IDS mailing list archives
Re: HIDS for logon authentication
From: Skip Carter <skip () taygeta com>
Date: Fri, 21 May 2004 17:24:11 -0700
I am looking for a Host-Based IDS that can monitor and alarm on remote logons on Solaris 8.
.......
If this was all I wanted to do then I would probably be looking at something like secure syslog, or a similar log-parsing tool, but we really want the other HIDS functionality as well, and I am keen to avoid having to write custom scripts. The primary requirement is to be able to create alarms based on people logging onto the system, and failing to logon. However, we still want some other HIDS functionality. I was taking it for granted that most HIDS would be able to detect and alarm on logons, but it seems I was wrong :-(
The PAM module pam_login_alert can be used to generate a syslog and/or email upon login (or even an ATTEMPT to login). I use it here, modified to include an option for an SMS message to my cell phone. I have had good luck with getting PAM modules originally written for Linux to run on Solaris (and vice versa).

The nice thing about using PAM is that ANY authentication sequence can be (potentially) managed with it, not just logins. (the bad thing about it, is that you can totally hose a system if you make a mistake in the configuration! -- you have to break into it in order to fix it)

Skip

--
Dr. Everett (Skip) Carter  Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Scientific Inc.  INTERNET: skip () taygeta com
1340 Munras Ave., Suite 314  WWW: http://www.taygeta.com
Monterey, CA. 93940
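Added example (not part of the original post, and not code from pam_login_alert): a small Python check for the configuration risk mentioned in the reply above, linting pam.conf-format lines before they are installed. The sample entries, the alert module's install path, and the rule that a notification-only module should not be `required` are assumptions of this example.

```python
"""Lint pam.conf-style entries before installing them (added example)."""

# The four classic control flags and module types; later PAM
# implementations accept additional flags.
VALID_FLAGS = {"required", "requisite", "sufficient", "optional"}
VALID_TYPES = {"auth", "account", "session", "password"}

# Constructed sample entries for the login service. The path of the alert
# module is a hypothetical install location, not taken from the post.
SAMPLE = """\
# service  type     flag      module
login      auth     required  /usr/lib/security/pam_unix.so.1
login      auth     required  /usr/lib/security/pam_login_alert.so
login      session  optional  /usr/lib/security/pam_login_alert.so
login      auth     requried  /usr/lib/security/pam_dial_auth.so.1
login      account
"""


def lint_pam_conf(text, notify_modules=("pam_login_alert",)):
    """Return (line_number, message) findings for pam.conf-format text."""
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            findings.append((n, "incomplete entry: need service, type, flag, module"))
            continue
        service, mtype, flag, module = fields[:4]
        if mtype not in VALID_TYPES:
            findings.append((n, f"unknown module type {mtype!r}"))
        if flag not in VALID_FLAGS:
            findings.append((n, f"unknown control flag {flag!r}"))
        # A notification-only module should not be able to veto the stack:
        # if it is required and fails (mail down, bad option), logins fail.
        elif flag in ("required", "requisite") and any(
            m in module for m in notify_modules
        ):
            findings.append((n, f"{module} is {flag}; a failure here blocks {service}"))
    return findings


if __name__ == "__main__":
    for n, msg in lint_pam_conf(SAMPLE):
        print(f"line {n}: {msg}")
```

Running the check against a copy of the file, and keeping a root session open while the edited file is first tested, avoids the lock-out described in the reply.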
Current thread:
- HIDS for logon authentication Joe Dauncey (May 21)
- Re: HIDS for logon authentication Skip Carter (May 22)
- Re: HIDS for logon authentication Sam Stover (May 22)
- Re: HIDS for logon authentication harald (May 22)
- RE: HIDS for logon authentication Jason J. W. Williams (May 22)
- <Possible follow-ups>
- Re: HIDS for logon authentication Drew Simonis (May 23)