
Configuring Account Security on Solaris 8 - Sun Solaris


  1. #1

    Default Re: Configuring Account Security on Solaris 8

    Doug wrote:
    > Can anyone help with some account problems my employer has set me as we
    > are currently being audited for security. He comes from a micro$oft
    > background and wants the same features for Solaris. So have you any
    > ideas how I can:-
    >
    >
    > Lock an account after a predetermined number of failed logins (in
    > this case three). If there is a way of setting a timed lock out
    > and/or having the administrator reset the account even better.
    >
    > Set a time between login attempts (two seconds).
    >
    > Set a timeout after thirty minutes of inactivity, booting out the user.
    >
    >
    > I have heard that I will need to use trusted Solaris but this would mean
    > upgrading thirty five machines which doesn't appeal.
    >
    > Any help you can offer would be very much appreciated.
    >
    > Thanks in advance
    >
    > Doug
    >
    >

    Read the login(1) manual page!

    In /etc/default/login config file you can set :

    SYSLOG
    Determines whether the syslog(3C) LOG_AUTH facility
    should be used to log all root logins at level LOG_NOTICE
    and multiple failed login attempts at LOG_CRIT.

    SLEEPTIME
    If present, sets the number of seconds to wait before
    login failure is printed to the screen and another login
    attempt is allowed. Default is 4 seconds. Minimum is 0 seconds.
    Maximum is 5 seconds.

    RETRIES

    Sets the number of retries for logging in (see pam(3PAM)).
    The default is 5.

    SYSLOG_FAILED_LOGINS

    Used to determine how many failed login attempts will be
    allowed by the system before a failed login message is
    logged, using the syslog(3C) LOG_NOTICE facility. For example,
    if the variable is set to 0, login will log all failed
    login attempts.


    In Solaris 9 you can also set:

    DISABLETIME
    If present, and greater than zero, the number of
    seconds that login will wait after RETRIES
    failed attempts or the PAM framework returns
    PAM_ABORT. Default is 20 seconds. Minimum is 0
    seconds. No maximum is imposed.



    ---------------
    Read the passwd(1) manual page


    in the config file /etc/default/passwd you can set :

    MAXWEEKS
    Maximum time period that password is valid.

    MINWEEKS
    Minimum time period before the password can be changed.

    PASSLENGTH
    Minimum length of password, in characters.

    WARNWEEKS
    Time period until warning of date of password's ensuing expiration.

    ---------

    Read the ksh(1) manpage


    If you force people to use a SHELL with a timeout function
    ( Ksh ) you can set the timeout in /etc/profile

    TMOUT=60
    export TMOUT



    TMOUT If set to a value greater than zero, the shell will
    terminate if a command is not entered within the
    prescribed number of seconds after issuing the PS1
    prompt. (Notice that the shell can be compiled with a
    maximum bound for this value which cannot be
    exceeded.)

    -------------
    Read the loginlog(4) man page


    $ man loginlog
    Reformatting page. Please Wait... done

    File Formats loginlog(4)

    NAME
    loginlog - log of failed login attempts

    DESCRIPTION
    After five unsuccessful login attempts, all the attempts are
    logged in the file /var/adm/loginlog. This file contains one
    record for each failed attempt. Each record contains the
    login name, tty specification, and time.

    This is an ASCII file. Each field within each entry is
    separated from the next by a colon. Each entry is separated
    from the next by a new-line.

    By default, loginlog does not exist, so no logging is done.
    To enable logging, the log file must be created with read
    and write permission for owner only. Owner must be root and
    group must be sys.

    FILES
    /var/adm/loginlog

    SEE ALSO
    login(1), passwd(1)



    --
    ========================================================
    Lars Tunkrans
    smtp: lars dot tunkrans at bredband dot net
    --------------------------------------------------------

    Lars Tunkrans Guest
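The settings Lars lists above, applied and checked from a script rather than by hand. This is an added example, not code from the thread or from Solaris: the helper names (`set_default`, `harden_login`, `audit_login`, `loginlog_summary`, `loginlog_offenders`) and the sample file contents are constructed here. It works on a copy of `/etc/default/login` so it can be dry-run anywhere, and reads a `loginlog(4)`-format file (name:tty:time) to rank failed logins per user. Two caveats the script comments repeat: on Solaris 8, RETRIES only ends the login session after that many failures, it does not lock the account (the manual `passwd -l` / `passwd -u` remains the administrator's lock and reset), and login(1) caps SLEEPTIME at 5 seconds, so the requested 2 seconds fits but nothing longer would.

```shell
#!/bin/sh
# Added example (not from the thread): apply the login(1) settings discussed
# above to a copy of /etc/default/login, verify them, and summarise a
# loginlog(4) file. Plain POSIX sh so it also runs under Solaris 8 /bin/sh;
# "grep -q" and "sed -i" are avoided because the stock Solaris 8 tools lack them.

# set_default FILE KEY VALUE: make KEY=VALUE the effective setting, whether the
# key is currently active, commented out (#KEY=...), or absent from the file.
set_default() {
    file=$1 key=$2 value=$3
    if grep "^#*$key=" "$file" >/dev/null 2>&1; then
        sed "s|^#*$key=.*|$key=$value|" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    else
        echo "$key=$value" >> "$file"
    fi
}

# get_default FILE KEY: print the active (uncommented) value of KEY, last one
# wins, or nothing if the key is unset or only present as a comment.
get_default() {
    sed -n "s/^$2=//p" "$1" | sed -n '$p'
}

# harden_login FILE: the values the original poster asked for. On Solaris 8
# RETRIES only terminates the login session after that many failures; it does
# not lock the account. SLEEPTIME is capped at 5 seconds by login(1).
harden_login() {
    set_default "$1" RETRIES 3               # three failures, then drop the session
    set_default "$1" SLEEPTIME 2             # two seconds between attempts
    set_default "$1" SYSLOG YES              # root logins and repeated failures via syslog
    set_default "$1" SYSLOG_FAILED_LOGINS 0  # log every failed attempt, not only bursts
}

# audit_login FILE: report drift from the wanted values; returns 1 on any mismatch.
audit_login() {
    rc=0
    for pair in RETRIES=3 SLEEPTIME=2 SYSLOG=YES SYSLOG_FAILED_LOGINS=0; do
        key=${pair%%=*} want=${pair#*=}
        have=$(get_default "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "FAIL $key: want $want, have '${have:-unset}'"
            rc=1
        fi
    done
    return $rc
}

# loginlog_summary FILE: failures per login name from a /var/adm/loginlog,
# whose records are name:tty:time. The time field itself contains colons,
# so only the first field is taken. Output: "name count", most failures first.
loginlog_summary() {
    cut -d: -f1 "$1" | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# loginlog_offenders FILE N: login names with at least N recorded failures,
# i.e. the accounts an administrator would look at (or lock with passwd -l).
loginlog_offenders() {
    loginlog_summary "$1" | awk -v n="$2" '$2 >= n { print $1 }'
}

# make_samples DIR: constructed sample files for a dry run (not real system data).
make_samples() {
    cat > "$1/login" <<'EOF'
# trimmed copy of a Solaris 8 /etc/default/login (constructed sample)
#RETRIES=5
SLEEPTIME=4
SYSLOG=YES
#SYSLOG_FAILED_LOGINS=5
EOF
    cat > "$1/loginlog" <<'EOF'
doug:/dev/pts/3:Fri Jul  4 09:12:01 2003
doug:/dev/pts/3:Fri Jul  4 09:12:08 2003
doug:/dev/pts/3:Fri Jul  4 09:12:14 2003
doug:/dev/pts/3:Fri Jul  4 09:12:21 2003
doug:/dev/pts/3:Fri Jul  4 09:12:27 2003
oper:/dev/console:Fri Jul  4 17:40:02 2003
EOF
}

# Dry run on the samples; never touches /etc. On a real box, after reviewing
# the diff, the same functions can be pointed at /etc/default/login as root.
if [ "${1:-}" = "demo" ]; then
    d=${TMPDIR:-/tmp}/logindemo.$$; mkdir -p "$d"; make_samples "$d"
    harden_login "$d/login"; audit_login "$d/login" && echo "login defaults OK"
    loginlog_offenders "$d/loginlog" 3
    rm -rf "$d"
fi
```

Run it as `sh script.sh demo` for the dry run. Note that `loginlog(4)` only records anything after five consecutive failures and only if `/var/adm/loginlog` exists with the ownership and mode the man page above gives, so `SYSLOG_FAILED_LOGINS=0` is the setting that actually captures every single failure. For the thirty-minute idle requirement, the `TMOUT=60` in the post is a one-minute illustration; thirty minutes is `TMOUT=1800`, and it only ends an idle shell prompt, not a session sitting inside an application.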

  2. #2

    Default Re: Configuring Account Security on Solaris 8

    Thanks Lars,

    I'll give it a go.


    "Lars Tunkrans" <lars.tunkrans.nospambredband.net> wrote in message
    news:DBnKa.7191$GK.85news2.bredband.com...

    Doug Guest

  3. #3

    Default Re: Configuring Account Security on Solaris 8

    Doug wrote:
    >
    > Set a timeout after thirty minutes of inactivity, booting
    > out the user.
    >
    > Thanks in advance
    >
    > Doug
    Others have answered your various questions and talked about
    the limitations of TMOUT. We can offer an alternative that
    will help with the above problem...

    As was pointed out by Will, TMOUT will only log off idle
    sessions at a shell prompt, not in applications. We wrote/
    sell a product called LOGMON that monitors the cpu usage for
    each user, and their child processes. That way we can be
    sure the user is really idle. Other approaches look only
    at tty access time, which means that a user running a long
    job with no keyboard activity could be logged out. LOGMON
    solves this problem.

    You can vary the inactivity time by user, time of day, tty,
    etc. You can control how the user is logged off. For
    details, send a message to [email]logmoncomputron.com[/email] or visit
    [url]www.logmon.com[/url] Thanks!

    +-----------------------------------------------------------------+
    | Computronics Randy Styka, [email]randycomputron.com[/email] |
    | 4N165 Wood Dale Road Phone: 630/941-7767 |
    | Addison, Illinois 60101 USA Fax: 630/941-7714 |
    +-----------------------------------------------------------------+
    Randy Styka Guest
