Jack Seaman asked:
Modifying system to record failed logins and changing UMASK to 027

I'm trying to "correct" errors that our security auditor found.  Since my UNIX skills are weak, I am resistant to make his changes automatically.  Here is one of his findings:
+++++++++++++++++++++++++++++++++++++++++++++++++++
During our check to identify whether failed logins are logged and determine whether the log files are world-writeable, we noted that ECSU is not logging failed logins to log files.  This is so because of the following reasons:
• Failed login is not defined in the “syslog.conf” log file.
• Failed login is not defined in the “failed logins” log file.
• Monitoring at the console is not occurring over the weekends.
Also, the UMASK is set to a number (UMASK=022).

All failed login attempts on the UNIX system should be defined and recorded in the “syslog.conf” and the “failed logins” log files.
Recommendation:  Management should make it a priority to log all failed logins on the UNIX system to the “syslog.conf” and the “failed logins” log files.  Monitoring at the console should be occurring over the weekends so that multiple failed login attempts could be detected if hackers performed hacking attempts over the weekends.  Although this is appropriate, it is suggested that this should be set to (UMASK=027), which is much stronger than (UMASK=022).
+++++++++++++++++++++++++++++++++++++++++++++++++++
My question is how do I accomplish what he wants me to do on my server?
How do I modify the syslog.conf file?  Any ideas what are the "failed logins" log files? and where do I change the UMASK?
Thanks,
Jack
ps:  I will be posting other questions relating to this audit, this weekend.  What a wonderful way to spend a weekend.
Also,  my server is SunOS sunsvr01 5.9 Generic_118558-16 sun4u sparc SUNW,Sun-Fire-280R

ASKER CERTIFIED SOLUTION
gheist
This solution is only available to members.
ASKER
I added the line in syslog.conf and tested by trying to log on with an incorrect password.  The failedlogin.log was not created.  So, I created the failedlogin.log and tried again.  Still no entry in the log file.  What am I doing incorrectly?
bira
Default File Permissions (umask)

Whenever you create a new file, its protection mode is set to some default value, called your "umask". Normally, that value is "755", which means that directories will get created with mode 755, and files will get created with mode 644 (no execute). If you wish to change this default value, use the command umask. To change it, type umask three-octal-digits, where three-octal-digits is the complement of the mode you want. For example, to set your default mode to 755, type umask 022. To see your default protection value, simply type umask.

umask is really a shell command, not a UNIX command. Type man tcsh to learn more about it.

If you change your umask value, this new value lasts only until you log out. To make it permanent, put a umask command in your `~/.cshrc' file.
After modifying syslog.conf do kill -HUP `cat /var/run/syslog.pid`
So it rereads configuration.

Creating file was right idea. Make sure this file cannot be read by everyone on system.
I was unable to get back to this issue over the weekend...

If I use the command kill -HUP `cat /var/run/syslog.pid`
what causes it to reread the configuration file "syslog.conf"? Or is there something else I have to do?

As for UNMASK=27 issue, I will need some more specific instructions on how to change the UNMASK=22 to UNMASK=27.  I want to change it for everyone.

TIA
Jack
umask is  changed in /etc/profile and /etc/.login
Hell no - not UNMASK but UMASK.
or in /etc/defaults/login if before profiles.
I have made the change for UMASK.  Easy enough to do.  Still a little unclear about syslog.conf

If I use the command kill -HUP `cat /var/run/syslog.pid`
what causes it to reread the configuration file "syslog.conf"? Or is there something else I have to do?

Thanks
Jack
The SIGHUP signal, as processed by syslog daemon...
By that, you mean, there is nothing else I need to do other than
kill -HUP `cat /var/run/syslog.pid`
Will this syslog daemon restart after the kill command?
YES.
refer to syslogd and kill manual pages of your UNIX, or OpenBSD system
There must be something I am doing wrong.  It still will not log.  In /var/adm/messages, I get:
May  5 14:12:53 sunsvr01 syslogd: line 14: unknown priority name "info          /var/adm/failedlogin.log"

How do I set the priority?  I've looked at syslogd manual and don't understand.
I've looked in the syslog.conf manual, do I need to change

security.debug;auth.info;authpriv.info          /var/adm/failedlogin.log

to

*.err;security.debug;auth.info;authpriv.info          /var/adm/failedlogin.log

to set the priority?
Yours first overrides my latest two.
You have to check for yourself.
Now I am confused.  I don't understand your latest comment.  Please explain further.
Thanks,
Jack
*.err includes both *.info entries
Hi wjseaman,

As you stated, you configure the failed logins in the syslog daemon.
You can use the following links to set up syslog correctly:
1. http://publib.boulder.ibm.com/infocenter/wbihelp/v6rxmx/index.jsp?topic=/com.ibm.etools.mft.eb.doc/an04230_.htm
2. http://doc.novsu.ac.ru/oreilly/tcpip/puis/ch10_05.htm

In my opinion, the second one is better than the first and it has a very good explanation.

You can use the following to restart the syslog daemon:
1. As they stated above: kill -HUP `cat /var/run/syslog.pid`
2. You can go to: /etc/init.d and:
    /etc/init.d# ./syslog
    Usage: ./syslog { start | stop }

I am not sure if you know what the /etc/profile is: this file is loaded every time a user logs in to the UNIX system, and all environment variables and commands that are default to all users can be in this file, so you will not need to set them in each profile.
Now about the umask, you can set a default one in the "/etc/profile".
Also, you must check in the users' profile (.profile in the users' home directory) that there is no umask that overrides the one in the /etc/profile, and you can do this with the following commands:
=====================================================================
# cat /etc/passwd | awk -F":" '{print $6}'|xargs -i grep -l umask {}/.profile
# grep -l umask /etc/skel/.profile
# grep -l umask /etc/skel/.cshrc
# grep -l umask /etc/skel/.login
=====================================================================

A good umask could be: umask 027 - permission: 750

I hope it helps.
Oops, I forgot one thing, you can use the following configuration in your "syslog.conf":

###
## Authentication related Messages
#
auth.alert      /var/adm/auth.log
auth.info       /var/adm/auth.log
auth.debug      /var/adm/auth.log

Again, I hope it helps. =0)
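The error the asker quoted above, unknown priority name "info          /var/adm/failedlogin.log", is what Solaris syslogd reports when the selector and the action of a syslog.conf line are separated by spaces instead of one or more TAB characters: the daemon treats everything up to the TAB as the selector, so the trailing text is parsed as a priority. The following checker, an added example that is not from the thread or from any poster, emulates that split and flags lines that would fail, using a constructed syslog.conf sample that mirrors the asker's line and the auth.* lines suggested above; the set of priority names is the standard syslog one and is an assumption on my part.

```python
"""Lint a syslog.conf for the TAB-separator problem and bad priority names."""

# Standard syslog priority names (assumed to match the target syslogd).
PRIORITIES = {"emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug", "none"}

# Constructed sample: line 1 reproduces the asker's space-separated line,
# lines 2-3 are TAB-separated rules, line 4 has an invalid priority.
SAMPLE_CONF = (
    "security.debug;auth.info;authpriv.info          /var/adm/failedlogin.log\n"
    "auth.info\t/var/adm/auth.log\n"
    "*.err;auth.info\t/var/adm/failedlogin.log\n"
    "auth.verbose\t/var/adm/auth.log\n"
    "# comment lines are ignored\n"
)


def check_syslog_conf(text):
    """Return a list of (lineno, problem) tuples; an empty list means clean."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "\t" not in raw:
            # No TAB: syslogd takes the whole line as the selector, so the
            # text after the last '.' of the last item becomes the "priority".
            bogus = line.split(";")[-1].split(".", 1)[-1]
            problems.append((lineno, 'no TAB between selector and action; '
                                     'syslogd would see priority "%s"' % bogus))
            continue
        selector, _, action = raw.partition("\t")
        if not action.strip():
            problems.append((lineno, "missing action after TAB"))
            continue
        for item in selector.strip().split(";"):
            if "." not in item:
                problems.append((lineno, "selector %r lacks facility.priority" % item))
                continue
            prio = item.rsplit(".", 1)[1]
            if prio not in PRIORITIES:
                problems.append((lineno, 'unknown priority name "%s"' % prio))
    return problems


if __name__ == "__main__":
    for lineno, problem in check_syslog_conf(SAMPLE_CONF):
        print("line %d: %s" % (lineno, problem))
```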
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

accept gheist http:#16563356 

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

gheist
EE Cleanup Volunteer