Re: HIDS for logon authentication
From: Skip Carter (skip_at_taygeta.com)
To: email@example.com
Date: Fri, 21 May 2004 17:24:11 -0700
> I am looking for a Host-Based IDS that can monitor and alarm on remote logons on Solaris 8.
> If this was all I wanted to do then I would probably be looking at something like secure syslog, or a similar log-parsing tool, but we really want the other HIDS functionality as well, and I am keen to avoid having to write custom scripts.
> The primary requirement is to be able to create alarms based on people logging onto the system, and failing to logon. However, we still want some other HIDS functionality.
> I was taking it for granted that most HIDS would be able to detect and alarm on logons, but it seems I was wrong :-(
The PAM module pam_login_alert can be used to generate a syslog and/or email
upon login (or even an ATTEMPT to login).

I use it here, modified to include an option for an SMS message to my cell
phone. I have had good luck with getting PAM modules originally written for
Linux to run on Solaris (and vice versa).

The nice thing about using PAM is that ANY authentication sequence can be
(potentially) managed with it, not just logins.
(The bad thing about it is that you can totally hose a system if you make a
mistake in the configuration! -- you have to break into it in order to fix it.)
--
Dr. Everett (Skip) Carter
Taygeta Scientific Inc.
1340 Munras Ave., Suite 314
Monterey, CA. 93940
Phone: 831-641-0645
FAX: 831-641-0647
INTERNET: firstname.lastname@example.org
WWW: http://www.taygeta.com