Unauthorized Shell Opening
Unauthorized Shell Opening (Unix/Linux)
The following out-of-the-box alert rules are assigned to the (Unix/Linux) Category: UNAUTHORIZED SHELL OPENING.
| Alert Rule | Description |
|---|---|
| Opening a shell by unauthorized application user | An alert is triggered upon detecting a login of an unauthorized application user, such as the apache web server user (which is authorized to run a web server but not to open a shell). |
| Opening an interactive shell by Apache | An alert is triggered upon detecting an interactive shell that is opened by the Apache web server. This rule is an example of a Prevent Rule on login (it catches any executed command). This rule will not trigger any alert until it is activated. |
| Opening root shell using SUDO command | An alert is triggered upon execution of the SUDO command, which allows executing programs with the security privileges of regular users or superusers. |
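The three rules above, expressed as detection logic over constructed process-execution events. This is an added example, not the product's own rule engine: the event fields (`user`, `parent`, `cmd`), the list of service accounts and the `apache_prevent_rule_active` switch are assumptions.

```python
import shlex

# Assumed policy: service accounts allowed to run their daemon but never a shell.
UNAUTHORIZED_SHELL_USERS = {"apache", "www-data"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}

def _base(path):
    return path.rsplit("/", 1)[-1]

def _is_shell(argv):
    return bool(argv) and _base(argv[0]).lstrip("-") in SHELLS

def _is_interactive_shell(argv):
    if not _is_shell(argv):
        return False
    if argv[0].startswith("-") or "-i" in argv[1:]:
        return True  # login shell ("-bash") or explicit -i
    # No -c string and no script argument: the shell will read commands from its stdin.
    return "-c" not in argv[1:] and all(a.startswith("-") for a in argv[1:])

def _is_sudo_root_shell(argv):
    if not argv or _base(argv[0]) != "sudo":
        return False
    rest = argv[1:]
    return "-i" in rest or "-s" in rest or any(_base(a) in SHELLS | {"su"} for a in rest)

def evaluate(event, apache_prevent_rule_active=False):
    """Return the names of the rules above that fire for one process-exec event."""
    argv = shlex.split(event["cmd"])
    fired = []
    if event["user"] in UNAUTHORIZED_SHELL_USERS and _is_shell(argv):
        fired.append("Opening a shell by unauthorized application user")
    # The Apache prevent rule is inactive out of the box, so it must be switched on explicitly.
    if apache_prevent_rule_active and event["parent"] == "httpd" and _is_interactive_shell(argv):
        fired.append("Opening an interactive shell by Apache")
    if _is_sudo_root_shell(argv):
        fired.append("Opening root shell using SUDO command")
    return fired

# Constructed sample events (not real logs): user, parent process name and command line.
SAMPLE_EVENTS = [
    {"user": "apache", "parent": "httpd", "cmd": "/bin/sh -c 'id'"},
    {"user": "apache", "parent": "httpd", "cmd": "/bin/bash -i"},
    {"user": "alice", "parent": "bash", "cmd": "sudo -i"},
    {"user": "alice", "parent": "bash", "cmd": "sudo systemctl restart httpd"},
    {"user": "apache", "parent": "httpd", "cmd": "/usr/sbin/httpd -DFOREGROUND"},
]

def run_samples(apache_prevent_rule_active=False):
    return [evaluate(e, apache_prevent_rule_active) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, run_samples(apache_prevent_rule_active=True)):
        print(f"{event['user']:>7} {event['cmd']:<32} -> {hits or 'no alert'}")
```

Note that the second sample event raises only the first rule until the Apache prevent rule is activated, matching the table's remark that it stays silent out of the box.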