #Ignore Clause(s)
...G System Message #System Message
....T *root* #Regular text
....C 0 #Case sensitivity
....Z 374 #ID of the clause
..S #Select Clause(s)
...G System Message #System Message
....T *su:*succeeded for*on* #Regular text
....C 0 #Case sensitivity
....Z 373 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 375 #ID of the clause
.R FTP on HP 11 #Rule Definition
..D Detects an FTP login (except root) on HP-UX 11. #Rule Description
..Z 289 #Rule ID
..V 20 #Rule Value
..I #Ignore Clause(s)
...G System Message #System Message
....T *root* #Regular text
....C 0 #Case sensitivity
....Z 287 #ID of the clause
..I #Ignore Clause(s)
...E Rule #Rule(s)
....I 293 #ID list
....Z 286 #ID of the clause
..S #Select Clause(s)
...G System Message #System Message
....T *general syslog msg*FTP LOGIN FROM* #Regular text
....C 0 #Case sensitivity
....Z 285 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 288 #ID of the clause
.R Root FTP on HP 11 #Rule Definition
..D Detects a root FTP login on HP-UX 11. #Rule Description
..Z 330 #Rule ID
..V 50 #Rule Value
..I #Ignore Clause(s)
...E Rule #Rule(s)
....I 336 #ID list
....Z 328 #ID of the clause
..S #Select Clause(s)
...G System Message #System Message
....T *general syslog msg*FTP LOGIN FROM*root* #Regular text
....C 0 #Case sensitivity
....Z 327 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 329 #ID of the clause
.R SU to Another on HP #Rule Definition
..D Detects SU to another user (except root) on HP-UX. #Rule Description
..Z 366 #Rule ID
..V 20 #Rule Value
..I #Ignore Clause(s)
...G System Message #System Message
....T *root* #Regular text
....C 0 #Case sensitivity
....Z 364 #ID of the clause
..S #Select Clause(s)
...G System Message #System Message
....T *successful SU to another user*su : +* #Regular text
....C 0 #Case sensitivity
....Z 363 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 365 #ID of the clause
.R SU to Root on Other Linux #Rule Definition
..D Detects SU to root on Linux Red Hat 7.1 and up, Mandrake 8.0 and up, and Slackware 7.1 and 8.0. #Rule Description
..Z 392 #Rule ID
..V 50 #Rule Value
..I #Ignore Clause(s)
...B Remote Login Flag #Flag(S)
....I 313 #ID list
....F 313 #Flag list
....Z 389 #ID of the clause
..I #Ignore Clause(s)
...B Root Login Flag #Flag(S)
....I 343 #ID list
....F 343 #Flag list
....Z 390 #ID of the clause
..S #Select Clause(s)
...G Mandrake #System Message
....T *su(pam_unix)[*]: session opened for user root* #Regular text
....C 0 #Case sensitivity
....Z 387 #ID of the clause
..S #Select Clause(s)
...G Slackware 7.1 #System Message
....T *su[*]: + pts/*-root* #Regular text
....C 1 #Case sensitivity
....Z 388 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 391 #ID of the clause
.R SU to Another on AIX #Rule Definition
..D Detects SU to another user (except root) on AIX. #Rule Description
..Z 362 #Rule ID
..V 20 #Rule Value
..I #Ignore Clause(s)
...G System Message #System Message
....T *root* #Regular text
....C 0 #Case sensitivity
....Z 360 #ID of the clause
..S #Select Clause(s)
...G System Message #System Message
....T *successful SU to another user*su: from*to* #Regular text
....C 0 #Case sensitivity
....Z 359 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 361 #ID of the clause
.R SU to Root on Solaris #Rule Definition
..D Detects SU to root on Solaris. #Rule Description
..Z 395 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *su:*su root*succeeded for*on* #Regular text
....C 0 #Case sensitivity
....Z 393 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 394 #ID of the clause
.R SU to Root on HP #Rule Definition
..D Detects SU to root on HP-UX. #Rule Description
..Z 380 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *successful SU to another user*su : +*root* #Regular text
....C 0 #Case sensitivity
....Z 378 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 379 #ID of the clause
.R SU to Root on AIX #Rule Definition
..D Detects SU to root on AIX. #Rule Description
..Z 377 #Rule ID
..V 0 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *successful SU to another user*su: from*to root* #Regular text
....C 0 #Case sensitivity
....Z 2531 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 2532 #ID of the clause
.R Remote Login Flag #Rule Definition
..D Detects a remote request to xinetd and raises a flag. #Rule Description
..Z 314 #Rule ID
..V 0 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *xinetd[*]: START: * #Regular text
....C 0 #Case sensitivity
....Z 312 #ID of the clause
..A #Action Clause(s)
...B Remote Login Flag #Raise Flag
....L 30 #Lifetime of flag
....Z 313 #ID of the clause
.R Root Rlogin on Sol, HP, AIX, Li #Rule Definition
..D Detects a root remote login by Rlogin. #Rule Description
..Z 348 #Rule ID
..K #Rule And Select logic
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *login(pam_unix)[*]: session opened for user* #Regular text
....T *User Logged in*root*remote_login* #Regular text
....C 0 #Case sensitivity
....Z 346 #ID of the clause
..S #Select Clause(s)
...B Flag #Flag(S)
....I 316 #ID list
....F 316 #Flag list
....Z 345 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 347 #ID of the clause
.R FTP on Sol, HP 10, AIX, Linux #Rule Definition
..D Detects an FTP login (except root) on Solaris, HP-UX 10.2, and AIX 4.3.2, 4.3.1, and Linux RedHat 6.2, 7.0. #Rule Description
..Z 297 #Rule ID
..V 20 #Rule Value
..I #Ignore Clause(s)
...G System Message #System Message
....T *root* #Regular text
....C 0 #Case sensitivity
....Z 295 #ID of the clause
..S #Select Clause(s)
...G System Message #System Message
....T *User Logged in*ftp_login* #Regular text
....C 0 #Case sensitivity
....Z 294 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 296 #ID of the clause
.R Root FTP on Other Linux #Rule Definition
..D Detects a root FTP login on Solaris and HP-UX 10.2, and AIX 4.3.2, 4.3.1, and Linux RedHat 6.2, 7.0. #Rule Description
..Z 333 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *ftpd[*]: FTP LOGIN FROM*, root* #Regular text
....C 0 #Case sensitivity
....Z 331 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 332 #ID of the clause
.R Root Local on Sol, HP, Linux #Rule Definition
..D Detects a root local/console login on Solaris, HP-UX, and Linux. #Rule Description
..Z 344 #Rule ID
..J #Rule And Ignore logic
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *User Logged in*root*local_login* #Regular text
....C 0 #Case sensitivity
....Z 341 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 342 #ID of the clause
..A #Action Clause(s)
...B Root Local Flag #Raise Flag
....L 20 #Lifetime of flag
....Z 343 #ID of the clause
.R SU to Root on Linux #Rule Definition
..D Detects SU to root on Linux Red Hat 6.2 and 7.0 server. #Rule Description
..Z 386 #Rule ID
..V 50 #Rule Value
..I #Ignore Clause(s)
...B Remote Login Flag #Flag(S)
....I 313 #ID list
....F 313 #Flag list
....Z 383 #ID of the clause
..I #Ignore Clause(s)
...B Root Local Flag #Flag(S)
....I 343 #ID list
....F 343 #Flag list
....Z 384 #ID of the clause
..S #Select Clause(s)
...G RedHat 6.2 & 7.0 #System Message
....T *(su) session opened for user root* #Regular text
....C 0 #Case sensitivity
....Z 381 #ID of the clause
..S #Select Clause(s)
...G Unpatched RedHat 7.0 #System Message
....T *(system-auth) session opened for user root by* #Regular text
....C 0 #Case sensitivity
....Z 382 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 385 #ID of the clause
.R Local on Sol, HP, Linux #Rule Definition
..D Detects a local/console login (except root) on Solaris, HP-UX, and Linux. #Rule Description
..Z 311 #Rule ID
..V 20 #Rule Value
..I #Ignore Clause(s)
...G System Message #System Message
....T *root* #Regular text
....C 0 #Case sensitivity
....Z 309 #ID of the clause
..S #Select Clause(s)
...G System Message #System Message
....T *User Logged in*local_login* #Regular text
....C 0 #Case sensitivity
....Z 308 #ID of the clause
..S #Select Clause(s)
...B Flag #Flag(S)
....I 299 #ID list
....F 299 #Flag list
....Z 603 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 310 #ID of the clause
.R Telnet Flag #Rule Definition
..D Detects calls to the telnet daemon and raises a flag. #Rule Description
..Z 398 #Rule ID
..V 0 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *in.telnetd[*]: connect from* #Regular text
....T *in.telnetd[*]: connected from* #Regular text
....T *xinetd[*]: START: telnet* #Regular text
....C 0 #Case sensitivity
....Z 396 #ID of the clause
..A #Action Clause(s)
...B Telnet Flag #Raise Flag
....L 10 #Lifetime of flag
....Z 397 #ID of the clause
.R Xinetd Flag #Rule Definition
..D Detects calls to start xinetd services. #Rule Description
..Z 410 #Rule ID
..V 0 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *xinetd[*]: START: * #Regular text
....C 0 #Case sensitivity
....Z 408 #ID of the clause
..A #Action Clause(s)
...B Xinetd Flag #Raise Flag
....L 10 #Lifetime of flag
....R #Reset on trigger
....Z 409 #ID of the clause
.R Rlogin Flag #Rule Definition
..D Detects calls to rlogin daemon and raises a flag. #Rule Description
..Z 317 #Rule ID
..V 0 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *in.rlogind[*]: connect from* #Regular text
....T *xinetd[*]: START: login* #Regular text
....C 0 #Case sensitivity
....Z 315 #ID of the clause
..A #Action Clause(s)
...B Rlogin Flag #Raise Flag
....L 10 #Lifetime of flag
....R #Reset on trigger
....Z 316 #ID of the clause
.R Local Login Flag #Rule Definition
..D Detects local logins and raises a flag. #Rule Description
..Z 300 #Rule ID
..V 0 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *LOGIN ON vc/? BY * #Regular text
....T *User Logged in*local_login* #Regular text
....C 0 #Case sensitivity
....Z 298 #ID of the clause
..A #Action Clause(s)
...B Local Login Flag #Raise Flag
....L 10 #Lifetime of flag
....R #Reset on trigger
....Z 299 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 601 #ID of the clause
.R Telnet on Sol, HP, AIX, Linux #Rule Definition
..D Detects a remote login by Telnet. #Rule Description
..Z 403 #Rule ID
..K #Rule And Select logic
..V 20 #Rule Value
..I #Ignore Clause(s)
...G System Message #System Message
....T *root* #Regular text
....C 0 #Case sensitivity
....Z 401 #ID of the clause
..S #Select Clause(s)
...G System Message #System Message
....T *login(pam_unix)[*]: session opened for user* #Regular text
....T *User Logged in*remote_login* #Regular text
....C 0 #Case sensitivity
....Z 400 #ID of the clause
..S #Select Clause(s)
...B Flag #Flag(S)
....I 397 #ID list
....F 397 #Flag list
....Z 399 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 402 #ID of the clause
.R Root Telnet on Sol, HP, AIX, Li #Rule Definition
..D Detects a root remote login by Telnet. #Rule Description
..Z 355 #Rule ID
..K #Rule And Select logic
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *User Logged in*root*remote_login* #Regular text
....C 0 #Case sensitivity
....Z 353 #ID of the clause
..S #Select Clause(s)
...B Flag #Flag(S)
....I 397 #ID list
....F 397 #Flag list
....Z 352 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 354 #ID of the clause
.R SU to Another on Linux #Rule Definition
..D Detects SU to another user (except root) on Red Hat 6.2, 7.0, 7.1, 7.2, Mandrake 8.0, 8.1, and 8.2, and Slackware 7.1 and 8.0. #Rule Description
..Z 372 #Rule ID
..V 20 #Rule Value
..I #Ignore Clause(s)
...G System Message #System Message
....T *root* #Regular text
....C 0 #Case sensitivity
....Z 370 #ID of the clause
..S #Select Clause(s)
...G RedHat 6.2 ,7.0,7.1, & 7.2 #System Message
....T *(su) session opened for user* #Regular text
....T *su(pam_unix)[*]: session opened for user * by * #Regular text
....C 0 #Case sensitivity
....Z 367 #ID of the clause
..S #Select Clause(s)
...G Unpatched RedHat 7.0 #System Message
....T *(system-auth) session opened for user* #Regular text
....C 0 #Case sensitivity
....Z 369 #ID of the clause
..S #Select Clause(s)
...G Slackware #System Message
....T *su[*]: + pts/* #Regular text
....C 0 #Case sensitivity
....Z 368 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 371 #ID of the clause
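Added example, not part of the policy file or its product: a small Python evaluator that applies the text (....T) clauses of four rules from the policy above to constructed syslog lines, under assumed wildcard and case-sensitivity semantics (the policy does not define them); flag (...B) and rule-reference (...E Rule) clauses are not modelled.

```python
import re

# Assumed semantics (the policy file does not state them): '*' matches any run
# of characters, '?' exactly one character, anything else is literal (so "[*]"
# is a literal bracket pair around the pid wildcard, not a character class),
# and "C 0" means case-insensitive.  Only text clauses are evaluated here.

def glob_to_regex(pattern):
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return "".join(parts)

def text_matches(pattern, line, case_sensitive):
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(glob_to_regex(pattern), line, flags) is not None

# Text clauses transcribed from four rules of the policy: (pattern, is "C 1").
RULES = {
    "FTP on Other Linux": {            # rule 293: FTP login except root
        "ignore": [("*root*", False)],
        "select": [("*ftpd[*]: FTP LOGIN FROM*", False)]},
    "Root FTP on Other Linux": {       # rule 333
        "ignore": [],
        "select": [("*ftpd[*]: FTP LOGIN FROM*, root*", False)]},
    "SU to Root on Other Linux": {     # rule 392; Slackware clause is "C 1"
        "ignore": [],
        "select": [("*su(pam_unix)[*]: session opened for user root*", False),
                   ("*su[*]: + pts/*-root*", True)]},
    "Local Login Flag": {              # rule 300: '?' = exactly one tty char
        "ignore": [],
        "select": [("*LOGIN ON vc/? BY *", False),
                   ("*User Logged in*local_login*", False)]},
}

def rule_fires(rule, line):
    # Any matching ignore clause suppresses the line; else any select clause fires.
    if any(text_matches(p, line, cs) for p, cs in rule["ignore"]):
        return False
    return any(text_matches(p, line, cs) for p, cs in rule["select"])

def fired_rules(line):
    return [name for name, rule in RULES.items() if rule_fires(rule, line)]

if __name__ == "__main__":
    # Constructed sample syslog lines, not captured from a real host.
    for line in [
        "Jun 12 10:02:03 host ftpd[1235]: FTP LOGIN FROM 10.0.0.6 [10.0.0.6], root",
        "Jun 12 10:04:06 host su[778]: + pts/2 alice-ROOT",
        "Jun 12 10:05:06 host login[55]: LOGIN ON vc/12 BY alice",
    ]:
        print(fired_rules(line), "<-", line)
```

Note that the case-insensitive ignore clause `*root*` on rule 293 also suppresses lines where "root" appears anywhere in the message, not only as the login name.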