Difference between revisions of "Itx8071-task2"
Revision as of 6 November 2019, 19:13
This homework assignment requires the knowledge from Modules 6 and 7.
Create SEC rules that accomplish the following event correlation task:
1. The ruleset must track SSH login failures and su authentication failures for targeted users, so that all suspicious events for any given user would be stored into one SEC context. Events that must be stored into the context are described below (see points (2) and (3)). Before the first event is added to the context, the context must be created with the lifetime of 120 seconds.
2. If user X fails to log in over SSH from client host Y, and there will be no successful SSH login for user X from client Y during the following 20 seconds, add the following event into the context for user X: "User X failed to log in from Y over SSH".
3. If user Y fails to switch to user X with su utility, and user Y will not manage to successfully switch to user X during the following 20 seconds, add the following event into the context for user X: "User Y failed to switch to user X with su".
4. When the lifetime of the context for user X expires, all events stored into this context must be e-mailed to user X. After that, all event recording for user X must be disabled for the following 1 hour (3600 seconds).
For example, consider the following events:
Nov 6 17:13:03 localhost sshd[3914]: Failed password for root from 192.168.56.1 port 37326 ssh2
Nov 6 17:13:33 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/1 ruser=student rhost= user=root
Nov 6 17:13:43 localhost su: pam_unix(su:session): session opened for user root by student(uid=1000)
Nov 6 17:14:12 localhost sshd[4065]: Failed password for chrony from 192.168.56.7 port 37386 ssh2
Nov 6 17:14:13 localhost sshd[4065]: Failed password for chrony from 192.168.56.7 port 37386 ssh2
Nov 6 17:14:48 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/1 ruser=student rhost= user=chrony
Nov 6 17:15:01 localhost sshd[4115]: Failed password for chrony from 192.168.56.7 port 37388 ssh2
Nov 6 17:23:29 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/1 ruser=student rhost= user=root
Nov 6 17:28:19 localhost sshd[4318]: Failed password for student from 192.168.56.1 port 37724 ssh2
Nov 6 17:28:23 localhost sshd[4318]: Failed password for student from 192.168.56.1 port 37724 ssh2
Nov 6 17:28:26 localhost sshd[4318]: Accepted password for student from 192.168.56.1 port 37724 ssh2
Since the SSH login failure event for user root from client 192.168.56.1 at 17:13:03 is not followed by a successful login for root from the same client within 20 seconds, a reporting context must be created at 17:13:24 for user root with a lifetime of 120 seconds. After that, the event "User root failed to log in from 192.168.56.1 over SSH" must be stored into the context of user root. Note that no event must be stored into the context of user root when user student fails to switch to user root at 17:13:33, since this failure is followed by a successful switch from student to root at 17:13:43 (i.e., within 20 seconds of the initial failure).
Because the SSH login failure event for user chrony from client 192.168.56.7 at 17:14:12 is not followed by a successful login for chrony from the same client within 20 seconds, another reporting context must be created at 17:14:33 for user chrony, and the event "User chrony failed to log in from 192.168.56.7 over SSH" must be stored into this context (note that the previously created context for root must not be used for storing this event, since the event concerns a different user; also, the repeated failure at 17:14:13 for the same user and client arrives while that 20-second window is still open and does not produce a second event). Because user student fails to switch to chrony at 17:14:48 without a successful switch during the following 20 seconds, the event "User student failed to switch to user chrony with su" must be appended to the reporting context for chrony at 17:15:09. Finally, the event "User chrony failed to log in from 192.168.56.7 over SSH" must be appended to the context at 17:15:22, since the SSH login failure at 17:15:01 was not followed by a successful login.
When the reporting context for root expires at 17:15:25, all stored events from this context must be e-mailed to root@localhost (the context contains one event, "User root failed to log in from 192.168.56.1 over SSH"). After that, all further events for the root user should be ignored for 1 hour, and therefore the event at 17:23:29 must not be stored into any reporting context.
When the reporting context for chrony expires at 17:16:34, all stored events from this context must be e-mailed to chrony@localhost:
User chrony failed to log in from 192.168.56.7 over SSH
User student failed to switch to user chrony with su
User chrony failed to log in from 192.168.56.7 over SSH
After that, all further events for the chrony user should be ignored for 1 hour.
Finally, no reporting context must be created for user student, since the SSH login failure events at 17:28:19 and 17:28:23 are followed by a successful login for this user at 17:28:26.
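To make the timing in the walk-through concrete, here is a Python reference model of the correlation logic, added to this page (it is not SEC code and not a solution in SEC's rule language): it replays the sample events above, applies the 20-second, 120-second and 3600-second windows, and returns the two e-mail reports the text predicts. It assumes all events fall on one day (times are seconds since midnight) and fires each window exactly at its end, so its internal timestamps come out one second earlier than the walk-through's.

```python
import re
# Constructed input: the assignment's sample events, one per line.
LOG = """\
Nov 6 17:13:03 localhost sshd[3914]: Failed password for root from 192.168.56.1 port 37326 ssh2
Nov 6 17:13:33 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/1 ruser=student rhost= user=root
Nov 6 17:13:43 localhost su: pam_unix(su:session): session opened for user root by student(uid=1000)
Nov 6 17:14:12 localhost sshd[4065]: Failed password for chrony from 192.168.56.7 port 37386 ssh2
Nov 6 17:14:13 localhost sshd[4065]: Failed password for chrony from 192.168.56.7 port 37386 ssh2
Nov 6 17:14:48 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/1 ruser=student rhost= user=chrony
Nov 6 17:15:01 localhost sshd[4115]: Failed password for chrony from 192.168.56.7 port 37388 ssh2
Nov 6 17:23:29 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/1 ruser=student rhost= user=root
Nov 6 17:28:19 localhost sshd[4318]: Failed password for student from 192.168.56.1 port 37724 ssh2
Nov 6 17:28:23 localhost sshd[4318]: Failed password for student from 192.168.56.1 port 37724 ssh2
Nov 6 17:28:26 localhost sshd[4318]: Accepted password for student from 192.168.56.1 port 37724 ssh2
"""
RULES = [  # (regex, builder) -> (pair key, context owner, event text); text None = success, cancels the pending failure
    (re.compile(r"Failed password for (\S+) from (\S+) port"), lambda u, h: (("ssh", u, h), u, f"User {u} failed to log in from {h} over SSH")),
    (re.compile(r"Accepted password for (\S+) from (\S+) port"), lambda u, h: (("ssh", u, h), u, None)),
    (re.compile(r"su:auth\): authentication failure;.*ruser=(\S+) rhost=\S* user=(\S+)"), lambda r, u: (("su", r, u), u, f"User {r} failed to switch to user {u} with su")),
    (re.compile(r"su:session\): session opened for user (\S+) by (\S+)\(uid="), lambda u, r: (("su", r, u), u, None)),
]

def correlate(log):
    pending, contexts, muted, reports = {}, {}, {}, []  # open 20 s windows, live contexts, per-user mute deadlines, "e-mails"
    def advance(now):  # fire every window end and context expiry due by `now`, earliest first
        while due := [x for x in [(d, "pend", k) for k, (d, _, _) in pending.items()]
                      + [(e, "ctx", u) for u, (e, _) in contexts.items()] if x[0] <= now]:
            t, kind, key = min(due)
            if kind == "pend":
                _, user, msg = pending.pop(key)
                if muted.get(user, 0) <= t:  # recording for this user is disabled for 3600 s after a report
                    contexts.setdefault(user, [t + 120, []])[1].append(msg)  # first event creates the 120 s context
            else:
                _, events = contexts.pop(key)
                reports.append((key + "@localhost", events))  # stands in for e-mailing the context to the user
                muted[key] = t + 3600
    for line in log.splitlines():
        h, mi, s = map(int, re.match(r"\w{3} +\d+ (\d+):(\d+):(\d+)", line).groups())
        now = h * 3600 + mi * 60 + s  # assumption: all sample events fall on the same day
        advance(now)
        for rx, build in RULES:
            if mt := rx.search(line):
                key, user, msg = build(*mt.groups())
                if msg is None:
                    pending.pop(key, None)  # success within 20 s: the failure is not reported
                else:
                    pending.setdefault(key, (now + 20, user, msg))  # a repeat while the window is open adds nothing
    advance(float("inf"))
    return reports
```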