Difference between revisions of "Itx8071-task2"

Source: Kursused

Revision as of 7 November 2019, 09:34

This homework assignment requires the knowledge from Modules 6 and 7.

Create SEC rules that accomplish the following event correlation task:

  1. The ruleset must track SSH login failures and su authentication failures for local users, so that all suspicious events for each user are stored into a separate SEC context. Events that must be stored into the context are described below (see points (2) and (3)). Before the first event is added to the context, the context must be created with the lifetime of 120 seconds.
  2. If user X fails to log in over SSH from client host Y, and there will be no successful SSH login for user X from client Y during the following 20 seconds, add the following event into the context of user X: "User X failed to log in from Y over SSH".
  3. If user Y fails to switch to user X with su utility, and user Y will not manage to successfully switch to user X during the following 20 seconds, add the following event into the context of user X: "User Y failed to switch to user X with su".
  4. When the lifetime of the context for user X expires, all events stored into this context must be e-mailed to user X. After that, all event recording for user X must be disabled for the following 1 hour (3600 seconds).

For example, consider the following events:

Nov  6 17:13:03 localhost sshd[3914]: Failed password for root from 192.168.56.1 port 37326 ssh2
Nov  6 17:13:33 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/1 ruser=student rhost=  user=root
Nov  6 17:13:43 localhost su: pam_unix(su:session): session opened for user root by student(uid=1000)
Nov  6 17:14:12 localhost sshd[4065]: Failed password for chrony from 192.168.56.7 port 37386 ssh2
Nov  6 17:14:13 localhost sshd[4065]: Failed password for chrony from 192.168.56.7 port 37386 ssh2
Nov  6 17:14:48 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/1 ruser=student rhost=  user=chrony
Nov  6 17:15:01 localhost sshd[4115]: Failed password for chrony from 192.168.56.7 port 37388 ssh2
Nov  6 17:23:29 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/1 ruser=student rhost=  user=root
Nov  6 17:28:19 localhost sshd[4318]: Failed password for student from 192.168.56.1 port 37724 ssh2
Nov  6 17:28:23 localhost sshd[4318]: Failed password for student from 192.168.56.1 port 37724 ssh2
Nov  6 17:28:26 localhost sshd[4318]: Accepted password for student from 192.168.56.1 port 37724 ssh2

Since the SSH login failure event for user root from client 192.168.56.1 at 17:13:03 is not followed by a successful login for root from 192.168.56.1 during the next 20 seconds, a reporting context must be created at 17:13:24 for user root with a lifetime of 120 seconds. After that, the event "User root failed to log in from 192.168.56.1 over SSH" must be stored into the newly created context. Note that no event must be stored into the context of user root when user student fails to switch to user root at 17:13:33, since this failure is followed by a successful switch from student to root at 17:13:43 (i.e., within 20 seconds of the initial failure).

Because the SSH login failure event for user chrony from client 192.168.56.7 at 17:14:12 is not followed by a successful login for chrony from 192.168.56.7 during the next 20 seconds, another reporting context must be created at 17:14:33 for user chrony, and the event "User chrony failed to log in from 192.168.56.7 over SSH" must be stored into this context (note that the previously created context for root must not be used for storing this event, since the event concerns a different user). Because user student fails to switch to chrony at 17:14:48 without a successful switch during the following 20 seconds, the event "User student failed to switch to user chrony with su" must be appended to the reporting context of chrony at 17:15:09. Finally, the event "User chrony failed to log in from 192.168.56.7 over SSH" must be appended to the context at 17:15:22, since the SSH login failure at 17:15:01 was not followed by a successful login.

When the reporting context for root expires at 17:15:25, all events stored in this context must be e-mailed to root@localhost (the context contains one event, "User root failed to log in from 192.168.56.1 over SSH"). After that, reporting of subsequent events for user root should be disabled for 1 hour, and therefore the event from 17:23:29 must not be stored into any reporting context.

When the reporting context for chrony expires at 17:16:34, all events stored in this context must be e-mailed to chrony@localhost:

User chrony failed to log in from 192.168.56.7 over SSH
User student failed to switch to user chrony with su
User chrony failed to log in from 192.168.56.7 over SSH

After that, reporting of subsequent events for user chrony should be disabled for 1 hour.

Finally, no reporting context must be created for user student, since the SSH login failure events at 17:28:19 and 17:28:23 for client 192.168.56.1 and user student are followed by a successful login at 17:28:26 for the same client and user.
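The correlation logic of points (1) to (4), as walked through above, as an added reference simulation in Python (not SEC rules and not part of the assignment): it replays syslog lines, keeps one pending operation per (user, peer) key for the 20-second window, collects the failures that survive it into a per-user context, and after 120 seconds emits the report and silences that user for an hour. The regular expressions and the SAMPLE lines are assumptions taken from the log format shown above; the SSH failure pattern also accepts sshd's "invalid user" variant, which the example does not show.

```python
import re
from datetime import datetime, timedelta
# Assumed syslog formats for the four event types the assignment names.
SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
SSH_OK = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")
SU_FAIL = re.compile(r"su: pam_unix\(su:auth\): authentication failure;.*\sruser=(\S+)\s.*\suser=(\S+)")
SU_OK = re.compile(r"su: pam_unix\(su:session\): session opened for user (\S+) by (\S+)\(uid=")
WINDOW, CTX_LIFE, QUIET = (timedelta(seconds=s) for s in (20, 120, 3600))
SAMPLE = [  # first three lines of the assignment's example
    "Nov  6 17:13:03 localhost sshd[3914]: Failed password for root from 192.168.56.1 port 37326 ssh2",
    "Nov  6 17:13:33 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/1 ruser=student rhost=  user=root",
    "Nov  6 17:13:43 localhost su: pam_unix(su:session): session opened for user root by student(uid=1000)",
]

def correlate(lines):
    """Replay syslog lines; return [(expiry_time, user, [event texts])] in e-mail order."""
    pending = {}  # (kind, user, peer) -> (deadline, user, text): a failure awaiting a success
    ctx = {}      # user -> (expiry, [events]): the per-user reporting context (point 1)
    quiet = {}    # user -> time until which recording for the user is disabled (point 4)
    reports = []

    def tick(now):  # fire every timer due by `now`, oldest first, so timers and events interleave
        while True:
            due = [(dl, 0, k) for k, (dl, _, _) in pending.items() if dl <= now]
            due += [(ex, 1, u) for u, (ex, _) in ctx.items() if ex <= now]
            if not due: return
            t, kind, key = min(due)
            if kind == 0:                      # 20 s window elapsed with no matching success
                _, user, text = pending.pop(key)
                if t < quiet.get(user, datetime.min): continue   # inside the 1-hour quiet period
                if user not in ctx: ctx[user] = (t + CTX_LIFE, [])  # create before first event
                ctx[user][1].append(text)
            else:                              # context lifetime over: "e-mail" it and go quiet
                _, events = ctx.pop(key)
                reports.append((t, key, events))
                quiet[key] = t + QUIET
    for line in lines:
        now = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog has no year; 1900 is fine
        tick(now)
        if m := SSH_FAIL.search(line):         # point 2: groups are (user, client host)
            key, text = ("ssh",) + m.groups(), f"User {m[1]} failed to log in from {m[2]} over SSH"
        elif m := SU_FAIL.search(line):        # point 3: groups are (ruser, target user)
            key, text = ("su", m[2], m[1]), f"User {m[1]} failed to switch to user {m[2]} with su"
        else:                                  # a success within the window cancels the failure
            for kind, rx in (("ssh", SSH_OK), ("su", SU_OK)):
                if m := rx.search(line): pending.pop((kind,) + m.groups(), None)
            continue
        pending.setdefault(key, (now + WINDOW, key[1], text))  # one open operation per key
    tick(datetime.max)                         # flush timers still running after the last line
    return reports
```

Run over the full example from the text, the function returns the two reports described above (root with one event, chrony with three, nothing for student, and the 17:23:29 su failure dropped). Its timers fire exactly at failure time + 20 s and creation + 120 s, so the times it reports land a second or two before those quoted in the text.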