terminal


Peter Czanik
Hello,

I was about to send a question about fqdn, as it could be replaced by an
IPv4 or IPv6 address in logs. But right before sending my e-mail to the
list I found in the xml what I was planning to propose: ValueType
systemname, which was introduced just for this purpose.

My next target is the terminal. Our first target while writing rules for
our patterndb engine is login/logout and other authentication events.
Login/logout or su/sudo events often happen on a virtual terminal /
serial console. So I'd propose a SourceTerminal field:

<Field>
<Name>SourceTerminal</Name>
<ValueType>string</ValueType>
<ShortName>src_term</ShortName>
<FieldSet>SourceFieldSet</FieldSet>
</Field>

Example log line:

Oct 7 09:29:45 ubuntu login[4542]: FAILED LOGIN (1) on '/dev/tty1' FOR 'czanik', Authentication failure

Bye,

--
Peter Czanik (CzP) <[hidden email]>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
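An added example, not code from the post or from the CEE or syslog-ng projects, of how the proposed SourceTerminal (src_term) field would be filled from the quoted login(1) line and then used as a pivot. The syslog header and message regexes, the sample lines, and the field names SourceSystem and SourceUser are assumptions made here; only SourceTerminal comes from the proposal.

```python
import re

# Constructed sample lines, modelled on the login(1) failure quoted in the post.
SAMPLE_LINES = [
    "Oct 7 09:29:45 ubuntu login[4542]: FAILED LOGIN (1) on '/dev/tty1' FOR 'czanik', Authentication failure",
    "Oct 7 09:30:02 ubuntu login[4542]: FAILED LOGIN (2) on '/dev/tty1' FOR 'czanik', Authentication failure",
    "Oct 7 09:31:10 ubuntu sshd[4601]: Accepted publickey for czanik from 192.0.2.10 port 52214 ssh2",
]

# BSD syslog header: timestamp, host, program[pid]: message (assumed layout)
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# login(1) failure message; the quoted tty is what SourceTerminal should carry
FAILED_LOGIN_RE = re.compile(
    r"^FAILED LOGIN \((?P<count>\d+)\) on '(?P<term>[^']+)' FOR '(?P<user>[^']+)', (?P<reason>.+)$"
)


def parse_failed_login(line):
    """Map one login(1) failure line to CEE-style fields. SourceTerminal is the
    field proposed in the post; SourceSystem and SourceUser are assumed names."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    f = FAILED_LOGIN_RE.match(m.group("msg"))
    if not f:
        return None  # other program or message shape: not a login failure
    return {
        "time": m.group("ts"),
        "SourceSystem": m.group("host"),    # assumed name for the systemname value
        "SourceTerminal": f.group("term"),  # src_term, e.g. /dev/tty1
        "SourceUser": f.group("user"),      # assumed name
        "failure_count": int(f.group("count")),
        "reason": f.group("reason"),
        "outcome": "failure",
    }


def failures_per_terminal(lines):
    """Count failed logins per (terminal, user): a pivot that only exists once
    the terminal is a first-class field. Non-matching lines are skipped."""
    counts = {}
    for line in lines:
        ev = parse_failed_login(line)
        if ev:
            key = (ev["SourceTerminal"], ev["SourceUser"])
            counts[key] = counts.get(key, 0) + 1
    return counts
```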

Re: terminal

Eric Fitzgerald-2
Hi Peter,

Common Compliance (and before that, C2) require "terminal" (or "station" in some cases) to be logged.  Specifically, the user authentication requirements extensively discuss terminals, particularly in the sense of how to handle failed authentications (FIA_UAU.1-7), and the audit requirements specifically state that all audit events must incorporate, at a minimum, all security functions and components related to the audited activity (FAU_GEN_1.2b).

References come from CC 2.3 part 2 at CommonCriteriaPortal.org.

The board has already started gathering up requirements for a security audit profile for operating systems and I'm certain that this requirement will make it in.

Just as a note, I'd also add that "terminal" is bigger than "(work)station".  For example, terminal would encompass things like session IDs on multi-session systems like terminal servers.
Thanks!
Eric

-----Original Message-----
From: Peter Czanik [mailto:[hidden email]]
Sent: Friday, November 19, 2010 12:32 AM
To: [hidden email]
Subject: [CEE-DISCUSSION-LIST] terminal
