Modifying system to record failed logins and changing UMASK to 027

Posted on 2006-04-28
Last Modified: 2010-08-05
I'm trying to "correct" errors that our security auditor found. Since my UNIX skills are weak, I am resistant to making his changes automatically. Here is one of his findings:
+++++++++++++++++++++++++++++++++++++++++++++++++++
During our check to identify whether failed logins are logged and determine whether the log files are world-writable, we noted that ECSU is not logging failed logins to log files. This is so because of the following reasons:
• Failed login is not defined in the “syslog.conf” log file.
• Failed login is not defined in the “failed logins” log file.
• Monitoring at the console is not occurring over the weekends.
Also, the UMASK is set to a number (UMASK=022).

All failed login attempts on the UNIX system should be defined and recorded in the “syslog.conf” and the “failed logins” log files.
Recommendation: Management should make it a priority to log all failed logins on the UNIX system to the “syslog.conf” and the “failed logins” log files. Monitoring at the console should be occurring over the weekends so that multiple failed login attempts could be detected if hackers performed hacking attempts over the weekends. Although this is appropriate, it is suggested that this should be set to (UMASK=027), which is much stronger than (UMASK=022).
+++++++++++++++++++++++++++++++++++++++++++++++++++
My question is how do I do what he wants me to accomplish on my server?
How do I modify the syslog.conf file? Any ideas what the "failed logins" log files are? And where do I change the UMASK?
Thanks,
Jack
PS: I will be posting other questions relating to this audit this weekend. What a wonderful way to spend a weekend.
Also, my server is SunOS sunsvr01 5.9 Generic_118558-16 sun4u sparc SUNW,Sun-Fire-280R

Question by: Jack Seaman

Accepted Solution by: gheist (earned 2000 total points)
ID: 16563356
in syslog.conf:

# selector and action must be separated by a tab, not spaces
security.debug;auth.info;authpriv.info	/var/adm/failedlogin.log

Author Comment by: Jack Seaman
ID: 16564481
I added the line in syslog.conf and tested by trying to log on with an incorrect password. The failedlogin.log was not created. So, I created the failedlogin.log and tried again. Still no entry in the log file. What am I doing incorrectly?
Expert Comment by: bira
ID: 16564843
Default File Permissions (umask)
Whenever you create a new file, its protection mode is set to some default value, called your "umask". Normally, that value is "755", which means that directories will get created with mode 755, and files will get created with mode 644 (no execute). If you wish to change this default value, use the command umask. To change it, type umask three-octal-digits, where three-octal-digits is the complement of the mode you want. For example, to set your default mode to 755, type umask 022. To see your default protection value, simply type umask.
umask is really a shell command, not a UNIX command. Type man tcsh to learn more about it.
If you change your umask value, this new value lasts only until you log out. To make it permanent, put a umask command in your `~/.cshrc' file.
Expert Comment by: gheist
ID: 16566533
After modifying syslog.conf, do kill -HUP `cat /var/run/syslog.pid` so it rereads the configuration.

Creating the file was the right idea. Make sure this file cannot be read by everyone on the system.
Author Comment by: Jack Seaman
ID: 16576911
I was unable to get back to this issue over the weekend...

If I use the command kill -HUP `cat /var/run/syslog.pid`,
what causes it to reread the configuration file "syslog.conf"? Or is there something else I have to do?

As for the UNMASK=27 issue, I will need some more specific instructions on how to change the UNMASK=22 to UNMASK=27. I want to change it for everyone.

TIA
Jack
Expert Comment by: gheist
ID: 16580332
umask is changed in /etc/profile and /etc/.login
Expert Comment by: gheist
ID: 16580348
Hell no - not UNMASK but UMASK.
or in /etc/defaults/login if before profiles.
Author Comment by: Jack Seaman
ID: 16588509
I have made the change for UMASK. Easy enough to do. Still a little unclear about syslog.conf.

If I use the command kill -HUP `cat /var/run/syslog.pid`,
what causes it to reread the configuration file "syslog.conf"? Or is there something else I have to do?

Thanks
Jack
Expert Comment by: gheist
ID: 16590469
The SIGHUP signal, as processed by syslog daemon...
Author Comment by: Jack Seaman
ID: 16590626
By that, you mean, there is nothing else I need to do other than
kill -HUP `cat /var/run/syslog.pid`
Author Comment by: Jack Seaman
ID: 16614984
Will this syslog daemon restart after the kill command?
Expert Comment by: gheist
ID: 16615062
YES.
refer to syslogd and kill manual pages of your UNIX, or OpenBSD system
Author Comment by: Jack Seaman
ID: 16617241
There must be something I am doing wrong.  It still will not log.  In /var/adm/messages, I get:
May  5 14:12:53 sunsvr01 syslogd: line 14: unknown priority name "info          /var/adm/failedlogin.log"

How do I set the priority?  I've looked at syslogd manual and don't understand.
Author Comment by: Jack Seaman
ID: 16617367
I've looked in the syslog.conf manual, do I need to change

security.debug;auth.info;authpriv.info          /var/adm/failedlogin.log

to

*.err;security.debug;auth.info;authpriv.info          /var/adm/failedlogin.log

to set the priority?
Expert Comment by: gheist
ID: 16619054
Yours first overrides my latest two.
You have to check for yourself.
Author Comment by: Jack Seaman
ID: 16630233
Now I am confused.  I don't understand your latest comment.  Please explain further.
Thanks,
Jack
Expert Comment by: gheist
ID: 16630623
*.err includes both *.info entries
Expert Comment by: root_start
ID: 16647619
Hi wjseaman,

As you stated, you configure the failed logins in the syslog daemon.
You can use the following links to set up syslog correctly:
1. http://publib.boulder.ibm.com/infocenter/wbihelp/v6rxmx/index.jsp?topic=/com.ibm.etools.mft.eb.doc/an04230_.htm
2. http://doc.novsu.ac.ru/oreilly/tcpip/puis/ch10_05.htm

In my opinion, the second one is better than the first and it has a very good explanation.

You can use the following to restart the syslog daemon:
1. As they stated above: kill -HUP `cat /var/run/syslog.pid`
2. You can go to /etc/init.d and:
    /etc/init.d# ./syslog
    Usage: ./syslog { start | stop }

I am not sure if you know what /etc/profile is: this file is loaded every time a user logs in to the UNIX system, and all environment variables and commands that are default for all users can be in this file, so you will not need to set them in each profile.
Now about the umask, you can set a default one in the "/etc/profile".
Also, you must check in the users' profiles (.profile in the user's home directory) that there is no umask that overrides the one in /etc/profile, and you can do this with the following commands:
=====================================================================
# awk -F":" '{print $6}' /etc/passwd | xargs -i grep -l umask {}/.profile
# grep -l umask /etc/skel/.profile
# grep -l umask /etc/skel/.cshrc
# grep -l umask /etc/skel/.login
=====================================================================

A good umask could be: umask 027 - permission: 750

I hope it helps.
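To tie the umask and "failed logins" parts of the audit together, here is an added script (not from the thread; the function names are chosen here) that reads UMASK and SYSLOG_FAILED_LOGINS from a Solaris /etc/default/login-style file, shows the file and directory modes a given umask yields, rewrites UMASK=022 to 027, and creates /var/adm/loginlog, the file Solaris login(1) uses to record failed attempts, with the permissions it requires. It assumes those Solaris conventions and runs against a constructed sample file.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed Solaris facts: /etc/default/login
# carries UMASK and SYSLOG_FAILED_LOGINS, and login(1) records failed attempts in
# /var/adm/loginlog only when that file exists with mode 600, owner root, group sys.
# File paths are parameters so the functions can be exercised on a sample file.

# Print the value of KEY from a KEY=VALUE defaults file, skipping '#' comments.
login_default() {   # usage: login_default KEY FILE
    awk -F= -v k="$1" '$0 !~ /^[ \t]*#/ && $1 == k { print $2; exit }' "$2"
}

# Effective mode a given umask yields: files start from 666, directories from 777.
mode_for_umask() {  # usage: mode_for_umask UMASK file|dir   (027 file -> 640)
    base=666; [ "$2" = dir ] && base=777
    printf '%03o\n' $(( 0$base & ~0$1 ))
}

# Succeed only when the defaults file sets UMASK=027, the auditor's recommendation.
umask_is_027() {
    [ "$(login_default UMASK "$1")" = 027 ]
}

# Rewrite the UMASK line to 027, keeping a .bak copy of the original file.
set_umask_027() {
    cp "$1" "$1.bak" && sed 's/^UMASK=.*/UMASK=027/' "$1.bak" > "$1"
}

# Create the failed-login log with the permissions login(1) requires.
ensure_loginlog() {  # usage: ensure_loginlog /var/adm/loginlog
    [ -f "$1" ] || : > "$1"
    chmod 600 "$1" || return 1
    chown root:sys "$1"     # needs root; fails harmlessly in a non-root dry run
}

# Constructed sample of /etc/default/login showing the auditor's finding (UMASK=022).
SAMPLE=${TMPDIR:-/tmp}/login.defaults.$$
cat > "$SAMPLE" <<'EOF'
# /etc/default/login (constructed sample)
#UMASK=027
UMASK=022
SYSLOG=YES
SYSLOG_FAILED_LOGINS=5
EOF

U=$(login_default UMASK "$SAMPLE")
echo "UMASK=$U gives files $(mode_for_umask "$U" file), dirs $(mode_for_umask "$U" dir)"
umask_is_027 "$SAMPLE" || echo "UMASK is not 027; fix with: set_umask_027 /etc/default/login"
```

On the real system the same functions are run as root against /etc/default/login and /var/adm/loginlog; the per-user .profile checks above still apply because a user's own umask line wins over the system default.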
Expert Comment by: root_start
ID: 16647649
Oops, I forgot one thing, you can use the following configuration in your "syslog.conf" (selector and action separated by a tab):

###
## Authentication related Messages
#
auth.alert	/var/adm/auth.log
auth.info	/var/adm/auth.log
auth.debug	/var/adm/auth.log

Again, I hope it helps. =0)
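The error Jack quoted earlier (unknown priority name "info          /var/adm/failedlogin.log") is what Solaris syslogd reports when the selector and the action on a syslog.conf line are separated by spaces rather than a tab, which is how the lines in this thread were pasted. The following added check (not part of the thread; check_syslog_conf and fix_syslog_conf are names chosen here) finds such lines and prints a tab-separated copy, using a constructed sample file:

```shell
#!/bin/sh
# Added example, not from the thread. Solaris syslogd splits each syslog.conf line
# into selector and action at a TAB. With spaces only, everything after the last
# '.' of the selector is read as the priority name, giving the error seen above:
#   syslogd: line 14: unknown priority name "info          /var/adm/failedlogin.log"

# Print "lineno: line" for every non-comment, non-blank line that contains no tab.
check_syslog_conf() {   # usage: check_syslog_conf FILE
    awk '!/^[ \t]*#/ && NF >= 2 && $0 !~ /\t/ { print NR ": " $0 }' "$1"
}

# Emit the file unchanged except that space-separated entries become tab-separated.
fix_syslog_conf() {     # usage: fix_syslog_conf FILE > NEWFILE
    awk '!/^[ \t]*#/ && NF >= 2 && $0 !~ /\t/ {
             sub(/[ \t]+$/, "")               # drop trailing blanks first
             sub(/ +[^ ]*$/, "\t" $NF)        # spaces + action -> tab + action
         }
         { print }' "$1"
}

# Constructed sample: line 2 is correct (tab), line 3 is the mistake from the thread.
BAD='auth.info          /var/adm/failedlogin.log'
SAMPLE=${TMPDIR:-/tmp}/syslog.conf.$$
{
    printf '# constructed sample syslog.conf\n'
    printf '*.err;kern.notice;auth.notice\t/dev/sysmsg\n'
    printf '%s\n' "$BAD"
} > "$SAMPLE"

check_syslog_conf "$SAMPLE"                  # reports "3: auth.info ..."
fix_syslog_conf "$SAMPLE" > "$SAMPLE.fixed"  # line 3 now has a tab before the path
# On the real system: copy /etc/syslog.conf aside, write the fixed output back,
# then kill -HUP `cat /var/run/syslog.pid` so syslogd rereads it.
```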
Expert Comment by: gheist
ID: 16928830
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

accept gheist http:#16563356 

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

gheist
EE Cleanup Volunteer