Templates and Alerts

Login/Logout Template

Login/Logout

This template generates and forwards the following alert to a response program when an a successful login or logout occurs:

Table A-20

Login/Logout Alert Properties

 

 

 

 

 

 

Response

Alert

Alert

 

 

Program

Field

Alert Value/Format

Description

Field

Argument

Type

 

 

 

 

 

 

 

 

 

 

argv[1]

Template

Integer

7

Unique code

 

code

 

 

assigned to

 

 

 

 

template

 

 

 

 

 

argv[2]

Version

Integer

2

Version of the

 

 

 

 

template

 

 

 

 

 

argv[3]

Severity

Integer

2 for user root or ids and 1 if specified by an

Severity

 

 

 

ip filter property.3 for all other users, and

 

 

 

 

higher (1 or 2) if specified by an ip filter

 

 

 

 

property.

 

 

 

 

 

 

argv[4]

UTC Time

Integer

<secs>

UTC time in

 

 

 

 

number of seconds

 

 

 

 

since epoch when

 

 

 

 

a successful login,

 

 

 

 

logout, or su event

 

 

 

 

occurs.

 

 

 

 

 

argv[5]

<Empty>

n/a

n/a

This field is empty

 

 

 

 

 

argv[6]

<Empty>

n/a

n/a

This field is empty

 

 

 

 

 

argv[7]

Summary

String

"Start of a Successful Login session"

Alert summary

 

 

 

or

 

 

 

 

"End of a Login session"

 

 

 

 

 

 

argv[8]

Details

String

“User <username> logged-in on <pty>

Detailed alert

 

 

 

(REMOTE: <fully qualified host name>

description

 

 

 

<IP address>)

 

 

 

 

or

 

 

 

 

User <username> logged-out from a

 

 

 

 

session on <pty>”

 

 

 

 

 

 

argv[9]

Local

Integer

<secs>

Local time in

 

Time

 

 

number of seconds

 

 

 

 

since epoch when

 

 

 

 

a successful login

 

 

 

 

or logout occurs.

 

 

 

 

 

Appendix A

169

Page 181
Image 181
HP Host Intrusion Detection System (HIDS) manual Table A-20 Login/Logout Alert Properties