Operating System - HP-UX

Re: Auditing Password Changes

 
Siju Jose_1
Frequent Advisor

Auditing Password Changes

Hi

As part of an audit we are asked to log password changes (both successful and unsuccessful). This includes root as well as other users. We have both trusted and non-trusted systems. With 'debug' enabled in pam.conf we were able to get the data to a log file, but a lot of unwanted information is collected along with this. Is there a way we can collect only the password changes to a log file?

Regards
Siju
5 REPLIES
Peter Godron
Honored Contributor

Re: Auditing Password Changes

Siju,
you have been asked to log the password changes, which is what you have achieved.

All the info you required is in the log file, and the auditor can assure him/herself that the information can be found.
If the auditor still wants to see a 'nice' report, ask your company for the money to develop this system and see how quickly the requirement disappears. ;-)

But seriously, you may have to filter the logfile (grep/awk/sed). Can you give an example or test log file and what your required output needs to be?
Siju Jose_1
Frequent Advisor

Re: Auditing Password Changes

Hi Peter

Thanks for the help.

The problem is that once I put *.debug in the syslog.conf, it will start logging the info for SSH also and this is going to fill the log file pretty fast. If I can redirect only the password related info to a file it will make it a lot easier. Any way to do that?

Regards
Siju
Peter Godron
Honored Contributor
Siju Jose_1
Frequent Advisor

Re: Auditing Password Changes


Hi

This is not working as I wanted. I have the following entries in my /etc/syslog.conf

mail.debug /var/adm/syslog/mail.log
*.info;mail.none /var/adm/syslog/syslog.log
*.alert /dev/console
*.alert root
*.emerg *
auth.info;mail.none /var/adm/syslog/sshd.log
*.debug /var/adm/syslog/info.log
local1.none /var/adm/syslog/syslog.log

I have changed the logging levels in the sshd_config file to the following

SyslogFacility AUTH
LogLevel INFO


Now since the setting is *.debug, any debug message including the sshd login related messages is being logged as follows in /var/adm/syslog/info.log.

Dec 6 05:34:25 xxxxxxxx PAM: pam_start(sshd root)
Dec 6 05:34:25 xxxxxxxx PAM: pam_set_item(1)
Dec 6 05:34:25 xxxxxxxx PAM: pam_set_item(2)
Dec 6 05:34:25 xxxxxxxx PAM: pam_set_item(5)
Dec 6 05:34:25 xxxxxxxx PAM: pam_set_item(4)
Dec 6 05:34:25 xxxxxxxx PAM: pam_authenticate()
Dec 6 05:34:25 xxxxxxxx PAM: load_modules: /usr/lib/security/libpam_unix.1
Dec 6 05:34:25 xxxxxxxx PAM: load_function: successful load of pam_sm_authenticate
Dec 6 05:34:25 xxxxxxxx PAM: pam_set_item(5)
Dec 6 05:34:25 xxxxxxxx PAM: pam_get_username(ux)
Dec 6 05:34:25 xxxxxxxx PAM: pam_mapping_in_use()
Dec 6 05:34:30 xxxxxxxx PAM: pam_set_item(6)
Dec 6 05:34:30 xxxxxxxx PAM: pam_acct_mgmt()
Dec 6 05:34:30 xxxxxxxx PAM: load_modules: /usr/lib/security/libpam_unix.1
Dec 6 05:34:30 xxxxxxxx PAM: load_function: successful load of pam_sm_acct_mgmt
Dec 6 05:34:30 xxxxxxxx PAM: pam_set_item(6)
Dec 6 05:34:30 xxxxxxxx PAM: pam_get_username(ux)
Dec 6 05:34:30 xxxxxxxx PAM: pam_mapping_in_use()
Dec 6 05:34:30 xxxxxxxx sshd[18113]: Accepted keyboard-interactive/pam for root from 172.25.219.135 port 2077 ssh2
Dec 6 05:34:30 xxxxxxxx sshd[18113]: pam_set_item(3)
Dec 6 05:34:30 xxxxxxxx sshd[18113]: pam_set_item(5)
Dec 6 05:34:30 xxxxxxxx sshd[18113]: pam_setcred()
Dec 6 05:34:30 xxxxxxxx sshd[18113]: load_modules: /usr/lib/security/libpam_unix.1
Dec 6 05:34:30 xxxxxxxx sshd[18113]: load_function: successful load of pam_sm_setcred
Dec 6 05:34:30 xxxxxxxx sshd[18119]: pam_set_item(5)
Dec 6 05:34:30 xxxxxxxx sshd[18119]: pam_open_session()
Dec 6 05:34:30 xxxxxxxx sshd[18119]: load_modules: /usr/lib/security/libpam_unix.1
Dec 6 05:34:30 xxxxxxxx sshd[18119]: load_function: successful load of pam_sm_open_session
Dec 6 05:34:30 xxxxxxxx sshd[18119]: pam_get_username(ux)
Dec 6 05:34:30 xxxxxxxx sshd[18119]: pam_mapping_in_use()

That means it logs everything including the login messages. Is there any way to restrict the messages to PAM or only the password changes?

Any help would be much appreciated.

Regards
Siju
rlastinger
New Member

Re: Auditing Password Changes

Have you tried configuring syslog.conf to support authpriv?

I think that's what I use to get that info.
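
The grep/awk filtering suggested earlier in the thread, as an added example that is not part of any post here: an awk filter that reduces a PAM debug trace in the format posted above to password-change attempts only. Assumptions: a passwd trace opens with "pam_start(passwd <user>)" and calls pam_chauthtok(), by analogy with the "pam_start(sshd root)" lines in the posted log; the sample lines, host name and user name are constructed; the thread does not show how the trace records the result, so only attempts are reported.

```shell
#!/bin/sh
# Added example: reduce a PAM debug trace to password-change attempts.
# Assumed (not shown in the thread): passwd traces start with
# "pam_start(passwd <user>)" and contain a pam_chauthtok() call.

# Constructed sample in the layout of the posted info.log.
sample_log() {
    cat <<EOF
Dec 6 05:34:25 hostA PAM: pam_start(sshd root)
Dec 6 05:34:25 hostA PAM: pam_authenticate()
Dec 6 05:34:30 hostA sshd[18113]: pam_setcred()
Dec 6 06:10:02 hostA PAM: pam_start(passwd siju)
Dec 6 06:10:02 hostA PAM: pam_chauthtok()
Dec 6 06:12:40 hostA PAM: pam_start(sshd siju)
Dec 6 06:12:40 hostA PAM: pam_authenticate()
EOF
}

# Reads syslog lines on stdin, prints one line per password-change call.
filter_passwd_events() {
    awk '
    # pam_start opens a new trace: remember its service and user.
    /pam_start\(/ {
        s = $0
        sub(/.*pam_start\(/, "", s)
        sub(/\).*/, "", s)
        split(s, f, " ")
        svc = f[1]; user = f[2]
        next
    }
    # Keep pam_chauthtok calls only while inside a passwd trace,
    # so sshd login noise never reaches the audit file.
    svc == "passwd" && /pam_chauthtok\(/ {
        printf "%s %s %s host=%s user=%s pam_chauthtok\n", $1, $2, $3, $4, user
    }
    '
}

sample_log | filter_passwd_events
```

Lines tagged "PAM:" carry no process ID, so two overlapping traces can be attributed to the wrong user; treat the output as an index into the full log rather than a replacement for it.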