Difference between revisions of "Ics0020-task2"

Source: Kursused
Revision as of 5 November 2018, 11:15

This homework assignment requires the knowledge from Module 6 and Module 7.

Write a SEC rule that meets the following requirements:

1) Detect an event where user X fails to change his ID to some other user Y with the /bin/su command.

2) If after the initial failure the user X does not manage to successfully change his ID to user Y within 10 seconds with the /bin/su command, send a warning e-mail to root@localhost which contains usernames X and Y. After the warning e-mail has been sent, any further e-mails for the user X must be suppressed for 2 hours (potential future warning e-mails for other users must *not* be suppressed).

3) If after the initial failure the user X manages to change his ID to user Y within 10 seconds with the /bin/su command, write a message to syslog which contains usernames X and Y.

For example, if the following events are observed, the user student has managed to change his ID to student2 three seconds after the initial failure at 12:08:59:

Nov  5 12:08:59 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/0 ruser=student rhost=  user=student2
Nov  5 12:09:01 localhost sshd[1236]: Accepted password for root from 192.168.56.1 port 54306 ssh2
Nov  5 12:09:01 localhost sshd[1236]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov  5 12:09:02 localhost su: pam_unix(su:session): session opened for user student2 by student(uid=1000)

Therefore, the following event should be written to syslog at 12:09:02: User student successfully switched to student2 after initial failure.

For example, if the following events are observed, the user bob did not manage to change his ID to root within ten seconds after the initial failure at 12:06:46. On the other hand, the user bob managed to change his ID to student one second after the initial failure at 12:06:51:

Nov  5 12:06:46 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Nov  5 12:06:50 localhost sshd[1260]: Accepted password for james from 192.168.56.1 port 54442 ssh2
Nov  5 12:06:50 localhost sshd[1260]: pam_unix(sshd:session): session opened for user james by (uid=0)
Nov  5 12:06:51 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/2 ruser=bob rhost=  user=student
Nov  5 12:06:52 localhost su: pam_unix(su:session): session opened for user student by bob(uid=1001)
Nov  5 12:06:59 localhost sshd[1260]: Received disconnect from 192.168.56.1 port 54442:11: disconnected by user
Nov  5 12:06:59 localhost sshd[1260]: Disconnected from 192.168.56.1 port 54442
Nov  5 12:06:59 localhost sshd[1260]: pam_unix(sshd:session): session closed for user james

Therefore, a warning e-mail with the following text should be sent to root@localhost at 12:06:57: User bob failed to switch to root during 10 seconds. After the mail has been sent, no further warning e-mails about user bob must be sent during 2 hours. Also, the following event should be written to syslog at 12:06:52: User bob successfully switched to student after initial failure.

Some hints for accomplishing this assignment:

  • consider the PairWithWindow rule for addressing the assignment,
  • the solution must be able to handle several /bin/su authentication failures in parallel (to achieve that, set the desc field of the rule accordingly: SEC keeps a separate correlation operation for every distinct desc value, so the desc must include both usernames X and Y)

Apart from studying the examples from the course slides, have a look at the SEC man page (installed at the virtual machines or found at http://simple-evcorr.github.io/man.html).
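The correlation the rule has to perform, shown as an added example that is not part of the assignment and is not a SEC rule: a Python stand-in for one PairWithWindow operation per (X, Y) pair, run over the two sample event sequences above and over a third, constructed sequence that exercises the 2-hour per-user mail suppression. Assumptions made here: the syslog timestamps get the year 2018 (they carry none), the warning mail is recorded in a list instead of being sent to root@localhost, the syslog message is recorded the same way, and the warning is stamped at the nominal end of the window (12:06:56 for the second example; the assignment text shows 12:06:57, presumably because a running SEC process notices the expired window on its next internal check).

```python
import re
from datetime import datetime, timedelta

# Syslog timestamps carry no year; 2018 is assumed to match the revision date of the assignment.
YEAR = 2018
WINDOW = timedelta(seconds=10)     # time X has to succeed after the initial failure
SUPPRESS = timedelta(hours=2)      # per-user mail suppression after a warning has been sent

TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ su: pam_unix\(su:auth\): authentication failure; "
    r".*\bruser=(\S+) rhost=\S*\s+user=(\S+)")
OK_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ su: pam_unix\(su:session\): "
    r"session opened for user (\S+) by ([^\s(]+)\(uid=\d+\)")


def parse_ts(ts):
    # strptime wants single spaces; syslog pads the day of month ("Nov  5")
    return datetime.strptime(f"{YEAR} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


class SuCorrelator:
    """Stand-in for a SEC PairWithWindow rule.  The correlation key (SEC's desc)
    is the pair (X, Y), so failures of different user pairs are tracked in
    parallel.  Window expiry runs the warn action; the matching success within
    the window runs the syslog action (SEC's action2)."""

    def __init__(self):
        self.pending = {}       # (X, Y) -> time of the initial failure
        self.suppressed = {}    # X -> time until which warning mails for X are held back
        self.mails = []         # (time, text) that would be mailed to root@localhost
        self.syslog = []        # (time, text) that would be written to syslog

    def _warn(self, when, x, y):
        until = self.suppressed.get(x)
        if until is not None and when < until:
            return                                   # X was warned less than 2 hours ago
        self.mails.append((when, f"User {x} failed to switch to {y} during 10 seconds."))
        self.suppressed[x] = when + SUPPRESS         # only X is suppressed, other users are not

    def _expire(self, now):
        """Run the warn action for every pending failure whose window has elapsed."""
        for (x, y), t0 in sorted(self.pending.items(), key=lambda kv: kv[1]):
            if now - t0 >= WINDOW:
                del self.pending[(x, y)]
                self._warn(t0 + WINDOW, x, y)        # stamped at the nominal end of the window

    def feed(self, line):
        m = TS_RE.match(line)
        if not m:
            return
        now = parse_ts(m.group(1))
        self._expire(now)                            # the clock advances with every event
        m = FAIL_RE.match(line)
        if m:
            x, y = m.group(2), m.group(3)
            # a repeated failure for the same (X, Y) while one is pending does not restart the window
            self.pending.setdefault((x, y), now)
            return
        m = OK_RE.match(line)
        if m:
            y, x = m.group(2), m.group(3)
            if (x, y) in self.pending:               # success inside the window: action2
                del self.pending[(x, y)]
                self.syslog.append((now, f"User {x} successfully switched to {y} after initial failure."))

    def finish(self, now):
        """Expire what is still pending once the log has been read; SEC's clock keeps running."""
        self._expire(now)
        return self.mails, self.syslog


def correlate(lines, end_time):
    c = SuCorrelator()
    for line in lines:
        c.feed(line)
    return c.finish(end_time)


# Sample events copied from the assignment text.
EXAMPLE_1 = """\
Nov  5 12:08:59 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/0 ruser=student rhost=  user=student2
Nov  5 12:09:01 localhost sshd[1236]: Accepted password for root from 192.168.56.1 port 54306 ssh2
Nov  5 12:09:01 localhost sshd[1236]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov  5 12:09:02 localhost su: pam_unix(su:session): session opened for user student2 by student(uid=1000)
""".splitlines()

EXAMPLE_2 = """\
Nov  5 12:06:46 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Nov  5 12:06:50 localhost sshd[1260]: Accepted password for james from 192.168.56.1 port 54442 ssh2
Nov  5 12:06:50 localhost sshd[1260]: pam_unix(sshd:session): session opened for user james by (uid=0)
Nov  5 12:06:51 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/2 ruser=bob rhost=  user=student
Nov  5 12:06:52 localhost su: pam_unix(su:session): session opened for user student by bob(uid=1001)
Nov  5 12:06:59 localhost sshd[1260]: Received disconnect from 192.168.56.1 port 54442:11: disconnected by user
Nov  5 12:06:59 localhost sshd[1260]: Disconnected from 192.168.56.1 port 54442
Nov  5 12:06:59 localhost sshd[1260]: pam_unix(sshd:session): session closed for user james
""".splitlines()

# Constructed events (not from the assignment): bob fails twice without success, alice fails once.
# Expected: one mail for bob (the second failure is suppressed), and a separate mail for alice.
EXAMPLE_3 = """\
Nov  5 13:00:00 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Nov  5 13:00:30 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Nov  5 13:00:35 localhost su: pam_unix(su:auth): authentication failure; logname=alice uid=1002 euid=0 tty=pts/3 ruser=alice rhost=  user=root
""".splitlines()

if __name__ == "__main__":
    end = parse_ts("Nov  5 13:01:00")
    for name, lines in (("example 1", EXAMPLE_1), ("example 2", EXAMPLE_2), ("suppression", EXAMPLE_3)):
        mails, syslog = correlate(lines, end)
        print(name, "mails:", mails)
        print(name, "syslog:", syslog)
```

The one thing the simulation does not reproduce is SEC's own timing and syntax; it fixes what the rule must compute: a per-(X, Y) operation, a 10-second window, and a suppression that is keyed on X alone.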