Difference between revisions of "Ics0020-task2"
| Line 17: | Line 17: | ||
|   Nov  5 12:09:02 localhost su: pam_unix(su:session): session opened for user '''student2''' by '''student'''(uid=1000) |   Nov  5 12:09:02 localhost su: pam_unix(su:session): session opened for user '''student2''' by '''student'''(uid=1000) | ||
| − | Therefore, the following event should be written to syslog: '''User student successfully switched to student2 after initial failure'''. | + | Therefore, the following event should be written to syslog at 12:09:02: '''User student successfully switched to student2 after initial failure'''. | 
| − | For example, if the following events are observed, the user '''bob''' did not manage to change his ID to '''root''' within ten seconds after the initial failure at 12:06:46   | + | For example, if the following events are observed, the user '''bob''' did not manage to change his ID to '''root''' within ten seconds after the initial failure at 12:06:46.  | 
| − | + | On the other hand, the user '''bob''' has managed to change his ID to '''student''' one seconds after the initial failure at 12:06:51: | |
|   Nov  5 12:06:46 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser='''bob''' rhost=  user='''root''' |   Nov  5 12:06:46 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser='''bob''' rhost=  user='''root''' | ||
|   Nov  5 12:06:50 localhost sshd[1260]: Accepted password for james from 192.168.56.1 port 54442 ssh2 |   Nov  5 12:06:50 localhost sshd[1260]: Accepted password for james from 192.168.56.1 port 54442 ssh2 | ||
|   Nov  5 12:06:50 localhost sshd[1260]: pam_unix(sshd:session): session opened for user james by (uid=0) |   Nov  5 12:06:50 localhost sshd[1260]: pam_unix(sshd:session): session opened for user james by (uid=0) | ||
| − |   Nov  5 12:06:52 localhost su: pam_unix(su:session): session opened for user student by bob(uid=1001) | + |  Nov  5 12:06:51 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/2 ruser='''bob''' rhost=  user='''student''' | 
| + |   Nov  5 12:06:52 localhost su: pam_unix(su:session): session opened for user '''student''' by '''bob'''(uid=1001) | ||
|   Nov  5 12:06:59 localhost sshd[1260]: Received disconnect from 192.168.56.1 port 54442:11: disconnected by user |   Nov  5 12:06:59 localhost sshd[1260]: Received disconnect from 192.168.56.1 port 54442:11: disconnected by user | ||
|   Nov  5 12:06:59 localhost sshd[1260]: Disconnected from 192.168.56.1 port 54442 |   Nov  5 12:06:59 localhost sshd[1260]: Disconnected from 192.168.56.1 port 54442 | ||
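Review bot: the added 12:06:51 authentication failure (bob to student on tty=pts/2) starts while the 12:06:46 failure (bob to root on tty=pts/1) is still inside its 10-second window, so this example now exercises the "several failures in parallel" case the hints describe; it would help to say so in the prose next to the example. The same revised sentence also reads "one seconds after the initial failure", which should be "one second".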
| Line 32: | Line 33: | ||
| Therefore, a warning e-mail with the following text should be sent to root@localhost at 12:06:57: '''User bob failed to switch to root during 10 seconds'''.   | Therefore, a warning e-mail with the following text should be sent to root@localhost at 12:06:57: '''User bob failed to switch to root during 10 seconds'''.   | ||
| After the mail has been sent, no further warning e-mails about user '''bob''' must be sent during 2 hours. | After the mail has been sent, no further warning e-mails about user '''bob''' must be sent during 2 hours. | ||
| + | Also, the following event should be written to syslog at 12:06:52: '''User bob successfully switched to student after initial failure'''. | ||
| + | |||
| + | Some hints for accomplishing this assignment: | ||
| + | - consider PairWithWindow rule for addressing the assignment, | ||
| + | - the solution must be able to handle several /bin/su authentication failures in parallel (for achieving that, set the '''desc''' field of the rule accordingly) | ||
| + | |||
| + | Apart from studying the examples from the course slides, have a look at the SEC man page (installed at the virtual machines or found at http://simple-evcorr.github.io/man.html). | ||
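Review bot: the second hint ("set the desc field of the rule accordingly") is left open, yet the new 12:06:52 syslog sentence and the 12:06:57 e-mail sentence concern the same user bob with two overlapping windows to different target users; the hint should state that the desc field has to distinguish both the source user X and the target user Y, otherwise bob's second failure would be folded into the pending first one and the expected e-mail would never be produced.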
Revision as of 5 November 2018, 11:13
This homework assignment requires the knowledge from Module 6 and Module 7.
Write a SEC rule that meets the following requirements:
1) Detect an event where user X fails to change his ID to some other user Y with the /bin/su command.
2) If after the initial failure the user X does not manage to successfully change his ID to user Y within 10 seconds with the /bin/su command, send a warning e-mail to root@localhost which contains usernames X and Y. After the warning e-mail has been sent, any further e-mails for the user X must be suppressed for 2 hours (potential future warning e-mails for other users must *not* be suppressed).
3) If after the initial failure the user X manages to change his ID to user Y within 10 seconds with the /bin/su command, write a message to syslog which contains usernames X and Y.
For example, if the following events are observed, the user student has managed to change his ID to student2 three seconds after the initial failure at 12:08:59:
 Nov  5 12:08:59 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/0 ruser=student rhost=  user=student2
 Nov  5 12:09:01 localhost sshd[1236]: Accepted password for root from 192.168.56.1 port 54306 ssh2
 Nov  5 12:09:01 localhost sshd[1236]: pam_unix(sshd:session): session opened for user root by (uid=0)
 Nov  5 12:09:02 localhost su: pam_unix(su:session): session opened for user student2 by student(uid=1000)
Therefore, the following event should be written to syslog at 12:09:02: User student successfully switched to student2 after initial failure.
For example, if the following events are observed, the user bob did not manage to change his ID to root within ten seconds after the initial failure at 12:06:46. On the other hand, the user bob has managed to change his ID to student one second after the initial failure at 12:06:51:
 Nov  5 12:06:46 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost=  user=root
 Nov  5 12:06:50 localhost sshd[1260]: Accepted password for james from 192.168.56.1 port 54442 ssh2
 Nov  5 12:06:50 localhost sshd[1260]: pam_unix(sshd:session): session opened for user james by (uid=0)
 Nov  5 12:06:51 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/2 ruser=bob rhost=  user=student
 Nov  5 12:06:52 localhost su: pam_unix(su:session): session opened for user student by bob(uid=1001)
 Nov  5 12:06:59 localhost sshd[1260]: Received disconnect from 192.168.56.1 port 54442:11: disconnected by user
 Nov  5 12:06:59 localhost sshd[1260]: Disconnected from 192.168.56.1 port 54442
 Nov  5 12:06:59 localhost sshd[1260]: pam_unix(sshd:session): session closed for user james
Therefore, a warning e-mail with the following text should be sent to root@localhost at 12:06:57: User bob failed to switch to root during 10 seconds. After the mail has been sent, no further warning e-mails about user bob must be sent during 2 hours. Also, the following event should be written to syslog at 12:06:52: User bob successfully switched to student after initial failure.
Some hints for accomplishing this assignment:
- consider PairWithWindow rule for addressing the assignment,
- the solution must be able to handle several /bin/su authentication failures in parallel (for achieving that, set the desc field of the rule accordingly)
Apart from studying the examples from the course slides, have a look at the SEC man page (installed at the virtual machines or found at http://simple-evcorr.github.io/man.html).
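The following SEC rule set is an added illustration of how the three requirements map onto the hinted PairWithWindow rule; it is not part of the assignment page or the course material. The synthetic event name SU_FAILED_TIMEOUT, the logger tag sec and the mail subject are my own choices, and the per-user 2-hour suppression is delegated to a SingleWithSuppress rule fed by that synthetic event.

```ini
# Rule 1: one operation per (X, Y) pair; wait up to 10 s for the matching su success.
type=PairWithWindow
ptype=RegExp
pattern=su: pam_unix\(su:auth\): authentication failure; .*ruser=(\S+) rhost=\S* +user=(\S+)
# desc contains both X ($1) and Y ($2), so bob->root and bob->student are
# tracked as separate operations and can run in parallel
desc=su failure by $1 to $2
# executed only if no matching success arrives within the window:
# emit a synthetic event carrying X and Y for rule 2 (assumed event name)
action=event SU_FAILED_TIMEOUT %1 %2
ptype2=RegExp
# $1 and $2 are replaced with X and Y from the first event before pattern2 is
# compiled; the capture groups expose them again as %1 (Y) and %2 (X) in action2.
# (usernames containing regexp metacharacters would need escaping)
pattern2=su: pam_unix\(su:session\): session opened for user ($2) by ($1)\(uid=\d+\)
desc2=su success after initial failure
# executed when the success arrives in time: write the required message to syslog
action2=shellcmd /usr/bin/logger -t sec 'User %2 successfully switched to %1 after initial failure'
window=10

# Rule 2: mail root once per user X, then suppress further mails for X for 2 hours.
# desc is keyed on X only, so warnings for other users are not suppressed.
type=SingleWithSuppress
ptype=RegExp
pattern=^SU_FAILED_TIMEOUT (\S+) (\S+)$
desc=su warning mail for $1
action=pipe 'User %1 failed to switch to %2 during 10 seconds' /bin/mail -s 'su failure' root@localhost
window=7200
```

With the bob example above, rule 1 keeps two operations (bob to root, bob to student); the second one is closed by the 12:06:52 session line and logs the success, while the first one times out and rule 2 sends a single e-mail for bob.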