[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: use of syslog by pam_unix



On Fri, 25 Mar 2005, Jason Pepas wrote:

2) LOG_ALERT. According to syslog(2):

#define KERN_ALERT "<1>" /* action must be taken immediately */

I would posit that a client attempting to authenticate with a non-existing
username does not meet this criteria.  In my opinion an argument can be made
that this is not even an error condition, and thus should be at level
LOG_WARNING or below.


I think this should be configurable, based on end user preference to prioritize and respond to such events. In a high security environment, this could indicate a user, malicious or otherwise, going where they shouldn't be. How you report this to your log management / analysis tools is completely dependent on your security stance and reaction requirements.


- billn


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]