Ics0020-task2

Source: Kursused
Revision as of 5 November 2018, 10:58 by Risto

This homework assignment requires the knowledge from Module 6 and Module 7.

Write a SEC rule that meets the following requirements:

1) Detect an event where user X fails to change his ID to some other user Y with the /bin/su command.

2) If after the initial failure the user X does not manage to successfully change his ID to user Y within 10 seconds with the /bin/su command, send a warning e-mail to root@localhost which contains usernames X and Y. After the warning e-mail has been sent, any further e-mails for the user X must be suppressed for 2 hours (potential future warning e-mails for other users must *not* be suppressed).

3) If after the initial failure the user X manages to change his ID to user Y within 10 seconds with the /bin/su command, write a message to syslog which contains usernames X and Y.

For example, if the following events are observed, the user student has managed to change his ID to student2 three seconds after the initial failure at 12:08:59:

Nov  5 12:08:59 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/0 ruser=student rhost=  user=student2
Nov  5 12:09:01 localhost sshd[1236]: Accepted password for root from 192.168.56.1 port 54306 ssh2
Nov  5 12:09:01 localhost sshd[1236]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov  5 12:09:02 localhost su: pam_unix(su:session): session opened for user student2 by student(uid=1000)

Therefore, the following event should be written to syslog: User student successfully switched to student2 after initial failure.

For example, if the following events are observed, the user bob did not manage to change his ID to root within ten seconds after the initial failure at 12:06:46:

Nov  5 12:06:46 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Nov  5 12:06:50 localhost sshd[1260]: Accepted password for james from 192.168.56.1 port 54442 ssh2
Nov  5 12:06:50 localhost sshd[1260]: pam_unix(sshd:session): session opened for user james by (uid=0)
Nov  5 12:06:52 localhost su: pam_unix(su:session): session opened for user student2 by bob(uid=1001)
Nov  5 12:06:59 localhost sshd[1260]: Received disconnect from 192.168.56.1 port 54442:11: disconnected by user
Nov  5 12:06:59 localhost sshd[1260]: Disconnected from 192.168.56.1 port 54442
Nov  5 12:06:59 localhost sshd[1260]: pam_unix(sshd:session): session closed for user james

Therefore, a warning e-mail with the following text should be sent to root@localhost at 12:06:57: User bob failed to switch to root during 10 seconds. After the mail has been sent, no further warning e-mails about user bob must be sent during 2 hours.
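The correlation the assignment asks for, modelled in Python as an added reference example (this is not a SEC rule and not part of the course material): the sample events from both scenarios above are embedded as constructed input, together with two extra constructed failure lines for bob and alice that exercise the 2-hour per-user suppression. The `SuCorrelator` class, the `correlate` helper and the year 2018 assumed for the year-less syslog timestamps are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the two event sequences from the assignment text.
EXAMPLE_SUCCESS = """\
Nov  5 12:08:59 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/0 ruser=student rhost=  user=student2
Nov  5 12:09:01 localhost sshd[1236]: Accepted password for root from 192.168.56.1 port 54306 ssh2
Nov  5 12:09:01 localhost sshd[1236]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov  5 12:09:02 localhost su: pam_unix(su:session): session opened for user student2 by student(uid=1000)
""".splitlines()

EXAMPLE_FAILURE = """\
Nov  5 12:06:46 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Nov  5 12:06:50 localhost sshd[1260]: Accepted password for james from 192.168.56.1 port 54442 ssh2
Nov  5 12:06:50 localhost sshd[1260]: pam_unix(sshd:session): session opened for user james by (uid=0)
Nov  5 12:06:52 localhost su: pam_unix(su:session): session opened for user student2 by bob(uid=1001)
Nov  5 12:06:59 localhost sshd[1260]: Received disconnect from 192.168.56.1 port 54442:11: disconnected by user
Nov  5 12:06:59 localhost sshd[1260]: Disconnected from 192.168.56.1 port 54442
Nov  5 12:06:59 localhost sshd[1260]: pam_unix(sshd:session): session closed for user james
""".splitlines()

# Constructed continuation (not from the page): bob fails again while his mails are
# suppressed, and a different user alice fails, which must still produce a mail.
EXAMPLE_SUPPRESS = """\
Nov  5 12:30:00 localhost su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Nov  5 12:30:01 localhost su: pam_unix(su:auth): authentication failure; logname=alice uid=1002 euid=0 tty=pts/2 ruser=alice rhost=  user=root
""".splitlines()

TS = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
TS_RE = re.compile(TS)
# su may log as "su:" or "su[pid]:"; ruser= is the caller X, user= is the target Y.
FAIL_RE = re.compile(TS + r"su(?:\[\d+\])?: pam_unix\(su:auth\): authentication failure;"
                     r".*?\bruser=(\S+) .*?\buser=(\S+)\s*$")
OK_RE = re.compile(TS + r"su(?:\[\d+\])?: pam_unix\(su:session\): session opened for user (\S+)"
                   r" by ([^\s(]+)\(uid=\d+\)")


def parse_ts(text, year=2018):
    """Syslog timestamps carry no year; the sample events are assumed to be from 2018."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


class SuCorrelator:
    """Pair-with-window correlation (failure -> success within 10 s) plus per-user mail suppression."""

    def __init__(self, window=10, suppress=2 * 3600):
        self.window = timedelta(seconds=window)
        self.suppress = timedelta(seconds=suppress)
        self.pending = {}            # (x, y) -> time of the first failure that opened the window
        self.suppressed_until = {}   # x -> time until which further mails about x are dropped
        self.syslog = []             # messages that would be written to syslog (requirement 3)
        self.mails = []              # mail bodies that would go to root@localhost (requirement 2)

    def _expire(self, now):
        """Fire the timeout action for every window that has run out by 'now'."""
        for (x, y), t0 in list(self.pending.items()):
            if now - t0 > self.window:
                del self.pending[(x, y)]
                self._warn(x, y, fired_at=t0 + self.window)

    def _warn(self, x, y, fired_at):
        until = self.suppressed_until.get(x)
        if until is not None and fired_at < until:
            return                   # still inside the 2-hour suppression for user x only
        secs = int(self.window.total_seconds())
        self.mails.append(f"User {x} failed to switch to {y} during {secs} seconds")
        self.suppressed_until[x] = fired_at + self.suppress

    def feed(self, line):
        m = TS_RE.match(line)
        if not m:
            return                   # not a syslog line this model understands
        now = parse_ts(m.group(1))
        self._expire(now)            # advance the clock before handling the event itself
        m = FAIL_RE.match(line)
        if m:
            x, y = m.group(2), m.group(3)
            self.pending.setdefault((x, y), now)   # a repeat failure does not restart the window
            return
        m = OK_RE.match(line)
        if m:
            y, x = m.group(2), m.group(3)
            if self.pending.pop((x, y), None) is not None:
                self.syslog.append(f"User {x} successfully switched to {y} after initial failure")

    def flush(self, now):
        """Called when input ends (SEC would do this on a timer) so open windows can expire."""
        self._expire(now)


def correlate(lines, end_time="Nov  5 13:00:00"):
    """Run the correlator over the given lines and return (syslog messages, mail bodies)."""
    c = SuCorrelator()
    for line in lines:
        c.feed(line)
    c.flush(parse_ts(end_time))
    return c.syslog, c.mails


if __name__ == "__main__":
    for name, lines in [("success", EXAMPLE_SUCCESS),
                        ("failure + suppression", EXAMPLE_FAILURE + EXAMPLE_SUPPRESS)]:
        syslog, mails = correlate(lines)
        print(f"{name}: syslog={syslog} mails={mails}")
```

The model fires the timeout at exactly failure time + 10 s, whereas the 12:06:57 on the page reflects when SEC's own timer check actually runs, which can trail the nominal deadline by a second; the message texts are the ones the assignment specifies. Note that a `session opened` event for a different target (bob switching to student2 in the second scenario) or one arriving after the window has closed does not cancel the warning, and that the suppression is keyed on the failing user X alone, so alice's mail still goes out while bob's is suppressed.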