Excessive failed su attempts for users (UNIX)

Module: Login Parameters

This check reports users that have exceeded the allowed number of failed su attempts. Use the name list to exclude or include substitute users to be checked. Specify the number of failed attempts followed by a slash and the time period in hours.

The following table lists the error messages for the check.

Table: Error messages for Excessive failed su attempts for users

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: STKU_FAILED_SU_EXCEED_LIMITS<br>Category: Policy Compliance | UNIX (5268) | Title: Failed SU attempts exceed limits<br>Description: The user has exceeded the number of allowed failed su attempts. SU failures might indicate an attempted break-in. This is especially true if there have been a large number of failures on only a few accounts. Contact the system administrator if these attempts are coming from a site outside your organization. Also, verify that the reported users have secure passwords and network configurations. | Severity: red-4<br>Correctable: false<br>Snapshot Updatable: false<br>Template Updatable: false<br>Information Field Format: [SU attempts: %s; Failed: %s; Limit: %s; Hours: %s] |
| String ID: STKU_INVALID_DATA<br>Category: Policy Compliance | UNIX (5265) | Title: Invalid failed login parameters<br>Description: Parameters for the Excessive failed logins on agent and Excessive failed logins for users checks must be expressed using numbers and separated by a forward slash (/). The first number indicates the number of allowed login failures. The second number indicates the time period (in hours). For example, 5/24 indicates that five login failures are allowed within a 24-hour period. | Severity: yellow-1<br>Correctable: false<br>Snapshot Updatable: false<br>Template Updatable: false<br>Information Field Format: [%s] |
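The threshold logic described above, as an added example that is not the product's own code: it parses a failures/hours limit such as 5/24 and reports users whose failed su count in that period exceeds the limit, returning the attempts and failed values that appear in the Information Field Format. Assumptions: records use the Solaris-style sulog layout ("-" marks a failure), failures are counted per invoking user over a fixed lookback from `now`, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed sulog record layout: "SU MM/DD HH:MM {+|-} tty from-to"
# (the from-to field is split on its first hyphen)
SULOG = re.compile(
    r"^SU\s+(\d\d)/(\d\d)\s+(\d\d):(\d\d)\s+([+-])\s+(\S+)\s+([^-\s]+)-(\S+)$")

def parse_limit(spec):
    """Parse '<failures>/<hours>' (e.g. '5/24'); reject anything else."""
    m = re.fullmatch(r"\s*(\d+)\s*/\s*(\d+)\s*", spec)
    if not m:
        raise ValueError(f"invalid limit {spec!r}: expected <failures>/<hours>")
    return int(m.group(1)), int(m.group(2))

def excessive_su_failures(lines, spec, now, exclude=()):
    """Return {user: (attempts, failed)} for users whose failed su count
    within the last <hours> before `now` exceeds <failures>."""
    limit, hours = parse_limit(spec)
    start = now - timedelta(hours=hours)
    attempts, failed = Counter(), Counter()
    for line in lines:
        m = SULOG.match(line.strip())
        if not m:
            continue  # skip malformed records
        try:
            ts = datetime(now.year, *map(int, m.group(1, 2, 3, 4)))
            if ts > now:  # sulog has no year: a "future" stamp is last year's
                ts = ts.replace(year=now.year - 1)
        except ValueError:
            continue  # impossible calendar date
        user = m.group(7)
        if ts < start or user in exclude:
            continue
        attempts[user] += 1
        if m.group(5) == "-":
            failed[user] += 1
    return {u: (attempts[u], n) for u, n in failed.items() if n > limit}

# Constructed sample records (not taken from a real system)
SAMPLE = """\
SU 12/30 09:00 - pts/3 mallory-root
SU 12/31 22:10 - pts/3 mallory-root
SU 12/31 23:40 - pts/3 mallory-root
SU 01/01 00:05 - pts/3 mallory-root
SU 01/01 00:20 + pts/1 alice-root
SU 01/01 00:30 - pts/1 alice-root
""".splitlines()
```

With `now` set to 01:00 on 1 January, a limit of 2/24 reports mallory (three failures in the period, spanning the year boundary), while 3/24 reports nobody because three failures do not exceed a limit of three.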