Difference between revisions of "Ics0020-task2"
Revision as of 5 November 2018, 10:29
This homework assignment requires the knowledge from Module 6 and Module 7.
Write a SEC rule that meets the following requirements:
1) Detect an event where user X fails to change his ID to some other user Y with the /bin/su command in terminal Z.
2) If after the initial failure the user X does not manage to successfully change his ID to user Y within 10 seconds with the /bin/su command, send a warning e-mail to root@localhost which contains usernames X and Y, and terminal name Z. After the warning e-mail has been sent, any further e-mails for the user X must be suppressed for 2 hours (potential future warning e-mails for other users must not be suppressed).
3) If after the initial failure the user X manages to change his ID to user Y within 10 seconds with the /bin/su command, write a message to syslog which contains usernames X and Y, and terminal name Z.
For example, if the following events are observed, the user student has managed to change his ID to student2 within 3 seconds after the initial failure at 12:08:59 in terminal pts/0:
Nov 5 12:08:59 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/0 ruser=student rhost= user=student2
Nov 5 12:09:01 localhost sshd[1236]: Accepted password for root from 192.168.56.1 port 54306 ssh2
Nov 5 12:09:01 localhost sshd[1236]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 5 12:09:02 localhost su: pam_unix(su:session): session opened for user student2 by student(uid=1000)
Therefore, the following event should be written to syslog: "User student switched to student2 after initial failure at terminal pts/0"
For example, if the following events are observed, the user bob did not manage to change his ID to root within 10 seconds after the initial failure at 12:06:46 in terminal pts/1:
Nov 5 12:06:46 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost= user=root
Nov 5 12:06:50 localhost sshd[1260]: Accepted password for james from 192.168.56.1 port 54442 ssh2
Nov 5 12:06:50 localhost sshd[1260]: pam_unix(sshd:session): session opened for user james by (uid=0)
Nov 5 12:06:59 localhost sshd[1260]: Received disconnect from 192.168.56.1 port 54442:11: disconnected by user
Nov 5 12:06:59 localhost sshd[1260]: Disconnected from 192.168.56.1 port 54442
Nov 5 12:06:59 localhost sshd[1260]: pam_unix(sshd:session): session closed for user james
Therefore, a warning e-mail with the following text should be sent to root@localhost at 12:06:57: "User bob failed to switch to root after initial failure at terminal pts/1". After the mail has been sent, no further warning e-mails about user bob must be sent during 2 hours.
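The following Python program is an added illustration of the correlation logic that requirements 1) to 3) describe; it is not a SEC rule and not a solution to the assignment. It models what a PairWithWindow-style rule does: the pam_unix su "authentication failure" line opens a 10-second window keyed on (X, Y), a matching su "session opened for user Y by X" line inside the window produces the syslog message, and a window that closes without one produces the warning mail, with per-user suppression of further mails for 2 hours. The assumed year (syslog lines carry none), the 1-second offset after the window (the page expects the mail at 12:06:57 for a failure at 12:06:46) and the extra bob/alice lines appended after the page's own examples are constructed for the example.

```python
"""Model of the su failure/success correlation (stand-in for a SEC rule)."""
import re
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)   # requirements 2) and 3): success must come within 10 s
SUPPRESS = timedelta(hours=2)    # requirement 2): no further mails about user X for 2 h
YEAR = 2018                      # assumed: syslog lines carry no year

# su failure line: terminal Z = tty, user X = ruser, target user Y = user.
FAIL_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ su: pam_unix\(su:auth\): authentication failure; '
    r'.*?\btty=(?P<tty>\S+) ruser=(?P<ruser>\S+) rhost=\S* user=(?P<user>\S+)')
# su success line: target user Y = user, user X = ruser. It carries no tty, so the
# terminal is taken from the pending failure.
OPEN_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ su: pam_unix\(su:session\): '
    r'session opened for user (?P<user>\S+) by (?P<ruser>\S+)\(uid=\d+\)')
TS_RE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d)')


def parse_ts(text):
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


class SuCorrelator:
    def __init__(self):
        self.pending = {}     # (X, Y) -> (time of initial failure, terminal Z)
        self.suppressed = {}  # X -> time until which mails about X are suppressed
        self.actions = []     # ("syslog" | "mail", time, text), in emission order

    def _expire(self, now):
        # Windows that have closed without a success fire the mail action. Like a
        # once-per-second timer, this fires in the first second after the window.
        for key, (t_fail, tty) in list(self.pending.items()):
            due = t_fail + WINDOW + timedelta(seconds=1)
            if now >= due:
                del self.pending[key]
                self._mail(key[0], key[1], tty, due)

    def _mail(self, x, y, tty, when):
        until = self.suppressed.get(x)
        if until is not None and when < until:
            return  # still inside the 2 h suppression for user X; other users unaffected
        self.suppressed[x] = when + SUPPRESS
        self.actions.append(("mail", when,
                             f"User {x} failed to switch to {y} after initial failure at terminal {tty}"))

    def feed(self, line):
        m = FAIL_RE.match(line)
        if m:
            now = parse_ts(m["ts"])
            self._expire(now)
            # A repeated failure for the same (X, Y) does not restart the open window.
            self.pending.setdefault((m["ruser"], m["user"]), (now, m["tty"]))
            return
        m = OPEN_RE.match(line)
        if m:
            now = parse_ts(m["ts"])
            self._expire(now)
            key = (m["ruser"], m["user"])
            if key in self.pending:
                _, tty = self.pending.pop(key)
                self.actions.append(("syslog", now,
                                     f"User {key[0]} switched to {key[1]} after initial failure at terminal {tty}"))
            return
        m = TS_RE.match(line)
        if m:  # unrelated lines (sshd etc.) only advance the clock
            self._expire(parse_ts(m.group(1)))


def run(lines, end="Nov 5 14:00:00"):
    """Feed the lines in order, close any window still open at `end`, return the actions."""
    c = SuCorrelator()
    for line in lines:
        c.feed(line)
    c._expire(parse_ts(end))
    return c.actions


# Sample input: the page's two examples, plus constructed follow-up lines.
STUDENT_LINES = [
    "Nov 5 12:08:59 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/0 ruser=student rhost= user=student2",
    "Nov 5 12:09:01 localhost sshd[1236]: Accepted password for root from 192.168.56.1 port 54306 ssh2",
    "Nov 5 12:09:01 localhost sshd[1236]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "Nov 5 12:09:02 localhost su: pam_unix(su:session): session opened for user student2 by student(uid=1000)",
]
BOB_LINES = [
    "Nov 5 12:06:46 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost= user=root",
    "Nov 5 12:06:50 localhost sshd[1260]: Accepted password for james from 192.168.56.1 port 54442 ssh2",
    "Nov 5 12:06:59 localhost sshd[1260]: pam_unix(sshd:session): session closed for user james",
    # constructed: bob fails again inside the 2 h suppression, alice is a different user
    "Nov 5 12:30:00 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost= user=root",
    "Nov 5 12:31:00 localhost su: pam_unix(su:auth): authentication failure; logname=alice uid=1002 euid=0 tty=pts/2 ruser=alice rhost= user=root",
]

if __name__ == "__main__":
    for kind, when, text in run(STUDENT_LINES) + run(BOB_LINES):
        print(kind, when.strftime("%H:%M:%S"), text)
```

Running it prints the syslog message for student at 12:09:02 and the mail for bob at 12:06:57; bob's second failure at 12:30:00 produces no mail because the suppression for bob lasts until 14:06:57, while alice's failure still produces a mail at 12:31:11, which is the per-user behaviour requirement 2) asks for.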