LinuxQuestions.org

Linux PAM: How can the PAM operation be logged?? (https://www.linuxquestions.org/questions/linux-newbie-8/linux-pam-how-can-the-pam-operation-be-logged-815559/)

ono1331 06-21-2010 10:07 PM

Linux PAM: How can the PAM operation be logged??

Hi experts,
I am new to Linux PAM. After I set it to use some modules, say pam_access.so, I want to know if there is a way for the administrator to check whether any invalid attempt happened and was blocked by that module?? Thanks in advance for any comment!!!

unSpawn 06-22-2010 03:53 AM

PAM logs to Syslog, so any violations should be in what is configured in /etc/syslog.conf: /var/log/secure, /var/log/messages, et cetera. Also see 'man pam_access', the "noaudit" switch.

ono1331 06-23-2010 03:05 AM

Quote:

Originally Posted by unSpawn (Post 4011116)
PAM logs to Syslog, so any violations should be in what is configured in /etc/syslog.conf: /var/log/secure, /var/log/messages, et cetera. Also see 'man pam_access', the "noaudit" switch.

Thank you for the reply. I found the log for the violation generated by pam_access, but cannot find the one generated by pam_time.so (just an entry with 'Permission Denied', without the word pam_time). Would you please give me some idea???

Thanks a lot!!!

vishesh 06-23-2010 04:24 AM

What is content of your /etc/security/time.conf file?

ono1331 06-23-2010 12:07 PM

Quote:

Originally Posted by vishesh (Post 4012397)
What is content of your /etc/security/time.conf file?

My setting:
@/etc/pam.d/remote
#%PAM-1.0
auth required pam_securetty.so
auth include system-auth
account required pam_nologin.so
account required pam_time.so
account include system-auth

@/etc/security/time.conf
*;*;testtime;!Al000-2400;

@/var/log/secure
Jun 22 01:46:21 localhost login: pam_unix(remote:auth): authentication failure; logname= uid=0 euid=0 tty=pts/3 ruser= rhost=192.168.0.3 user=testtime
Jun 22 01:46:23 localhost login: FAILED LOGIN 1 FROM 192.168.0.3 FOR testtime, Authentication failure
Jun 22 01:46:27 localhost login: Permission denied


Thanks so much for any help!!!

ono1331 06-27-2010 08:11 AM

Hey, can anybody help me???? Thanks!!!

vishesh 06-28-2010 06:08 AM

Post the content of system-auth, because you are including it.

Thanks

ono1331 06-28-2010 11:06 AM

The system-auth, thanks for the help!!!

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

vishesh 06-28-2010 01:06 PM

Just for testing, try it in run level 3, I mean for console login only.
Where do you mention pam_access?
Thanks

ono1331 06-29-2010 09:53 AM

Here is the test done @ console login:
account:testtime --> for testing pam_time
account:testaccess --> for testing pam_access
---------------------------------------

The /etc/pam.d/login:
[root@localhost pam.d]# more /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_access.so
account required pam_time.so
account required pam_nologin.so
account include system-auth
account required pam_warn.so
account required pam_time.so
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session optional pam_ck_connector.so
session required /lib/security/pam_limits.so
session required pam_limits.so
[root@localhost pam.d]#
---------------------------------------

The system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
---------------------------------------

The /etc/security/time.conf:
*;*;testtime;!Al0000-2400
---------------------------------------

The /etc/security/access.conf:
- :testaccess : ALL
---------------------------------------

The /var/log/secure
[root@localhost pam.d]# more /var/log/secure

Jun 22 09:05:07 localhost login: pam_warn(login:account): function=[pam_sm_acct_mgmt] service=[login] terminal=[tty1] user=[testtime] ruser=[<unknown>] rhost=[<unknown>]
Jun 22 09:05:07 localhost login: Permission denied
Jun 22 09:05:12 localhost login: pam_access(login:account): access denied for user `testaccess' from `tty1'
Jun 22 09:05:12 localhost login: pam_warn(login:account): function=[pam_sm_acct_mgmt] service=[login] terminal=[tty1] user=[testaccess] ruser=[<unknown>] rhost=[<unknown>]
Jun 22 09:05:12 localhost login: Permission denied
[root@localhost pam.d]#
---------------------------------------

What I wonder is, in the secure log I cannot find a keyword like 'pam_time' followed by 'Permission denied', but 'pam_access' does appear. Thus it's hard for me to tell that the user was blocked by the 'pam_time' module in a real situation. Is there any way to solve it??? Thanks. (The test is done with Fedora 7, while my production environment is RHEL 5)
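
Since the whole question here is how to tell from /var/log/secure which module refused a login, here is an added example (mine, not the thread's or Linux-PAM's own code) that reads syslog lines in the format shown above and attributes each bare `Permission denied` line to the module that logged a refusal just before it. The sample log is the excerpt posted above; the grouping rule (module lines logged since the previous denial by the same program belong to the next denial) is an assumption that holds for a single serial login prompt such as tty1, and `unattributed()` collects the denials that no module claimed, which is exactly the `testtime` case.

```python
"""Attribute each 'Permission denied' line in /var/log/secure to the PAM
module that logged a refusal just before it.  Added example, not code from
the thread; the sample lines are the ones posted above."""
import re

# Constructed sample: the /var/log/secure excerpt posted in the thread.
SAMPLE_LOG = """\
Jun 22 09:05:07 localhost login: pam_warn(login:account): function=[pam_sm_acct_mgmt] service=[login] terminal=[tty1] user=[testtime] ruser=[<unknown>] rhost=[<unknown>]
Jun 22 09:05:07 localhost login: Permission denied
Jun 22 09:05:12 localhost login: pam_access(login:account): access denied for user `testaccess' from `tty1'
Jun 22 09:05:12 localhost login: pam_warn(login:account): function=[pam_sm_acct_mgmt] service=[login] terminal=[tty1] user=[testaccess] ruser=[<unknown>] rhost=[<unknown>]
Jun 22 09:05:12 localhost login: Permission denied
"""

# syslog line: "Mon DD HH:MM:SS host program: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\s]+): (?P<msg>.*)$")
# module-level line: "pam_xxx(service:type): detail"
MODULE_RE = re.compile(
    r"^(?P<module>pam_\w+)\((?P<service>[^:)]+):(?P<type>\w+)\): (?P<detail>.*)$")
WARN_USER_RE = re.compile(r"user=\[(?P<user>[^\]]*)\]")      # pam_warn format
ACCESS_USER_RE = re.compile(r"for user `(?P<user>[^']*)'")  # pam_access format


def attribute_denials(log_text):
    """Return one record per 'Permission denied' line: the user (if a module
    named one), the module that logged a refusal, and every module line seen
    since the previous denial from the same program."""
    records = []
    pending = {}  # program -> module lines logged since its last denial
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        prog, msg = m.group("prog"), m.group("msg")
        mod = MODULE_RE.match(msg)
        if mod:
            pending.setdefault(prog, []).append(mod.groupdict())
            continue
        if msg.strip() != "Permission denied":
            continue
        events = pending.pop(prog, [])
        user, denied_by = None, None
        for ev in events:
            detail = ev["detail"]
            if ev["module"] == "pam_warn":
                # pam_warn only reports who was being checked, not a verdict
                u = WARN_USER_RE.search(detail)
                user = u.group("user") if u else user
            elif "denied" in detail or "rejected" in detail:
                denied_by = ev["module"]
                u = ACCESS_USER_RE.search(detail)
                if u:
                    user = u.group("user")
        records.append({
            "time": m.group("ts"),
            "program": prog,
            "user": user,
            "denied_by": denied_by,  # None means no module logged a refusal
            "modules_logged": [ev["module"] for ev in events],
        })
    return records


def unattributed(records):
    """Denials no module claimed: the gap the thread describes.  Worth
    alerting on as-is rather than guessing which module caused them."""
    return [r for r in records if r["denied_by"] is None]


if __name__ == "__main__":
    recs = attribute_denials(SAMPLE_LOG)
    for r in recs:
        print(r)
    print("unattributed:", [(r["time"], r["user"]) for r in unattributed(recs)])
```

On the posted excerpt the first denial is attributed to nobody (only pam_warn spoke, and it reports the user, not a verdict), while the second is owned by pam_access. Treating the unattributed case as its own alert condition is the practical defender's answer until the silent module can be made to log.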

unSpawn 06-29-2010 10:39 AM

Quote:

Originally Posted by vishesh (Post 4017393)
Just for testing, try it in run level 3, I mean for console login only.

What purpose would that serve, I wonder?..

unSpawn 06-29-2010 10:41 AM

Quote:

Originally Posted by ono1331 (Post 4018299)
What I wonder is, in the secure log I cannot find a keyword like 'pam_time' followed by 'Permission denied', but 'pam_access' does appear. Thus it's hard for me to tell that the user was blocked by the 'pam_time' module in a real situation.

No it won't be. Your log shows user "testtime" (any exposed account names with "test" or "blah" being bad names anyway) is denied access by the first module in the PAM stack (see /etc/security/access.conf) so no subsequent modules are checked. BTW, you also have two "account required pam_time.so" lines in your /etc/pam.d/login.

ono1331 06-30-2010 11:33 AM

Quote:

Originally Posted by unSpawn (Post 4018346)
No it won't be. Your log shows user "testtime" (any exposed account names with "test" or "blah" being bad names anyway) is denied access by the first module in the PAM stack (see /etc/security/access.conf) so no subsequent modules are checked. BTW, you also have two "account required pam_time.so" lines in your /etc/pam.d/login.

Sorry master, do you mean any account with the word 'test' will be blocked by the pam_access module?? But if I use another account, say 'john', I can only find 'permission denied' in the /var/log/secure file, nothing more. Why is that in my case?? Or can you give me a sample setting to solve this?? Thanks.

unSpawn 06-30-2010 12:51 PM

Quote:

Originally Posted by ono1331 (Post 4019555)
Sorry master

I'm not a "master" of anything so please don't call me that.


Quote:

Originally Posted by ono1331 (Post 4019555)
do you mean any account with the word 'test' will be blocked by the pam_access module??

No, I mean it should be common sense to not have any account name with the string "test" in it.


Quote:

Originally Posted by ono1331 (Post 4019555)
But if I use another account, say 'john', I can only find 'permission denied' in the /var/log/secure file, nothing more. Why is that in my case??

Questions:
- In /etc/security/access.conf you have a line "- :testaccess : ALL". What does that line achieve?
- What is the (expanded) PAM module order of your /etc/pam.d/login?
- So which module is used first? pam_access.so or pam_time.so?

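To make the expanded module order concrete (the question raised above), here is an added example, not code from the thread or from Linux-PAM, that expands the `include` lines of the posted /etc/pam.d/login account section into a flat stack and walks it with the required/requisite/sufficient/optional rules from pam.conf(5). The sample file contents are the ones posted earlier in the thread, trimmed to the account lines; the per-module pass/fail results (pam_time refusing `testtime`, pam_access refusing `testaccess`) are a constructed scenario.

```python
"""Expand 'include' directives of a pam.d service file and walk the resulting
account stack with the control-flag semantics documented in pam.conf(5).
Added example, not the thread's own code."""
import os

# Constructed sample: account lines of the /etc/pam.d/login posted above.
LOGIN = """\
account required pam_access.so
account required pam_time.so
account required pam_nologin.so
account include system-auth
account required pam_warn.so
account required pam_time.so
"""

# Constructed sample: account lines of the posted system-auth.
SYSTEM_AUTH = """\
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
"""

FILES = {"login": LOGIN, "system-auth": SYSTEM_AUTH}


def parse(text):
    """Yield (type, control, module, args) per non-comment line.  Module
    names are reduced to their basename without '.so' so that
    '/lib/security/pam_limits.so' and 'pam_limits.so' compare equal."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mtype, rest = line.split(None, 1)
        if rest.startswith("["):                 # [success=1 default=ignore] form
            control, rest = rest.split("]", 1)
            control += "]"
        else:
            control, rest = rest.split(None, 1)
        parts = rest.split()
        module = os.path.basename(parts[0])
        if module.endswith(".so"):
            module = module[:-3]
        yield mtype, control, module, parts[1:]


def expand(service, mtype, files=FILES, _depth=0):
    """Flat stack of (control, module, args) for one management type, with
    each 'include' replaced by the included file's lines of that type."""
    if _depth > 8:
        raise RecursionError("include loop in %s" % service)
    stack = []
    for t, control, module, args in parse(files[service]):
        if t != mtype:
            continue
        if control == "include":
            stack.extend(expand(module, mtype, files, _depth + 1))
        else:
            stack.append((control, module, args))
    return stack


def run_stack(stack, results):
    """Walk the stack as pam.conf(5) describes.  `results` maps a module name
    to True (success) or False (failure); unlisted modules succeed.
    Returns (final_ok, modules_actually_invoked)."""
    invoked, required_failed = [], False
    for control, module, _args in stack:
        invoked.append(module)
        ok = results.get(module, True)
        if control == "required":
            if not ok:
                required_failed = True    # remembered; the stack still runs on
        elif control == "requisite":
            if not ok:
                return False, invoked     # fails the stack immediately
        elif control == "sufficient":
            if ok and not required_failed:
                return True, invoked      # early success; failure is ignored
        elif control == "optional":
            pass                          # only decisive when it is the sole module
        else:
            raise ValueError("bracketed controls are out of scope: %r" % control)
    return not required_failed, invoked


def scenarios():
    """Expanded order plus three constructed login cases."""
    stack = expand("login", "account")
    return {
        "order": [m for _, m, _ in stack],
        "testtime": run_stack(stack, {"pam_time": False}),
        "testaccess": run_stack(stack, {"pam_access": False}),
        "john": run_stack(stack, {}),
    }


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(name, value)
```

Two things fall out of the walk. A `required` failure is remembered but every later module still runs, which is why the posted log shows a pam_warn line after pam_access has already refused `testaccess`, and why a pam_time refusal of `testtime` leaves pam_warn as the only module that speaks. A `sufficient` success ends the stack early only when no `required` module has failed before it, so an ordinary local user stops at pam_localuser and pam_warn never fires for them.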
