failed "su -" are not logged to /var/log/authlog

Support for security such as Firewalls and securing linux
MarioT
Posts: 62
Joined: 2006/03/10 14:20:49

failed "su -" are not logged to /var/log/authlog

Post by MarioT » 2021/01/28 11:58:44

Hello,

If I "su -" and miss the password it's logged to /var/log/authlog.
I noticed at one server this is not happening.
Can someone point me to the mechanism responsible for logging su - and tell me what I can check.

Thanks
Mario

sml
Posts: 305
Joined: 2020/01/17 09:01:44

Re: failed "su -" are not logged to /var/log/authlog

Post by sml » 2021/01/28 12:37:06

Do you see this behavior with su - only? Or also with other authentication mechanisms (login, polkit, sudo, etc.)?

By default, /etc/pam.d/su includes system-auth just like many other services do:

Code:

$ grep -r '^auth.*system-auth$' /etc/pam.d
/etc/pam.d/config-util:auth		include		system-auth
/etc/pam.d/chfn:auth       include      system-auth
/etc/pam.d/chsh:auth       include      system-auth
/etc/pam.d/login:auth       substack     system-auth
/etc/pam.d/su:auth		substack	system-auth
/etc/pam.d/polkit-1:auth       include      system-auth
/etc/pam.d/crond:auth       include    system-auth
/etc/pam.d/vlock:auth       include      system-auth
/etc/pam.d/sudo:auth       include      system-auth
/etc/pam.d/passwd:auth       include	system-auth

MarioT
Posts: 62
Joined: 2006/03/10 14:20:49

Re: failed "su -" are not logged to /var/log/authlog

Post by MarioT » 2021/01/28 13:47:30

Thanks for the reply.
I tried to log in with ssh and a wrong password (not as root but as another user); nothing is written to authlog.
pam.d says this:

Code:

$ grep -r '^auth.*system-auth$' /etc/pam.d
/etc/pam.d/vlock:auth       include      system-auth
/etc/pam.d/polkit-1:auth       include      system-auth
/etc/pam.d/screen:auth  include         system-auth
/etc/pam.d/sudo:auth       include      system-auth
/etc/pam.d/chsh:auth       include      system-auth
/etc/pam.d/login:auth       substack     system-auth
/etc/pam.d/su:auth              substack        system-auth
/etc/pam.d/pluto:auth include system-auth
/etc/pam.d/config-util:auth             include         system-auth
/etc/pam.d/passwd:auth       include    system-auth
/etc/pam.d/chfn:auth       include      system-auth
/etc/pam.d/crond:auth       include    system-auth

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: failed "su -" are not logged to /var/log/authlog

Post by TrevorH » 2021/01/28 14:50:15

As far as I know, /var/log/auth.log is a debianism. CentOS uses /var/log/secure.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

sml
Posts: 305
Joined: 2020/01/17 09:01:44

Re: failed "su -" are not logged to /var/log/authlog

Post by sml » 2021/01/28 15:02:50

This line in /etc/pam.d/system-auth-ac handles logging of failed user login attempts:

Code:

auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success

MarioT
Posts: 62
Joined: 2006/03/10 14:20:49

Re: failed "su -" are not logged to /var/log/authlog

Post by MarioT » 2021/01/29 08:21:47

sml wrote:
2021/01/28 15:02:50
This line in /etc/pam.d/system-auth-ac handles logging of failed user login attempts:

Code:

auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success

The line exists:

Code:

auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
and the file has the same permissions as the file on the good server:

Code:

$ ls -l /etc/pam.d/system-auth-ac
-rw-r--r--. 1 root root 1132 Nov 19 16:35 /etc/pam.d/system-auth-ac

MarioT
Posts: 62
Joined: 2006/03/10 14:20:49

Re: failed "su -" are not logged to /var/log/authlog

Post by MarioT » 2021/01/29 08:27:00

TrevorH wrote:
2021/01/28 14:50:15
As far as I know, /var/log/auth.log is a debianism. CentOS uses /var/log/secure.
CentOS use /var/log/authlog (not auth.log) and also /var/log/secure.
Now, I notice nothing is written to /var/log/secure too.
In the good case:

Code:

Jan 29 2021 09:16:40 hostname103 su: pam_unix(su-l:auth): authentication failure; logname=mario uid=2000 euid=0 tty=pts/1 ruser=mario rhost=  user=roo

In the bad case, nothing is written to secure after missing the root password.
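A small parser for the pam_unix failure line format quoted above, as an added example that is not from the thread or from CentOS itself; the sample lines are constructed (host, users and address are made up), and the first one keeps the year field in the same place as the line in the post:

```python
import re
from collections import Counter

# Constructed sample lines (hostname, users, address made up) in the pam_unix format
# quoted above; the first keeps the year field shown in the post, the rest are plain syslog.
SAMPLE_LOG = """\
Jan 29 2021 09:16:40 hostname103 su: pam_unix(su-l:auth): authentication failure; logname=mario uid=2000 euid=0 tty=pts/1 ruser=mario rhost=  user=root
Jan 29 09:16:52 hostname103 su: pam_unix(su-l:auth): authentication failure; logname=mario uid=2000 euid=0 tty=pts/1 ruser=mario rhost=  user=root
Jan 29 09:17:03 hostname103 su: pam_unix(su-l:session): session opened for user root by mario(uid=2000)
Jan 29 09:18:10 hostname103 sshd[2187]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=bob
"""

PAM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+(?: \d{4})? \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: "
    r"pam_(?P<module>\w+)\((?P<service>[^:]+):(?P<type>\w+)\): (?P<msg>.*)$"
)

def parse_pam_line(line):
    """Return a dict for a pam_* syslog line, or None for anything else."""
    m = PAM_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # key=value pairs; an empty value such as "rhost=" yields "" instead of eating the next key
    rec["fields"] = dict(re.findall(r"(\w+)=(\S*)", rec["msg"]))
    return rec

def failed_auths(text):
    """All auth-type records whose message is a pam_unix authentication failure."""
    recs = (parse_pam_line(l) for l in text.splitlines())
    return [r for r in recs if r and r["type"] == "auth"
            and r["msg"].startswith("authentication failure")]

def failures_by_target(text):
    """Count failures per (service, caller, target user); the caller is ruser, or
    rhost for network logins where ruser is empty."""
    counts = Counter()
    for r in failed_auths(text):
        f = r["fields"]
        caller = f.get("ruser") or f.get("rhost") or "?"
        counts[(r["service"], caller, f.get("user", "?"))] += 1
    return counts
```

Running it over /var/log/secure from both servers is a quick way to confirm whether the good server really records the su-l failures and the other one records none.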

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: failed "su -" are not logged to /var/log/authlog

Post by TrevorH » 2021/01/29 09:41:25

CentOS use /var/log/authlog (not auth.log) and also /var/log/secure.
No, really, it does not. Not out of the box anyway. It could be configured that way afterwards by an admin but a default CentOS system does not have a log file under /var/log/ whose name starts with auth...

MarioT
Posts: 62
Joined: 2006/03/10 14:20:49

Re: failed "su -" are not logged to /var/log/authlog

Post by MarioT » 2021/01/29 12:32:23

TrevorH wrote:
2021/01/29 09:41:25
No, really, it does not. Not out of the box anyway. It could be configured that way afterwards by an admin but a default CentOS system does not have a log file under /var/log/ whose name starts with auth...
OK, you are right, I checked one pristine CentOS. Obviously the server(s) I'm handling are customized.
But authlog itself is not the problem. As stated in an earlier post, it does not write to /var/log/secure either.

The other server is writing things in authlog and secure.
Something is broken but I cannot find what.

Br
Mario

sml
Posts: 305
Joined: 2020/01/17 09:01:44

Re: failed "su -" are not logged to /var/log/authlog

Post by sml » 2021/01/29 16:25:56

Check the contents of /etc/pam.d/su-l. By default, it should just include su. In this case, only records of type auth are relevant. Follow and resolve all the include/substack chains. Find out what it is about the server in question that is configured differently from the other server.

Code:

grep ^auth /etc/pam.d/{su-l,su,system-auth,postlogin}
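One way to do that chain resolution programmatically, as an added example rather than anything from the thread: the PAM trees below are constructed (GOOD follows the CentOS 7 defaults; BAD is a made-up su-l that was edited locally to skip su), and the resolver flattens include/substack lines of one record type so the two servers' chains can be diffed rule by rule:

```python
import re

# Constructed sample /etc/pam.d trees (assumption: not the poster's real files).
# GOOD mirrors the CentOS 7 defaults; BAD is a locally edited su-l that bypasses "su".
SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
"""
GOOD = {
    "su-l": "#%PAM-1.0\nauth  include  su\naccount  include  su\n",
    "su": "auth  sufficient  pam_rootok.so\nauth  substack  system-auth\nauth  include  postlogin\n",
    "system-auth": SYSTEM_AUTH,
    "postlogin": "auth  optional  pam_lastlog.so silent noupdate showfailed\n",
}
BAD = {**GOOD, "su-l": "auth  substack  system-auth\n"}

# type  control  module [args]; control may be the bracketed [success=1 default=ignore] form
RULE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_rules(text):
    """Yield (type, control, module, args) for every non-comment rule line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            m = RULE_RE.match(line)
            if not m:
                raise ValueError(f"unparseable PAM rule: {raw!r}")
            yield m.groups()

def resolve(pamd, service, rtype, seen=()):
    """Flatten include/substack chains of one record type (e.g. 'auth') for a service."""
    if service in seen:
        raise ValueError("include loop: " + " -> ".join(seen + (service,)))
    chain = []
    for typ, control, module, args in parse_rules(pamd[service]):
        if typ != rtype:
            continue
        if control in ("include", "substack"):
            chain.extend(resolve(pamd, module, rtype, seen + (service,)))
        else:
            chain.append((service, control, module, args))
    return chain

def chain_diff(a, b, service="su-l", rtype="auth"):
    """Rules in one server's resolved chain but not in the other's."""
    ca, cb = resolve(a, service, rtype), resolve(b, service, rtype)
    return [r for r in ca if r not in cb], [r for r in cb if r not in ca]
```

To run it against real hosts, build the dict from the files under /etc/pam.d on each server and compare the two resolved auth chains for su-l.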
