pam_tally2 and auditd - failed logins do not make it to audit.log

aj33 · 11-14-2012, 10:25 AM

Hi All,

I am using pam_tally2 - After failed login attempts, the following command
pam_tally2 -u test
shows output

Login Failures Latest failure From
test 5 11/13/12 20:45:37 192.168.1.10

In my audit.rules file, I have

-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins

I was expecting to see information on failed logins with command

$aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
<no events of interest were found>

As the output shows, there is no information about failed login attempts in audit.log.

Command
$aureport --failed

Shows
Failed Summary Report
======================
Range of time in logs: 11/12/12 20:30:39.247 - 11/14/12 16:22:29.744
Selected time for report: 11/12/12 20:30:39 - 11/14/12 16:22:29.744
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 0
Number of authentications: 0
Number of failed authentications: 0
Number of users: 1
Number of terminals: 4
...

The fact that I am seeing correct information from pam_tally2 command seems to indicate that pam is setup correctly. I am missing something in audit.rules files?

Thanks in advance!!

AJ

unSpawn · 11-14-2012, 12:24 PM

Quote:

Originally Posted by aj33

I am missing something in audit.rules files?

No, but there is a difference between adding a watch to a file for write ops and failed logins as the audit service sees them. The latter are tagged with specific message types (see 'ausearch -m') like for example USER_AUTH. If you didn't explicitly add msgtype exclude rules in /etc/audit/audit.rules or via auditctl then egrep /var/log/audit/audit.log for any "USER*|*LOGIN*" message types or tail /var/log/messages, /var/log/secure and /var/log/audit/audit.log and force a bad login and see what it returns.

aj33 · 11-14-2012, 01:31 PM

Thanks for your reply.

If I ssh into the machine and enter wrong password. I see this message in /var/log/messages

Nov 14 19:12:19 ncv2_G1158 sshd[3426]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=a.b.com user=test
Nov 14 19:12:22 ncv2_G1158 sshd[3421]: error: PAM: Authentication failure for test from a.b.com

I don't have /var/log/secure at all.

egrep as you suggested shows nothing in the /var/log/audit/audit.log file.

I didn't exclude and msgtype for exclusion.

If I
su - test
from another login and type incorrect password, then even the /var/log/messages has nothing.

I still see correct information for the ssh failures when I run
pam_tally2 command

Thanks again for your help.

unSpawn · 11-14-2012, 01:54 PM

OK. Better list this machines distribution and (r)syslog(-ng) and audit software version first.

aj33 · 11-14-2012, 02:16 PM

It is somewhat custom incarnation of ubuntu distribution. We had to get some newer kernel stuff into our stable kernel version in order to enable the AUDIT flag for arm processor.

$uname -a
Linux ncv2_G1158 3.6.3-nc2-r6+ #42 PREEMPT Mon Nov 5 11:12:14 PST 2012 armv5tel GNU/Linux

audit - 2.2.1-r4 - audit version 2.2.1-r4

syslog-ng - 2.1.1-r0 - syslog-ng version 2.1.1-r0

Much appreciate your help!!

unSpawn · 11-15-2012, 08:10 AM

Quote:

Originally Posted by aj33

We had to get some newer kernel stuff into our stable kernel version in order to enable the AUDIT flag for arm processor.

Your kernel and SW versions are newer than what I use so that shouldn't be the problem. But audisp and audit rely on messages the kernel shoves their way. They can't respond to what isn't sent. The validity of your kernel patches would be the first thing to check IMHO.

aj33 · 11-15-2012, 01:18 PM

Okay Thanks.

Although, the only things that was picked up from the kernel was to enable ARM flag.

I will check that. In the meantime, if there is anything else somebody can think of for me to check, please let me know.

Many thanks.

AJ

unSpawn · 11-15-2012, 01:42 PM

"Getting newer kernel stuff into our stable kernel" implies you've used an Ubuntu kernel and patched it. Posting the Ubuntu kernel source version (or is it just plain "3.6.3"?) and any kernel-related comments and attaching any patches and your kernel config may benefit others looking into this.