topic Re: security questions in Operating System - Linux

security questions

Charles McCary — Wed, 14 Sep 2005 13:23:46 GMT

Group, have a couple of questions as relates to SOX and linux. Need to know how to do the following if possible:

1) Disable an account after three consecutive unsuccessful login attempts (I know I know - denial of service, I can live with that).

2) How can I track unsuccessful logins over the long-term?

3) How can I track su attempts over the long-term.

Running Red Hat Linux 3.2.3-42

Any help will be greatly appreciated.

THANKS

Re: security questions

Steven E. Protter — Wed, 14 Sep 2005 15:23:49 GMT

you have a command called lastb

That will let you process the btmp file.

All you have to do is this:

lastb | sort -u > datafile

while read -r username
numbad=$(lastb | grep username | wc -l)
if [ $numbad -ge 3 ]
passwd -l $username
done < datafile

You may wish to process the datafile with awk so that it is a pure user list and nothing else.

| awk 'print $1'

SEP

Re: security questions

Charles McCary — Wed, 14 Sep 2005 15:27:05 GMT

Steve,

I appreciate the feedback, I'm aware of lastb, but was looking for something more sophisticated (as in being able to set this somewhere, like I do on hp trusted system.)

Anyway, if I use your script that's not necessarily the last three "consecutive" logins right, it's just any three bad logins that could have occured any time, unless I'm confused about how lastb works.

C

Re: security questions

Ivan Ferreira — Wed, 14 Sep 2005 16:04:14 GMT

1) You need to configure the pam_tally module.

2) /var/log/secure and lastb

3) Add to the /etc/pam.d/su file the following:

session required /lib/security/$ISA/pam_warn.so
session optional /lib/security/$ISA/pam_lastlog.so

Now, using the last command you will see if the user has logon on the system, and the messages file will register the access using su.

Re: security questions

Robert Walker_8 — Wed, 14 Sep 2005 21:11:05 GMT

Hi,

Just an word of warning with pam_lastlog.so it doesnt write to wtmp file on logout (see man pam_lastlog.so) so you end up with "gone - no logout" when you run the last command.

Drove me nuts as we had pam_lastlog.so in all pam modules to track su'ing and ssh etc.

Just a bit more noise in the advice on life :)

Robert.

As for the wanting to lock a user out after X attempts - I found this seems to work in the system-auth file (RHEL4):

auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account required /lib/security/$ISA/pam_tally.so per_user deny=5 no_magic_root reset

Re: security questions

Charles McCary — Thu, 15 Sep 2005 07:55:50 GMT

Group,

I'll give these a try...thanks.

c

Re: security questions

dirk dierickx — Wed, 28 Sep 2005 04:39:05 GMT

i just want to add that point 2 and 3 you should be able to cover with something like 'logwatch', it will send you a daily report of these activities.

Re: security questions

Rick Garland — Wed, 28 Sep 2005 09:00:29 GMT

Using the PAM modules and doing some configurations in the /etc/pamd.d/system-auth file

http://www.puschitz.com/SecuringLinux.shtml

Here are some of the Table of Contents. Notice that locking accounts after too many logins is included.

* Disabling System Services
* Checking Accounts
* Enabling Password Aging
* Enforcing Stronger Passwords
* Restricting Use of Previous Passwords
* Locking User Accounts After Too Many Login Failures
* Restricting Direct Login Access for System and Shared Accounts
* Restricting su Access to System and Shared Accounts
* Restricting System Access from Servers and Networks
* Preventing Accidental Denial of Service
* Checking File Permissions and Ownership

Gotta hit the URL I posted. A very good site for this type of issue!