
Re: syslog options, OPIE (S/Key) -- When?



On Mon, 12 May 1997, Jim Dennis wrote:
[...]
>I'd like to find (or build) a modified copy of PAM passwd that would
>log the following sort of information about attempts to change passwords:
>
>May  9 01:13:41 myhost passwd: failed for root from  192.168.22.57
>May  9 01:17:41 myhost passwd: forced for jon from  /dev/tty4 (jimd)
>May  9 08:13:41 myhost passwd: changed for gary from  /dev/ttyS1 
>
>... the idea here is to know whenever a passwd change is attempted --
>and when it was successful, forced by root, or failed.  I also want to
>know where it came from (device or IP address) and the ownership of the
>controlling tty (in the case of forced changes).

I'd rather have:

May  9 01:13:41 myhost passwd[1435]: failed for root by jimd on /dev/pty3
May  9 01:17:41 myhost passwd[612]: forced for jon by jimd on /dev/tty4
May  9 08:13:41 myhost passwd[30042]: changed for gary by jimd on /dev/ttyS1 

Knowing the (PID and username and time) or the (PID and terminal and
time) or the (username and terminal and time) is enough to get you the
IP address (via wtmp).  Putting an IP address in there implies that
changing a password is a network operation; it isn't.

>This last requirement gives a hint as to which member of "wheel" issued
>a change.  That would be a useful -- though not "strong" -- audit issue.

I like the idea of knowing who changed someone else's password.

>(While we're on the topic of syslogging it would also be nice to syslog
>all 'chmod +s' attempts and successes).

That would require a change to "chmod", which is outside the purview of
PAM.

[...]
>What I'd like to do with this log is to use my existing log monitor
>(just a shell script at this point -- that does a "tail -f" piped into
>an awk script)...

If you haven't already done so, you might consider using "swatch"
(shipped with Red Hat Linux 4.1) to monitor your logs.

>...to mail confirmation/warning messages off to a user any time a change
>is attempted.

And notify a successful hacker that you noticed their attempts?  It would
probably be a better idea to fire off a message to your support folks
and have them call the user directly.

-- 
    Steve Coile           P a t r i o t  N e t      Systems Engineering
 scoile@patriot.net      Patriot Computer Group        (703) 277-7737
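An added example, not part of this thread or of any PAM passwd module: a small monitor in the spirit of the "tail -f piped into awk" script discussed above. It parses the log layout proposed in the reply ("passwd[PID]: outcome for target by actor on tty"), routes each event to support staff rather than the affected user, and uses the three lines from the reply plus one constructed unrelated syslog line as sample input.

```python
import re
from collections import Counter

# Log line layout proposed in the reply:
#   "<timestamp> <host> passwd[<pid>]: <outcome> for <target> by <actor> on <tty>"
PASSWD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"passwd\[(?P<pid>\d+)\]:\s+(?P<outcome>failed|forced|changed)\s+for\s+"
    r"(?P<target>\S+)\s+by\s+(?P<actor>\S+)\s+on\s+(?P<tty>\S+)\s*$"
)

def parse_passwd_event(line):
    """Return a dict for a passwd event line, or None for any other syslog line."""
    m = PASSWD_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    return ev

def classify(ev):
    """Decide how support staff should treat an event (the end user is never notified)."""
    if ev["outcome"] == "failed":
        return "alert"        # wrong old password or rejected new one; possible guessing
    if ev["outcome"] == "forced":
        return "review"       # a wheel member reset someone else's password
    if ev["actor"] != ev["target"]:
        return "review"       # a non-forced change of another account is unexpected
    return "info"             # user changed their own password

def summarize(lines):
    """Parse a batch of syslog lines; return events per level and failures per (actor, tty)."""
    report = {"alert": [], "review": [], "info": []}
    failures = Counter()
    for line in lines:
        ev = parse_passwd_event(line)
        if ev is None:
            continue
        level = classify(ev)
        report[level].append(ev)
        if level == "alert":
            failures[(ev["actor"], ev["tty"])] += 1
    return report, failures

# Constructed sample: the three lines proposed in the reply plus an unrelated sshd line
SAMPLE = [
    "May  9 01:13:41 myhost passwd[1435]: failed for root by jimd on /dev/pty3",
    "May  9 01:13:55 myhost sshd[1440]: connection from 192.168.22.57",
    "May  9 01:17:41 myhost passwd[612]: forced for jon by jimd on /dev/tty4",
    "May  9 08:13:41 myhost passwd[30042]: changed for gary by jimd on /dev/ttyS1 ",
]
```

Feeding `summarize` the lines from a `tail -f` of the syslog file gives the support desk the per-actor failure counts and the list of forced changes to follow up by phone, as the reply recommends.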