Certification Objective 7.01—Monitoring System Access

Exam Objective 4.2: Monitor system access by using appropriate commands.

A computer system is only as secure as its weakest point of entry. Both keeping unauthorized users away from the system and managing the authorized users who access it are essential. In short, monitoring system access is an important task in the arena of system security. Monitoring system access involves both watching login activities and allowing or denying logins. To control access, every user must be required to have a password, and those passwords must be managed. Therefore, password management and login management are key to monitoring system access, and we explore both in this section.

Password Management

As you learned in Chapter 6, the password is an important component of a user account. In order to control system access, passwords must be managed, beginning with making sure that every user has a password. You can issue the following command to find the users who do not have passwords:

    logins -p 

A password has important parameters related to its age that you can manage. For example, you can force users to change their passwords periodically, or you can prevent users from changing their passwords within a specific time period. Table 7-1 shows these parameters; you set their default values by editing the file /etc/default/passwd.

Table 7-1: Parameters in the file /etc/default/passwd

    Parameter     Description
    HISTORY       Maximum number of previous passwords the system remembers for a user; the maximum allowed value is 26.
    MAXWEEKS      Maximum time for which the password is valid.
    MINWEEKS      Minimum time that must elapse before the password can be changed again.
    PASSLENGTH    Minimum password length in characters: 6, 7, or 8.
    WARNWEEKS     Time after which the system warns the user about the password's expiration date.

The parameter values shown in Table 7-1 are the default values; they can be changed for an individual user by using the command passwd, which has the following syntax:

    passwd <username> [<options>] 

The following options are available for this command:

  • -d. Delete the password; login will then not prompt this user for a password.

  • -f. Force the user to change the password at the next login.

  • -l. Lock the account; no further logins will be allowed.

  • -n <min>. Specify the minimum number of days between two consecutive password changes.

  • -s. Display the password attributes for this user.

  • -w <warn>. Specify the number of days before the expiration date at which the user starts getting the warning.

  • -x <max>. Specify the maximum number of days allowed between two consecutive password changes.

It's important to assign a password to each user account, and users should be required to change their passwords on a periodic basis. Use the passwd -l command to lock an account when it becomes necessary. Unmanaged passwords and accounts can create security holes in the system.
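The following shell script is an added example, not code from the study guide: it reads an /etc/default/passwd-style file and reports any Table 7-1 parameter that is unset or set to a weak value. The two sample files are constructed inline so the script runs offline, and the thresholds it applies (PASSLENGTH of 8, HISTORY of at least 1 and at most 26) are assumptions chosen for the example; on a live host you would pass the real /etc/default/passwd to audit_passwd_defaults instead.

```shell
#!/bin/sh
# Added example, not from the study guide: audit an /etc/default/passwd-style
# file for the ageing parameters in Table 7-1.  Both input files are
# constructed here so the script runs offline; pass the real
# /etc/default/passwd to audit_passwd_defaults on a live host.

WEAK_DEFAULTS="$(mktemp)"
HARDENED_DEFAULTS="$(mktemp)"
trap 'rm -f "$WEAK_DEFAULTS" "$HARDENED_DEFAULTS"' EXIT

# Constructed sample 1: ageing left at the shipped (commented-out) values.
cat > "$WEAK_DEFAULTS" <<'EOF'
# /etc/default/passwd (constructed sample: weak)
#MAXWEEKS=
#MINWEEKS=
#WARNWEEKS=
PASSLENGTH=6
HISTORY=0
EOF

# Constructed sample 2: the same file after the values have been set.
cat > "$HARDENED_DEFAULTS" <<'EOF'
# /etc/default/passwd (constructed sample: hardened)
MAXWEEKS=8
MINWEEKS=1
WARNWEEKS=1
PASSLENGTH=8
HISTORY=10
EOF

# get_param FILE NAME -> value of NAME from an uncommented NAME=value line,
# or nothing if the parameter is absent or commented out.
get_param() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# audit_passwd_defaults FILE -> prints one "WARN ..." line per weak setting.
audit_passwd_defaults() {
    maxweeks=$(get_param "$1" MAXWEEKS)
    minweeks=$(get_param "$1" MINWEEKS)
    warnweeks=$(get_param "$1" WARNWEEKS)
    passlength=$(get_param "$1" PASSLENGTH)
    hist=$(get_param "$1" HISTORY)

    [ -n "$maxweeks" ]  || echo "WARN MAXWEEKS unset: passwords never expire"
    [ -n "$minweeks" ]  || echo "WARN MINWEEKS unset: a user can change a password back immediately"
    [ -n "$warnweeks" ] || echo "WARN WARNWEEKS unset: users get no expiry warning"
    if [ -z "$passlength" ] || [ "$passlength" -lt 8 ]; then
        echo "WARN PASSLENGTH=${passlength:-unset}: use 8, the largest value Table 7-1 allows"
    fi
    if [ -z "$hist" ] || [ "$hist" -lt 1 ]; then
        echo "WARN HISTORY=${hist:-unset}: password reuse is not prevented"
    elif [ "$hist" -gt 26 ]; then
        echo "WARN HISTORY=$hist: exceeds the maximum of 26"
    fi
    return 0
}

# count_warnings FILE -> number of WARN lines (0 means the file passes).
count_warnings() {
    audit_passwd_defaults "$1" | grep -c '^WARN' || true
}

# Stand-alone run: report on both samples.
for f in "$WEAK_DEFAULTS" "$HARDENED_DEFAULTS"; do
    echo "== $f: $(count_warnings "$f") warning(s)"
    audit_passwd_defaults "$f"
done
```

The weak sample produces five warnings and the hardened one none. Because the defaults file only applies to users who have no per-user ageing set with passwd -n, -x and -w, a complete audit would also run passwd -s for each account and compare those values against the same thresholds.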

Exam Watch

Accounts can be locked with the passwd command and its -l option, and accounts can be deleted with the userdel command. The passwd command with the -d option deletes only the password; it neither locks nor deletes the account.

In addition to password management, you must perform login management, which we explore next.

Login Management

Login management involves watching login activities and restricting logins altogether. Watching login activities includes finding out who is logged in and monitoring failed login attempts.

Finding Out Who Is Logged In

You can find out who is currently logged into the system by using the who command, which has the following syntax:

    who [<options>] 

Following are the most common options for this command:

  • -b. Show the time for the last reboot.

  • -d. Show the processes that have expired.

  • -H. Print column headings above the output.

  • -l. List the processes that are waiting for someone to log in.

  • -q. Quick display—show only the number of users logged in and their names. When this option is given, all other options are ignored.

  • -r. Display the system run level.

Another useful command regarding logins and logouts is the last command, which looks into the /var/adm/wtmpx file that records all logins and logouts. It displays the sessions of the specified users and terminals. For example, to display all the sessions by the root user, issue the following command:

    last root 

When the system is shut down and rebooted, the pseudo-user reboot logs in automatically. So, to get the information about the reboots, issue the following command:

    last reboot 

The output of this command includes the time and date of each reboot.

Now you know how to take a snapshot of users logged onto your system. Even more interesting is the list of users who attempted to log in to the system but failed. You should scan that list on a regular basis; you never know what you will find. But how do you generate that list? We discuss it next.

Monitoring Failed Login Attempts

Failed login attempts are automatically recorded in the file /var/adm/loginlog once that file exists. All you need to do is create it, using the following command:

    touch /var/adm/loginlog 

Subsequently, each failed login attempt adds one entry to this file. The entries look like the following:

    gbush:/dev/pts/2:Tue Jan 25 10:21:21 2005
    jashc:/dev/pts/2:Wed Jan 26 10:21:21 2005

It contains the account's login name, tty device, and time of the failed attempt. You can display the file with the less, more, or cat command:

    less /var/adm/loginlog 

Note that if a user makes fewer than five unsuccessful login attempts, no attempt is recorded into the loginlog file. A growing loginlog file means someone may be attempting to break into the system.

If you want to record each failed login attempt (that is, even if someone makes only one unsuccessful attempt to log in), edit the following file:

    /etc/default/login 

In this file, set the following parameter:

    SYSLOG_FAILED_LOGINS=0 

Now, every failed login attempt will be recorded into the loginlog file.

There will be situations in which you need to temporarily disable all user logins except root.

Temporarily Disabling User Logins

You may need to temporarily disable all user logins—for example, during system shutdown or system maintenance. In order to prevent all non-root users from logging in, you can create the file /etc/nologin:

    touch /etc/nologin 

If this file exists, sshd will not allow any non-root user to log in. You can optionally type a message in the file that will be displayed to anyone who attempts to log in. Users other than the owner (the world) should have only read permission on the file.

Note that this will not disable the superuser login.
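A common failure mode with /etc/nologin is forgetting to remove it after the maintenance window, which leaves every ordinary user locked out until someone notices. The following shell script is an added example, not code from the study guide: it wraps a maintenance task so that the nologin file is created with the message and world-read-only permissions the section describes, and removed again even if the task fails or the shell is interrupted. NOLOGIN_FILE is pointed at a temporary file and maintenance_task is a stand-in, both assumptions so the script runs offline; on a live host you would set NOLOGIN_FILE=/etc/nologin and pass the real maintenance command.

```shell
#!/bin/sh
# Added example, not from the study guide: keep the nologin file in place only
# for the duration of a maintenance task.  NOLOGIN_FILE is a temporary file
# here so the script runs offline; on a live host use /etc/nologin.
NOLOGIN_FILE="$(mktemp)"

# file_mode FILE -> permission string such as "rw-r--r--" (portable via ls).
file_mode() {
    ls -ld "$1" | cut -c2-10
}

# write_nologin FILE MESSAGE -> create FILE containing MESSAGE, readable by
# everyone but writable only by the owner (mode 644), as the section requires.
write_nologin() {
    printf '%s\n' "$2" > "$1"
    chmod 644 "$1"
}

# with_logins_disabled MESSAGE COMMAND [ARGS...] -> run COMMAND with the
# nologin file present.  The trap removes the file if COMMAND fails or the
# shell is interrupted, so logins are always re-enabled afterwards.
with_logins_disabled() {
    msg="$1"; shift
    write_nologin "$NOLOGIN_FILE" "$msg"
    trap 'rm -f "$NOLOGIN_FILE"' EXIT INT TERM
    status=0
    "$@" || status=$?
    rm -f "$NOLOGIN_FILE"
    trap - EXIT INT TERM
    return "$status"
}

# maintenance_task: a stand-in for the real work (assumption for this example).
# It records what a login attempt would see while it runs, so the outcome can
# be checked after the window closes.
maintenance_task() {
    MODE_DURING="$(file_mode "$NOLOGIN_FILE")"
    MESSAGE_DURING="$(cat "$NOLOGIN_FILE")"
}

# run_demo -> prints "re-enabled" if the nologin file is gone after the task,
# "still-disabled" otherwise.
run_demo() {
    with_logins_disabled "System down for maintenance until 06:00" maintenance_task
    if [ -e "$NOLOGIN_FILE" ]; then echo "still-disabled"; else echo "re-enabled"; fi
}

# Stand-alone run.
run_demo
echo "during the task: mode $MODE_DURING, message '$MESSAGE_DURING'"
```

The superuser is unaffected by the file, so the administrator running the wrapper can still log in to fix things if the task misbehaves; that is exactly why the note above matters.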

Exercise 7-1: Capturing Failed Login Attempts

  1. Become superuser.

  2. Create the loginlog file as follows:

        # touch /var/adm/loginlog 

  3. Set the read and write permissions for the superuser on the loginlog file with the following command:

        # chmod 600 /var/adm/loginlog 

  4. Change the group membership of the loginlog file to sys as follows:

        # chgrp sys /var/adm/loginlog 

  5. Verify that the loginlog file works. For example, try to log in to the system five or more times with the wrong password. After each attempt display the /var/adm/loginlog file:

        # less /var/adm/loginlog 

After five failed attempts you will see them logged in the loginlog file, which looks like the following:

    jkerry:/dev/pts/2:Fri Feb 4 11:25:10 2005
    jkerry:/dev/pts/2:Fri Feb 4 11:25:20 2005
    jkerry:/dev/pts/2:Fri Feb 4 11:25:30 2005
    jkerry:/dev/pts/2:Fri Feb 4 11:25:41 2005
    jkerry:/dev/pts/2:Fri Feb 4 11:25:55 2005

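The section on monitoring failed login attempts and Exercise 7-1 both leave the administrator with a loginlog file to scan by hand. The following shell script is an added example, not code from the study guide: it checks that the file has the 600 permissions from step 3 of the exercise, then summarises the login:tty:timestamp records by account and flags any account at or above a threshold. The records are constructed inline (the entries shown in the chapter plus one constructed root entry) so the script runs offline; on a live host you would pass /var/adm/loginlog to these functions. The chgrp sys step is left out because it needs root and the sys group, which the offline run cannot assume.

```shell
#!/bin/sh
# Added example, not from the study guide: summarise a loginlog file whose
# records have the form login:tty:timestamp.  The records are constructed so
# the script runs offline; on a live host pass /var/adm/loginlog instead.

LOGINLOG="$(mktemp)"
trap 'rm -f "$LOGINLOG"' EXIT
cat > "$LOGINLOG" <<'EOF'
gbush:/dev/pts/2:Tue Jan 25 10:21:21 2005
jashc:/dev/pts/2:Wed Jan 26 10:21:21 2005
jkerry:/dev/pts/2:Fri Feb 4 11:25:10 2005
jkerry:/dev/pts/2:Fri Feb 4 11:25:20 2005
jkerry:/dev/pts/2:Fri Feb 4 11:25:30 2005
jkerry:/dev/pts/2:Fri Feb 4 11:25:41 2005
jkerry:/dev/pts/2:Fri Feb 4 11:25:55 2005
root:/dev/console:Fri Feb 4 23:02:07 2005
EOF
chmod 600 "$LOGINLOG"    # Exercise 7-1 step 3; on a live host also chgrp sys

# check_perms FILE -> "ok" when only the owner can read and write the file
# (mode 600), otherwise "loose".
check_perms() {
    case "$(ls -ld "$1" | cut -c2-10)" in
        rw-------) echo ok ;;
        *)         echo loose ;;
    esac
}

# count_failures FILE -> "login count" per account, most failures first.
# The timestamp field itself contains colons, so only $1 and $2 are used.
count_failures() {
    awk -F: 'NF >= 3 { n[$1]++ } END { for (u in n) print u, n[u] }' "$1" \
        | sort -k2,2nr -k1,1
}

# failures_for FILE LOGIN -> number of failed attempts recorded for LOGIN.
failures_for() {
    awk -F: -v user="$2" 'NF >= 3 && $1 == user { n++ } END { print n + 0 }' "$1"
}

# accounts_at_or_over FILE THRESHOLD -> logins with THRESHOLD or more
# failures, one per line.  Five matches the point at which the chapter's
# default configuration starts recording, so a name here is worth a look.
accounts_at_or_over() {
    count_failures "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}

# ttys_for FILE LOGIN -> distinct ttys from which LOGIN's failures came.
ttys_for() {
    awk -F: -v user="$2" 'NF >= 3 && $1 == user { print $2 }' "$1" | sort -u
}

# Stand-alone run: the report an administrator would scan regularly.
echo "loginlog permissions: $(check_perms "$LOGINLOG")"
echo "failed attempts per account:"
count_failures "$LOGINLOG"
echo "accounts with five or more failures:"
accounts_at_or_over "$LOGINLOG" 5
echo "failures against root: $(failures_for "$LOGINLOG" root)"
```

Even a single failure against root is shown separately because the threshold that makes sense for ordinary accounts is too generous for the superuser. With SYSLOG_FAILED_LOGINS=0 set as described above, every attempt is recorded and the per-account counts become meaningful below five as well.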

When you perform security tasks, you may need to switch from account to account. We discuss next how to do that efficiently.




Sun Certified System Administrator for Solaris 10 Study Guide Exams 310-XXX & 310-XXX
Year: 2005
Pages: 168