Erinevus lehekülje "Ics0020-task2" redaktsioonide vahel
3. rida: | 3. rida: | ||
=== Write a SEC rule that meets the following requirements: === | === Write a SEC rule that meets the following requirements: === | ||
− | 1) Detect an event where user X fails to change his ID to some other user Y with the /bin/su command in terminal Z | + | 1) Detect an event where user X fails to change his ID to some other user Y with the /bin/su command in terminal Z. |
2) If after the initial failure the user X does not manage to successfully change his ID to user Y within 10 seconds with the /bin/su command, send a warning e-mail to root@localhost which contains usernames X and Y, and terminal name Z. After the warning e-mail has been sent, any further e-mails for the user X must be suppressed for 2 hours. | 2) If after the initial failure the user X does not manage to successfully change his ID to user Y within 10 seconds with the /bin/su command, send a warning e-mail to root@localhost which contains usernames X and Y, and terminal name Z. After the warning e-mail has been sent, any further e-mails for the user X must be suppressed for 2 hours. | ||
− | 3) If after the initial failure the user X manages to change his ID to user Y within 10 seconds with the /bin/su command, write a message to syslog which contains usernames X and Y, and terminal name Z | + | 3) If after the initial failure the user X manages to change his ID to user Y within 10 seconds with the /bin/su command, write a message to syslog which contains usernames X and Y, and terminal name Z. |
For example, if the following two events are observed, the user student has managed to change his ID to student2 within 3 seconds after the initial failure at 12:08:59 in terminal pts/0: | For example, if the following two events are observed, the user student has managed to change his ID to student2 within 3 seconds after the initial failure at 12:08:59 in terminal pts/0: | ||
− | Nov 5 12:08:59 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/0 ruser=student rhost= user=student2 | + | Nov 5 12:08:59 localhost su: pam_unix(su:auth): authentication failure; |
+ | logname=student uid=1000 euid=0 tty=pts/0 ruser=student rhost= user=student2 | ||
Nov 5 12:09:02 localhost su: pam_unix(su:session): session opened for user student2 by student(uid=1000) | Nov 5 12:09:02 localhost su: pam_unix(su:session): session opened for user student2 by student(uid=1000) | ||
18. rida: | 19. rida: | ||
For example, if the following events are observed, the user bob did not manage to change his ID to root within 10 seconds after the initial failure at 12:06:46: | For example, if the following events are observed, the user bob did not manage to change his ID to root within 10 seconds after the initial failure at 12:06:46: | ||
− | Nov 5 12:06:46 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/0 ruser=bob rhost= user=root | + | Nov 5 12:06:46 localhost su: pam_unix(su:auth): authentication failure; |
+ | logname=bob uid=1001 euid=0 tty=pts/0 ruser=bob rhost= user=root | ||
Nov 5 12:07:14 localhost su: pam_unix(su:session): session opened for user root by bob(uid=1001) | Nov 5 12:07:14 localhost su: pam_unix(su:session): session opened for user root by bob(uid=1001) | ||
Therefore, a warning e-mail with the following text should be sent to root@localhost at 12:06:57: "User bob failed to switch to root after initial failure at terminal pts/0" After the mail has been sent, no further warning e-mails about user bob must be sent during 2 hours. | Therefore, a warning e-mail with the following text should be sent to root@localhost at 12:06:57: "User bob failed to switch to root after initial failure at terminal pts/0" After the mail has been sent, no further warning e-mails about user bob must be sent during 2 hours. |
Redaktsioon: 5. november 2018, kell 09:15
This homework assignment requires the knowledge from Module 6 and Module 7.
Write a SEC rule that meets the following requirements:
1) Detect an event where user X fails to change his ID to some other user Y with the /bin/su command in terminal Z.
2) If after the initial failure the user X does not manage to successfully change his ID to user Y within 10 seconds with the /bin/su command, send a warning e-mail to root@localhost which contains usernames X and Y, and terminal name Z. After the warning e-mail has been sent, any further e-mails for the user X must be suppressed for 2 hours.
3) If after the initial failure the user X manages to change his ID to user Y within 10 seconds with the /bin/su command, write a message to syslog which contains usernames X and Y, and terminal name Z.
For example, if the following two events are observed, the user student has managed to change his ID to student2 within 3 seconds after the initial failure at 12:08:59 in terminal pts/0:
Nov 5 12:08:59 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/0 ruser=student rhost= user=student2 Nov 5 12:09:02 localhost su: pam_unix(su:session): session opened for user student2 by student(uid=1000)
Therefore, the following event should be written to syslog: "User student switched to student2 after initial failure at terminal pts/0"
For example, if the following events are observed, the user bob did not manage to change his ID to root within 10 seconds after the initial failure at 12:06:46:
Nov 5 12:06:46 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/0 ruser=bob rhost= user=root Nov 5 12:07:14 localhost su: pam_unix(su:session): session opened for user root by bob(uid=1001)
Therefore, a warning e-mail with the following text should be sent to root@localhost at 12:06:57: "User bob failed to switch to root after initial failure at terminal pts/0" After the mail has been sent, no further warning e-mails about user bob must be sent during 2 hours.