pam_tally2 and auditd - failed logins do not make it to audit.log
Hi All,
I am using pam_tally2. After failed login attempts, the command pam_tally2 -u test
shows this output:
Login Failures Latest failure From
test 5 11/13/12 20:45:37 192.168.1.10
In my audit.rules file, I have
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
I was expecting to see information on failed logins with command
$aureport -au
Authentication Report
============================================
# date time acct host term exe success event
============================================
<no events of interest were found>
As the output shows, there is no information about failed login attempts in audit.log.
The command $aureport --failed
shows Failed Summary Report
======================
Range of time in logs: 11/12/12 20:30:39.247 - 11/14/12 16:22:29.744
Selected time for report: 11/12/12 20:30:39 - 11/14/12 16:22:29.744
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 0
Number of authentications: 0
Number of failed authentications: 0
Number of users: 1
Number of terminals: 4
...
The fact that I am seeing correct information from the pam_tally2 command seems to indicate that PAM is set up correctly. Am I missing something in the audit.rules file?
No, but there is a difference between adding a watch to a file for write ops and failed logins as the audit service sees them. The latter are tagged with specific message types (see 'ausearch -m') like for example USER_AUTH. If you didn't explicitly add msgtype exclude rules in /etc/audit/audit.rules or via auditctl then egrep /var/log/audit/audit.log for any "USER*|*LOGIN*" message types or tail /var/log/messages, /var/log/secure and /var/log/audit/audit.log and force a bad login and see what it returns.
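To make the distinction in the reply above concrete (a -w file watch versus the USER_AUTH / USER_LOGIN message types that aureport -au counts), here is an added example that is not part of the thread. It parses a constructed sample of audit.log records in auditd's key=value format and reports failed authentications per account and source address, the way the original poster expected the file watch on tallylog to do. The sample lines, timestamps and addresses are constructed for this example; the record layout (type=..., msg=audit(ts:serial):, PAM details nested in msg='...') is the standard one written by auditd.

```python
import re
from collections import Counter

# Constructed sample of /var/log/audit/audit.log lines (not from the thread).
# The SYSCALL/PATH pair is what a file watch such as
#   -w /var/log/tallylog -p wa -k logins
# produces when pam_tally2 writes tallylog: it is keyed "logins" but carries no
# acct= or res= fields, so aureport -au has nothing to show for it.
# The USER_AUTH / USER_LOGIN records are sent by PAM over the audit socket,
# independent of any -w rule; these are what aureport -au and --failed count.
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1352861137.412:101): pid=2210 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="test" exe="/usr/sbin/sshd" hostname=192.168.1.10 addr=192.168.1.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1352861137.420:102): pid=2210 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=192.168.1.10 addr=192.168.1.10 terminal=ssh res=failed'
type=SYSCALL msg=audit(1352861137.430:103): arch=40000028 syscall=5 success=yes exit=3 pid=2210 uid=0 auid=4294967295 key="logins"
type=PATH msg=audit(1352861137.430:103): item=0 name="/var/log/tallylog" inode=1234 mode=0100600
type=USER_AUTH msg=audit(1352861201.003:110): pid=2250 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="admin" exe="/usr/sbin/sshd" hostname=192.168.1.11 addr=192.168.1.11 terminal=ssh res=success'
type=USER_AUTH msg=audit(1352861250.777:115): pid=2290 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="test" exe="/usr/sbin/sshd" hostname=192.168.1.10 addr=192.168.1.10 terminal=ssh res=failed'
"""

# type=<TYPE> msg=audit(<epoch.ms>:<serial>): <key=value fields...>
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value where value is "double-quoted", 'single-quoted' or a bare token
KV_RE = re.compile(r"(\w+)=(?:\"([^\"]*)\"|'([^']*)'|(\S+))")


def _parse_kv(text):
    """Split a run of key=value fields into a dict."""
    fields = {}
    for m in KV_RE.finditer(text):
        key, dq, sq, bare = m.groups()
        fields[key] = dq if dq is not None else sq if sq is not None else bare
    return fields


def parse_record(line):
    """Parse one audit.log line; return None for lines that are not audit records."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    fields = _parse_kv(m.group("body"))
    # PAM records carry acct=, addr=, terminal=, res= inside msg='...'
    nested = fields.pop("msg", None)
    if nested is not None:
        fields.update(_parse_kv(nested))
    return {"type": m.group("type"), "ts": float(m.group("ts")),
            "serial": int(m.group("serial")), **fields}


def record_type_counts(log_text):
    """Count records per audit message type (what 'ausearch -m <TYPE>' selects on)."""
    return Counter(rec["type"] for rec in map(parse_record, log_text.splitlines()) if rec)


def failed_auth_summary(log_text, types=("USER_AUTH", "USER_LOGIN")):
    """Count res=failed records per (type, account, source address), a reduced aureport -au."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["type"] not in types:
            continue
        if rec.get("res") == "failed":
            counts[(rec["type"], rec.get("acct", "?"), rec.get("addr", "?"))] += 1
    return counts


if __name__ == "__main__":
    print("records by type:", dict(record_type_counts(SAMPLE_AUDIT_LOG)))
    print("type            acct      addr              failures")
    for (rtype, acct, addr), n in sorted(failed_auth_summary(SAMPLE_AUDIT_LOG).items()):
        print(f"{rtype:<15} {acct:<9} {addr:<17} {n}")
```

Run against a real log, the same parser can be pointed at /var/log/audit/audit.log after forcing a bad login as the reply suggests; if no USER_AUTH or USER_LOGIN records appear at all while the SYSCALL/PATH records for tallylog do, the gap is between PAM and the audit socket rather than in audit.rules.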
It is a somewhat custom incarnation of the Ubuntu distribution. We had to get some newer kernel stuff into our stable kernel version in order to enable the AUDIT flag for the ARM processor.
$uname -a
Linux ncv2_G1158 3.6.3-nc2-r6+ #42 PREEMPT Mon Nov 5 11:12:14 PST 2012 armv5tel GNU/Linux
Your kernel and SW versions are newer than what I use so that shouldn't be the problem. But audisp and audit rely on messages the kernel shoves their way. They can't respond to what isn't sent. The validity of your kernel patches would be the first thing to check IMHO.
"Getting newer kernel stuff into our stable kernel" implies you've used an Ubuntu kernel and patched it. Posting the Ubuntu kernel source version (or is it just plain "3.6.3"?) and any kernel-related comments and attaching any patches and your kernel config may benefit others looking into this.