Re: HIDS for logon authentication

From: Skip Carter (skip_at_taygeta.com)
Date: 05/22/04

    To: focus-ids@securityfocus.com
    Date: Fri, 21 May 2004 17:24:11 -0700
    
    
    

    > I am looking for a Host-Based IDS that can monitor and alarm on remote logons on Solaris 8.
    >
    .......
    >
    > If this was all I wanted to do then I would probably be looking at something like secure syslog, or a similar log-parsing tool, but we really want the other HIDS functionality as well, and I am keen to avoid having to write custom scripts.
    >
    > The primary requirement is to be able to create alarms based on people logging onto the system, and failing to logon. However, we still want some other HIDS functionality.
    >
    > I was taking it for granted that most HIDS would be able to detect and alarm on logons, but it seems I was wrong :-(

    The PAM module pam_login_alert can be used to generate a syslog and/or email upon login (or even an ATTEMPT to login).
    I use it here, modified to include an option for an SMS message to my cell phone. I have had good luck with getting PAM modules originally written for Linux to run on Solaris (and vice versa).

    The nice thing about using PAM is that ANY authentication sequence can be (potentially) managed with it, not just logins.

    (The bad thing about it is that you can totally hose a system if you make a mistake in the configuration! -- you have to break into it in order to fix it)

    Skip

    -- 
     Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
     Taygeta Scientific Inc.        INTERNET: skip@taygeta.com
     1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
     Monterey, CA. 93940            
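
The configuration risk mentioned above can be reduced by checking a pam.conf before it goes live. The following is an added example, not part of the original post and not code from pam_login_alert; it assumes the Solaris pam.conf layout (service, type, control flag, module path), that relative module paths resolve under /usr/lib/security, and the module file name pam_login_alert.so.

```python
import os

MODULE_TYPES = {"auth", "account", "session", "password"}
CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}

# Constructed sample in pam.conf layout: service type control module [options].
# The file name pam_login_alert.so is an assumption; check your own build.
SAMPLE = """\
# constructed sample, not a real system's pam.conf
login   auth     required   /usr/lib/security/$ISA/pam_unix.so.1
login   auth     optional   pam_login_alert.so
login   session  requried   pam_unix.so.1
other   auth     required   pam_missing.so.1
rlogin  auth
"""

def lint_pam_conf(text, module_dir="/usr/lib/security", isa="", exists=os.path.exists):
    """Return (line_no, message) for each problem found in pam.conf text."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        if len(fields) < 4:
            problems.append((n, "need service, type, control flag and module"))
            continue
        service, mtype, control, path = fields[:4]
        if mtype.lower() not in MODULE_TYPES:
            problems.append((n, f"{service}: unknown module type {mtype!r}"))
        if control.lower() not in CONTROL_FLAGS:
            problems.append((n, f"{service}: unknown control flag {control!r}"))
        # Assumption: $ISA is empty for 32-bit modules, and a relative
        # module path is looked up under module_dir.
        path = path.replace("$ISA/", f"{isa}/" if isa else "")
        if not path.startswith("/"):
            path = os.path.join(module_dir, path)
        # Flag any module file that is absent before the change goes live.
        if not exists(path):
            problems.append((n, f"{service}: module not found: {path}"))
    return problems

if __name__ == "__main__":
    for n, message in lint_pam_conf(SAMPLE):
        print(f"line {n}: {message}")
```

Run it against a copy of the edited file, and keep a root shell open on the host until a fresh login has been tested.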
    
    


