OS User Chaining
- Last Updated: Mar 14, 2025
Note: This section is relevant only for the database SecureSphere Agent.
The SecureSphere Agent tracks the chain of OS users, so that if a local user logs in with one OS user name and then performs a series of "identity changes" through the use of the su command, the SecureSphere Agent will include the chain of user names and the remote login IP address in the audit record. Also, the remote login IP address will be reported as the source IP address instead of the fictitious IP address defined in the Fictitious Network Parameters section of the Settings tab (see General Settings - Fictitious Network Parameters Section).
The OS user chain is available as a match criterion for use in security, data enrichment and audit policies.
In audit policies, the Source of Activity match criterion can be used to specify the source IP address.
In a policy’s Match Criteria tab, you can specify the OS user chain as a match criterion. If the selected OS user’s name is present anywhere in the chain, the match is successful.
In an audit policy’s Settings tab, you can specify the OS user chain as an index field. For more information, see Configuring General Audit Policy Settings.
EXAMPLE:
For example, suppose a non-Windows user enters the following commands (passwords have been omitted for clarity):
In Windows, the same effect could be achieved using Remote Desktop.
Non-Windows SecureSphere Agents report the entire chain, for example, "root > bob > alice > charlie". Windows SecureSphere Agents report only the first and last user names in the chain.
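The following is an added, constructed model of the behaviour described above; it is not SecureSphere Agent code. It builds an OS user chain from a remote login followed by su identity changes, renders the chain the way the page says non-Windows and Windows agents report it (full chain versus first and last names only), evaluates the "user present anywhere in the chain" match criterion, and emits an audit record whose source IP is the remote login address rather than a fictitious one. The user names, IP addresses and function names are assumptions for illustration.

```python
"""Constructed illustration of OS user chaining (not SecureSphere code)."""

from dataclasses import dataclass, field


@dataclass
class Session:
    # IP address of the remote login; reported as the audit source IP
    remote_ip: str
    # Ordered list of OS user names, starting with the login user
    chain: list = field(default_factory=list)


def start_session(login_user: str, remote_ip: str) -> Session:
    """Begin a session for the user who logged in from remote_ip."""
    return Session(remote_ip=remote_ip, chain=[login_user])


def switch_user(session: Session, new_user: str) -> Session:
    """Record an identity change such as `su new_user` on the session."""
    session.chain.append(new_user)
    return session


def render_chain(session: Session, windows: bool = False) -> str:
    """Non-Windows agents report the whole chain; Windows agents report
    only the first and last user names (per the page's description)."""
    if windows and len(session.chain) > 2:
        return f"{session.chain[0]} > {session.chain[-1]}"
    return " > ".join(session.chain)


def matches_os_user(session: Session, os_user: str) -> bool:
    """Policy match criterion: true if os_user appears anywhere in the chain."""
    return os_user in session.chain


def audit_record(session: Session, windows: bool = False) -> dict:
    """Audit record carrying the real remote IP, not a fictitious address."""
    return {
        "source_ip": session.remote_ip,
        "os_user_chain": render_chain(session, windows),
    }


if __name__ == "__main__":
    # Constructed scenario: remote login as root, then su to bob, alice, charlie
    s = start_session("root", "10.0.0.5")
    for user in ("bob", "alice", "charlie"):
        switch_user(s, user)
    print(audit_record(s))                 # non-Windows: full chain
    print(audit_record(s, windows=True))   # Windows: first and last only
    print(matches_os_user(s, "alice"))     # match anywhere in the chain
```

Matching on any position in the chain is what lets a policy keyed on "alice" still fire when the session ends as "charlie"; when writing policies for Windows agents, remember that intermediate names are not reported, so a criterion on "alice" would not match the Windows-style rendering.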