HPE Community
Operating System - Linux
1829608 Members
1376 Online
109992 Solutions
New Discussion

Re: security questions

 
Charles McCary
Valued Contributor

‎09-14-2005 06:23 AM

‎09-14-2005 06:23 AM

security questions

Group, have a couple of questions as relates to SOX and linux. Need to know how to do the following if possible:

1) Disable an account after three consecutive unsuccessful login attempts (I know I know - denial of service, I can live with that).

2) How can I track unsuccessful logins over the long-term?

3) How can I track su attempts over the long-term.

Running Red Hat Linux 3.2.3-42

Any help will be greatly appreciated.

THANKS

0 Kudos
7 REPLIES 7
Steven E. Protter
Exalted Contributor

‎09-14-2005 08:23 AM

‎09-14-2005 08:23 AM

Re: security questions

you have a command called lastb

That will let you process the btmp file.

All you have to do is this:

lastb | sort -u > datafile

while read -r username
numbad=$(lastb | grep username | wc -l)
if [ $numbad -ge 3 ]
passwd -l $username
done < datafile

You may wish to process the datafile with awk so that it is a pure user list and nothing else.

| awk 'print $1'

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Charles McCary
Valued Contributor

‎09-14-2005 08:27 AM

‎09-14-2005 08:27 AM

Re: security questions

Steve,

I appreciate the feedback, I'm aware of lastb, but was looking for something more sophisticated (as in being able to set this somewhere, like I do on hp trusted system.)

Anyway, if I use your script that's not necessarily the last three "consecutive" logins right, it's just any three bad logins that could have occured any time, unless I'm confused about how lastb works.

C
0 Kudos
Ivan Ferreira
Honored Contributor

‎09-14-2005 09:04 AM

‎09-14-2005 09:04 AM

Re: security questions

1) You need to configure the pam_tally module.

2) /var/log/secure and lastb

3) Add to the /etc/pam.d/su file the following:

session required /lib/security/$ISA/pam_warn.so
session optional /lib/security/$ISA/pam_lastlog.so

Now, using the last command you will see if the user has logon on the system, and the messages file will register the access using su.


Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
Robert Walker_8
Valued Contributor

‎09-14-2005 02:11 PM

‎09-14-2005 02:11 PM

Re: security questions

Hi,

Just an word of warning with pam_lastlog.so it doesnt write to wtmp file on logout (see man pam_lastlog.so) so you end up with "gone - no logout" when you run the last command.

Drove me nuts as we had pam_lastlog.so in all pam modules to track su'ing and ssh etc.

Just a bit more noise in the advice on life :)

Robert.

As for the wanting to lock a user out after X attempts - I found this seems to work in the system-auth file (RHEL4):

auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account required /lib/security/$ISA/pam_tally.so per_user deny=5 no_magic_root reset
0 Kudos
Charles McCary
Valued Contributor

‎09-15-2005 12:55 AM

‎09-15-2005 12:55 AM

Re: security questions

Group,

I'll give these a try...thanks.

c
0 Kudos
dirk dierickx
Honored Contributor

‎09-27-2005 09:39 PM

‎09-27-2005 09:39 PM

Re: security questions

i just want to add that point 2 and 3 you should be able to cover with something like 'logwatch', it will send you a daily report of these activities.
0 Kudos
Rick Garland
Honored Contributor

‎09-28-2005 02:00 AM

‎09-28-2005 02:00 AM

Re: security questions

Using the PAM modules and doing some configurations in the /etc/pamd.d/system-auth file

http://www.puschitz.com/SecuringLinux.shtml

Here are some of the Table of Contents. Notice that locking accounts after too many logins is included.

* Disabling System Services
* Checking Accounts
* Enabling Password Aging
* Enforcing Stronger Passwords
* Restricting Use of Previous Passwords
* Locking User Accounts After Too Many Login Failures
* Restricting Direct Login Access for System and Shared Accounts
* Restricting su Access to System and Shared Accounts
* Restricting System Access from Servers and Networks
* Preventing Accidental Denial of Service
* Checking File Permissions and Ownership

Gotta hit the URL I posted. A very good site for this type of issue!
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.