Difference between revisions of the page "Ics0020-task2"
Revision as of 5 November 2018, 09:12
This homework assignment requires the knowledge from Module 6 and Module 7.

Write a SEC rule that meets the following requirements:

1) Detect an event where user X fails to change his ID to some other user Y with the /bin/su command in terminal Z.

2) If after the initial failure the user X does not manage to successfully change his ID to user Y within 10 seconds with the /bin/su command, send a warning e-mail to root@localhost which contains the usernames X and Y and the terminal name Z. After the warning e-mail has been sent, any further e-mails for the user X must be suppressed for 2 hours.

3) If after the initial failure the user X manages to change his ID to user Y within 10 seconds with the /bin/su command, write a message to syslog which contains the usernames X and Y and the terminal name Z.

For example, if the following two events are observed, the user student has managed to change his ID to student2 within 3 seconds after the initial failure at 12:08:59 in terminal pts/0:

Jan 5 12:08:59 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/0 ruser=student rhost= user=student2
Jan 5 12:09:02 localhost su: pam_unix(su:session): session opened for user student2 by student(uid=1000)

Therefore, the following event should be written to syslog:
"User student switched to student2 after initial failure at terminal pts/0"

For example, if the following events are observed, the user bob did not manage to change his ID to root within 10 seconds after the initial failure at 12:06:46:

Jan 5 12:06:46 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/0 ruser=bob rhost= user=root
Jan 5 12:07:14 localhost su: pam_unix(su:session): session opened for user root by bob(uid=1001)

Therefore, a warning e-mail with the following text should be sent to root@localhost at 12:06:57:
"User bob failed to switch to root after initial failure at terminal pts/0"
After the mail has been sent, no further warning e-mails about user bob must be sent for 2 hours.
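The correlation the assignment asks for, modelled in Python rather than written as a SEC rule, as an added example that is not part of the original assignment page: a pair-with-window match on the su failure and session-open lines, followed by a per-user suppression of the warning e-mail. It runs over the page's four log lines plus two constructed bob failures (at 12:08:00 and 14:30:00) so that both a suppressed and a re-enabled warning are exercised. The year 2018, the end-of-stream tick time and the class and function names are assumptions. One caveat the sample lines make visible: the session-open line carries no tty, so the terminal Z has to be remembered from the failure event and the pair is keyed on X and Y only.

```python
"""Model of the su-failure correlation described in the assignment.

This is a Python re-implementation of the required logic (pair-with-window
followed by a per-user suppression), not a SEC rule; it exists so the expected
behaviour can be checked against sample log lines offline.
"""
import re
from datetime import datetime, timedelta

# Pattern 1: su authentication failure; X = logname, Y = user, Z = tty
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ su: "
    r"pam_unix\(su:auth\): authentication failure; logname=(?P<x>\S+) "
    r"uid=\d+ euid=\d+ tty=(?P<z>\S+) ruser=\S* rhost=\S* user=(?P<y>\S+)$"
)
# Pattern 2: successful su session. This line carries no tty, so the pair is
# keyed on (X, Y) and Z is taken from the failure event.
OPEN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ su: "
    r"pam_unix\(su:session\): session opened for user (?P<y>\S+) "
    r"by (?P<x>[^(\s]+)\(uid=\d+\)$"
)

WINDOW = timedelta(seconds=10)   # pair window from the assignment
SUPPRESS = timedelta(hours=2)    # per-user e-mail suppression
YEAR = 2018                      # assumption: syslog timestamps carry no year


def parse_ts(text):
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


class SuCorrelator:
    def __init__(self):
        self.pending = {}           # (X, Y) -> (failure time, Z)
        self.suppressed_until = {}  # X -> time until which warnings are dropped
        self.syslog = []            # messages that would be written to syslog
        self.mails = []             # (recipient, body) that would be sent
        self.dropped = 0            # warnings held back by the suppression

    def _warn(self, x, y, z, fire_time):
        body = f"User {x} failed to switch to {y} after initial failure at terminal {z}"
        until = self.suppressed_until.get(x)
        if until is not None and fire_time < until:
            self.dropped += 1
            return
        self.mails.append(("root@localhost", body))
        self.suppressed_until[x] = fire_time + SUPPRESS

    def tick(self, now):
        """Fire warnings for failures whose window has elapsed at time `now`.

        The warning is stamped with the window expiry time, as a timer-driven
        correlator would send it, not with the time of the event that let us
        notice the expiry."""
        for key, (t_fail, z) in list(self.pending.items()):
            if now - t_fail > WINDOW:
                del self.pending[key]
                self._warn(key[0], key[1], z, t_fail + WINDOW)

    def process(self, line):
        m = FAIL_RE.match(line)
        if m:
            now = parse_ts(m["ts"])
            self.tick(now)
            # a repeated failure inside an open window does not restart it
            self.pending.setdefault((m["x"], m["y"]), (now, m["z"]))
            return
        m = OPEN_RE.match(line)
        if m:
            now = parse_ts(m["ts"])
            self.tick(now)  # anything still pending afterwards is inside the window
            key = (m["x"], m["y"])
            if key in self.pending:
                _, z = self.pending.pop(key)
                self.syslog.append(
                    f"User {m['x']} switched to {m['y']} after initial failure at terminal {z}")


def run(lines, end_of_stream):
    c = SuCorrelator()
    for line in lines:
        c.process(line)
    c.tick(end_of_stream)  # let the last open window expire
    return c


# Constructed sample: the assignment's four lines plus two extra bob failures.
SAMPLE_LOG = [
    "Jan 5 12:06:46 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/0 ruser=bob rhost= user=root",
    "Jan 5 12:07:14 localhost su: pam_unix(su:session): session opened for user root by bob(uid=1001)",
    "Jan 5 12:08:00 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost= user=root",
    "Jan 5 12:08:59 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/0 ruser=student rhost= user=student2",
    "Jan 5 12:09:02 localhost su: pam_unix(su:session): session opened for user student2 by student(uid=1000)",
    "Jan 5 14:30:00 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/2 ruser=bob rhost= user=root",
]

if __name__ == "__main__":
    c = run(SAMPLE_LOG, parse_ts("Jan 5 14:31:00"))
    for rcpt, body in c.mails:
        print("MAIL", rcpt, body)
    for msg in c.syslog:
        print("SYSLOG", msg)
    print("suppressed warnings:", c.dropped)
```

Running it on the sample stream produces one syslog message for student, a warning for bob's 12:06:46 failure, no warning for the 12:08:00 failure (inside the 2-hour suppression), and a second warning for the 14:30:00 failure once the suppression has expired.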