harald@apple.ucsb.edu (Ommang) (12/07/89)
I'm working on a paper comparing security in UNIX and HP's MPE op.sys. There is one little detail that I haven't found out about yet: if you enter a nonexisting login id or an incorrect password, is this logged somewhere in a file / to a system console? (I sure hope so, but I've so far been unable to verify this.) I know that successful logins are logged, but failed attempts should also be recorded. If this exists, is it in "standard" UNIX (whatever that is these days... BSD, AT&T, SunOS, HP-UX, AIX, XENIX...), or is it vendor dependent?

Also, Gary Grossman in "How Secure is Secure", UNIX Review Aug '86, concludes that UNIX does not quite make it to a C2 NCSC rating. Any comments?

Other comments appreciated.

Thank you,
Harald Ommang
==================================================================
"Born in the ice-blue waters of the festooned Norwegian coast.."
    - Bertrand Meyer on object-oriented programming
Well, so was Harald Ommang.                harald%cornu@hub.ucsb.edu
gwyn@smoke.BRL.MIL (Doug Gwyn) (12/08/89)
In article <3259@hub.UUCP> harald@apple.ucsb.edu (Ommang) writes:
>If you enter a nonexisting login id or an incorrect password, is this
>logged somewhere in a file / to a system console ? (I sure hope so, ..

You seem to think that this would be a security advantage, but it can act quite to the contrary when people's passwords are printed out (with small, usually readily identifiable, typos). In fact, many systems DO log "Bad Login Attempts", but they should do this only into a secure file, not to the console.

>Also, Gary Grossman in "How Secure is Secure", UNIX Review Aug '86,
>concludes that UNIX does not quite make it to a C2 NCSC rating.

Gould UTX-32S was rated C1. UNIX System V/MLS is rated B2, I believe. I think there are other NCSC-rated flavors of UNIX.
crissl@rulcvx.uucp (Stefan Linnemann) (12/08/89)
In article <3259@hub.UUCP> harald@apple.ucsb.edu (Ommang) writes:
>
>I'm working on a paper comparing security in UNIX and HP's MPE op.sys.
>There is one little detail that I haven't found out about yet :
>If you enter a nonexisting login id or an incorrect password, is this
>logged somewhere in a file / to a system console ?

On our system, a Convex C210, failed logins are logged in /usr/adm/badlogins. Though Convex uses a BSD-derived Unix, they have modified it, so I can't tell whether this is a common place or just Convex's.

Hope this helps,

Stefan.
--
Stefan M. Linnemann                UUCP:    crissl@rulcvx.uucp
System programmer UNIX and MVS              mcvax!rulcvx!crissl
CRI, Leiden University             Bitnet:  CRISSL@HLERUL5 (VMS)
PO-box 9512                        Bitnet:  CRISSL@HLERUL2 (MVS/XA)
2300 RA Leiden                     Phone:   +31 71 276936 (or 276921)
The Netherlands                    Telefax: +31 71 276967
al@escom.com (Al Donaldson) (12/09/89)
In article <3259@hub.UUCP>, harald@apple.ucsb.edu (Ommang) writes:
> Also, Gary Grossman in "How Secure is Secure", UNIX Review Aug '86,
> concludes that UNIX does not quite make it to a C2 NCSC rating.

As I understood, the primary deficiency with standard UNIX at C2 was documentation: design documentation, user documentation, etc. To my knowledge, there were no overriding problems in the area of identification and authentication.

The National Computer Security Center (the folks who evaluate trusted computer systems) has a Password Management Guideline (CSC-STD-002-85), but these are guidelines and recommendations rather than requirements. One of the recommendations is that the system record invalid login attempts and notify the user (after successful login) of (a) the time of last login and (b) the number of unsuccessful attempts since then. Various computer security vendors are building this sort of capability into their UNIX security packages. I'm not sure what ATT did in their System V/MLS with respect to recording unsuccessful logins (I'm too lazy to check their brochures..) but it just recently received a B1 rating from the NCSC. Gould received a C2 rating for their UTX-32S some years ago, and two companies (Addamax and SecureWare) have security kits for various flavors of UNIX.

I think there was something posted to the net (maybe comp.sources.unix?) several years ago. Our system admin installed this package but didn't initialize the table that held the number of bad logins for each user.. So next Monday when people logged in, they got messages of the form

	Last login Friday 28 October 1985 at 8:23 AM;
	37,538,282 unsuccessful login attempts since then.

Needless to say, this caused some consternation. :-)

A similar capability is shown on pages 38 and 39 of "UNIX System Security" by Kochan and Wood (Hayden press 6267-2).

Al
fuat@cunixf.cc.columbia.edu (Fuat C. Baran) (12/09/89)
In article <300@rulcvx.uucp> crissl@rulcvx.UUCP (Stefan Linnemann) writes:
>On our system, a Convex C210, failed logins are logged in
>/usr/adm/badlogins. Though Convex uses a BSD derived Unix, they have
>modified it, so I can't tell whether this is a common place or just
>Convex's.

On BSD 4.3 based systems (I believe), such as SunOS 4.x and UMAX 4.3, failed logins, root logins, and records of successful and failed su's are logged using syslog(3). Logging is done to the "auth" facility (LOG_AUTH) and where the output goes can be configured via the /etc/syslog.conf file. We keep ours in /var/log/sulog (or /var/adm/sulog).

--Fuat

Internet: fuat@columbia.edu                 U.S. MAIL: Columbia University
BITNET:   fuat@cunixc                                  Center for Computing Activities
UUCP:     ...!rutgers!columbia!cunixc!fuat             712 Watson Labs, 612 W115th St.
Phone:    (212) 854-5128                               New York, NY 10025
guy@auspex.UUCP (Guy Harris) (12/16/89)
>On BSD 4.3 based systems (I believe), such as SunOS 4.x and UMAX 4.3,
>failed logins, root logins, records of successful and failed su's are
>logged using syslog(3).

More precisely, the 4.3BSD "login" logs, through "syslog":

    EVENT                                                      SEVERITY

    failed attempts to log in as "root" on a terminal
    not marked "secure"                                        "crit"

    *repeated* login failures on the same "session" with
    "login", regardless of account, where "repeated" means     "crit" in 4.3BSD
    "5 or more in a row" (after which, it hangs the phone up)  "err" in 4.3-tahoe

    successful logins on "dialup" lines (i.e., ones where
    the tty's file name ends with "d" and one character
    after the "d")                                             "info"

    successful root logins                                     "notice"

and the 4.3BSD "su" logs:

    EVENT                                                      SEVERITY

    failed "su"s to "root"                                     "crit"

    successful "su"s to "root"                                 "notice"

Successful "su"s to accounts other than "root", and individual failed logins to any account, aren't logged at all. (Presumably the intent for the latter is to keep it from logging a message every time you transpose two characters in your password or something like that.)

"Failed" logins are those where the account was valid, but either 1) the password wasn't the right one or 2) the account was "root", the password was valid, but the terminal wasn't marked "secure".

Vendors may change these.
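The two pieces of login bookkeeping discussed in this thread, as an added example that is not part of any post and not code from any BSD release: a small C model of the per-user "last login / unsuccessful attempts since then" record from Al Donaldson's post (with the table zeroed at account creation, the step his admin skipped) and the per-session "5 or more in a row" failure threshold from Guy Harris's table. The record layout, function names and in-memory table are assumptions.

```c
/* Added example, not code from the thread or any BSD release: a model of the
 * login bookkeeping discussed above. Per-session failures are checked against
 * the 4.3BSD threshold of 5 in a row; per-user records hold "last login /
 * failures since then" per the NCSC guideline, zeroed at account creation. */
#include <string.h>
#include <time.h>
#define MAX_USERS 8
#define MAX_FAILURES_PER_SESSION 5  /* 4.3BSD login: "5 or more in a row" */
struct user_record {               /* layout and table are assumptions */
    char     name[32];
    time_t   last_login;   /* 0 means "never logged in" */
    unsigned bad_attempts; /* failures since last_login */
};
static struct user_record table[MAX_USERS];
static int table_count;

static struct user_record *find_user(const char *name)
{
    for (int i = 0; i < table_count; i++)
        if (strcmp(table[i].name, name) == 0)
            return &table[i];
    return NULL;  /* unknown login id: no record to charge the failure to */
}

/* Create an account record. Zeroing it is the step skipped in Al's story. */
int add_user(const char *name)
{
    if (table_count == MAX_USERS || find_user(name)) return -1;
    struct user_record *r = &table[table_count++];
    memset(r, 0, sizeof *r);
    strncpy(r->name, name, sizeof r->name - 1);
    return 0;
}

/* Record a failed attempt; returns 1 when the session should be hung up. */
int record_failure(const char *user, int *session_failures)
{
    struct user_record *r = find_user(user);
    if (r) r->bad_attempts++;
    return ++*session_failures >= MAX_FAILURES_PER_SESSION;
}

/* Successful login at 'now': report previous login and failures since, reset. */
int record_success(const char *user, time_t now, time_t *prev, unsigned *bad)
{
    struct user_record *r = find_user(user);
    if (!r) return -1;
    *prev = r->last_login;  *bad = r->bad_attempts;
    r->last_login = now;    r->bad_attempts = 0;
    return 0;
}
```

Failures against an unknown login id count toward the session threshold but are not attributed to any record, so a mistyped account name never creates a stray entry.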