User's Manual

Solaris 9 Security CX-310-301
- By operating lax permissions and revealing passwords
Detection and Device Management
This section looks at logging important system messages so that incidents can be recorded, including the
use of the process accounting facility that comes with the standard Solaris 9 installation. Also, the Solaris
Basic Security Module (BSM) is described here showing how to configure BSM and conduct an audit, as
well as interpreting the results. The final part in this section looks at protecting access to devices.
Monitoring Login Attempts
Loginlog
By default, unsuccessful login attempts are recorded only after 5 attempts have been made. This is far too
many: the system administrator should be alerted that incorrect passwords are being entered so that the
activity can be carefully monitored. To log all unsuccessful login attempts, first create the file where
these messages will be logged, namely /var/adm/loginlog, set its permissions to 700, and then modify two
lines in the file /etc/default/login.
# touch /var/adm/loginlog
# chmod 700 /var/adm/loginlog
This second command modifies the permissions so that only user root can access the file. Messages are
logged to this file via syslog, described later in this section, in the AUTH.NOTICE category.
Change the lines:
SYSLOG_FAILED_LOGINS=5
RETRIES=5
to:
SYSLOG_FAILED_LOGINS=0
RETRIES=1
Notice that by default the two lines are commented out. Remember to uncomment them as well. Also note
that if you set the RETRIES variable to 0, then you might not be able to log in at all, except at the console.
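One way to check the result of the steps above, as an added example that is not part of the original guide: the script reports when either line is still commented out, when RETRIES is 0, and when the log file is missing or not mode 700. The helper names login_setting and audit_loginlog are hypothetical, and both file paths are passed as arguments so the check can also be run against copies.

```shell
#!/bin/sh
# Added example: verify the loginlog setup on copies of the files or in place.
# login_setting and audit_loginlog are hypothetical helper names.

# Print the effective value of KEY ($2) in FILE ($1): the last uncommented
# KEY=value line. Commented-out lines (the shipped default) print nothing.
login_setting() {
    sed -n "s/^[[:space:]]*$2=\([^#[:space:]]*\).*/\1/p" "$1" | sed -n '$p'
}

# Return 0 when the defaults file ($1) and log file ($2) match the settings
# above; otherwise print one line per finding and return 1.
audit_loginlog() {
    file=$1 log=$2 rc=0
    failed=$(login_setting "$file" SYSLOG_FAILED_LOGINS)
    retries=$(login_setting "$file" RETRIES)
    if [ "$failed" != 0 ]; then
        echo "SYSLOG_FAILED_LOGINS is '${failed:-commented out or missing}', expected 0"
        rc=1
    fi
    case "$retries" in
        1) ;;
        0) echo "RETRIES=0: logins may only work at the console"; rc=1 ;;
        *) echo "RETRIES is '${retries:-commented out or missing}', expected 1"; rc=1 ;;
    esac
    if [ ! -f "$log" ]; then
        echo "$log does not exist"; rc=1
    else
        mode=$(ls -ld "$log" | cut -c1-10)   # e.g. -rwx------ for mode 700
        [ "$mode" = "-rwx------" ] || { echo "$log mode is $mode, expected 700"; rc=1; }
    fi
    return $rc
}

# Run the audit only when both paths are given on the command line.
if [ $# -eq 2 ]; then
    audit_loginlog "$1" "$2"
fi
```

On a live system the two arguments would be /etc/default/login and /var/adm/loginlog, with the script run as root.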