################### # Logging succeed # ################### #Jul 18 17:12:49 hids su: afonyashin to root on /dev/ttyp0 regex=su: (\S+) to root on (\S+); \ classification.text=Admin login; \ id=10000; \ revision=1; \ analyzer(0).name=su; \ analyzer(0).class=Authentication; \ assessment.impact.completion=succeeded; \ assessment.impact.type=admin; \ assessment..impact.severity=medium; \ assessment.impact.description=User $1 authenticated to $2 successfully; \ source(0).user.category=os-device; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).name=$1; \ source(0).user.user_id(0).tty=$2; \ target(0).user.category=os-device; \ target(0).user.user_id(0).type=target-user; \ target(0)..user.user_id(0).name=root; \ target(0).user.user_id(0).number=0; \ last; #Jul 18 17:12:49 hids su: afonyashin to alice on /dev/ttyp0 regex=su: (\S+) to (\S+) on (\S+); \ classification.text=User Authentication; \ id=10001; \ revision=1; \ analyzer(0).name=su; \ analyzer(0).class=Authentication; \ assessment.impact.completion=succeeded; \ assessment.impact.type=user; \ assessment.impact.severity=low; \ assessment.impact.description=User $1 authenticated to $2 successfully; \ source(0).user.category=os-device; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).name=$1; \ source(0).user.user_id(0).tty=$3; \ target(0).user.category=os-device; \ target(0).user.user_id(0).type=target-user; \ target(0).user.user_id(0).name=$2; \ last; ################ # Login failed # ################ #Jul 18 17:12:44 hids su: BAD SU afonyashin to root on /dev/ttyp0 regex=su: BAD SU (\S+) to root on (\S+); \ classification.text=Admin login; \ id=10002; \ revision=1; \ analyzer(0).name=su; \ analyzer(0).class=Authentication; \ assessment.impact.completion=failed; \ assessment..impact.type=admin; \ assessment.impact.severity=medium; \ assessment.impact.description=User $1 tried to authenticate as root and failed; \ source(0).user.category=os-device; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).name=$1; \ source(0).user.user_id(0).tty=$2; \ target(0).user.category=os-device; \ target(0).user.user_id(0).type=target-user; \ target(0).user.user_id(0).name=root; \ target(0).user.user_id(0).number=0; \ last; #Jul 18 17:12:44 hids su: BAD SU afonyashin to alice on /dev/ttyp0 regex=su: BAD SU (\S+) to (\S+) on (\S+); \ classification.text=User Authentication; \ id=10003; \ revision=1; \ analyzer(0).name=su; \ analyzer(0).class=Authentication; \ assessment.impact.completion=failed; \ assessment.impact.type=user; \ assessment.impact.severity=medium; \ assessment.impact.description=User $1 tried to authenticate as $2 and failed; \ source(0).user.category=os-device; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).name=$1; \ source(0).user.user_id(0).tty=$3; \ target(0).user.category=os-device; \ target(0).user.user_id(0).type=target-user; \ target(0).user.user_id(0).name=$2; \ last;