Linux PAM: How can the PAM operation be logged?
Hi experts,
I am new to Linux PAM. After I set it to use some modules, say pam_access.so, I want to know if there is a way for the administrator to check if any invalid attempt happened and was blocked by that module? Thanks in advance for any comment!!! |
PAM logs to Syslog, so any violations should be in what is configured in /etc/syslog.conf: /var/log/secure, /var/log/messages, et cetera. Also see 'man pam_access', the "noaudit" switch.
|
Quote:
Thanks a lot!!! |
What is the content of your /etc/security/time.conf file?
|
Quote:
@/etc/pam.d/remote
#%PAM-1.0
auth required pam_securetty.so
auth include system-auth
account required pam_nologin.so
account required pam_time.so
account include system-auth

@/etc/security/time.conf
*;*;testtime;!Al000-2400;

@/var/log/secure
Jun 22 01:46:21 localhost login: pam_unix(remote:auth): authentication failure; logname= uid=0 euid=0 tty=pts/3 ruser= rhost=192.168.0.3 user=testtime
Jun 22 01:46:23 localhost login: FAILED LOGIN 1 FROM 192.168.0.3 FOR testtime, Authentication failure
Jun 22 01:46:27 localhost login: Permission denied

Thanks so much for any help!!! |
Hey, can anybody help me???? Thanks!!!
|
Post the content of system-auth, because you are including it.
Thanks |
The system-auth, thanks for help!!!
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so |
Just for testing, try it in run level 3, I mean for console login only.
Where did you mention pam_access? Thanks |
Here is the test done @ console login:
account:testtime --> for testing pam_time
account:testaccess --> for testing pam_access
---------------------------------------
The /etc/pam.d/login:
[root@localhost pam.d]# more /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_access.so
account required pam_time.so
account required pam_nologin.so
account include system-auth
account required pam_warn.so
account required pam_time.so
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session optional pam_ck_connector.so
session required /lib/security/pam_limits.so
session required pam_limits.so
[root@localhost pam.d]#
---------------------------------------
The system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
---------------------------------------
The /etc/security/time.conf:
*;*;testtime;!Al0000-2400
---------------------------------------
The /etc/security/access.conf:
- :testaccess : ALL
---------------------------------------
The /var/log/secure
[root@localhost pam.d]# more /var/log/secure
Jun 22 09:05:07 localhost login: pam_warn(login:account): function=[pam_sm_acct_mgmt] service=[login] terminal=[tty1] user=[testtime] ruser=[<unknown>] rhost=[<unknown>]
Jun 22 09:05:07 localhost login: Permission denied
Jun 22 09:05:12 localhost login: pam_access(login:account): access denied for user `testaccess' from `tty1'
Jun 22 09:05:12 localhost login: pam_warn(login:account): function=[pam_sm_acct_mgmt] service=[login] terminal=[tty1] user=[testaccess] ruser=[<unknown>] rhost=[<unknown>]
Jun 22 09:05:12 localhost login: Permission denied
[root@localhost pam.d]#
---------------------------------------
What I wonder is, in the secure log, I cannot find a keyword like 'pam_time' followed by 'Permission denied', but for 'pam_access' I can. Thus, it's hard for me to tell that the user is blocked by the 'pam_time' module in a real situation. Is there any way to solve it??? Thanks.
(The test is done with Fedora 7, while my production environment is RHEL 5) |
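An added example (not part of the original posts): a small Python pass over the /var/log/secure lines shown above that pairs each "Permission denied" with the user named by pam_warn and with the module, if any, that logged its own denial. The function names are hypothetical, and it assumes the lines of one login attempt are contiguous in the log.

```python
import re

# Constructed sample: the /var/log/secure lines from the post, terminal line-wrap repaired.
SAMPLE = """\
Jun 22 09:05:07 localhost login: pam_warn(login:account): function=[pam_sm_acct_mgmt] service=[login] terminal=[tty1] user=[testtime] ruser=[<unknown>] rhost=[<unknown>]
Jun 22 09:05:07 localhost login: Permission denied
Jun 22 09:05:12 localhost login: pam_access(login:account): access denied for user `testaccess' from `tty1'
Jun 22 09:05:12 localhost login: pam_warn(login:account): function=[pam_sm_acct_mgmt] service=[login] terminal=[tty1] user=[testaccess] ruser=[<unknown>] rhost=[<unknown>]
Jun 22 09:05:12 localhost login: Permission denied
"""

TS = r"(?P<ts>\w{3}\s+\d+ [\d:]{8})"
# "pam_module(service:type): message" lines, as seen in the sample above
PAM_LINE = re.compile(r"^" + TS + r" \S+ \S+ (?P<mod>pam_\w+)"
                      r"\((?P<svc>[^:)]+):(?P<type>\w+)\): (?P<msg>.*)$")
DENIED = re.compile(r"^" + TS + r" \S+ \S+ Permission denied$")
WARN_USER = re.compile(r"\buser=\[([^\]]*)\]")      # \b keeps ruser=[...] from matching
DENY_USER = re.compile(r"denied for user `([^']*)'")

def attribute_denials(text):
    """Return one record per 'Permission denied': time, user, and denying module or None."""
    events, user, module = [], None, None
    for line in text.splitlines():
        m = PAM_LINE.match(line)
        if m:
            if m["mod"] == "pam_warn":               # pam_warn only reports context
                u = WARN_USER.search(m["msg"])
                user = u.group(1) if u else user
            elif "denied" in m["msg"].lower():       # a module announcing its own denial
                module = m["mod"]
                u = DENY_USER.search(m["msg"])
                user = u.group(1) if u else user
            continue
        d = DENIED.match(line)
        if d:
            events.append({"time": d["ts"], "user": user, "module": module})
            user, module = None, None                # start collecting the next attempt
    return events

def unattributed(events):
    """Denials no module claimed in the log; check these against the account stack."""
    return [e for e in events if e["module"] is None]
```

On the sample, the testaccess denial is attributed to pam_access, while the testtime denial comes back with no module, which is the gap described in the post.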
- In /etc/security/access.conf you have a line "- :testaccess : ALL". What does that line achieve?
- What is the (expanded) PAM module order of your /etc/pam.d/login?
- So which module is used first? pam_access.so or pam_time.so? |
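An added example (not from the thread): one way to see the expanded module order asked about above is to parse the posted files and inline each `include`. The file contents are copied from the posts as constructed input; `parse` and `expand` are hypothetical helper names.

```python
# Constructed input: account-relevant parts of the two files as posted in the thread.
FILES = {
    "login": """\
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
account required pam_access.so
account required pam_time.so
account required pam_nologin.so
account include system-auth
account required pam_warn.so
account required pam_time.so
""",
    "system-auth": """\
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
""",
}

def parse(line):
    """Split one pam.d line into (type, control, module, args); None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    mtype, rest = line.split(None, 1)
    if rest.startswith("["):                      # bracketed control: [value=action ...]
        end = rest.index("]") + 1
        control, rest = rest[:end], rest[end:]
    else:
        control, rest = rest.split(None, 1)
    module, *args = rest.split()
    return mtype.lstrip("-"), control, module, args

def expand(service, mtype, files=FILES, seen=()):
    """Return the ordered (control, module, source file) list for one management group."""
    if service in seen:
        raise ValueError("include loop at " + service)
    stack = []
    for raw in files[service].splitlines():
        entry = parse(raw)
        if entry is None or entry[0] != mtype:
            continue
        _, control, module, _ = entry
        if control in ("include", "substack"):    # inline the referenced file's lines
            stack += expand(module, mtype, files, seen + (service,))
        else:
            stack.append((control, module, service))
    return stack
```

`expand("login", "account")` lists pam_access.so first, pam_time.so second, then the system-auth entries, with pam_warn.so and a second pam_time.so at the end.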