IDMEF User Zoom
The User Class
The User class is used to describe users. It is primarily used as a "container" class for the UserId aggregate class.
The aggregate class contained in User is:
- UserId: One or more. Identification of a user, as indicated by its type attribute.
The User class has two attributes:
- ident: Optional. A unique identifier for the user.
- category: Optional. The type of user represented. The permitted values for this attribute are shown below. The default value is "unknown".

| Rank | Keyword | Description |
|------|---------|-------------|
| 0 | unknown | User type unknown |
| 1 | application | An application user |
| 2 | os-device | An operating system or device user |
The UserId Class
The UserId class provides specific information about a user. More than one UserId can be used within the User class to indicate attempts to transition from one user to another, or to provide complete information about a user's (or process') privileges.
The UserId class is composed of two aggregate classes:
- name: Zero or one. STRING. A user or group name.
- number: Zero or one. INTEGER. A user or group number.
The UserId class has three attributes:
- ident: Optional. A unique identifier for the user id, see Section 3.2.9.
- type: Optional. The type of user information represented. The permitted values for this attribute are shown below. The default value is "original-user".

| Rank | Keyword | Description |
|------|---------|-------------|
| 0 | current-user | The current user id being used by the user or process. On Unix systems, this would be the "real" user id, in general. |
| 1 | original-user | The actual identity of the user or process being reported on. On those systems that (a) do some type of auditing and (b) support extracting a user id from the "audit id" token, that value should be used. On those systems that do not support this, and where the user has logged into the system, the "login id" should be used. |
| 2 | target-user | The user id the user or process is attempting to become. This would apply, on Unix systems for example, when the user attempts to use "su", "rlogin", "telnet", etc. |
| 3 | user-privs | Another user id the user or process has the ability to use, or a user id associated with a file permission. On Unix systems, this would be the "effective" user id in a user or process context, and the owner permissions in a file context. Multiple UserId elements of this type may be used to specify a list of privileges. |
| 4 | current-group | The current group id (if applicable) being used by the user or process. On Unix systems, this would be the "real" group id, in general. |
| 5 | group-privs | Another group id the group or process has the ability to use, or a group id associated with a file permission. On Unix systems, this would be the "effective" group id in a group or process context, and the group permissions in a file context. On BSD-derived Unix systems, multiple UserId elements of this type would be used to include all the group ids on the "group list". |
| 6 | other-privs | Not used in a user, group, or process context, only used in the file context. The file permissions assigned to users who do not match either the user or group permissions on the file. On Unix systems, this would be the "world" permissions. |

- tty: Optional. STRING. The tty the user is using.
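As an added example (not code from this page or from any IDMEF implementation), the following Python reads a User element carrying two UserId children, applies the defaults given above ("unknown" for category, "original-user" for type), rejects keywords outside the two enumerations, and pairs a current-user with a target-user to expose the privilege transition the alert records. The sample fragment is constructed for the example and omits the IDMEF namespace prefix for brevity.

```python
import xml.etree.ElementTree as ET

# Permitted keywords, taken from the two tables above.
USER_CATEGORIES = {"unknown", "application", "os-device"}
USERID_TYPES = {"current-user", "original-user", "target-user", "user-privs",
                "current-group", "group-privs", "other-privs"}

# Constructed sample: a user "joe" on pts/2 attempting to become root.
SAMPLE_USER = """
<User category="os-device">
  <UserId type="current-user" tty="pts/2"><name>joe</name><number>1001</number></UserId>
  <UserId type="target-user"><name>root</name><number>0</number></UserId>
</User>
"""

def parse_user(user_el):
    """Return a dict view of a <User> element, with defaults applied and
    enumerations enforced. Raises ValueError on malformed input."""
    category = user_el.get("category", "unknown")        # default per the table
    if category not in USER_CATEGORIES:
        raise ValueError(f"bad User category: {category!r}")
    ids = []
    for uid in user_el.findall("UserId"):
        utype = uid.get("type", "original-user")         # default per the table
        if utype not in USERID_TYPES:
            raise ValueError(f"bad UserId type: {utype!r}")
        number = uid.findtext("number")
        ids.append({
            "type": utype,
            "name": uid.findtext("name"),                # STRING, zero or one
            "number": int(number) if number is not None else None,  # INTEGER
            "tty": uid.get("tty"),
        })
    if not ids:                                          # User needs one or more UserId
        raise ValueError("User must contain at least one UserId")
    return {"category": category, "ids": ids}

def parse_user_xml(text):
    """Convenience wrapper: parse from an XML string."""
    return parse_user(ET.fromstring(text))

def privilege_transition(user):
    """Return (from, to) when the alert pairs a current-user with a
    target-user, otherwise None. Prefers the name, falls back to the number."""
    by_type = {u["type"]: u for u in user["ids"]}
    cur, tgt = by_type.get("current-user"), by_type.get("target-user")
    if cur is None or tgt is None:
        return None
    label = lambda u: u["name"] if u["name"] is not None else u["number"]
    return (label(cur), label(tgt))
```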