privilege escalation log parsing
When i check a privilege escalation log for a unix machine in Event reconstruction Tab under log view i can it as "su: from root to abcd at /dev/tty??
but when i check the same in the meta view the account abcd in categorized in user.src and root in user.dst
which one is correct is it "root to abcd" or "abcd to root"??
and how does the account in from (from the log view) went to destination user field?
- Community Thread
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
So if this is an RSA supported parser (which i'm assuming it is), you will have to get used to their sense of user context.
Currently, RSA has a concept of Client User and User. Where Client user is mapped to “user.src” and the actual user performing the action is always mapped to “user.dst”. They don’t have an independent concept for user and new user. So in your example, contextually it should be switched around to logically make sense.... the user originating the action (root) should be user.src, whereas the user being targeted of the action (abcd) should be user.dst....this is not the case.