4.14 FailedLogon

Use this Knowledge Script to monitor the number of failed logon and switch-user-to-root (su) attempts since the last interval. The result is always zero for the first interval, because the Knowledge Script uses that interval to establish a baseline for subsequent checks. A higher-than-average number of failed logon or su attempts might indicate an attempt to break into the server, or that password-guessing programs are being used to try to crack the server's security.

If the number of failed logon or switch user attempts exceeds the threshold you set, AppManager raises an event.

To run this Knowledge Script as a non-root user on a CentOS computer:

  1. Log in using the root account.

  2. Run the command chmod +w /etc/uroot.cfg.

  3. Open the uroot configuration file in an editor (for example, vi /etc/uroot.cfg) and add /bin/grep to the end of the file.

  4. Save the uroot configuration file.

  5. Run the command chmod -w /etc/uroot.cfg.

4.14.1 Resource Object

UNIX computer icon

4.14.2 Default Schedule

The default interval for this script is Every 30 minutes.

4.14.3 Setting Parameter Values

Set the following parameters as needed:

Description

How to Set It

Event for failed login? (y/n)

Set to y to raise an event if the number of failed user login attempts exceeds the threshold in the interval. On Solaris, a failed log-on attempt is only registered after five consecutive failures. The default is y.

Event for failed su? (y/n)

Set to y to raise an event if the number of failed su attempts exceeds the threshold in the interval. The default is y.

Collect data? (y/n)

Set to y to collect data for charts and reports. If set to y, the script returns the number of failed login attempts for the interval. The default is n.

System log file (leave blank for default)

Type the full path to the location of the log file that records failed attempts to use the login command. For more information about how to register logins and record failed attempts to a log file, see your operating system documentation. If you leave this parameter blank, the script checks for the log file in the following default locations:

  • On Sun Solaris, the default location is /var/adm/loginlog

  • On HP-UX 11.1 and earlier, the default location is /var/adm/btmp

  • On HP-UX 11.2 and later, the default location is /var/adm/btmps

  • On IBM AIX, the default location is /etc/security/failedlogin

  • On Linux, the default location is /var/log/messages

NOTE: On IBM AIX computers, if you configured syslog to log failed login attempts in a file other than the default file, make the non-default log file available by performing the following steps:

  1. Create the log file where you want to log failed login attempts. For example, /var/adm/messages. For more information, see your IBM AIX documentation.

  2. Specify the full path to the log file in the syslog.conf system file.

  3. Restart syslog for the changes to take effect.

System su log file (leave blank for default)

Type the full path to the su log file that records failed attempts to use the su command. For more information about how to log su attempts and record failures to a log file, see your operating system documentation.

Maximum number of failed login attempts

Enter a threshold for the number of failed login attempts. The default is 1 failed attempt.

HINT: If you find you are generating too many events from users entering passwords incorrectly, you can determine a typical logon failure pattern (for example, 5 per 24 hours) using the Collect data option, then set this parameter based on that pattern.

Maximum number of failed su attempts

Enter a threshold for the number of failed su attempts. The default is 1 failed attempt.

Event severity level for failed login

Set the event severity level, from 1 to 40, to indicate the importance of a failed login event. The default is 8.

Event severity level for failed su

Set the event severity level, from 1 to 40, to indicate the importance of a failed su event. The default is 8.

Event severity for internal failure

Set the event severity level, from 1 to 40, to indicate the importance of an event in which this job experienced an internal error. The default is 5.

Enable debugging? (y/n)

Set to y to enable debugging. The default is n.
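The following is an added example, not code from AppManager or the FailedLogon Knowledge Script itself. It models the behaviour the parameters above describe: the first interval only records a baseline and reports zero, later intervals count only the log lines added since the previous check, a failed su is never double-counted as a failed login, and an event is raised only when a count exceeds its threshold and its "Event for ..." switch is on. The log lines are constructed in the style of the Linux default log file (/var/log/messages); the match patterns are an assumption made here, since the page does not describe the script's own matching rules. The log-rotation handling (a shrunken file is read from the start) is likewise an addition for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Match rules for Linux /var/log/messages entries. These patterns are an
# assumption made for this example, not the Knowledge Script's own rules.
FAILED_SU_RE = re.compile(r"FAILED SU \(to \w+\)")
FAILED_LOGIN_RE = re.compile(r"Failed password for|FAILED LOGIN")


@dataclass
class FailedLogonMonitor:
    """Interval counter modelled on the FailedLogon parameters (hypothetical)."""
    event_for_login: bool = True   # Event for failed login? (y/n)
    event_for_su: bool = True      # Event for failed su? (y/n)
    max_login: int = 1             # Maximum number of failed login attempts
    max_su: int = 1                # Maximum number of failed su attempts
    severity_login: int = 8        # Event severity level for failed login
    severity_su: int = 8           # Event severity level for failed su
    _lines_seen: Optional[int] = field(default=None, init=False, repr=False)

    def check(self, log_lines: List[str]) -> dict:
        """Count failures in the lines added since the previous check.

        The first call only records where the log currently ends and reports
        zero, mirroring the baseline behaviour of the first interval.
        """
        if self._lines_seen is None:
            self._lines_seen = len(log_lines)
            return {"login": 0, "su": 0, "events": []}
        # A file that shrank has been rotated: treat every line as new.
        start = self._lines_seen if len(log_lines) >= self._lines_seen else 0
        new_lines = log_lines[start:]
        self._lines_seen = len(log_lines)

        login = su = 0
        for line in new_lines:
            # Classify su first so a failed su is never also counted as a login.
            if FAILED_SU_RE.search(line):
                su += 1
            elif FAILED_LOGIN_RE.search(line):
                login += 1

        events = []
        if self.event_for_login and login > self.max_login:
            events.append(("failed login", login, self.severity_login))
        if self.event_for_su and su > self.max_su:
            events.append(("failed su", su, self.severity_su))
        return {"login": login, "su": su, "events": events}


# Constructed sample log: what the file held at the baseline interval ...
SAMPLE_LOG = [
    "Mar  3 10:01:02 host sshd[2001]: Accepted password for alice from 10.0.0.7 port 51000 ssh2",
    "Mar  3 10:02:11 host sshd[2002]: Failed password for bob from 10.0.0.9 port 51001 ssh2",
]
# ... and the lines appended before the next 30-minute interval.
NEW_ENTRIES = [
    "Mar  3 10:31:40 host sshd[2010]: Failed password for invalid user admin from 10.0.0.9 port 51002 ssh2",
    "Mar  3 10:31:44 host sshd[2010]: Failed password for invalid user admin from 10.0.0.9 port 51002 ssh2",
    "Mar  3 10:32:01 host su[2015]: FAILED SU (to root) bob on /dev/pts/1",
    "Mar  3 10:32:05 host su[2015]: FAILED SU (to root) bob on /dev/pts/1",
    "Mar  3 10:33:10 host sshd[2020]: Failed password for bob from 10.0.0.9 port 51003 ssh2",
    "Mar  3 10:34:00 host cron[2030]: (root) CMD (run-parts /etc/cron.hourly)",
]


def demo():
    """Default thresholds (1 and 1): baseline interval, then a busy interval."""
    monitor = FailedLogonMonitor()
    first = monitor.check(SAMPLE_LOG)                 # baseline: reports zero
    second = monitor.check(SAMPLE_LOG + NEW_ENTRIES)  # counts only new lines
    return first, second


def demo_tuned():
    """Threshold raised per the HINT above: 3 failed logins no longer raise an event."""
    monitor = FailedLogonMonitor(max_login=5)
    monitor.check(SAMPLE_LOG)
    return monitor.check(SAMPLE_LOG + NEW_ENTRIES)


if __name__ == "__main__":
    for result in demo():
        print(result)
    print(demo_tuned())
```

On the first interval the monitor returns zero counts and no events regardless of what the file already contains; on the second it reports 3 failed logins and 2 failed su attempts and, with the default thresholds of 1, raises both events at severity 8. Raising Maximum number of failed login attempts to a value above the typical pattern (here 5) suppresses the login event while the su event still fires, which is the tuning the HINT describes.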