Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!purdue!spaf
From: spaf@cs.purdue.edu (Gene Spafford)
Newsgroups: news.sysadmin
Subject: Re: Security checkup
Message-ID: <5029@medusa.cs.purdue.edu>
Date: 5 Oct 88 15:50:07 GMT
References: <167@carpet.WLK.COM> <5014@medusa.cs.purdue.edu> <2968@mipos3.intel.com>
Sender: news@cs.purdue.EDU
Reply-To: spaf@cs.purdue.edu (Gene Spafford)
Distribution: na
Organization: Department of Computer Science, Purdue University
Lines: 31

In article <2968@mipos3.intel.com> merlyn@intelob.intel.com (Randal L. Schwartz @ Stonehenge) writes:
>Arrgggh. No. If you have a feature that "logs bad login attempts to
>the console" TURN IT OFF. This is a *bad* *idea* (as Dave Barry would
>put it). This has been discussed in security circles, and even on
>this net, if I remember correctly.

The way it is often IMPLEMENTED it is a bad idea. The IDEA of auditing is standard security practice and the capability is a required part of getting a multi-level secure rating on an OS (B2 and above? I forget). If you don't know when someone is trying to break in, you can't take action against them -- maintaining an audit and reviewing it frequently is the only way to do this.

For this kind of audit feature to not be misused, you must be sure that no one other than a trusted individual (i.e., sysadmin) has any access to the console log. Of course, that is a good idea anyhow, since most system consoles allow the user to halt the machine and come back up single user.

The only problem with logging bad attempts to the console is when someone mixes up and types their password for the account name. That happens infrequently, and if trusted personnel are the only ones to see the record, it isn't a problem -- especially if they notify the account holder that the password has been compromised.

I stand by my recommendation.
-- 
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet: spaf@cs.purdue.edu	uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf
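The two points above (keep a failed-login audit and review it, but handle the case where someone types a password into the account-name prompt) can be shown together in a small review script. This is an added example, not code from the original post or from any system it discusses. Everything in it is constructed: the audit record format (`<time> login failed: user=<name> tty=<tty>`), the tiny account table, and the salted SHA-256 stand-in for the password store (a real system would use crypt(3) or a modern password hash). The script separates what may be shown on a console others can see (no non-account string is ever echoed) from what the trusted reviewer sees, counts repeated failures per real account, and, for a failed attempt whose "account name" is not an account, checks whether that string matches some account's stored password so the holder can be told to change it.

```python
import hashlib
import hmac
import re
from collections import Counter

# Constructed stand-in for the password store. Salted SHA-256 is used only so the
# example is self-contained; use crypt(3)/bcrypt/scrypt for a real account file.
def hash_password(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed account table: name -> (salt, password digest). Not real credentials.
ACCOUNTS = {
    "root":  ("s0", hash_password("s0", "console-only")),
    "alice": ("s1", hash_password("s1", "correct horse")),
    "bob":   ("s2", hash_password("s2", "hunter2")),
}

# Constructed sample audit records. On line 5 bob has typed his password at the
# login: prompt, so it shows up as the "user" of a failed attempt.
SAMPLE_AUDIT = """\
15:50:01 login failed: user=alice tty=tty03
15:50:09 login failed: user=alice tty=tty03
15:50:15 login failed: user=alice tty=tty03
15:50:22 login failed: user=root tty=tty03
15:51:40 login failed: user=hunter2 tty=tty07
15:51:48 login failed: user=bob tty=tty07
"""

FAILED_RE = re.compile(r"^(?P<time>\S+) login failed: user=(?P<user>\S+) tty=(?P<tty>\S+)$")

def parse_audit(text: str) -> list:
    """Parse the assumed record format into dicts; lines that do not match are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := FAILED_RE.match(line))]

def classify(record: dict, accounts: dict) -> tuple:
    """Classify one failed attempt.

    Returns ("valid", name) for a failure on a real account,
            ("leaked_password", name) if the typed string is some account's password,
            ("invalid", None) for any other non-account string.
    """
    user = record["user"]
    if user in accounts:
        return "valid", user
    # Not an account name: it may be a password typed into the wrong prompt.
    # Checking it against every account costs one hash per account, which is fine
    # for a small table and only happens for failed attempts on non-existent users.
    for name, (salt, digest) in accounts.items():
        if hmac.compare_digest(hash_password(salt, user), digest):
            return "leaked_password", name
    return "invalid", None

def console_line(record: dict, accounts: dict) -> str:
    """The line that may be written where others can read it: a string that is not an
    account name is never echoed, so a mistyped password cannot leak via the console."""
    kind, _ = classify(record, accounts)
    shown = record["user"] if kind == "valid" else "<invalid user>"
    return f"{record['time']} login failed: user={shown} tty={record['tty']}"

def review(records: list, accounts: dict, threshold: int = 3) -> dict:
    """The trusted reviewer's pass over the full (restricted) audit.

    Flags accounts with `threshold` or more failures and accounts whose password
    appeared as a login name and whose holders must be told to change it.
    """
    failures = Counter()
    notify = set()
    for rec in records:
        kind, who = classify(rec, accounts)
        if kind == "valid":
            failures[who] += 1
        elif kind == "leaked_password":
            notify.add(who)
    repeated = {name for name, n in failures.items() if n >= threshold}
    return {"repeated_failures": repeated, "notify_password_change": notify}

if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    print("--- console (world-visible) view ---")
    for r in recs:
        print(console_line(r, ACCOUNTS))
    print("--- reviewer findings ---")
    print(review(recs, ACCOUNTS))
```

Running it prints the console view with `user=<invalid user>` on the 15:51:40 line, and the review reports `alice` for three failures in a row and `bob` as the holder whose password was typed at the login prompt. The password-match step is the reason the full record must stay with trusted personnel: only someone with access to the account file can turn an odd "user" string into a notification to the right person.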