HIPS/3/UNAUTHORIZEDROOTUSER

Message

HIPS/3/UNAUTHORIZEDROOTUSER: An unauthorized root user has been detected. (eventCategory=[event-category], occurTime=[occurTime], result=[result], unauthorizedUser=[unauthorizedUser], gid=[gid], home=[home], shell=[shell], uid=[uid], slot=[slot], card=[card], cpu=[cpu], barcode=[barcode])

In VS mode, this log is supported only by the admin VS.

Description

The UID of a non-root user is 0. UID 0 is reserved for the root user, and non-root users whose UID is 0 are considered as insecure behavior in the industry. If this situation exists in the system, it is likely to be suspected as malicious behavior.

Parameters

Parameter Name Parameter Meaning

event-category

Event classification:

1016: NE intrusion alarm

occurTime

Time when the event occurs.

result

Result.

unauthorizedUser

Unauthorized user.

gid

User group ID.

home

Home path of an unauthorized user.

shell

Shell path of an unauthorized user.

uid

User ID.

slot

Slot ID.

card

Subcard ID.

cpu

CPU ID.

barcode

Barcode that uniquely identifies a board.

Possible Causes

A non-root user whose UID is 0 exists in the system.

Procedure

Isolate the device from the network immediately and submit the log information to Huawei engineers for analysis.

Parent Topic: HIPS
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >