Difference between revisions of "Ics0020-task2"
Revision as of 5 November 2018, 10:47
This homework assignment requires the knowledge from Module 6 and Module 7.
Write a SEC rule that meets the following requirements:
1) Detect an event where user X fails to change his ID to some other user Y with the /bin/su command.
2) If after the initial failure the user X does not manage to successfully change his ID to user Y within 10 seconds with the /bin/su command, send a warning e-mail to root@localhost which contains usernames X and Y. After the warning e-mail has been sent, any further e-mails for the user X must be suppressed for 2 hours (potential future warning e-mails for other users must *not* be suppressed).
3) If after the initial failure the user X manages to change his ID to user Y within 10 seconds with the /bin/su command, write a message to syslog which contains usernames X and Y.
For example, if the following events are observed, the user student has managed to change his ID to student2 three seconds after the initial failure at 12:08:59:
Nov  5 12:08:59 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/0 ruser=student rhost=  user=student2
Nov  5 12:09:01 localhost sshd[1236]: Accepted password for root from 192.168.56.1 port 54306 ssh2
Nov  5 12:09:01 localhost sshd[1236]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov  5 12:09:02 localhost su: pam_unix(su:session): session opened for user student2 by student(uid=1000)
Therefore, the following event should be written to syslog: User student successfully switched to student2 after initial failure.
For example, if the following events are observed, the user bob did not manage to change his ID to root within ten seconds after the initial failure at 12:06:46:
Nov  5 12:06:46 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Nov  5 12:06:50 localhost sshd[1260]: Accepted password for james from 192.168.56.1 port 54442 ssh2
Nov  5 12:06:50 localhost sshd[1260]: pam_unix(sshd:session): session opened for user james by (uid=0)
Nov  5 12:06:59 localhost sshd[1260]: Received disconnect from 192.168.56.1 port 54442:11: disconnected by user
Nov  5 12:06:59 localhost sshd[1260]: Disconnected from 192.168.56.1 port 54442
Nov  5 12:06:59 localhost sshd[1260]: pam_unix(sshd:session): session closed for user james
Therefore, a warning e-mail with the following text should be sent to root@localhost at 12:06:57: User bob failed to switch to root during 10 seconds. After the mail has been sent, no further warning e-mails about user bob must be sent during 2 hours.
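In SEC terms, requirements 1 and 3 map onto a PairWithWindow rule (the failure opens a 10-second window that a matching "session opened" event closes), and requirement 2 onto a SingleWithSuppress rule keyed on user X alone so that the 2-hour suppression never hides e-mails about other users. The following Python script is an added illustration of that correlation logic; it is not part of the assignment and not a SEC rule file. It embeds the two log excerpts above as constructed sample input (the year 2018 is assumed, since syslog timestamps carry none) and records the actions it would take instead of calling mail or logger.

```python
import re
from datetime import datetime, timedelta

# The two su events the assignment cares about: the pam_unix auth failure
# (ruser=X ... user=Y) and the su session opening that marks a successful switch.
FAIL_RE = re.compile(
    r"su: pam_unix\(su:auth\): authentication failure; .*\bruser=(\S+) rhost=\S* +user=(\S+)"
)
OPEN_RE = re.compile(
    r"su: pam_unix\(su:session\): session opened for user (\S+) by (\S+)\(uid=\d+\)"
)
TS_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) ")


def parse_ts(line, year=2018):
    """Parse the classic syslog timestamp; the year is assumed (2018 fits the sample)."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError("no syslog timestamp: " + line)
    return datetime.strptime(f"{year} {m[1]} {m[2]} {m[3]}", "%Y %b %d %H:%M:%S")


class SuCorrelator:
    """Model of PairWithWindow (10 s) followed by SingleWithSuppress (2 h, keyed on X)."""

    WINDOW = timedelta(seconds=10)
    SUPPRESS = timedelta(hours=2)

    def __init__(self):
        self.pending = {}     # (X, Y) -> time of the first failure whose window is open
        self.suppressed = {}  # X -> time until which no further e-mail about X goes out
        self.actions = []     # ("syslog" | "mail", message) in the order they would fire

    def expire(self, now):
        """Close windows older than 10 s: the 'no success within 10 seconds' branch."""
        for (x, y), t0 in sorted(self.pending.items(), key=lambda kv: kv[1]):
            if now - t0 > self.WINDOW:
                del self.pending[(x, y)]
                until = self.suppressed.get(x)
                if until is not None and now < until:
                    continue  # requirement 2: further e-mails about X are suppressed
                self.suppressed[x] = now + self.SUPPRESS
                self.actions.append(("mail", f"User {x} failed to switch to {y} during 10 seconds"))

    def process(self, line):
        now = parse_ts(line)
        self.expire(now)  # event-driven clock: close stale windows before matching
        m = FAIL_RE.search(line)
        if m:
            # requirement 1: remember the first failure for this (X, Y) pair only
            self.pending.setdefault((m[1], m[2]), now)
            return
        m = OPEN_RE.search(line)
        if m:
            y, x = m[1], m[2]
            t0 = self.pending.pop((x, y), None)
            if t0 is not None and now - t0 <= self.WINDOW:  # requirement 3
                self.actions.append(
                    ("syslog", f"User {x} successfully switched to {y} after initial failure")
                )

    def run(self, lines, end_time):
        """Feed lines in order, then close any windows still open at end_time."""
        for line in lines:
            self.process(line)
        self.expire(end_time)
        return self.actions


# Constructed sample input, copied from the two log excerpts in the assignment.
SAMPLE_SUCCESS = [
    "Nov  5 12:08:59 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/0 ruser=student rhost=  user=student2",
    "Nov  5 12:09:01 localhost sshd[1236]: Accepted password for root from 192.168.56.1 port 54306 ssh2",
    "Nov  5 12:09:01 localhost sshd[1236]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "Nov  5 12:09:02 localhost su: pam_unix(su:session): session opened for user student2 by student(uid=1000)",
]
SAMPLE_FAILURE = [
    "Nov  5 12:06:46 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost=  user=root",
    "Nov  5 12:06:50 localhost sshd[1260]: Accepted password for james from 192.168.56.1 port 54442 ssh2",
    "Nov  5 12:06:50 localhost sshd[1260]: pam_unix(sshd:session): session opened for user james by (uid=0)",
    "Nov  5 12:06:59 localhost sshd[1260]: Received disconnect from 192.168.56.1 port 54442:11: disconnected by user",
    "Nov  5 12:06:59 localhost sshd[1260]: Disconnected from 192.168.56.1 port 54442",
    "Nov  5 12:06:59 localhost sshd[1260]: pam_unix(sshd:session): session closed for user james",
]

if __name__ == "__main__":
    for kind, msg in SuCorrelator().run(SAMPLE_SUCCESS, parse_ts("Nov  5 12:09:30 localhost -")):
        print(kind, msg)
    for kind, msg in SuCorrelator().run(SAMPLE_FAILURE, parse_ts("Nov  5 12:07:10 localhost -")):
        print(kind, msg)
```

One difference from SEC is worth noting: SEC runs on wall-clock time, so in the bob example the e-mail fires at 12:06:57 as the assignment states, whereas this model only advances time when an event arrives or `expire()` is called explicitly, so the same message fires when the 12:06:59 sshd line is read. The suppression key is the user name X alone; keying it on the (X, Y) pair would let a second e-mail about bob slip through for a different target user, which requirement 2 forbids.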