Ics0020-task2: difference between revisions

Source: Kursused
Revision as of 5 November 2018, 09:14

This homework assignment requires the knowledge from Module 6 and Module 7.

Write a SEC rule that meets the following requirements:

1) Detect an event where user X fails to change his ID to some other user Y with the /bin/su command in terminal Z.

2) If after the initial failure the user X does not manage to successfully change his ID to user Y within 10 seconds with the /bin/su command, send a warning e-mail to root@localhost which contains usernames X and Y, and terminal name Z. After the warning e-mail has been sent, any further e-mails for the user X must be suppressed for 2 hours.

3) If after the initial failure the user X manages to change his ID to user Y within 10 seconds with the /bin/su command, write a message to syslog which contains usernames X and Y, and terminal name Z.

For example, if the following two events are observed, the user student has managed to change his ID to student2 within 3 seconds after the initial failure at 12:08:59 in terminal pts/0:

Nov  5 12:08:59 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/0 ruser=student rhost=  user=student2
Nov  5 12:09:02 localhost su: pam_unix(su:session): session opened for user student2 by student(uid=1000)

Therefore, the following event should be written to syslog: "User student switched to student2 after initial failure at terminal pts/0"

For example, if the following events are observed, the user bob did not manage to change his ID to root within 10 seconds after the initial failure at 12:06:46:

Nov  5 12:06:46 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/0 ruser=bob rhost=  user=root
Nov  5 12:07:14 localhost su: pam_unix(su:session): session opened for user root by bob(uid=1001)

Therefore, a warning e-mail with the following text should be sent to root@localhost at 12:06:57: "User bob failed to switch to root after initial failure at terminal pts/0". After the mail has been sent, no further warning e-mails about user bob must be sent during 2 hours.
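One way to meet the three requirements with two cooperating SEC rules, as an added example that is not part of the original assignment page. It assumes SEC is reading the syslog file that receives the su lines, that /usr/bin/logger and /usr/bin/mail exist at those paths, and that both rules live in the same SEC configuration file; the event name SU_SWITCH_FAILED is a constructed internal identifier.

```sec
# Rule 1: every su authentication failure opens a 10-second window for
# user X ($2), target user Y ($3) and terminal Z ($1) taken from the
# first pattern. pattern2 reuses $2 and $3 from that match, so only a
# successful switch by the same user to the same target closes the window.
# If the window expires without pattern2 matching, action runs and hands
# the case to rule 2 as a synthetic event; if pattern2 matches in time,
# action2 writes the requirement-3 message to syslog via logger.
type=PairWithWindow
ptype=RegExp
pattern=su: pam_unix\(su:auth\): authentication failure; logname=\S* uid=\d+ euid=\d+ tty=(\S+) ruser=(\S+) rhost=\S* +user=(\S+)
desc=su failure by $2 to $3 at terminal $1
action=event 0 SU_SWITCH_FAILED $2 $3 $1
ptype2=RegExp
pattern2=su: pam_unix\(su:session\): session opened for user $3 by $2\(uid=\d+\)
desc2=User $2 switched to $3 after initial failure at terminal $1
action2=shellcmd /usr/bin/logger -t sec 'User $2 switched to $3 after initial failure at terminal $1'
window=10

# Rule 2: mail root@localhost for the synthetic event and then suppress
# repeats for 7200 seconds. SingleWithSuppress keys its suppression on
# desc, and desc here contains only $1 (user X), so the 2-hour silence
# applies to user X regardless of target user or terminal, as required.
type=SingleWithSuppress
ptype=RegExp
pattern=^SU_SWITCH_FAILED (\S+) (\S+) (\S+)$
desc=su failure warning for user $1
action=pipe 'User $1 failed to switch to $2 after initial failure at terminal $3' /usr/bin/mail -s 'su failure warning' root@localhost
window=7200
```

With the bob example above, rule 1 matches the 12:06:46 failure, sees no matching session line within 10 seconds, and emits the synthetic event; rule 2 mails root@localhost once and ignores further SU_SWITCH_FAILED events for bob until the 7200-second window ends.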