Modifying system to record failed logins and changing UMASK to 027

I'm trying to "correct" errors that our security auditor found.  Since my UNIX skills are weak, I am resistant to make his changes automatically.  Here is one of his findings:
+++++++++++++++++++++++++++++++++++++++++++++++++++
During our check to identify whether failed logins are logged and determine whether the log files are world-writeable, we noted that ECSU is not logging failed logins to log files.  This is so because of the following reasons:
•      Failed login is not defined in the “syslog.conf” log file.
•      Failed login is not defined in the “failed logins” log file.
•      Monitoring at the console is not occurring over the weekends.  Also
Also the UMASK is set to a number (UMASK=022).  

All failed login attempts on the UNIX system should be defined and recorded in the “syslog.conf” and the “failed logins” log files.
Recommendation:  Management should make it a priority to log all failed logins on the UNIX system to the “syslog.conf” and the “failed logins” log files.  Monitoring at the console should be occurring over the weekends so that multiple failed login attempts could be detected if hackers performed hacking attempts over the weekends.  Although this is appropriate, it is suggested that this should be set to (UMASK=027), which is much stronger than (UMASK=022).
+++++++++++++++++++++++++++++++++++++++++++++++++++
My question is how do I do what he wants me do accomplish on my server?  
How do I modify the syslog.conf file?  Any ideas what are the "failed logins" log files? and where do I change the UMASK?
Thanks,
Jack
ps:  I will be posting other questions relating to this audit, this weekend.  What a wonderful way to spend a weekend.
Also,  my server is SunOS sunsvr01 5.9 Generic_118558-16 sun4u sparc SUNW,Sun-Fire-280R

Jack SeamanAsked:
Who is Participating?
 
gheistConnect With a Mentor Commented:
in syslog.conf:

security.debug;auth.info;authpriv.info                         /var/adm/failedlogin.log

0
 
Jack SeamanAuthor Commented:
I added the line in syslog.conf and tested by trying to log on with an incorrect password.  the failedlogin.log was not created.  So, I created the failedlogin.log and tried again.  Still no entry in the log file.  What am I doing incorrectly?
0
 
biraCommented:
Default File Permissions (umask)
Whenever you create a new file, its protection mode is set to some default value,
 called your "umask". Normally, that value is "755", which means that directories will
 get created with mode 755, and files will get created with mode 644 (no execute).
 If you wish to change this default value, use the command umask. To change it,
  type umask three-octal-digits, where three-octal-digits is the complement of the mode
   you want. For example, to set your default mode to 755, type umask 022. To see your
   default protection value, simply type umask.
umask is really a shell command, not a UNIX command.
 Type man tcsh to learn more about it.
If you change your umask value, this new value lasts only until you log out.
To make it permanent, put a umask command in
 your `~/.cshrc' file.
0
Cloud Class® Course: C++ 11 Fundamentals

This course will introduce you to C++ 11 and teach you about syntax fundamentals.

 
gheistCommented:
After modifying syslog.conf do kill -HUP `cat /var/run/syslog.pid`
So it rereads configuration.

Creating file was right idea. Make sure this file cannot be read by everyone on system.
0
 
Jack SeamanAuthor Commented:
I was unable to get back to this issue over the weekend...

If I use the command kill -HUP `cat /var/run/syslog.pid`
what causes it to reread the configuartion file "syslog.conf"? Or is there something else I have to do?

As for UNMASK=27 issue, I will need some more specific instructions on how to change the UNMASK=22 to UNMASK=27.  I want to change it for everyone.

TIA
Jack
0
 
gheistCommented:
umask is  changed in /etc/profile and /etc/.login
0
 
gheistCommented:
Hell no - not UNMASK but UMASK.
or in /etc/defaults/login if before profiles.
0
 
Jack SeamanAuthor Commented:
I have made the change for UMASK.  Easy enough to do.  Still a little unclear about syslog.conf

If I use the command kill -HUP `cat /var/run/syslog.pid`
what causes it to reread the configuartion file "syslog.conf"? Or is there something else I have to do?

Thanks
Jack
0
 
gheistCommented:
The SIGHUP signal, as processed by syslog daemon...
0
 
Jack SeamanAuthor Commented:
By that, you mean, there is nothing else I need to do other than
kill -HUP `cat /var/run/syslog.pid`
0
 
Jack SeamanAuthor Commented:
Will this syslog daemon restart after the kill command?
0
 
gheistCommented:
YES.
refer to syslogd and kill manual pages of your UNIX, or OpenBSD system
0
 
Jack SeamanAuthor Commented:
There must be something I am doing wrong.  It still will not log.  In /var/adm/messages, I get:
May  5 14:12:53 sunsvr01 syslogd: line 14: unknown priority name "info          /var/adm/failedlogin.log"

How do I set the priority?  I've looked at syslogd manual and don't understand.
0
 
Jack SeamanAuthor Commented:
I've looked in the syslog.conf manual, do I need to change

security.debug;auth.info;authpriv.info          /var/adm/failedlogin.log

to

*.err;security.debug;auth.info;authpriv.info          /var/adm/failedlogin.log

to set the priority?
0
 
gheistCommented:
Yours first overrides my latest two.
You have to check for yourself.
0
 
Jack SeamanAuthor Commented:
Now I am confused.  I don't understand your latest comment.  Please explain further.
Thanks,
Jack
0
 
gheistCommented:
*.err includes both *.info entries
0
 
root_startCommented:
Hi wjseaman,

As you stated, you configure the failed logins in the syslog daemon.
You can use the following links to set up syslog correctly:
1. http://publib.boulder.ibm.com/infocenter/wbihelp/v6rxmx/index.jsp?topic=/com.ibm.etools.mft.eb.doc/an04230_.htm
2. http://doc.novsu.ac.ru/oreilly/tcpip/puis/ch10_05.htm

In my opinion, the second one is better than the first and it has a very good explanation.

You can use the following to restart the syslog daemon:
1. As they stated above: kill -HUP `cat /var/run/syslog.pid`
2. You can go to: /etc/init.d and:
    /etc/init.d# ./syslog
    Usage: ./syslog { start | stop }

I am not sure if you know what is the /etc/profile: this file is loaded every time a user logs to the unix system and all environment variables and commands that are default to all users can be in this file, so you will not need to set them in each profile.
Now about the umask, you can set a default one in the "/etc/profile".
Also, you must check in the users profile(.profile in users' home directory) if there is no umask that overrides the one in the /etc/profile, and you can do this with the following commads:
=====================================================================
# cat /etc/passwd | awk -F":" '{print $6}'|xargs -i grep –l umask {}/.profile
# grep –l umask /etc/skel/.profile
# grep –l umask /etc/skel/.cshrc
# grep –l umask /etc/skel/.login
=====================================================================

A good umaks could be: umask 027 - permission: 750

I hope it helps.
0
 
root_startCommented:
Ops, I forgot one thing, you can use the following configuration in your "syslog.conf":

###
## Authentication related Messages
#
auth.alert      /var/adm/auth.log
auth.info       /var/adm/auth.log
auth.debug      /var/adm/auth.log

Again, I hope it helps. =0)
0
 
gheistCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

accept gheist http:#16563356 

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

gheist
EE Cleanup Volunteer
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.