use of syslog by pam_unix

Bill Nash billn at billn.net
Fri Mar 25 21:48:51 UTC 2005


On Fri, 25 Mar 2005, Jason Pepas wrote:

> 2) LOG_ALERT.  According to syslog(2):
>
>    #define KERN_ALERT    "<1>"  /* action must be taken immediately */
>
> I would posit that a client attempting to authenticate with a non-existing
> username does not meet this criteria.  In my opinion an argument can be made
> that this is not even an error condition, and thus should be at level
> LOG_WARNING or below.
>

I think this should be configurable, based on end user preference to 
prioritize and respond to such events. In a high security environment, 
this could indicate a user, malicious or otherwise, going where they 
shouldn't be. How you report this to your log management / analysis tools 
is completely dependent on your security stance and reaction requirements.

- billn




More information about the Pam-list mailing list