Okay.
Since I posted my last message on 'issforum' I've received a couple of mails asking me to give some more information on how I configured RS OS sensor 5.0 for AIX.
I will give a _very_ short description of the basics of my implementation, but for security reasons I will not post my policy files here (you can all understand why!).
I hope this can help some of you experiencing "problems" with the OS sensor for AIX or other UNIX systems. If you still have problems, I can maybe post some more "issues", but I will NOT do the configuration for you all :)
Enjoy configuring RealSecure OS sensor 5.0. Keep it up....
Be happy to hear how you're all doing here on issforum...
Gunnar Alendal
Systems Specialist
Bull AS
Norway
[EMAIL PROTECTED]
First: You all know that the OS sensor for UNIX is "log dependent", i.e. it looks at "readable" (e.g. ASCII) logfiles for so-called 'events' it should trigger on (send an alert). This means it looks at single(!) lines written to a logfile. The 'signature' just tells the sensor what (text) to look for.
Second: The signatures delivered with RealSecure OS sensor 5.0 for UNIX (UNIX Syslog Events) are configured with SUN Solaris in mind, and I don't even _think_ ISS meant this to be "UNIX independent". These signatures are written for Solaris' syslog daemon, which tends to write different events to the syslog than the AIX syslog daemon does. This is why many of you see some nice logging in the syslog but don't get any alerts in the OS sensor: the sensor is looking for a different text!! :(
So for all of you thinking the OS sensor supports AIX with many nice predefined events: Sorry! :(
So what do you do: Write your own 'signatures' in "User Defined Events"!!!
Third: You CANNOT write your own correlation rules in RealSecure!! This is why you CANNOT configure a signature with "Don't send an alarm until this event has happened 5 times" (e.g. you don't want an alarm on ONE failed login, but maybe after 5 failed logins).
THIS IS THE MOST IMPORTANT FAILURE WITH REALSECURE OS SENSOR!!! (can you hear me ISS?!)
Okay, on to the configuration:
AUDIT:
To get the most out of AIX logging, use the 'audit' log system, configured under /etc/security/audit/. I will NOT teach you guys how to configure audit, but I can tell you that this is the worst job! :)
See this link for information:
http://www.rs6000.ibm.com/doc_link/en_US/a_doc_lib/cmds/aixcmds1/audit.htm
IMPORTANT information: audit comes with two 'modes': BIN mode and STREAM mode. BIN mode logs to binary logfiles (by default the /audit/trail, /.../bin1 and /.../bin2 files). STREAM mode logs to ASCII logfiles (by default the /audit/stream.out file). The OS sensor needs a "text" log, so /audit/stream.out is the file you set up the OS sensor to use.
Note that the STREAM mode is dependent on the BIN mode, so you have to use both modes to get the /audit/stream.out log working correctly!!
Remember this: Too much audit takes a lot of system resources! Keep audit logging to the minimum required.
I apply a filter on the stream.out file so it doesn't write events I don't want to trigger in the OS sensor. This saves the AIX system a lot!
OS Sensor:
You then decide to make a "User Defined Event" to trigger on a "USER_Login ... FAIL_AUTH" event from the /audit/stream.out file. Basically you can trigger on any text in a single line, from any ASCII logfile.
- You just add a new event under the "Log rules" section of your AIX policy and call it whatever you prefer (e.g. Failed_login-bad_username_or_password).
- You have to tell it which logfile to watch, so configure /audit/stream.out for the event (under "Use Logs").
- You have to tell the event to trigger on the "USER_Login ... FAIL_AUTH", so you write a standard regular expression: USER_Login *([^ ]*) *([^ ]*) *([^ ]*) *([^ ]*) *([^ ]*) *FAIL_AUTH
(don't mind all the mess in the middle, just let it be in there)
- Save this policy and apply it to the AIX sensor, and basically you're done....
There are still things you can do, e.g. configure the info fields of the sensor alarm, responses, etc. These are "cosmetic", so you can play with these on your own :)
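To make the single-line matching (and the missing "alarm after 5 failed logins" correlation) concrete, here is an added Python example, not Gunnar's or ISS's code: it runs the regular expression from the post over a few constructed stream.out lines, gives one alert per matching line the way the sensor does, and then adds the per-user threshold that RealSecure cannot do on its own. The field order of the sample records (event, command, login, real user, PID, parent PID, status) is an assumption, not the layout of a real AIX audit stream.

```python
import re
from collections import defaultdict

# The regular expression from the post: five space-separated fields between
# USER_Login and FAIL_AUTH, each captured so it can fill an Info field.
FAIL_AUTH_RE = re.compile(
    r"USER_Login *([^ ]*) *([^ ]*) *([^ ]*) *([^ ]*) *([^ ]*) *FAIL_AUTH"
)

# Constructed sample of /audit/stream.out records, one audit record per line.
# The field order (event, command, login, real user, PID, parent PID, status)
# is an assumption; the real layout depends on how the audit stream is formatted.
SAMPLE_STREAM = """\
USER_Login tsm root root 1234 1000 FAIL_AUTH
USER_Login tsm bob bob 1240 1000 OK
USER_Login tsm root root 1241 1000 FAIL_AUTH
PROC_Execute ksh bob bob 1242 1240 OK
USER_Login tsm root root 1250 1000 FAIL_AUTH
USER_Login tsm alice alice 1251 1000 FAIL_AUTH
USER_Login tsm root root 1252 1000 FAIL_AUTH
USER_Login tsm root root 1253 1000 FAIL_AUTH
"""


def match_failed_login(line):
    """Return the five captured fields if the line matches, else None.
    This is all the sensor sees: one line, one match, one alert."""
    m = FAIL_AUTH_RE.search(line)
    return m.groups() if m else None


def single_line_alerts(stream_text):
    """One alert per matching line, which is how the OS sensor behaves."""
    return [f for f in map(match_failed_login, stream_text.splitlines()) if f]


def threshold_alerts(stream_text, threshold=5, user_field=1):
    """The correlation the sensor lacks: one alert per login name, raised
    only when that name reaches `threshold` failed logins. user_field is the
    index into the captured groups holding the login name (1 under the
    assumed layout above)."""
    counts = defaultdict(int)
    alerts = []
    for fields in single_line_alerts(stream_text):
        user = fields[user_field]
        counts[user] += 1
        if counts[user] == threshold:
            alerts.append(user)
    return alerts
```

On the sample stream the sensor-style matching raises six alerts, while the threshold version raises a single one for root and stays quiet about the lone failure for alice.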
Below is the alert described above as it is written in the policy file (my own implementation, so watch the 'Info' section. You won't get this to work, because you'll have to have my audit configuration!):
[\Advanced\userdefinedsignatures\SysLog Rules\Failed_login-bad_username_or_password\];
Enabled =B 1;
Priority =L 2;
Regular Expression =S USER_Login *([^ ]*) *([^ ]*) *([^ ]*) *([^ ]*) *([^ ]*) *FAIL_AUTH;
Logs =S stream.out;
[\Advanced\userdefinedsignatures\SysLog Rules\Failed_login-bad_username_or_password\Response\];
[\Advanced\userdefinedsignatures\SysLog Rules\Failed_login-bad_username_or_password\Response\BANNER\];
Enabled =B 0;
Choice =S ;
[\Advanced\userdefinedsignatures\SysLog Rules\Failed_login-bad_username_or_password\Response\DISABLE\];
Enabled =B 0;
Choice =S ;
[\Advanced\userdefinedsignatures\SysLog Rules\Failed_login-bad_username_or_password\Response\SUSPEND\];
Enabled =B 0;
Choice =S ;
[\Advanced\userdefinedsignatures\SysLog Rules\Failed_login-bad_username_or_password\Response\RSKILL\];
Enabled =B 0;
Choice =S ;
[\Advanced\userdefinedsignatures\SysLog Rules\Failed_login-bad_username_or_password\Response\DISPLAY\];
Enabled =B 1;
Choice =S Default;
[\Advanced\userdefinedsignatures\SysLog Rules\Failed_login-bad_username_or_password\Response\LOGDB\];
Enabled =B 1;
Choice =S LogWithoutRaw;
[\Advanced\userdefinedsignatures\SysLog Rules\Failed_login-bad_username_or_password\Response\SNMP\];
Enabled =B 1;
Choice =S Default;
[\Advanced\userdefinedsignatures\SysLog Rules\Failed_login-bad_username_or_password\Info\];
_Message =S Failed login, wrongful authentication. Most likely wrongful password / unknown user. Check the log!;
Command =S @Field1;
EventCode =S @Field0;
LogType =S /audit/stream.out;
ProcessID =S @Field4;
ProcessID, parent =S @Field5;
UserInfo =S user: {!};