Identifying Logs (Doc 1)¶
When users use su:
| su | su root | su [username] | |
|---|---|---|---|
| Successful | Log input: su: (to root) <username> on pts/<n>Identifying Symbol: + | Log input: su: (to root) <username> on pts/<n>Identifying Symbol: + | Log input: su: (to <victim_username>) <username> on pts/<n>Identifying Symbol: – |
| Unsuccessful | Log input: su: FAILED SU (to root) <username> on pts/<n>Identifying Symbol: * | Log input: su: FAILED SU (to root) <username> on pts/<n>Identifying Symbol: * | Log input: su: FAILED SU (to <victim_username>) <username> on pts/<n>Identifying Symbol: / |
When users use sudo su:
| sudo su | sudo su root | sudo su [username] | |
|---|---|---|---|
| Successful | Log input (line 1): sudo: <username> : TTY=<n> ; PWD=<pwd> ; USER=root ; COMMAND=/bin/suLog input (line 3): su: (to root) <username> on pts/<n>Note 1 (refer to Info block below table) Identifying Symbol: + | Log input (line 1): sudo: <username> : TTY=<n> ; PWD=<pwd> ; USER=root ; COMMAND=/bin/su rootLog input (line 3): su: (to root) <username> on pts/<n>Note 1 (refer to Info block below table) Identifying Symbol: + | Log input (line 1): sudo: <username> : TTY=<n> ; PWD=<pwd> ; USER=root ; COMMAND=/bin/su <victim_username>Log input (line 3): su: (to <victim_username>) <username> on pts/<n>Note 1 (refer to Info block below table) Identifying Symbol: – |
| Unsuccessful (even if <username> does not exist) | Log input: sudo: <username> : <n> incorrect password attempt ; TTY=<n> ; PWD=<pwd> ; USER=root ; COMMAND=/bin/suIdentifying Symbol: * | Log input: sudo: <username> : <n> incorrect password attempt ; TTY=<n> ; PWD=<pwd> ; USER=root ; COMMAND=/bin/su rootIdentifying Symbol: * | Log input: sudo: <username> : <n> incorrect password attempt ; TTY=<n> ; PWD=<pwd> ; USER=root ; COMMAND=/bin/su <victim_username>Identifying Symbol: / |
| Successful attempt when <username> does not exist | N/A | N/A | Log input: ............... Identifying Symbol: N/A (we want it to be /) (future fix) |
Note 1
The script uses “Log input (line 3)”, because “line 3” is exactly the same for the above table (the su table). Since the script looks for “line 3” when the su command is used, if it looks for “line 1” when sudo is used, it would cause the script to identify the user twice as many times
Other sudo alternatives:
| sudo -i | sudo bash | |
|---|---|---|
| Successful | Log input: sudo: <username> : TTY=<n> ; PWD= <pwd> ; USER=root ; COMMAND=<shell path>Identifying Symbol: + | Log input: sudo: <username> : TTY=<n> ; PWD= <pwd> ; USER=root ; COMMAND=<shell path>Identifying Symbol: + |
| Unsuccessful | Log input: sudo: <username> : <n> incorrect password attempts ; TTY=<n> ; PWD=<pwd> ; USER=root ; COMMAND=<shell path>Identifying Symbol: * | Log input: sudo: <username> : <n> incorrect password attempts ; TTY=<n> ; PWD=<pwd> ; USER=root ; COMMAND=<shell path>Identifying Symbol: * |
When users who don't have sudo power use sudo:
| sudo [command] | |
|---|---|
| Sudo used when <username> is not in the sudoers file | Log input: sudo: <username> : user NOT in sudoers ; TTY=<n> ; PWD=<pwd> ; USER=root ; COMMAND=<command execution path>Identifying Symbol: ~ |
Last update: March 28, 2021