Executed Command - Did What

You can configure conditions for the "Executed Command" option for both alert and prevention type rules on Unix operating systems. Note that for a prevention rule, the "Executed Command" option can be configured based on command name and/or arguments only.

When safeguarding your system against misuse of Unix commands, your privileged users are the riskiest group. Privileged users such as admins, who have both access to and expertise in the Unix operating system, are the user group with the know-how to use commands to steal data, destroy systems, and get away with it. It is therefore extremely important to monitor and alert on Unix commands and on privileged users who may want to perform unauthorized or malicious activities that could adversely affect system security or data.

This topic provides details of usage and scenarios to help you understand how to define alert or prevention rule conditions using the options available in the Executed Command group category in the Did what? section of the Create Alert Rule page. The Executed Command options enable you to generate an alert when a user executes a particular Unix/Linux command on sensitive data, files, directories, paths, user permissions, or system configuration settings.

When defining the values by which to evaluate the condition of an alert rule, you can enter multiple values separated by commas either directly or by clicking the […] icon to open a popup in which you can enter the value. When Lists are supported, you can choose to select a predefined List instead of entering a set of values. You can use Lists to define values for the Command name, Parent name, Top level command, Full path, Argument and Switch options. The operator for the condition also depends on whether you are defining values or Lists; for example, "contains" in "Values mode" would be "contains value from the list" in List mode. For more information, see Understanding the Logic for Defining Rule Conditions.

For general information about defining Did What? conditions, see Defining the "Did What?" Conditions.

The Executed Command group includes the following options for configuring conditions:

For each option, the following are given: its Description, When should I use this option?, and Example Conditions.

Command name (Available for both alert and prevention rules)

Description: The name of the Unix command that the user ran.

When should I use this option? Use this option if you want to be alerted when the user runs a specific Unix command.

Example Conditions: If a Unix user is trying to remove a sensitive directory, you might define the following condition:

"Executed Command: Command name is rm"

Other examples of command names include: su, emacs, tail, cp, sudo, chmod, ...

Parent command (Available for alert rules only)

Description: The name of the parent process.

When should I use this option? Use this option to be alerted when a command is run from another command (identified by its name), or when a command is not run by a specific command.

Example Conditions: Following is an example of the conditions you could define to be alerted if a root shell is opened from unauthorized commands.

"Executed Command: Command name is sh, bash, dash, ksh, csh, ..."

AND "Executed Command: Parent command is not su, sudo, sh, bash, dash, ksh, csh, ..."

AND "Executed Command: Permissions are root (other than own)"

Top level command (Available for alert rules only)

Description: Name of the command that was run from the shell level.

When should I use this option? Use this option to be alerted upon the execution of commands run from within an application running under the shell, such as sudo (top level).

For example, alert upon the execution of external commands from within a text editor run via sudo.

Example Conditions: Following is an example of the conditions you could define to generate an alert if sudo is used to run a script.

"Executed Command: Top level command is sudo"

AND "Executed Command: Parent command is not sudo, sh, bash, dash, ksh, csh, tcsh"

AND "Executed Command: Command name is not empty"

Setuid mode (Available for alert rules only)

Description: Setuid mode detects the running of setuid (identity-changing) commands.

When should I use this option? Use this option to be alerted if an unauthorized setuid program is run, because such a program runs as root and the commands it runs internally will also run as root.

Example Conditions: To ensure that only authorized setuid programs are running on the system, you could define the following condition:

"Executed Command: Command name is not mount, ping, umount, su, passwd, ..."

AND "Executed Command: Setuid mode turned on"

Full path (Available for alert rules only)

Description: The full path of the command (including any command line arguments).

When should I use this option? Use this option if you want to configure an alert based on the explicit path of a command. This option is useful for detecting when a command is run from a specific location.

Example Conditions:

"Executed Command: Full path is /tmp/rm"

Argument (Available for both alert and prevention rules)

Description: The parameter of the Unix command.

When should I use this option? Use this option if you want to configure an alert based on specific command line parameters provided by the user. The Argument option is useful for alerting when a user attempts to perform an action on sensitive file names, directory names, paths, and so on.

Example Conditions: To be alerted if a user uses the su command to switch user to oracle, you might define the following condition:

"Executed Command: Command name is su"

AND "Executed Command: Argument is oracle"

Switch (Available for alert rules only)

Description: The switch (flag) that defines the action of the command.

When should I use this option? The "Switch" option provides more search combinations than the "Argument" option, enabling you to find exactly what you need. For example, if an alert rule is looking for the argument "-r", the Switch option also lets you match "-rf" or "-fr", which extends the range of your search.

Example Conditions: In the case of a user trying to remove a sensitive directory, the following condition might be used:

"Executed Command: Switch is -rf"

Usage examples:

  • Switch is -rf (that is, both switches are on)
  • Switch is -r, -f (that is, either switch is on)
  • Switch is not -r, -f (that is, neither switch is on)

Permissions (Available for alert rules only)

Description: The permissions under which the command is run (relative to the logged-in user name).

Options include:

  • are own
  • other than own
  • are root
  • are root (other than own)

When should I use this option? Use these options if you want to generate an alert if a user tries to switch identity or run commands under a different identity (privilege escalation), for example, running commands under 'root'.

Example Conditions:

  • "Executed Command: Permissions are own" (detects if the user is running commands with the same permissions as the logged-in user).
  • "Executed Command: Permissions other than own" (detects if the user ran commands with user permissions other than those of the logged-in user).
  • "Executed Command: Permissions are root" (detects if the user ran commands as the 'root' user regardless of the user's login credentials).
  • "Executed Command: Permissions are root (other than own)" (detects if a non-'root' user logged in and ran commands with root user permissions).

Current Dir (pwd)

Description: The current dir (pwd). This is the current working location or directory of the user.

When should I use this option? Use this option if you want to generate an alert if a user tries to execute a command from a specific working directory, for example, when a user executes a command from a sensitive location.

Example Conditions:

"Executed Command: Current Dir is dir1, dir2"

On Unix/Linux operating systems, user names, file/directory names, commands, and computer names are all case-sensitive. Unix/Linux alert rules are also case-sensitive.

Example Scenarios

The following scenarios provide some examples of how you can use the Executed Command options to configure rules.

For the purposes of these examples, the frequency of the alert rule is defined as "Once per session", which means that an alert is generated only on the first occurrence of every unique match of the rule in each session.

For each scenario, the following are given: the Alert Rule, its Description, and its Conditions.

Alert Rule: Trigger an alert when a Unix user tries to change credentials to a privileged user.

Description: The user is trying to gain more permissions by using the su or sudo commands, or by running a command that grants root permissions.

Conditions:

"Executed Command: Permissions are root (other than own)"

or "Executed Command: Command name is su, sudo"

Alert Rule: Trigger an alert when a Unix user tries to remove a sensitive directory.

Description: A Unix user is trying to remove a directory containing "observeit" in its name by running the "rm" command with the "-r" or "-f" flags.

Conditions:

"Executed Command: Command name is rm"

and "Executed Command: Argument contains observeit"

and "Executed Command: Switch is -r, -f"

Alert Rule: Trigger an alert when a new user is added with root permissions.

Description: A remote contractor with root permissions creates a new user account with userid=0.

Conditions:

"Executed Command: Command name is useradd" (that is, create a new user)

and "Executed Command: Switch is -o" (that is, allow a duplicate user ID)

and "Executed Command: Switch is -u" (that is, user ID)

and "Executed Command: Argument is 0" (that is, assign root permissions)
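As an added example, not the product's own code or rule engine, the following Python models the Switch semantics given under the Switch option above and evaluates the three scenario rules against constructed process events. The event schema, the rule names and the sample users are assumptions made for the illustration.

```python
import re
import shlex
SWITCH_RE = re.compile(r"-[A-Za-z]+")  # short switches only, e.g. -rf

def parse_switches(argv):
    """Single-letter flags from short switches: ['-rf'] -> {'r', 'f'}."""
    return {c for tok in argv if SWITCH_RE.fullmatch(tok) for c in tok[1:]}

def make_event(login_user, effective_user, cmdline):
    """Constructed process event (hypothetical schema, not the product's)."""
    argv = shlex.split(cmdline)
    return {"login_user": login_user, "effective_user": effective_user,
            "command": argv[0], "switches": parse_switches(argv[1:]),
            "arguments": [t for t in argv[1:] if not SWITCH_RE.fullmatch(t)]}

# Page semantics: "-rf" = both switches on; "-r, -f" = either on; "not -r, -f" = neither on.
def switch_is_all(event, spec):
    return set(spec.lstrip("-")) <= event["switches"]
def switch_is_any(event, specs):
    return any(switch_is_all(event, s) for s in specs)
def switch_is_not(event, specs):
    return not switch_is_any(event, specs)

def permissions_root_other_than_own(event):  # non-root login running as root
    return event["effective_user"] == "root" and event["login_user"] != "root"

def rule_privilege_change(e):
    """Scenario 1: permissions are root (other than own) OR command name is su, sudo."""
    return permissions_root_other_than_own(e) or e["command"] in {"su", "sudo"}

def rule_remove_sensitive_dir(e):
    """Scenario 2: rm with -r or -f on an argument containing 'observeit'."""
    return (e["command"] == "rm" and switch_is_any(e, ["-r", "-f"])
            and any("observeit" in a for a in e["arguments"]))

def rule_root_user_added(e):
    """Scenario 3: useradd with switches -o and -u and argument 0 (duplicate UID 0)."""
    return (e["command"] == "useradd" and switch_is_all(e, "-o")
            and switch_is_all(e, "-u") and "0" in e["arguments"])

def evaluate(event):
    """Names of the scenario rules the event matches (case-sensitive, as on Unix)."""
    rules = {"privilege_change": rule_privilege_change,
             "remove_sensitive_dir": rule_remove_sensitive_dir,
             "root_user_added": rule_root_user_added}
    return [name for name, rule in rules.items() if rule(event)]
```

Because the rules match on the parsed command name and switches rather than on the raw command line, a "Switch is -r, -f" condition fires for "-rf", "-fr" and "-r" alike, which is the widening the Switch option describes.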