Modifying system to record failed logins and changing UMASK to 027
Posted on 2006-04-28
I'm trying to "correct" errors that our security auditor found. Since my UNIX skills are weak, I am resistant to make his changes automatically. Here is one of his findings:
During our check to identify whether failed logins are logged and determine whether the log files are world-writeable, we noted that ECSU is not logging failed logins to log files. This is so because of the following reasons:
• Failed login is not defined in the “syslog.conf” log file.
• Failed login is not defined in the “failed logins” log file.
• Monitoring at the console is not occurring over the weekends. Also
Also the UMASK is set to a number (UMASK=022).
All failed login attempts on the UNIX system should be defined and recorded in the “syslog.conf” and the “failed logins” log files.
Recommendation: Management should make it a priority to log all failed logins on the UNIX system to the “syslog.conf” and the “failed logins” log files. Monitoring at the console should be occurring over the weekends so that multiple failed login attempts could be detected if hackers performed hacking attempts over the weekends. Although this is appropriate, it is suggested that this should be set to (UMASK=027), which is much stronger than (UMASK=022).
My question is how do I do what he wants me do accomplish on my server?
How do I modify the syslog.conf file? Any ideas what are the "failed logins" log files? and where do I change the UMASK?
ps: I will be posting other questions relating to this audit, this weekend. What a wonderful way to spend a weekend.
Also, my server is SunOS sunsvr01 5.9 Generic_118558-16 sun4u sparc SUNW,Sun-Fire-280R