Use and Abuse by Outsiders

Intrusion by outsiders is among the most feared of abuses. Fortunately, this kind of abuse tends to produce distinctive audit record patterns, so it is comparatively easy to detect. Below are descriptions of several subcategories of outsider abuse that the audit system can reveal. Note, though, that an authorized user who makes a mistake or is misinformed can generate the same patterns, so each match calls for follow-up rather than an automatic conclusion.


Attempts at Unauthorized Entry

All attempts at unauthorized entry generate audit records of the sat_ae_identity event type. (Use sat_select, sat_reduce, and sat_interpret to collect and view these records.) The interpreted output of these events contains a text string that describes the attempt at entry. Intruders from outside your organization produce a much higher rate of failed login attempts than your authorized users, so a cluster of failures on one terminal or against one account deserves attention even though any single failure is usually a typing error.

Three interesting text strings reveal attempts at unauthorized entry:

Here is an example of an interpreted audit record of an unsuccessful login attempt:

Event type = sat_ae_identity 
Outcome = Failure 
Sequence number = 1 
Time of event = Mon Mar 11 12:45:40.34 PST 1991 
System call = syssgi,SGI_SATWRITE 
Error status = 0 (No error) 
SAT ID = anamaria 
Identity event = LOGIN|-|/dev/ttyq4|guest|Unsuccessful login attempt.

System Usage at Unusual Hours or From Unusual Locations

Usage of your system outside normal working hours or, if your site maintains physical security of its terminals, from unusual locations, is a matter of interest. In most cases the usage is legitimate, but each instance bears noting and examining. Many potential violations of security from outside your user community happen during nonpeak hours, and rarely from within your physical site. To observe activity at odd hours, enter the following commands in order. Here start_time and end_time bound the off-hours period: the first command collects the records written after the working day ended, the second those written before it began again, the third discards the system accounts (which are active at all hours), and the fourth displays what remains. As elsewhere in sat_reduce, the uppercase option excludes what the corresponding lowercase option would select.

  1. sat_reduce -a start_time satfile > /usr/tmp/early+late

  2. sat_reduce -A end_time satfile >> /usr/tmp/early+late

  3. sat_reduce -U root -U sys -U daemon -U adm -U lp /usr/tmp/early+late > /usr/tmp/e+l_ordusers

  4. sat_interpret /usr/tmp/e+l_ordusers | more

If your site assigns a terminal to each user and maintains reasonable physical security for each terminal, you can monitor logins from unusual locations. For example, if a user who normally works in a group computer lab makes a login attempt from a private office, that event may warrant a closer look. To get a list of login events, enter the following command:

sat_reduce -e sat_ae_identity satfile | sat_interpret | grep LOGIN

Bear in mind that it does not necessarily represent a violation of security if a user is working at an unusual terminal, or even if a user is logged in at two or more terminals at once. For instance, the user may be correcting a mistake and may have logged in elsewhere expressly to terminate unwanted processes. What you are looking for is the case where the user is not genuinely logged in twice: one of the sessions belongs to an intruder.


Connections with Machines Outside the Local Network

Whenever a user connects to a machine outside your trusted local network, an audit record should be generated. A connection to a host outside the local network is worth noticing but is not necessarily a violation of security. Be on the lookout for trojan horse programs that cause your system to make the outward connection at a later time, possibly long after the user who introduced them has logged out, so compare the SAT ID and time of each connection with what that user was doing, not just the destination. You can identify outward network connections with the following command sequence:

  1. sat_reduce -e sat_bsdipc_addr satfile > /usr/tmp/connect

  2. sat_interpret /usr/tmp/connect > /usr/tmp/connect.int

  3. grep -n "Remote host" /usr/tmp/connect.int

The above command sequence depends on the specific implementation of your networking software, so you may need to modify the command lines to reflect your networking situation. For example, if the software you are using does not generate the sat_bsdipc_addr audit event type, search for whichever event type it does generate for outward connections.
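The three checks described above (clusters of failed logins, activity outside working hours with the system accounts removed, and sat_bsdipc_addr connections that leave the local network) can also be run over sat_interpret output that has already been saved to a file, without re-running the sat_* tools. The following Python script is an added example, not part of the original manual or of IRIX. It reads a constructed sample of interpreted records (the first one copied from the page, the rest made up and trimmed to the fields the checks use) and assumes a working day of 08:00 to 18:00, a site network of 10.0.0.0/8, and that sat_interpret prints a `Remote host = ` line for sat_bsdipc_addr records, which is inferred only from the grep above.

```python
"""Triage saved sat_interpret output for the outsider patterns this page describes.
Added example; the record layout for sat_bsdipc_addr and the site network are assumptions."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of sat_interpret output (not real audit data), trimmed to the
# fields the checks read.  First record is the one shown on the page.
SAMPLE = """\
Event type = sat_ae_identity
Outcome = Failure
Time of event = Mon Mar 11 12:45:40.34 PST 1991
SAT ID = anamaria
Identity event = LOGIN|-|/dev/ttyq4|guest|Unsuccessful login attempt.

Event type = sat_ae_identity
Outcome = Failure
Time of event = Mon Mar 11 12:45:58.10 PST 1991
SAT ID = anamaria
Identity event = LOGIN|-|/dev/ttyq4|guest|Unsuccessful login attempt.

Event type = sat_ae_identity
Outcome = Failure
Time of event = Mon Mar 11 12:46:20.07 PST 1991
SAT ID = anamaria
Identity event = LOGIN|-|/dev/ttyq4|root|Unsuccessful login attempt.

Event type = sat_bsdipc_addr
Time of event = Mon Mar 11 23:02:11.00 PST 1991
SAT ID = anamaria
Remote host = 192.0.2.44

Event type = sat_bsdipc_addr
Time of event = Tue Mar 12 03:00:00.00 PST 1991
SAT ID = root
Remote host = 10.1.2.3
"""

SYSTEM_USERS = {"root", "sys", "daemon", "adm", "lp"}  # the accounts the page excludes
LOCAL_NETS = [ip_network("10.0.0.0/8")]                 # assumed site network


def parse_records(text):
    """Split interpreted output (blank-line separated 'Field = value' blocks) into dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(" = ")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def event_hour(rec):
    """Hour of day from a 'Mon Mar 11 12:45:40.34 PST 1991' timestamp, or None."""
    m = re.search(r"\b(\d{1,2}):\d{2}:\d{2}", rec.get("Time of event", ""))
    return int(m.group(1)) if m else None


def failed_logins(records):
    """Unsuccessful login attempts per (terminal, account tried); a cluster is the signal."""
    counts = Counter()
    for rec in records:
        if rec.get("Event type") != "sat_ae_identity" or rec.get("Outcome") != "Failure":
            continue
        f = rec.get("Identity event", "").split("|")  # LOGIN|-|tty|account|message
        if len(f) >= 5 and f[0] == "LOGIN" and "Unsuccessful" in f[4]:
            counts[(f[2], f[3])] += 1
    return counts


def off_hours_activity(records, day_start=8, day_end=18, system_users=SYSTEM_USERS):
    """Records outside [day_start, day_end) not owned by a system account (-a/-A then -U)."""
    hits = []
    for rec in records:
        hour, user = event_hour(rec), rec.get("SAT ID")
        if hour is None or user in system_users:
            continue
        if hour < day_start or hour >= day_end:
            hits.append((user, hour, rec.get("Event type")))
    return hits


def outward_connections(records, local_nets=LOCAL_NETS):
    """(SAT ID, remote host) for sat_bsdipc_addr records whose peer is not on a local net.
    A host name that is not an address is reported rather than silently trusted."""
    remote = []
    for rec in records:
        if rec.get("Event type") != "sat_bsdipc_addr" or "Remote host" not in rec:
            continue
        host = rec["Remote host"]
        try:
            local = any(ip_address(host) in net for net in local_nets)
        except ValueError:
            local = False
        if not local:
            remote.append((rec.get("SAT ID"), host))
    return remote


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("failed logins:", dict(failed_logins(recs)))
    print("off hours:", off_hours_activity(recs))
    print("outward:", outward_connections(recs))
```

On the sample, the two guest failures and one root failure on /dev/ttyq4 are counted together as one terminal's cluster, the 23:02 connection by anamaria is the only off-hours hit (root's 03:00 connection is dropped by the system-account exclusion, just as the -U options drop it), and only the 192.0.2.44 peer is reported as outward. To use it on real data, replace SAMPLE with the contents of a file written by sat_interpret and adjust LOCAL_NETS and the working-day bounds.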
