LinuxQuestions.org
11-14-2012, 10:25 AM   #1
aj33
pam_tally2 and auditd - failed logins do not make it to audit.log


Hi All,

I am using pam_tally2. After failed login attempts, the following command
pam_tally2 -u test
shows this output:

Login    Failures  Latest failure      From
test     5         11/13/12 20:45:37   192.168.1.10


In my audit.rules file, I have

-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins


I was expecting to see information on failed logins with the command

$ aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
<no events of interest were found>



As the output shows, there is no information about failed login attempts in audit.log.

The command
$ aureport --failed

shows
Failed Summary Report
======================
Range of time in logs: 11/12/12 20:30:39.247 - 11/14/12 16:22:29.744
Selected time for report: 11/12/12 20:30:39 - 11/14/12 16:22:29.744
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 0
Number of authentications: 0
Number of failed authentications: 0
Number of users: 1
Number of terminals: 4
...


The fact that I am seeing correct information from the pam_tally2 command seems to indicate that PAM is set up correctly. Am I missing something in the audit.rules file?

Thanks in advance!!

AJ
 
11-14-2012, 12:24 PM   #2
unSpawn
Quote:
Originally Posted by aj33
Am I missing something in the audit.rules file?
No, but there is a difference between adding a watch to a file for write ops and failed logins as the audit service sees them. The latter are tagged with specific message types (see 'ausearch -m'), like for example USER_AUTH. If you didn't explicitly add msgtype exclude rules in /etc/audit/audit.rules or via auditctl, then egrep /var/log/audit/audit.log for any "USER*|*LOGIN*" message types, or tail /var/log/messages, /var/log/secure and /var/log/audit/audit.log, force a bad login and see what it returns.
 
11-14-2012, 01:31 PM   #3
aj33
Thanks for your reply.

If I ssh into the machine and enter a wrong password, I see these messages in /var/log/messages:

Nov 14 19:12:19 ncv2_G1158 sshd[3426]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=a.b.com user=test
Nov 14 19:12:22 ncv2_G1158 sshd[3421]: error: PAM: Authentication failure for test from a.b.com


I don't have /var/log/secure at all.

egrep, as you suggested, shows nothing in the /var/log/audit/audit.log file.

I didn't exclude any msgtype.

If I run
su - test
from another login and type an incorrect password, then even /var/log/messages has nothing.

I still see correct information for the ssh failures when I run the pam_tally2 command.

Thanks again for your help.
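The check unSpawn describes in #2 (and that aj33 reports coming back empty in #3), written out as an added example that is not part of the thread: a POSIX sh/awk report over audit.log records, listing which record types auditd has written at all and which USER_AUTH/USER_LOGIN records ended in res=failed. The sample audit.log lines are constructed (modelled on the thread's account test, host a.b.com and sshd), not a real capture; only the record types and field names follow the real audit.log layout.

```shell
#!/bin/sh
# Added example, not from the thread: look for the PAM/login record types
# (USER_AUTH, USER_LOGIN, ...) that a failed login should produce in audit.log.
# A '-w /var/log/tallylog -p wa' watch rule does not generate these records.

# Distinct record types auditd has written. If no USER_* or LOGIN types
# appear, PAM/sshd messages are not reaching the audit subsystem at all.
message_types() { sed -n 's/^type=\([A-Z_]*\) .*/\1/p' "$1" | sort -u; }

# One line per failed USER_AUTH/USER_LOGIN record: epoch type acct hostname exe
failed_auth_report() {
    awk '
        /^type=(USER_AUTH|USER_LOGIN) / && /res=failed/ {
            epoch = $2; sub(/^msg=audit\(/, "", epoch); sub(/\..*$/, "", epoch)
            type = $1;  sub(/^type=/, "", type)
            acct = host = exe = "?"
            if (match($0, /acct="[^"]*"/))   acct = substr($0, RSTART + 6, RLENGTH - 7)
            if (match($0, /hostname=[^ ]*/)) host = substr($0, RSTART + 9, RLENGTH - 9)
            if (match($0, /exe="[^"]*"/))    exe  = substr($0, RSTART + 5, RLENGTH - 6)
            print epoch, type, acct, host, exe
        }' "$1"
}

# Failed records for one account; this should agree with the Failures column
# of pam_tally2 once PAM's audit messages actually reach auditd.
count_failed_for() { failed_auth_report "$1" | awk -v a="$2" '$3 == a' | wc -l | tr -d ' '; }

# Constructed sample audit.log (not a real capture), modelled on the thread.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
type=USER_AUTH msg=audit(1352923939.247:1201): pid=3426 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="test" exe="/usr/sbin/sshd" hostname=a.b.com addr=192.168.1.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1352923942.100:1202): pid=3421 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=a.b.com addr=192.168.1.10 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1352924001.500:1203): pid=3500 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=a.b.com addr=192.168.1.10 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1352924001.600:1204): pid=3500 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" hostname=a.b.com addr=192.168.1.10 terminal=ssh res=success'
EOF

echo "Record types seen:";  message_types "$SAMPLE_LOG"
echo "Failed logins:";      failed_auth_report "$SAMPLE_LOG"
echo "Failures for test:";  count_failed_for "$SAMPLE_LOG" test
```

Point the functions at the real /var/log/audit/audit.log instead of the sample file to run the same check on a live box.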
 
11-14-2012, 01:54 PM   #4
unSpawn
OK. Better list this machine's distribution and its (r)syslog(-ng) and audit software versions first.
 
11-14-2012, 02:16 PM   #5
aj33
It is a somewhat custom incarnation of the Ubuntu distribution. We had to get some newer kernel stuff into our stable kernel version in order to enable the AUDIT flag for the ARM processor.

$ uname -a
Linux ncv2_G1158 3.6.3-nc2-r6+ #42 PREEMPT Mon Nov 5 11:12:14 PST 2012 armv5tel GNU/Linux

audit - 2.2.1-r4 - audit version 2.2.1-r4

syslog-ng - 2.1.1-r0 - syslog-ng version 2.1.1-r0

Much appreciate your help!!
 
11-15-2012, 08:10 AM   #6
unSpawn
Quote:
Originally Posted by aj33
We had to get some newer kernel stuff into our stable kernel version in order to enable the AUDIT flag for the ARM processor.
Your kernel and SW versions are newer than what I use, so that shouldn't be the problem. But audisp and audit rely on messages the kernel shoves their way. They can't respond to what isn't sent. The validity of your kernel patches would be the first thing to check IMHO.
 
11-15-2012, 01:18 PM   #7
aj33
Okay, thanks.

Although the only thing that was picked up from the kernel was to enable the ARM flag.

I will check that. In the meantime, if there is anything else somebody can think of for me to check, please let me know.

Many thanks.

AJ
 
11-15-2012, 01:42 PM   #8
unSpawn
"Getting newer kernel stuff into our stable kernel" implies you've used an Ubuntu kernel and patched it. Posting the Ubuntu kernel source version (or is it just plain "3.6.3"?) and any kernel-related comments and attaching any patches and your kernel config may benefit others looking into this.
 
  

