Section 16.8 Building on Your Example for Automatic Paging

You wrote your script in that particular way because it allows you to easily scan for other events and generate custom pages for them. In a large system, some people will have weak passwords (unless you ensure that easily cracked passwords are not allowed as discussed in Part I).

Thus, a common technique is to guess the password of some ordinary user as the first step in breaking in, followed by trying to su to root. (Part I discusses how to configure your system so that root may log in only from a physically secure console and not via telnet from somewhere in crackerdom.)

Certainly, you will want to be paged in case of failed su attempts. The su program also logs failed attempts via auth.notice. Thus, simply add a few lines to your script and restart it.

 
    #!/bin/csh -f
    # Read one syslog line at a time from standard input (the auth pipe).
    loop:
    set x="$<"
    # Failed login: "... host login[pid]: invalid password for USER".
    echo "$x" | grep -q ': invalid password'
    if ( $status == 0 ) then
      echo "$x" \
      | sed "s/^... .. ..:..:.. \([^ ]*\).*: invalid password for /BAD PW:\1:/" \
      | Mail 1234567@skytel.com
    endif
    # Failed su, logged at auth.notice: "... host su[pid]: Authentication failed for USER".
    echo "$x" | grep -q 'su\[.*: Authentication failed'
    if ( $status == 0 ) then
      echo "$x" \
      | sed "s/^... .. ..:..:.. \([^ ]*\).*: Authentication failed for /BAD SU:\1:/" \
      | Mail 1234567@skytel.com
    endif
    goto loop

This will yield the following page on an unsuccessful su to root:

 
 BAD SU:cavu:root 

You did not need to send a HANGUP to syslogd because its configuration file has not changed.

This second example principally shows how to add handling for other messages to a single script. It sure would be helpful to know which account attempted to su to root and on which terminal, so you do not get disturbed if your assistant was tweaking the system some evening.

The su program does log this additional information, but at the debug level. Because lots of other programs log detailed security-related information at this level, send all of it through your script and you can pick which messages to page on. Thus, edit /etc/syslog.conf to show the following and send a SIGHUP to syslogd:

 
 auth.*   |/usr/local/etc/syslog_auth 

(You also could choose to handle some of them in other ways, such as e-mail to your account, possibly on another system. In a successful cracking, all of your "trip wires" become disabled, but by placing them near all the entrances, so that the warning leaves the system before it is compromised, you still will get it, and hopefully in time to stop the cracker.)

The raw log message looks like the following:

 
 Nov 24 13:13:18 cavu su[426]: - ttyp2 bob-root 

The following script will handle this nicely. (It may be invoked from any shell.)

 
    #!/bin/csh -f
    # Read one syslog line at a time from standard input (the auth.* pipe).
    loop:
    set x="$<"
    # Failed login: "... host login[pid]: invalid password for USER".
    echo "$x" | grep -q ': invalid password'
    if ( $status == 0 ) then
      echo "$x" \
      | sed "s/^... .. ..:..:.. \([^ ]*\).*: invalid password for /BAD PW:\1:/" \
      | Mail 1234567@skytel.com
    endif
    # su at debug level: "... host su[pid]: - TTY FROMUSER-TOUSER".
    # The second sed expression rewrites the trailing "FROM-TO" as "FROM->TO",
    # as described in the text; it is anchored to the end of the line so that
    # a hyphen in the host name is left alone.
    echo "$x" | grep -q 'su\[.*: -'
    if ( $status == 0 ) then
      echo "$x" \
      | sed -e "s/^... .. ..:..:.. \([^ ]*\).*: - /BAD SU:\1:/" \
            -e 's/ \([^ -]*\)-\([^ ]*\)$/ \1->\2/' \
      | Mail 1234567@skytel.com bob@homesys.com bob@pentacorp.com
    endif
    goto loop

This will generate the following page, where "-" is changed to "->" to indicate that bob is trying to become warren rather than the other way. It is important to make these pages very easy to understand because you may be woken out of a sound sleep at 3 A.M. by one and may not be at your mental best.

 
 BAD SU:cavu:ttyp2 bob->warren 
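The same filter, written as an added example in POSIX sh rather than csh, so that it runs under /bin/sh on systems without csh and so that the line-to-page mapping can be exercised without a pager. This is not the book's script; it assumes the same three message shapes shown above (login "invalid password for", su "Authentication failed for", and the debug-level "- TTY FROM-TO" record), the constructed pager address 1234567@skytel.com, and that the script is started as syslog_auth reading from the auth.* pipe. It also ends cleanly at end of input, where the csh "$<" loop would spin.

```shell
#!/bin/sh
# Added example, not the book's code: a POSIX sh version of the auth.* page filter.
# Sample addresses and log lines in this file are constructed values.

PAGER_ADDR="1234567@skytel.com"   # constructed pager address

# page_for_line LINE
#   Prints the page text for LINE ("PREFIX:host:detail") and returns 0,
#   or prints nothing and returns 1 if LINE is not one we page on.
page_for_line() {
    line=$1
    # Drop the "Nov 24 13:13:18 " timestamp and keep the host name that follows it.
    host=$(printf '%s\n' "$line" | sed 's/^... .. ..:..:.. \([^ ]*\).*/\1/')
    case $line in
        *': invalid password for '*)
            who=${line##*: invalid password for }
            printf 'BAD PW:%s:%s\n' "$host" "$who"
            ;;
        *'su['*': Authentication failed for '*)
            who=${line##*: Authentication failed for }
            printf 'BAD SU:%s:%s\n' "$host" "$who"
            ;;
        *'su['*': - '*)
            # Debug-level su record "- ttyp2 bob-root": tty, then FROM-TO.
            # su separates the two names with a single "-", so a hyphenated
            # FROM user is ambiguous; we split at the first hyphen.
            rest=${line##*: - }
            tty=${rest%% *}
            pair=${rest#* }
            from=${pair%%-*}
            to=${pair#*-}
            printf 'BAD SU:%s:%s %s->%s\n' "$host" "$tty" "$from" "$to"
            ;;
        *)
            return 1
            ;;
    esac
    return 0
}

# run_filter: read syslog lines from stdin until EOF and mail a page for each hit.
run_filter() {
    while IFS= read -r x; do
        page=$(page_for_line "$x") && printf '%s\n' "$page" | Mail "$PAGER_ADDR"
    done
}

# Only start consuming stdin when invoked as the syslog_auth program, so the
# functions can also be sourced and tested without blocking on the pipe.
case $0 in
    */syslog_auth|syslog_auth) run_filter ;;
esac
```

For the raw message shown above, page_for_line yields "BAD SU:cavu:ttyp2 bob->root"; a line the filter does not recognise produces no output and a non-zero status, which keeps the while loop from mailing empty pages.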

In this script you also arranged to receive e-mail on your home and work systems. The truly cautious do not want any evidence of their home system address that a cracker might use to expand his horizons. One solution is to address this e-mail to a third system that should be very secure, which then forwards the e-mail to your home system. There are a number of public re-mailers that could be used.


   
Real World Linux Security Prentice Hall Ptr Open Source Technology Series
Year: 2002
Pages: 260
