Difference between revisions of "Itx8071-task2"

Source: Kursused
(Page replaced with 'To be announced.')
This homework assignment requires knowledge from Modules 6 and 7.
To be announced.
 
 
=== Create SEC rules that accomplish the following event correlation task: ===
 
 
 
# The ruleset must track SSH login failures and su authentication failures for local users, so that all suspicious events for each user are stored in a separate SEC context. The events that must be stored in the context are described below (see points (2) and (3)). Before the first event is added to the context, the context must be created with a lifetime of 120 seconds.
 
# If user X fails to log in over SSH from client host Y, and there is no successful SSH login for user X from client Y during the following 20 seconds, add the following event to the context of user X: "User X failed to log in from Y over SSH".
 
# If user Y fails to switch to user X with the su utility, and user Y does not successfully switch to user X during the following 20 seconds, add the following event to the context of user X: "User Y failed to switch to user X with su".
 
# When the lifetime of the context for user X expires, all events stored in this context must be e-mailed to user X. After that, all event recording for user X must be disabled for the following 1 hour (3600 seconds).
 
 
 
For example, consider the following events:
 
 
 
Nov  6 17:13:03 localhost sshd[3914]: Failed password for '''root''' from 192.168.56.1 port 37326 ssh2
 
Nov  6 17:13:33 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/1 ruser=student rhost=  user='''root'''
 
Nov  6 17:13:43 localhost su: pam_unix(su:session): session opened for user '''root''' by student(uid=1000)
 
Nov  6 17:14:12 localhost sshd[4065]: Failed password for '''chrony''' from 192.168.56.7 port 37386 ssh2
 
Nov  6 17:14:13 localhost sshd[4065]: Failed password for '''chrony''' from 192.168.56.7 port 37386 ssh2
 
Nov  6 17:14:48 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/1 ruser=student rhost=  user='''chrony'''
 
Nov  6 17:15:01 localhost sshd[4115]: Failed password for '''chrony''' from 192.168.56.7 port 37388 ssh2
 
Nov  6 17:23:29 localhost su: pam_unix(su:auth): authentication failure; logname=student uid=1000 euid=0 tty=pts/1 ruser=student rhost=  user='''root'''
 
Nov  6 17:28:19 localhost sshd[4318]: Failed password for '''student''' from 192.168.56.1 port 37724 ssh2
 
Nov  6 17:28:23 localhost sshd[4318]: Failed password for '''student''' from 192.168.56.1 port 37724 ssh2
 
Nov  6 17:28:26 localhost sshd[4318]: Accepted password for '''student''' from 192.168.56.1 port 37724 ssh2
 
 
 
Since the SSH login failure event for user ''root'' from client ''192.168.56.1'' at 17:13:03 is not followed by a successful login for ''root'' from ''192.168.56.1'' within 20 seconds, a reporting context with a lifetime of 120 seconds must be created for user ''root'' at 17:13:24. After that, the event ''User root failed to log in from 192.168.56.1 over SSH'' must be stored in the newly created context. Note that no event must be stored in the context of user ''root'' when user ''student'' fails to switch to user ''root'' at 17:13:33, since this failure is followed by a successful switch from ''student'' to ''root'' at 17:13:43 (i.e., within 20 seconds of the initial failure).
 
 
 
Because the SSH login failure event for user ''chrony'' from client ''192.168.56.7'' at 17:14:12 is not followed by a successful login for ''chrony'' from ''192.168.56.7'' within 20 seconds, another reporting context must be created for user ''chrony'' at 17:14:33, and the event ''User chrony failed to log in from 192.168.56.7 over SSH'' must be stored in this context (note that the previously created context for ''root'' must not be used for storing this event, since the event concerns a different user). The repeated failure at 17:14:13 for the same user and client produces no additional event, since it falls within the 20-second window already opened by the failure at 17:14:12. Because user ''student'' fails to switch to ''chrony'' at 17:14:48 without a successful switch during the following 20 seconds, the event ''User student failed to switch to user chrony with su'' must be appended to the reporting context of ''chrony'' at 17:15:09. Finally, the event ''User chrony failed to log in from 192.168.56.7 over SSH'' must be appended to the context at 17:15:22, since the SSH login failure at 17:15:01 was not followed by a successful login.
 
 
 
When the reporting context for ''root'' expires at 17:15:25, all events stored in this context must be e-mailed to root@localhost (the context contains one event, ''User root failed to log in from 192.168.56.1 over SSH''). After that, reporting of subsequent events for user ''root'' must be disabled for 1 hour, and therefore the su authentication failure at 17:23:29 must not be stored in any reporting context.
 
 
 
When the reporting context for ''chrony'' expires at 17:16:34, all events stored in this context must be e-mailed to chrony@localhost:
 
 
 
User chrony failed to log in from 192.168.56.7 over SSH
 
User student failed to switch to user chrony with su
 
User chrony failed to log in from 192.168.56.7 over SSH
 
 
 
After that, reporting of subsequent events for user ''chrony'' must be disabled for 1 hour.
 
 
 
Finally, no reporting context must be created for user ''student'', since the SSH login failure events at 17:28:19 and 17:28:23 for client ''192.168.56.1'' and user ''student'' are followed by a successful login at 17:28:26 for the same client and user.
 
 
 
Some hints for accomplishing this assignment:
 
* don't try to solve the whole assignment with just one rule, but rather write several rules which interact,
 
* consider the use of PairWithWindow rules for detecting SSH login failures and su authentication failures that need reporting, and generate synthetic events for them,
 
* consider the use of Single rules for matching synthetic events and maintaining reporting contexts.
 
 
 
Apart from studying the examples from the course slides, have a look at the SEC man page (installed on the virtual machines, or available at https://simple-evcorr.github.io/man.html).
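The following ruleset is an added worked example, not text from the assignment page or a reference solution from the course. It implements the four requirements above with the rule types named in the hints: two PairWithWindow rules turn unanswered SSH and su failures into synthetic events, and two Single rules open and fill the per-user reporting context. It assumes log lines in the exact syslog format of the example (the bold markup around usernames above is wiki highlighting, not part of the log), an SEC build whose Perl supports branch-reset groups `(?|...)`, and that `/usr/bin/mail` exists for delivery; the mail path, the subject line and the context names REPORT_X and SUPPRESS_X are assumptions.

```sec
# Added example ruleset for the task above (not the course's reference
# solution).  Assumptions: syslog lines in the format shown in the example,
# Perl with branch-reset groups (?|...), and /usr/bin/mail for delivery.

# Rule 1: an SSH login failure for user $1 from client $2 that is not
# followed within 20 s by a successful login for the same user and client
# becomes a synthetic event.  The operation is keyed by desc (user+client),
# so repeated failures inside an open window start no new operation.
# "Failed password for invalid user X" lines do not match, because \S+
# cannot span the space in "invalid user"; this keeps the ruleset to
# local users.  $2 is substituted into pattern2 as regex text, so the dots
# of the address match any character, which is acceptable for a dotted
# quad.
type=PairWithWindow
ptype=RegExp
pattern=sshd\[\d+\]: Failed password for (\S+) from (\S+) port \d+ ssh2
desc=SSH login failure for user $1 from $2
action=event User $1 failed to log in from $2 over SSH
ptype2=RegExp
pattern2=sshd\[\d+\]: Accepted \S+ for $1 from $2 port \d+ ssh2
desc2=SSH login success for user $1 from $2
action2=none
window=20

# Rule 2: user $1 failing to become user $2 with su, with no successful
# switch from $1 to $2 within 20 s, becomes a synthetic event.
type=PairWithWindow
ptype=RegExp
pattern=su: pam_unix\(su:auth\): authentication failure;.* ruser=(\S+) rhost=\S* +user=(\S+)
desc=su failure from $1 to $2
action=event User $1 failed to switch to user $2 with su
ptype2=RegExp
pattern2=su: pam_unix\(su:session\): session opened for user $2 by $1\(uid=\d+\)
desc2=su success from $1 to $2
action2=none
window=20

# Rule 3: the first suspicious event for user $1 opens REPORT_$1 with a
# 120 s lifetime, unless recording for $1 is suppressed.  On expiry the
# event store is mailed to $1 and recording is suppressed for 3600 s.
# Both synthetic event forms carry the target user in $1 thanks to the
# branch-reset group.  continue=TakeNext hands the same event on to
# rule 4, which does the actual storing.
type=Single
ptype=RegExp
pattern=^User (?|(\S+) failed to log in from \S+ over SSH|\S+ failed to switch to user (\S+) with su)$
context=!REPORT_$1 && !SUPPRESS_$1
continue=TakeNext
desc=open reporting context for user $1
action=create REPORT_$1 120 ( report REPORT_$1 /usr/bin/mail -s "Suspicious events for user $1" $1@localhost; create SUPPRESS_$1 3600 )

# Rule 4: store every suspicious event into the open reporting context.
# Once REPORT_$1 has expired and SUPPRESS_$1 exists, neither rule 3 nor
# rule 4 matches, so nothing is recorded for the next hour.
type=Single
ptype=RegExp
pattern=^User (?|(\S+) failed to log in from \S+ over SSH|\S+ failed to switch to user (\S+) with su)$
context=REPORT_$1
desc=record suspicious event for user $1
action=add REPORT_$1 $0
```

Run it with `sec --conf=task2.sec --input=/var/log/secure` (the log path is an assumption; on Debian-based systems the equivalent file is `/var/log/auth.log`). Walking the example through the rules: the second chrony failure at 17:14:13 is swallowed by the operation started at 17:14:12, the su failure at 17:13:33 is cancelled by the session-opened line ten seconds later, and the root su failure at 17:23:29 yields a synthetic event that neither rule 3 nor rule 4 accepts while SUPPRESS_root exists. Note that SEC measures windows and context lifetimes against the wall clock, not the syslog timestamps, so replaying the sample lines through `--input=-` in one burst will not reproduce the timings above unless the input is paced with `sleep`.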
 

Revision as of 24 August 2020, 12:39
