use of syslog by pam_unix
Bill Nash
billn at billn.net
Fri Mar 25 21:48:51 UTC 2005
On Fri, 25 Mar 2005, Jason Pepas wrote:
> 2) LOG_ALERT. According to syslog(2):
>
> #define KERN_ALERT "<1>" /* action must be taken immediately */
>
> I would posit that a client attempting to authenticate with a non-existing
> username does not meet this criteria. In my opinion an argument can be made
> that this is not even an error condition, and thus should be at level
> LOG_WARNING or below.
>
I think this should be configurable, based on end user preference to
prioritize and respond to such events. In a high security environment,
this could indicate a user, malicious or otherwise, going where they
shouldn't be. How you report this to your log management / analysis tools
is completely dependent on your security stance and reaction requirements.
- billn
More information about the Pam-list
mailing list