Re: Intrusion attempts

From: Ken Fairfield (my.full.name_at_intel.com)
Date: 02/04/05


Date: Fri, 04 Feb 2005 10:42:58 -0800

Syltrem wrote:

> "Ken Fairfield" <my.full.name@intel.com> wrote in message
> news:ctu5pb$c4s$1@news01.intel.com...
>
>>As John Briggs pointed out, there are security issues if that
>>information were sent in an OPCOM message.
>>
>>On the other hand, the information you seek is available via
>>ACCOUNTING (which is where I find it), and mostly via ANALYZE/AUDIT
>>(which I haven't tried, so can't guarantee, but would expect it's
>>there).
>>
>
>
>
> After 4 failed login attempts with 3 different usernames, and one ^Z (no
> username entered):
>
> In accounting I do not see the usernames used, and only one record with this
> message:
> %LOGIN-F-NOSUCHUSER, no such user
> There is another entry with this message (triggered by the ^Z):
> %LOGIN-F-CMDINPUT, error reading command input
>
> OTOH, the audit does not show anything for some reason.
> I have the auditing enabled for loginfailures:
> System security audits currently enabled for:
> Logfailure:
> batch,dialup,local,remote,network,subprocess,detached,server
> but $ anal/aud/ev=breakin sys$manager:SECURITY.AUDIT$JOURNAL/sin
> returns nothing.

     OK, you don't get the information on the nonexistent
username supplied until the remote user gets classified as an
intruder and you've triggered breakin evasion. Once you have
crossed that threshold, $ ANAL/AUDIT/EVENT=BREAKIN will list
the username supplied even if it is a "no such user"...

     -Ken

-- 
I don't speak for Intel, Intel doesn't speak for me...
Ken Fairfield
D1C Automation VMS System Support
who:   kenneth dot h dot fairfield
where: intel dot com
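
A DCL sequence for checking the behaviour discussed in this thread, given as an added example that is not part of the original posts. It assumes an account with SECURITY privilege and the audit journal at the path quoted above; the symbol name `brk_lim` is made up for the example.

```dcl
$! Added example, not from the original thread.
$! Confirm which event classes are audited (Logfailure, Breakin, ...).
$ SHOW AUDIT
$!
$! Number of failures after which a source is treated as an intruder
$! and breakin evasion starts.
$ brk_lim = F$GETSYI("LGI_BRK_LIM")
$ WRITE SYS$OUTPUT "LGI_BRK_LIM = ''brk_lim'"
$!
$! Current suspects and intruders with their failure counts; compare
$! the counts against the threshold printed above.
$ SHOW INTRUSION
$!
$! Query login-failure and break-in records together, so the search
$! is not limited to sources that already crossed the threshold.
$ ANALYZE/AUDIT/EVENT_TYPE=(LOGFAILURE,BREAKIN)/SINCE=TODAY/FULL -
        SYS$MANAGER:SECURITY.AUDIT$JOURNAL
```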

