Ics0020-task2

This homework assignment requires the knowledge from Module 6 and Module 7.

Write a SEC rule that meets the following requirements:

1) Detect an event where user X fails to change his ID to some other user Y with the /bin/su command.

2) If after the initial failure the user X does not manage to successfully change his ID to user Y within 10 seconds with the /bin/su command, send a warning e-mail to root@localhost which contains usernames X and Y. After the warning e-mail has been sent, any further e-mails for the user X must be suppressed for 2 hours (potential future warning e-mails for other users must *not* be suppressed).

3) If after the initial failure the user X manages to change his ID to user Y within 10 seconds with the /bin/su command, write a message to syslog which contains usernames X and Y. If e-mail alerting has been disabled for user X, producing a syslog message is not mandatory.

Note that the SEC rule should be written for events that appear in /var/log/secure log file. For example, if the following events are observed, the user student has managed to change his ID to student2 three seconds after the initial failure at 12:08:59:

Nov  5 12:08:59 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/0 ruser=student rhost=  user=student2
Nov  5 12:09:01 localhost sshd[1236]: Accepted password for root from 192.168.56.1 port 54306 ssh2
Nov  5 12:09:01 localhost sshd[1236]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov  5 12:09:02 localhost su: pam_unix(su:session): session opened for user student2 by student(uid=1000)

Therefore, the following event should be written to syslog at 12:09:02: User student successfully switched to student2 after initial failure.

For example, if the following events are observed, the user bob did not manage to change his ID to root within ten seconds after the initial failure at 12:06:46. On the other hand, the user bob managed to change his ID to student one second after the initial failure at 12:06:51:

Nov  5 12:06:46 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Nov  5 12:06:50 localhost sshd[1260]: Accepted password for james from 192.168.56.1 port 54442 ssh2
Nov  5 12:06:50 localhost sshd[1260]: pam_unix(sshd:session): session opened for user james by (uid=0)
Nov  5 12:06:51 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/2 ruser=bob rhost=  user=student
Nov  5 12:06:52 localhost su: pam_unix(su:session): session opened for user student by bob(uid=1001)
Nov  5 12:06:59 localhost sshd[1260]: Received disconnect from 192.168.56.1 port 54442:11: disconnected by user
Nov  5 12:06:59 localhost sshd[1260]: Disconnected from 192.168.56.1 port 54442
Nov  5 12:06:59 localhost sshd[1260]: pam_unix(sshd:session): session closed for user james

Therefore, a warning e-mail with the following text should be sent to root@localhost at 12:06:57: User bob failed to switch to root during 10 seconds. After the mail has been sent, no further warning e-mails about user bob must be sent during 2 hours. Also, the following event should be written to syslog at 12:06:52: User bob successfully switched to student after initial failure.

Some hints for accomplishing this assignment:

• consider the PairWithWindow rule for addressing the assignment,
• when using PairWithWindow rule, make sure that the 'desc' and 'pattern2' fields have been set properly (e.g., consider the use of match variables in both 'desc' and 'pattern2' field),
• consider creating a context for suppressing repeated warning e-mails for a user.

Apart from studying the examples from the course slides, have a look at the SEC man page (installed at the virtual machines or found at http://simple-evcorr.github.io/man.html).