IDS mailing list archives

Re: HIDS for logon authentication


From: Skip Carter <skip () taygeta com>
Date: Fri, 21 May 2004 17:24:11 -0700



I am looking for a Host-Based IDS that can monitor and alarm on remote logons on Solaris 8.

.......

If this was all I wanted to do then I would probably be looking at something like secure syslog, or a similar log-parsing tool, but we really want the other HIDS functionality as well, and I am keen to avoid having to write custom scripts.

The primary requirement is to be able to create alarms based on people logging onto the system, and failing to logon. 
However, we still want some other HIDS functionality.

I was taking it for granted that most HIDS would be able to detect and alarm on logons, but it seems I was wrong :-(

The PAM module pam_login_alert can be used to generate a syslog and/or email upon login (or even an ATTEMPT to login).
I use it here, modified to include an option for an SMS message to my cell phone. I have had good luck with getting PAM modules originally written for Linux to run on Solaris (and vice versa).

The nice thing about using PAM is that ANY authentication sequence can be (potentially) managed with it, not just logins.

(The bad thing about it is that you can totally hose a system if you make a mistake in the configuration! -- you have to break into it in order to fix it.)






Skip




-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip () taygeta com
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            
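
The lockout risk the reply mentions can be reduced by checking a candidate pam.conf before it replaces the live one. The POSIX shell function below is an added example, not part of the original post and not code from pam_login_alert. It assumes the four classic control flags and a module file whose name contains pam_login_alert; the function name pam_conf_lint and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): lint a Solaris-style pam.conf.
# Entry format: service  module_type  control_flag  module_path  [options]
# Assumption: relative module paths live under the directory given as $2.
pam_conf_lint() {
    conf=$1; module_dir=${2:-/usr/lib/security}
    lineno=0; problems=0
    while read -r service mtype control mpath opts || [ -n "$service" ]; do
        lineno=$((lineno + 1))
        case $service in ''|'#'*) continue ;; esac    # blank line or comment
        case $mtype in
            auth|account|session|password) ;;
            *) echo "line $lineno: unknown module type '$mtype'"
               problems=$((problems + 1)); continue ;;
        esac
        case $control in
            required|requisite|sufficient|optional) ;;
            *) echo "line $lineno: unknown control flag '$control'"
               problems=$((problems + 1)); continue ;;
        esac
        case $mpath in /*) path=$mpath ;; *) path=$module_dir/$mpath ;; esac
        if [ ! -f "$path" ]; then
            echo "line $lineno: module not found: $path"
            problems=$((problems + 1)); continue
        fi
        # An alert-only module must not be able to fail the whole stack.
        case $mpath in *pam_login_alert*)
            if [ "$control" != optional ]; then
                echo "line $lineno: pam_login_alert is '$control', use 'optional'"
                problems=$((problems + 1))
            fi ;;
        esac
    done < "$conf"
    [ "$problems" -eq 0 ]
}

# Constructed sample: stub module files plus a pam.conf with three mistakes.
demo_dir=$(mktemp -d)
: > "$demo_dir/pam_unix.so.1"; : > "$demo_dir/pam_login_alert.so"
cat > "$demo_dir/pam.conf" <<'EOF'
# service  type     control   module
login      auth     required  pam_unix.so.1
login      auth     required  pam_login_alert.so
login      auth     optinal   pam_login_alert.so
other      session  optional  pam_missing.so
EOF
pam_conf_lint "$demo_dir/pam.conf" "$demo_dir" || echo "do not install this pam.conf"
```

Keeping a root shell open in a second session while the new file is tested leaves a way back in if a mistake slips past the lint.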










