Command history log for audit trail
I need to set up an audit trail for all commands run on our machines. I know that auth.log records who logs in and when, and that each user's .bash_history holds a history of their commands. But is there some other way to create a log of all commands run on a system?
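One way to get a per-command record that does not live in a user-writable file, as an added example that is not from the thread: a bash PROMPT_COMMAND hook that sends each interactive command to syslog (which syslog-ng or rsyslog can then forward off-host), with a file fallback for testing. The function names, the AUDIT_LOG_FILE variable, the local6 facility and the cmdaudit tag are this example's own choices, not a Debian convention.

```shell
#!/bin/bash
# Added example, not from the thread. Mirrors every interactive bash command to
# a log the user cannot edit (syslog via logger(1), or $AUDIT_LOG_FILE when set).
# All names here (audit_*, AUDIT_LOG_FILE, facility local6) are this example's
# own choices, not a Debian convention.

# Build one structured record. Fields: effective user, login user (sudo keeps
# the original in SUDO_USER), tty, working directory, exit status, command.
audit_format() {
    printf 'user=%s login=%s tty=%s pwd=%s rc=%s cmd=%s\n' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Deliver a record. Default: syslog, facility local6, tag cmdaudit, so the
# syslog daemon can forward it to a central host. AUDIT_LOG_FILE overrides
# the destination (used by the tests and for local debugging).
audit_emit() {
    if [ -n "${AUDIT_LOG_FILE:-}" ]; then
        printf '%s\n' "$1" >> "$AUDIT_LOG_FILE"
    else
        logger -p local6.info -t cmdaudit -- "$1"
    fi
}

# Hook for bash's PROMPT_COMMAND: runs before each prompt, i.e. right after the
# previous command finished. $? must be captured before anything else runs.
audit_last_command() {
    local rc=$?
    local entry num cmd
    entry=$(HISTTIMEFORMAT= builtin history 1 2>/dev/null) || return 0
    num=$(printf '%s\n' "$entry" | awk '{ print $1 }')
    cmd=$(printf '%s\n' "$entry" | sed 's/^ *[0-9][0-9]* *//')
    # An empty Enter re-runs the hook without a new history entry: skip duplicates.
    [ "$num" = "${_AUDIT_LAST_NUM:-}" ] && return 0
    _AUDIT_LAST_NUM=$num
    audit_emit "$(audit_format "$(id -un)" "${SUDO_USER:-$(id -un)}" \
        "$(tty -s 2>/dev/null && tty || echo '?')" "$PWD" "$rc" "$cmd")"
}

# Install the hook only in an interactive bash (e.g. from /etc/bash.bashrc).
case "$-" in
    *i*) [ -n "${BASH_VERSION:-}" ] && PROMPT_COMMAND=audit_last_command ;;
esac
```

This gives accountability, not tamper-proofing: a user can unset PROMPT_COMMAND, exec another shell, or run commands from a script, so it records what cooperating shells did, while the copy that went to a remote syslog host cannot be edited the way .bash_history can. For a record the user cannot bypass, the kernel audit subsystem is the stronger tool: with auditd installed, a rule such as `auditctl -a always,exit -F arch=b64 -S execve -k commands` logs every execve with uid, auid (the login user) and the argument vector.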
password minimum days problem
Here's the issue. If PASS_MIN_DAYS is set to some value in /etc/login.defs, this defines the minimum number of days a user must keep the same password. This is intended to prevent password cycling. Password cycling is when a password history is used and the new password is required to be different from the N previous ones. If there's no PASS_MIN_DAYS set then the user can immediately cycle through N passwords to get their old one back.

But the problem I'm having is this: when I set PASS_MIN_DAYS to some value, it seems that the user account must be deleted and recreated for the new setting to take effect. This is all good and fine, but when I initially create the new user, I give them some default password that they should have to change right away. However PASS_MIN_DAYS is preventing this from happening.

So how do I have PASS_MIN_DAYS set but still allow/require the new user to change their password on the first login?
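The interaction between the two settings is decided by two fields of the account's /etc/shadow entry, not by login.defs directly: PASS_MIN_DAYS in login.defs is only the default that useradd copies into the new entry's min-days field, and `chage -m` changes that field for an existing account without recreating it. The last-change field is the other half: `chage -d 0` sets it to 0, which login/pam_unix treat as "password must be changed at next login", and because the min-days check compares today against last-change plus min-days, a zero last-change date never blocks that forced change. The following is an added example, not code from the thread; the function names are its own, and the shadow lines fed to it are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Shows how the per-account fields in
# /etc/shadow (last change, min days) decide whether a password change is
# forced or blocked, and how to provision a user so that PASS_MIN_DAYS applies
# but the first login still has to change the password.
#
# /etc/shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and "today" are days since 1970-01-01. Sample lines are constructed.

# Decide what happens when this account tries to change its password "today".
# Prints: forced    (lastchg is 0: change required at next login)
#         blocked:N (must wait N more days because of the min field)
#         allowed   (min days elapsed, or aging disabled by an empty lastchg)
shadow_change_status() {
    line=$1; today=$2
    lastchg=$(printf '%s\n' "$line" | cut -d: -f3)
    min=$(printf '%s\n' "$line" | cut -d: -f4)
    : "${min:=0}"
    if [ -z "$lastchg" ]; then
        echo allowed; return 0            # empty field: password aging disabled
    fi
    if [ "$lastchg" -eq 0 ]; then
        echo forced; return 0             # lastchg 0: change required now
    fi
    earliest=$((lastchg + min))
    if [ "$today" -lt "$earliest" ]; then
        echo "blocked:$((earliest - today))"
    else
        echo allowed
    fi
}

# Provisioning sequence for a new account (needs root; not run by the tests).
# chage -d 0 zeroes lastchg, so the first login must change the password even
# though -m 7 enforces a 7-day minimum afterwards. chage -m also fixes
# existing accounts in place: login.defs is only consulted by useradd when
# the shadow entry is first written.
provision_user() {
    user=$1
    useradd -m "$user"
    printf '%s:%s\n' "$user" "$(head -c 12 /dev/urandom | base64)" | chpasswd
    chage -d 0 -m 7 -M 90 -W 7 "$user"
    chage -l "$user"                      # verify the resulting aging fields
}
```

After provisioning, `chage -l alice` should report "Last password change: password must be changed" together with a minimum of 7 days; the forced change at first login succeeds, and the next change is then held for 7 days.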
Re: Logauswertung (Log evaluation)
> My problem is what tool to use to evaluate the logs for attacks (e.g. portscans) and mail them to me.

I know you probably did not want to hear this question, but I will ask it anyway: what for? I would keep the logs for archival purposes. Individual blocked attacks or portscans happen so often... It is much better to monitor counters in order to detect DoS attacks or misconfiguration, and if you are worried about intrusion, set up a few internal rules that raise an alarm when their counters start moving (outgoing connections, connection attempts to domain controllers...).

Regards, Bernd
Re: Logauswertung (Log evaluation)
Hello,

I am at a company and would like to set up a Debian router/firewall. Debian is minimally installed and I have chosen Shorewall as the firewall. I would additionally like to send the logs via Syslog-ng to a log server. My problem is what tool to use to evaluate the logs for attacks (e.g. portscans) and mail them to me.

Regards, Andreas
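Bernd's "monitor a counter" advice and Andreas's question (what tool, and how to get mail) can be covered with a few lines of awk over the Shorewall log, as an added example that is not from the thread: it counts distinct destination ports per source and reports only sources above a threshold, then mails the report if it is non-empty. The SRC=/DPT= fields are the kernel's netfilter log format and "Shorewall:net2fw:DROP:" is Shorewall's default LOGFORMAT prefix; the sample log lines, the function names, MAILTO and the mail(1) call are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Instead of grepping every blocked packet,
# count distinct destination ports per source in Shorewall/netfilter log lines
# and report only sources over a threshold (the "monitor a counter" approach).
# SRC=/DPT= are netfilter's log fields; "Shorewall:net2fw:DROP:" is Shorewall's
# default LOGFORMAT prefix. Function names and the sample log are this example's.

# Constructed sample: one host sweeping six ports, one host retrying ssh three
# times, one host hitting a single port, one ICMP line (no DPT), one non-firewall line.
SAMPLE_LOG='Mar 22 15:33:39 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=43210 DPT=21 SYN
Mar 22 15:33:39 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=43211 DPT=22 SYN
Mar 22 15:33:39 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=43212 DPT=23 SYN
Mar 22 15:33:40 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=43213 DPT=25 SYN
Mar 22 15:33:40 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=43214 DPT=80 SYN
Mar 22 15:33:40 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=43215 DPT=443 SYN
Mar 22 15:33:41 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=ICMP TYPE=8 CODE=0
Mar 22 15:34:02 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=50000 DPT=22 SYN
Mar 22 15:34:05 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=50001 DPT=22 SYN
Mar 22 15:34:09 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=50002 DPT=22 SYN
Mar 22 15:34:10 fw sshd[1234]: Accepted publickey for andreas from 10.0.0.5 port 51022 ssh2
Mar 22 15:35:00 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.5 PROTO=TCP SPT=1025 DPT=80 SYN'

# usage: portscan_candidates THRESHOLD < logfile
# Output: "source distinct_ports packets" for sources with >= THRESHOLD distinct ports.
portscan_candidates() {
    awk -v thr="$1" '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt == "") next      # not a netfilter line, or no port (ICMP)
            key = src SUBSEP dpt
            if (!(key in seen)) { seen[key] = 1; nports[src]++ }
            hits[src]++
        }
        END {
            for (s in nports)
                if (nports[s] >= thr) print s, nports[s], hits[s]
        }' | sort
}

# Mail the report only when there is something to report (cron-friendly).
# usage: notify_scans THRESHOLD < logfile
notify_scans() {
    report=$(portscan_candidates "${1:-10}")
    [ -n "$report" ] || return 0
    printf 'source distinct_ports packets\n%s\n' "$report" \
        | mail -s "portscan candidates on $(hostname)" "${MAILTO:-root}"
}
```

Run against the real log with something like `notify_scans 10 < /var/log/messages` from cron. The retrying ssh client (three packets, one port) stays below any port-count threshold, which is the point of counting distinct ports rather than packets; a second counter on repeated hits to one port would catch brute-force attempts instead.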
pam.d common-passwd: obscure option includes similar but is vague
In /etc/pam.d/common-password there is:

    password required pam_unix.so nullok obscure min=4 max=8 md5

Reading /usr/share/doc/libpam-doc/txt/pam.txt.gz to find the definition of obscure:

    Palindrome: Is the new password a palindrome of the old one? A palindrome is where the word reads the same backwards and forwards (e.g. madam and radar).
    Case Change Only: Is the new password the old one with only a change of case?
    Similar: Is the new password too much like the old one?
    Simple: Is the new password too small? This is based on the length of the password and the number of different types of characters used (i.e. alpha, numeric...).
    Rotated: Is the new password a rotated version of the old password (e.g. billy and illyb)?

Does anyone know what the exact definition of similar is? Exactly how many characters must differ between the old and new passwords to satisfy this requirement?

Does anyone know the exact definition of simple? From manual testing it appears that the password cannot be a dictionary word, but beyond that it can consist of all lower-case letters only. This does not seem to agree with the definition in the doc. Also it's not clear why the definition mentions the length of the password, since that is provided by the min= parameter.
obscure in /etc/pam.d/common-password what does it mean exactly?
I've scoured all the Debian PAM documentation and the upstream PAM docs, and did extensive googling, but cannot find the definition of obscure as it applies to common-password. Does anyone have any info on this? I am assuming this is where the default system password policy is set:

    password required pam_unix.so nullok obscure min=4 max=8 md5
Re: obscure in /etc/pam.d/common-password what does it mean exactly?
Hello,

On Wed, Mar 22, 2006 at 03:33:39PM -0800, [EMAIL PROTECTED] wrote:
> > I've scoured all the Debian PAM documentation and the upstream PAM docs, and did extensive googling, but cannot find the definition of obscure as it applies to common-password. Does anyone have any info on this? I am assuming this is where the default system password policy is set:
> >
> >     password required pam_unix.so nullok obscure min=4 max=8 md5
>
> You can find the documentation of the pam_unix module in the libpam-doc package (/usr/share/doc/libpam-doc/txt/pam.txt.gz):
>
>     The obscure option enables some extra checks on the password. These are taken after the same obscure checks enabled in the original shadow package. This works very similarly to the pam_cracklib module and implements these checks (it does not implement dictionary checks):
>     * Palindrome
>     * Case Change Only
>     * ...

According to that document:

    This works very similarly to the pam_cracklib module and implements these checks (it does not implement dictionary checks):
    ...
    Similar: Is the new password too much like the old one?

As a test of this, I created an account with the password foo33. Logged in as the user, I was successfully able to change it to foo32. Wouldn't this be considered similar? Where is similar defined?
Re: obscure in /etc/pam.d/common-password what does it mean exactly?
On Wed, Mar 22, 2006 at 03:33:39PM -0800, [EMAIL PROTECTED] wrote:
> > I've scoured all the Debian PAM documentation and the upstream PAM docs, and did extensive googling, but cannot find the definition of obscure as it applies to common-password. Does anyone have any info on this? I am assuming this is where the default system password policy is set:
> >
> >     password required pam_unix.so nullok obscure min=4 max=8 md5
>
> You can find the documentation of the pam_unix module in the libpam-doc package (/usr/share/doc/libpam-doc/txt/pam.txt.gz):
>
>     The obscure option enables some extra checks on the password. These are taken after the same obscure checks enabled in the original shadow package. This works very similarly to the pam_cracklib module and implements these checks (it does not implement dictionary checks):
>     * Palindrome
>     * Case Change Only
>     * ...

One further question: I've been making edits to /etc/pam.d/common-password to test various options and some of them don't seem to have an effect. For example, I can change min= to some value and I see that the policy is effective immediately, but I've tried setting difok=3 and it isn't having any effect.
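Three of the five obscure checks quoted above from pam.txt are defined precisely enough to reproduce (palindrome, case change only, rotated), which lets a candidate password be checked against them before any real account is touched. The following is an added example, not code from the thread or from pam_unix; it implements exactly those three checks and deliberately leaves out "similar" and "simple", whose thresholds the documentation quoted here does not give. Function names are its own. Note that foo33 to foo32, the change the poster saw accepted, passes all three implemented checks, so whatever would reject it has to come from the undocumented "similar" rule.

```shell
#!/bin/sh
# Added example, not from the thread or from pam_unix. Implements only the
# three obscure checks the quoted pam.txt defines precisely (palindrome, case
# change only, rotated). "similar" and "simple" are not implemented because
# the page gives no thresholds for them. Function names are this example's own.

lc() { printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'; }

reverse() {
    printf '%s\n' "$1" | awk '{ r = ""; for (i = length($0); i > 0; i--) r = r substr($0, i, 1); print r }'
}

# Palindrome: the new password reads the same backwards (case-insensitive), e.g. madam.
is_palindrome() {
    n=$(lc "$1")
    [ -n "$n" ] && [ "$n" = "$(reverse "$n")" ]
}

# Case change only: old and new differ only in letter case.
is_case_change_only() {
    [ "$1" != "$2" ] && [ "$(lc "$1")" = "$(lc "$2")" ]
}

# Rotated: new is old shifted around, e.g. billy -> illyb. A string is a
# rotation of another of equal length iff it occurs inside that string doubled.
is_rotation() {
    o=$(lc "$1"); n=$(lc "$2")
    [ -n "$n" ] && [ "${#o}" -eq "${#n}" ] || return 1
    case "$o$o" in *"$n"*) return 0 ;; *) return 1 ;; esac
}

# Print the first reason to reject NEW given OLD, or "ok" if none of the
# implemented checks fires. Identical passwords are reported as "unchanged".
# usage: obscure_reject_reason OLD NEW
obscure_reject_reason() {
    old=$1; new=$2
    if [ "$old" = "$new" ]; then echo unchanged
    elif is_palindrome "$new"; then echo palindrome
    elif is_case_change_only "$old" "$new"; then echo case-change-only
    elif is_rotation "$old" "$new"; then echo rotated
    else echo ok
    fi
}
```

The case-change test must run before the rotation test, because a string is trivially a rotation of itself once both are lower-cased. For the real policy, testing against the live module (changing a throwaway account's password as that user, as the poster did) remains the only authoritative check, since the documented list is not the implementation.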