
How do I monitor failed attempts to ‘su’ to another user ID?


By default, the Bad su sentry is turned off because different versions and flavours of Linux log failed su attempts differently. By default the sentry uses the standard log file agent to monitor the messages file (/var/log/messages) for entries like:

Jun 26 10:43:08 bink PAM_pwdb[12444] : 1 authentication failure; marks (uid=667) -> root for su service

It does this by matching the following regular expression:

n failure.*su service

and then it extracts columns using the () operators in another regular expression:

uid=([^\)]*)\) -> (.*) for su service

This sets the first column to the uid and the second column to the target user. Firstly you should check to see whether the default configuration
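As an added worked example (it is not part of the original answer or of the sentry product), the script below applies the two regular expressions quoted above to constructed /var/log/messages lines, counts failed su attempts per (uid, target user) pair, and flags pairs that reach a threshold. It also recognises the pam_unix(su:auth) format written by current PAM releases; that format, the sample hostnames, uids and the threshold are assumptions for illustration, not something the answer covers.

```python
import re
from collections import Counter

# Constructed sample lines in /var/log/messages style. The first two follow the
# PAM_pwdb format quoted in the answer; the su[...] lines are constructed to
# resemble modern pam_unix(su:auth) output (an assumption about the distribution).
# The sshd and "session opened" lines are decoys that must not be counted.
SAMPLE_LOG = """\
Jun 26 10:43:08 bink PAM_pwdb[12444]: 1 authentication failure; marks (uid=667) -> root for su service
Jun 26 10:43:15 bink PAM_pwdb[12450]: 1 authentication failure; marks (uid=667) -> root for su service
Jun 26 10:44:02 bink su[12470]: pam_unix(su:auth): authentication failure; logname=marks uid=667 euid=0 tty=pts/1 ruser=marks rhost=  user=root
Jun 26 10:45:10 bink su[12480]: pam_unix(su-l:auth): authentication failure; logname=alice uid=1001 euid=0 tty=pts/2 ruser=alice rhost=  user=oracle
Jun 26 10:46:00 bink su[12490]: pam_unix(su:session): session opened for user root by marks(uid=667)
Jun 26 10:47:00 bink sshd[12500]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=bob
"""

# The two regular expressions the answer quotes for the PAM_pwdb format:
# the first selects candidate lines, the second extracts uid and target user.
PWDB_MATCH = re.compile(r"n failure.*su service")
PWDB_EXTRACT = re.compile(r"uid=([^\)]*)\) -> (.*) for su service")

# Assumed pattern for pam_unix su failures ("su" and "su-l" service names).
# \b in front of uid= and user= keeps euid= and ruser= from matching.
PAM_UNIX_EXTRACT = re.compile(
    r"pam_unix\(su(?:-l)?:auth\): authentication failure;.*?\buid=(\d+)\b.*?\buser=(\S+)"
)


def parse_failed_su(line):
    """Return (uid, target_user) if the line records a failed su, else None."""
    if PWDB_MATCH.search(line):
        m = PWDB_EXTRACT.search(line)
        if m:
            return m.group(1), m.group(2)
    m = PAM_UNIX_EXTRACT.search(line)
    if m:
        return m.group(1), m.group(2)
    return None


def summarize(log_text):
    """Count failed su attempts per (uid, target user) pair in the log text."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = parse_failed_su(line)
        if hit:
            counts[hit] += 1
    return counts


def over_threshold(counts, limit):
    """Return the (uid, target) pairs whose failure count reaches the limit."""
    return sorted(pair for pair, n in counts.items() if n >= limit)


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for (uid, target), n in sorted(counts.items()):
        print(f"uid={uid} -> {target}: {n} failed su attempt(s)")
    # Threshold of 3 is an arbitrary choice for the example.
    print("alert:", over_threshold(counts, 3))
```

The same selection-then-extraction split the answer describes is kept here, so the PWDB regexes can be swapped for whatever your flavour of Linux actually writes; check a real failed su against the pattern before trusting the count, since a pattern that never matches produces silence rather than an error.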


Experts123