Security, OAM User Privilege Raise To Root Failed

Ericsson Centralized User Database

1 Introduction

This document provides the description and troubleshooting steps to take for the Security, OAM User Privilege Raise To Root Failed alarm.

1.1 Alarm Description

This alarm is raised when an Operation and Maintenance (OAM) user enters an unsuccessful su or sudo command to root.

The possible alarm causes and the corresponding fault reasons, fault locations, and impacts are described in Table 1.

Table 1 Alarm Causes
Alarm Cause	Description	Fault Reason	Fault Location	Impact
A user has unsuccessfully tried to increase their access permissions to root using `su` or `sudo` command.	Authorization Fault.	An OAM user has unsuccessfully tried to increase their access permissions to root using `su` or `sudo` command.	Operating System.	OAM user is not authorized to increase their access permissions.

The alarm attributes are listed and explained in Table 2.

Table 2 Alarm Attributes
Attribute Name	Attribute Value
Auto Cease	`No`
Module	`SECURITY(11)`
Error Code	`6`
Timestamp First	Date and time when the alarm was raised for the first time.
Repeated Counter	Number which indicates how many times the alarm was raised.
Timestamp Last	Date and time of the most recent alarm raised.
Resource ID	`.1.3.6.1.4.1.193.169.11.6.`IP`.<usernameLength>.<usernameASCIICode>`
Alarm Model Description	`OAM User Privilege Raise To Root Failed, Security.`
Alarm Active Description	`Security: OAM User Privilege Raise To Root Failed @`<IP> `by user` `<username>`
ITU Alarm Event Type	`securityServiceOrMechanismViolation (10)`
ITU Alarm Probable Cause	`authenticationFailure (600)`
ITU Alarm Perceived Severity	`(6) – Warning`
Originating Source IP	Node IP where the alarm was raised.
Sequence Number	Number which indicates the order in which alarms were raised.

In Table 2, the indicated variables are as follows:

<usernameLength>: The number of characters in the user name.
<usernameASCIICode>: A series of dot-separated numbers where each number corresponds to the ASCII code of each character in the user name. For example:
79.97.109.85.115.101.114 stands for OamUser.
<IP>: The IP address of the blade or Virtual Machine (VM), where user privilege raise to root was attempted.
<username>: The name of the user in text.

For more information about attribute descriptions, refer to the Alarm Format and Description section of CUDB Node Fault Management Configuration Guide, Reference [1].

This section provides information on the documents, tools and conditions that apply to the procedure.

Before starting this procedure, ensure that you have read the following documents:

Not applicable.

Not applicable.

If the alarm is raised, perform the following steps:

Make backup copies of the log files to preserve evidence of the (attempted) intrusion.
Examine the security log file to determine the source of the intrusion. For more information about logging information in CUDB, refer to CUDB Node Logging Events, Reference [2].
If the log file analysis indicates that an unauthorized operation was successful, seek further advice in order to secure the system again. For more information about security configuration in CUDB, refer to CUDB Security and Privacy Management, Reference [3].
Once system security has been reestablished, manually clear the alarm according to the procedure described in CUDB Node Fault Management Configuration Guide, Reference [1] .

Further actions are outside the scope of this Operating Instruction.

For the terms, definitions, acronyms and abbreviations used in this document, refer to CUDB Glossary of Terms And Acronyms, Reference [4].

CUDB Documents
[1] CUDB Node Fault Management Configuration Guide.
[2] CUDB Node Logging Events.
[3] CUDB Security and Privacy Management.
[4] CUDB Glossary of Terms and Acronyms.

Other Ericsson Documents
[5] System Safety Information.
[6] Personal Health and Safety Information.