LinuxQuestions.org
Old 06-21-2010, 10:07 PM   #1
ono1331
LQ Newbie
 
Registered: May 2010
Posts: 9

Rep: Reputation: 0
Linux PAM: How can the PAM operation be logged??


Hi experts,
I am new to Linux PAM. After I set it up to use some modules, say, pam_access.so, I want to know if there is a way for the administrator to check whether any invalid attempt happened and was blocked by that module?? Thanks in advance for any comment!!!
 
Old 06-22-2010, 03:53 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,285
Blog Entries: 54

Rep: Reputation: 2854
PAM logs to Syslog, so any violations should be in what is configured in /etc/syslog.conf: /var/log/secure, /var/log/messages, et cetera. Also see 'man pam_access', the "noaudit" switch.
 
Old 06-23-2010, 03:05 AM   #3
ono1331
LQ Newbie
 
Registered: May 2010
Posts: 9

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn
PAM logs to Syslog, so any violations should be in what is configured in /etc/syslog.conf: /var/log/secure, /var/log/messages, et cetera. Also see 'man pam_access', the "noaudit" switch.
Thank you for the reply. I found the log for the violation generated by pam_access, but cannot find the one generated by pam_time.so (just an entry with 'Permission Denied', without the word pam_time). Would you please give me some idea???



Thanks a lot!!!

Last edited by ono1331; 06-23-2010 at 04:18 AM.
 
Old 06-23-2010, 04:24 AM   #4
vishesh
Member
 
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 658

Rep: Reputation: 66
What is the content of your /etc/security/time.conf file?
 
Old 06-23-2010, 12:07 PM   #5
ono1331
LQ Newbie
 
Registered: May 2010
Posts: 9

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by vishesh
What is the content of your /etc/security/time.conf file?
My setting:
@/etc/pam.d/remote
#%PAM-1.0
auth required pam_securetty.so
auth include system-auth
account required pam_nologin.so
account required pam_time.so
account include system-auth

@/etc/security/time.conf
*;*;testtime;!Al000-2400;

@/var/log/secure
Jun 22 01:46:21 localhost login: pam_unix(remote:auth): authentication failure; logname= uid=0 euid=0 tty=pts/3 ruser= rhost=192.168.0.3 user=testtime
Jun 22 01:46:23 localhost login: FAILED LOGIN 1 FROM 192.168.0.3 FOR testtime, Authentication failure
Jun 22 01:46:27 localhost login: Permission denied


Thanks so much for any help!!!
 
Old 06-27-2010, 08:11 AM   #6
ono1331
LQ Newbie
 
Registered: May 2010
Posts: 9

Original Poster
Rep: Reputation: 0
Hey, can anybody help me???? Thanks!!!
 
Old 06-28-2010, 06:08 AM   #7
vishesh
Member
 
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 658

Rep: Reputation: 66
Post the content of system-auth, because you are including it.

Thanks
 
Old 06-28-2010, 11:06 AM   #8
ono1331
LQ Newbie
 
Registered: May 2010
Posts: 9

Original Poster
Rep: Reputation: 0
The system-auth, thanks for help!!!

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
 
Old 06-28-2010, 01:06 PM   #9
vishesh
Member
 
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 658

Rep: Reputation: 66
Just for testing, try it in run level 3, I mean for console login only.
Where do you mention pam_access?
Thanks
 
Old 06-29-2010, 09:53 AM   #10
ono1331
LQ Newbie
 
Registered: May 2010
Posts: 9

Original Poster
Rep: Reputation: 0
Here is the test done @ console login:
account:testtime --> for testing pam_time
account:testaccess --> for testing pam_access
---------------------------------------

The /etc/pam.d/login:
[root@localhost pam.d]# more /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_access.so
account required pam_time.so
account required pam_nologin.so
account include system-auth
account required pam_warn.so
account required pam_time.so
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session optional pam_ck_connector.so
session required /lib/security/pam_limits.so
session required pam_limits.so
[root@localhost pam.d]#
---------------------------------------

The system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
---------------------------------------

The /etc/security/time.conf:
*;*;testtime;!Al0000-2400
---------------------------------------

The /etc/security/access.conf:
- :testaccess : ALL
---------------------------------------

The /var/log/secure
[root@localhost pam.d]# more /var/log/secure

Jun 22 09:05:07 localhost login: pam_warn(login:account): function=[pam_sm_acct_mgmt] service=[login] terminal=[tty1] user=[testtime] ruser=[<unknown>] rhost=[<unknown>]
Jun 22 09:05:07 localhost login: Permission denied
Jun 22 09:05:12 localhost login: pam_access(login:account): access denied for user `testaccess' from `tty1'
Jun 22 09:05:12 localhost login: pam_warn(login:account): function=[pam_sm_acct_mgmt] service=[login] terminal=[tty1] user=[testaccess] ruser=[<unknown>] rhost=[<unknown>]
Jun 22 09:05:12 localhost login: Permission denied
[root@localhost pam.d]#
---------------------------------------

What I wonder is, in the secure log, I cannot find a keyword like 'pam_time' followed by 'Permission denied', but for 'pam_access' I can. Thus, it's hard for me to realize that the user is blocked by the 'pam_time' module in a real situation. Is there any way to solve it??? Thanks. (The test was done with Fedora 7, while my production environment is RHEL 5.)

Last edited by ono1331; 06-29-2010 at 09:55 AM.
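
Added example, not part of any post in this thread: a Python sketch that pairs each 'Permission denied' line in the /var/log/secure excerpt above with the PAM module messages logged by the same program in the same second, so that denials with no module message of their own stand out. Pairing by timestamp is an assumption made because these entries carry no PID; the function and variable names are hypothetical.

```python
import re

# Added example. SAMPLE is the /var/log/secure excerpt posted in this thread
# (wrapped lines rejoined). Entries carry no PID, so lines are paired by
# timestamp and program name, which is a heuristic.
SAMPLE = """\
Jun 22 09:05:07 localhost login: pam_warn(login:account): function=[pam_sm_acct_mgmt] service=[login] terminal=[tty1] user=[testtime] ruser=[<unknown>] rhost=[<unknown>]
Jun 22 09:05:07 localhost login: Permission denied
Jun 22 09:05:12 localhost login: pam_access(login:account): access denied for user `testaccess' from `tty1'
Jun 22 09:05:12 localhost login: pam_warn(login:account): function=[pam_sm_acct_mgmt] service=[login] terminal=[tty1] user=[testaccess] ruser=[<unknown>] rhost=[<unknown>]
Jun 22 09:05:12 localhost login: Permission denied
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ ([^:\[\s]+)(?:\[\d+\])?: (.*)$")
PAM = re.compile(r"^(pam_\w+)\([\w-]+:\w+\): (.*)$")
USER = re.compile(r"\buser[ =]\[?`?([\w.-]+)")
LOG_ONLY = {"pam_warn"}  # pam_warn only records the call; it makes no access decision

def attribute_denials(text):
    """One dict per 'Permission denied' line: user, modules seen, modules that explain it."""
    pending, results = [], []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, prog, msg = m.groups()
        pam = PAM.match(msg)
        if pam:
            pending.append((stamp, prog, pam.group(1), pam.group(2)))
        elif msg.strip() == "Permission denied":
            mine = [p for p in pending if p[:2] == (stamp, prog)]
            users = [u.group(1) for u in (USER.search(p[3]) for p in mine) if u]
            modules = [p[2] for p in mine]
            results.append({
                "time": stamp,
                "user": users[0] if users else None,
                "modules": modules,
                "attributed": [x for x in modules if x not in LOG_ONLY],
            })
            pending = []
    return results

if __name__ == "__main__":
    for d in attribute_denials(SAMPLE):
        why = ", ".join(d["attributed"]) or "no module message (only: %s)" % ", ".join(d["modules"])
        print(d["time"], d["user"], "->", why)
```
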
 
Old 06-29-2010, 10:39 AM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,285
Blog Entries: 54

Rep: Reputation: 2854
Quote:
Originally Posted by vishesh
Just for testing, try it in run level 3, I mean for console login only.
What purpose would that serve, I wonder?..
 
Old 06-29-2010, 10:41 AM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,285
Blog Entries: 54

Rep: Reputation: 2854
Quote:
Originally Posted by ono1331
What I wonder is, in the secure log, I cannot find a keyword like 'pam_time' followed by 'Permission denied', but for 'pam_access' I can. Thus, it's hard for me to realize that the user is blocked by the 'pam_time' module in a real situation.
No it won't be. Your log shows user "testtime" (any exposed account names with "test" or "blah" being bad names anyway) is denied access by the first module in the PAM stack (see /etc/security/access.conf) so no subsequent modules are checked. BTW, you also have two "account required pam_time.so" lines in your /etc/pam.d/login.
 
Old 06-30-2010, 11:33 AM   #13
ono1331
LQ Newbie
 
Registered: May 2010
Posts: 9

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn
No it won't be. Your log shows user "testtime" (any exposed account names with "test" or "blah" being bad names anyway) is denied access by the first module in the PAM stack (see /etc/security/access.conf) so no subsequent modules are checked. BTW, you also have two "account required pam_time.so" lines in your /etc/pam.d/login.
Sorry master, do you mean any account with the word 'test' will be blocked by the pam_access module?? But if I use another account, say 'john', I can only find 'permission denied' in the /var/log/secure file, nothing more. Why is that in my case?? Or can you give me a sample setting to solve this?? Thanks.
 
Old 06-30-2010, 12:51 PM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,285
Blog Entries: 54

Rep: Reputation: 2854
Quote:
Originally Posted by ono1331
Sorry master
I'm not a "master" of anything so please don't call me that.


Quote:
Originally Posted by ono1331
do you mean any account with the word 'test' will be blocked by the pam_access module??
No, I mean it should be common sense to not have any account name with the string "test" in it.


Quote:
Originally Posted by ono1331
But if I use another account, say 'john', I can only find 'permission denied' in the /var/log/secure file, nothing more. Why is that in my case??
Questions:
- In /etc/security/access.conf you have a line "- :testaccess : ALL". What does that line achieve?
- What is the (expanded) PAM module order of your /etc/pam.d/login?
- So which module is used first? pam_access.so or pam_time.so?
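
Added example, not part of the thread: one way to work out the expanded module order asked about above, in Python, by following the "include" lines of the posted /etc/pam.d/login into system-auth for the account type and listing modules that occur more than once. FILES holds excerpts of the two posted files; the function names are hypothetical, and only "include" is followed because it is the only form used in those files.

```python
# Added example: expand "include" lines to get the effective order of one PAM stack.
# FILES holds excerpts of the two configs posted in this thread.
FILES = {
    "login": """\
#%PAM-1.0
auth include system-auth
account required pam_access.so
account required pam_time.so
account required pam_nologin.so
account include system-auth
account required pam_warn.so
account required pam_time.so
""",
    "system-auth": """\
auth required pam_env.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
""",
}

def parse_line(line):
    """Return (type, control, module) for a pam.d rule, or None for blanks/comments."""
    tokens = line.split("#", 1)[0].split()
    if len(tokens) < 3:
        return None
    if tokens[1].startswith("["):  # bracketed control such as [success=1 default=ignore]
        end = next(i for i in range(1, len(tokens)) if tokens[i].endswith("]"))
        return tokens[0], " ".join(tokens[1:end + 1]), tokens[end + 1]
    return tokens[0], tokens[1], tokens[2]

def expand(service, mtype, files, seen=()):
    """List (source file, control, module) for one module type, following includes."""
    if service in seen:
        raise ValueError("include loop at " + service)
    stack = []
    for line in files[service].splitlines():
        rule = parse_line(line)
        if rule is None or rule[0].lstrip("-") != mtype:
            continue
        if rule[1] == "include":
            stack += expand(rule[2], mtype, files, seen + (service,))
        else:
            stack.append((service, rule[1], rule[2]))
    return stack

def duplicates(stack):
    """Modules that appear more than once in the expanded stack."""
    names = [module for _, _, module in stack]
    return sorted({m for m in names if names.count(m) > 1})

if __name__ == "__main__":
    for n, (src, control, module) in enumerate(expand("login", "account", FILES), 1):
        print(n, control, module, "(from " + src + ")")
    print("duplicates:", duplicates(expand("login", "account", FILES)))
```
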
 
  

