June 17, 2002
Intruder Alert 3.6 ITA UNIX Login Policy

This policy alerts the security administrator when someone has successfully logged on to a protected system. It watches ftp, telnet, rlogin and local logins and raises an alert whether the login is by a normal user or by root. It also detects a successful su to a user or to root.


Affected Platforms

Solaris
HP-UX
AIX
Linux

Note: This policy may function on other UNIX platforms, but is unsupported.

Description

Security administrators use this policy to track successful logins into the network, and so watch for misuse of accounts via remote access, local access, or su to another account.

Policy rules include:

  • FTP on HP 11
    Detects an FTP login (except root) on HP-UX 11
  • FTP on Other Linux
    Detects an FTP login (except root) on Slackware 7.1
  • FTP on Sol, HP 10, AIX, Linux
    Detects an FTP login (except root) on Solaris, HP-UX 10.2, AIX 4.3.2, 4.3.1, and Linux RedHat 6.2, 7.0
  • Local Login Flag
    Detects local logins and raises a flag
  • Local on Other Linux
    Detects a local/console login (except root) on Mandrake
  • Local on Sol, HP, Linux
    Detects a local/console login (except root) on Solaris, HP-UX, and Linux
  • Remote Login Flag
    Detects a remote request to xinetd and raises a flag
  • Rlogin Flag
    Detects calls to rlogin daemon and raises a flag
  • Rlogin on Sol, HP, AIX, Linux
    Detects a remote login by Xwin (Solaris, HP-UX), Telnet (HP-UX, AIX, Linux), and Rlogin (HP-UX, AIX, Linux)
  • Rlogin on Solaris
    Detects an rlogin (except root) on Solaris
  • Root FTP on HP 11
    Detects a root FTP login on HP-UX 11
  • Root FTP on Other Linux
    Detects a root FTP login on RedHat 7.1
  • Root FTP on Sol,HP 10, AIX, LNX
    Detects a root FTP login on Solaris, HP-UX 10.2, AIX 4.3.2, 4.3.1, and Linux RedHat 6.2, 7.0
  • Root Local on Other Linux
    Detects a root local/console login on RedHat, Mandrake, and Slackware Linux
  • Root Local on Sol, HP, Linux
    Detects a root local/console login on Solaris, HP-UX, and Linux
  • Root Rlogin on Sol,HP, AIX, LNX
    Detects a root remote login by Rlogin
  • Root Rlogin on Solaris
    Detects a root rlogin on Solaris
  • Root Telnet on Sol,HP, AIX, LNX
    Detects a root remote login by Telnet
  • Root Telnet on Solaris
    Detects a root Telnet login on Solaris
  • SU to Another on AIX
    Detects SU to another user (except root) on AIX
  • SU to Another on HP
    Detects SU to another user (except root) on HP-UX
  • SU to Another on Linux
    Detects SU to another user (except root) on Red Hat 6.2, 7.0, 7.1, 7.2, Mandrake 8.0, 8.1, and 8.2, and Slackware 7.1 and 8.0
  • SU to Another on Solaris
    Detects SU to another user (except root) on Solaris
  • SU to Root on AIX
    Detects SU to root on AIX
  • SU to Root on HP
    Detects SU to root on HP-UX
  • SU to Root on Linux
    Detects SU to root on Linux Red Hat 6.2 and 7.0 servers
  • SU to Root on Other Linux
    Detects SU to root on Linux Red Hat 7.1 and up, Mandrake 8.0 and up, and Slackware 7.1 and 8.0
  • SU to Root on Solaris
    Detects SU to root on Solaris
  • SU to Root/User on Other OSs
    Detects SU to user/root on operating systems that have the same generic signature, and are not covered by other rules in this policy
  • Telnet Flag
    Detects calls to the telnet daemon and raises a flag
  • Telnet on Sol, HP, AIX, Linux
    Detects a remote login by Telnet
  • Telnet on Solaris
    Detects a Telnet login (except root) on Solaris
  • Xinetd Flag
    Detects calls to start xinetd services

Last modified on: Monday, 17-Jun-02 19:33:34