# Identifying Logs (Doc 2)
When users use `su`:

| | `su` | `su root` | `su [username]` |
|---|---|---|---|
| Successful | Log input: `Successful su for root by <username>`. Identifying symbol: `+` | Log input: `Successful su for root by <username>`. Identifying symbol: `+` | Log input: `Successful su for <victim_username> by <username>`. Identifying symbol: `-` |
| Unsuccessful | Log input: `FAILED su for root by <username>`. Identifying symbol: `*` | Log input: `FAILED su for root by <username>`. Identifying symbol: `*` | Log input: `FAILED su for <victim_username> by <username>`. Identifying symbol: `/` |
| Successful attempt when `<username>` does not exist | N/A | N/A | Log input: `FAILED su for <victim_username> by <username>`. Identifying symbol: `/` |
When users use `sudo su`:

| | `sudo su` | `sudo su root` | `sudo su [username]` |
|---|---|---|---|
| Successful | Log input: `<username> : TTY=<n> ; PWD=<pwd> ; USER=root ; COMMAND=/bin/su`. Identifying symbol: `+` | Log input: `<username> : TTY=<n> ; PWD=<pwd> ; USER=root ; COMMAND=/bin/su root`. Identifying symbol: `+` | Log input: `<username> : TTY=<n> ; PWD=<pwd> ; USER=root ; COMMAND=/bin/su <victim_username>`. Identifying symbol: `-` |
| Unsuccessful (even if `<username>` does not exist) | Log input: `<username> : <n> incorrect password attempt ; TTY=<n> ; PWD=<pwd> ; USER=root ; COMMAND=/bin/su`. Identifying symbol: `*` | Log input: `<username> : <n> incorrect password attempt ; TTY=<n> ; PWD=<pwd> ; USER=root ; COMMAND=/bin/su root`. Identifying symbol: `*` | Log input: `<username> : <n> incorrect password attempt ; TTY=<n> ; PWD=<pwd> ; USER=root ; COMMAND=/bin/su <victim_username>`. Identifying symbol: `/` |
| Successful attempt when `<username>` does not exist | N/A | N/A | Log input: ............... Identifying symbol: `-` (but we want it to be `/`; future fix) |
Other `sudo` alternatives:

| | `sudo -i` | `sudo bash` |
|---|---|---|
| Successful | Log input: `<username> : TTY=<n> ; PWD=<pwd> ; USER=root ; COMMAND=<shell path>`. Identifying symbol: `+` | Log input: `<username> : TTY=<n> ; PWD=<pwd> ; USER=root ; COMMAND=<shell path>`. Identifying symbol: `+` |
| Unsuccessful | Log input: `<username> : <n> incorrect password attempts ; TTY=<n> ; PWD=<pwd> ; USER=root ; COMMAND=<shell path>`. Identifying symbol: `*` | Log input: `<username> : <n> incorrect password attempts ; TTY=<n> ; PWD=<pwd> ; USER=root ; COMMAND=<shell path>`. Identifying symbol: `*` |
When users who don't have sudo rights use `sudo`:

| | `sudo [command]` |
|---|---|
| Sudo used when `<username>` is not in the sudoers file | Log input: `<username> : TTY=<n> ; user NOT in sudoers ; PWD=<pwd> ; USER=root ; COMMAND=<command execution path>`. Identifying symbol: `~` |
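The tables above can be turned directly into a classifier. The Python below is an added example, not the project's own code: it matches an `auth.log` line against the `su` and `sudo` shapes listed in the tables and returns the identifying symbol, or `None` for lines no row covers. The `SHELLS` set (what `<shell path>` is assumed to be for `sudo -i` / `sudo bash`) and the sample lines are assumptions constructed for the example.

```python
import re
from typing import Optional

# Regexes transcribed from the log shapes in the tables above.
SU_RE = re.compile(r"(?P<result>Successful|FAILED) su for (?P<target>\S+) by (?P<user>\S+)")
SUDO_RE = re.compile(
    r"(?P<user>\S+) : (?:(?P<bad>\d+) incorrect password attempts? ; )?"
    r"TTY=\S+ ; (?P<nosudo>user NOT in sudoers ; )?PWD=\s*[^;]* ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)
# Assumption: these paths are what "<shell path>" resolves to for sudo -i / sudo bash.
SHELLS = {"/bin/bash", "/bin/sh", "/usr/bin/bash", "/bin/zsh"}

def symbol(success: bool, target: str) -> str:
    """Map an outcome and the target account to the tables' identifying symbol."""
    if target == "root":
        return "+" if success else "*"
    return "-" if success else "/"

def classify(line: str) -> Optional[str]:
    """Return the identifying symbol for one auth.log line, or None when no table row applies."""
    m = SU_RE.search(line)
    if m:
        return symbol(m["result"] == "Successful", m["target"])
    m = SUDO_RE.search(line)
    if not m:
        return None
    if m["nosudo"]:
        return "~"                      # caller is not in the sudoers file
    argv = m["cmd"].split()
    if argv[0] == "/bin/su":
        target = argv[1] if len(argv) > 1 else "root"   # bare `sudo su` means root
    elif argv[0] in SHELLS:
        target = m["runas"]                               # sudo -i / sudo bash
    else:
        return None                     # ordinary sudo command: outside the tables
    return symbol(m["bad"] is None, target)

# Constructed sample lines (not real auth.log data), one per table.
SAMPLE_LINES = [
    "Mar 28 10:00:00 host su: Successful su for root by alice",
    "Mar 28 10:00:01 host su: FAILED su for bob by alice",
    "Mar 28 10:00:02 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su",
    "Mar 28 10:00:03 host sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su bob",
    "Mar 28 10:00:04 host sudo:  mallory : TTY=pts/1 ; user NOT in sudoers ; PWD=/home/mallory ; USER=root ; COMMAND=/usr/bin/apt update",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line), line)
```

As the last table notes, a successful `sudo su <nonexistent>` still comes out as `-` here because `sudo` logs the command, not `su`'s outcome; correlating with the following `su` line is the pending fix.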
Last update: March 28, 2021