failed "su -" are not logged to /var/log/authlog
failed "su -" are not logged to /var/log/authlog
Hello,
If I "su -" and miss the password it's logged to /var/log/authlog.
I noticed at one server this is not happening.
Can someone point me what mechanism is responsible for logging of su - and what I can check.
Thanks
Mario
If I "su -" and miss the password it's logged to /var/log/authlog.
I noticed at one server this is not happening.
Can someone point me what mechanism is responsible for logging of su - and what I can check.
Thanks
Mario
Re: failed "su -" are not logged to /var/log/authlog
Do you see this behavior with su - only? Or also with other authentication mechanisms (login, polkit, sudo, etc.)?
By default, /etc/pam.d/su includes system-auth just like many other services do:
By default, /etc/pam.d/su includes system-auth just like many other services do:
Code: Select all
$ grep -r '^auth.*system-auth$' /etc/pam.d
/etc/pam.d/config-util:auth include system-auth
/etc/pam.d/chfn:auth include system-auth
/etc/pam.d/chsh:auth include system-auth
/etc/pam.d/login:auth substack system-auth
/etc/pam.d/su:auth substack system-auth
/etc/pam.d/polkit-1:auth include system-auth
/etc/pam.d/crond:auth include system-auth
/etc/pam.d/vlock:auth include system-auth
/etc/pam.d/sudo:auth include system-auth
/etc/pam.d/passwd:auth include system-auth
Re: failed "su -" are not logged to /var/log/authlog
Thanks for replay.
I tried to login with ssh and wrong password (not as root but other user), nothing is written in authlog.
pam.d says this;
I tried to login with ssh and wrong password (not as root but other user), nothing is written in authlog.
pam.d says this;
Code: Select all
grep -r '^auth.*system-auth$' /etc/pam.d
/etc/pam.d/vlock:auth include system-auth
/etc/pam.d/polkit-1:auth include system-auth
/etc/pam.d/screen:auth include system-auth
/etc/pam.d/sudo:auth include system-auth
/etc/pam.d/chsh:auth include system-auth
/etc/pam.d/login:auth substack system-auth
/etc/pam.d/su:auth substack system-auth
/etc/pam.d/pluto:auth include system-auth
/etc/pam.d/config-util:auth include system-auth
/etc/pam.d/passwd:auth include system-auth
/etc/pam.d/chfn:auth include system-auth
/etc/pam.d/crond:auth include system-auth
Re: failed "su -" are not logged to /var/log/authlog
As far as I know, /var/log/auth.oog is a debianism. CentOS uses /var/log/secure.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: failed "su -" are not logged to /var/log/authlog
This line in /etc/pam.d/system-auth-ac handles logging of failed user login attempts:
Code: Select all
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
Re: failed "su -" are not logged to /var/log/authlog
sml wrote: ↑2021/01/28 15:02:50This line in /etc/pam.d/system-auth-ac handles logging of failed user login attempts:Code: Select all
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
Line exist
Code: Select all
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
Code: Select all
ls -l /etc/pam.d/system-auth-ac
-rw-r--r--. 1 root root 1132 Nov 19 16:35 /etc/pam.d/system-auth-ac
Re: failed "su -" are not logged to /var/log/authlog
CentOS use /var/log/authlog (not auth.log) and also /var/log/secure.
Now, I notice nothing is written to /var/log/secure too.
In good case
Code: Select all
Jan 29 2021 09:16:40 hostname103 su: pam_unix(su-l:auth): authentication failure; logname=mario uid=2000 euid=0 tty=pts/1 ruser=mario rhost= user=roo
bad case, nothing is written to secure after missing root password.
Re: failed "su -" are not logged to /var/log/authlog
No, really, it does not. Not out of the box anyway. It could be configured that way afterwards by an admin but a default CentOS system does not have a log file under /var/log/ whose name starts with auth...CentOS use /var/log/authlog (not auth.log) and also /var/log/secure.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: failed "su -" are not logged to /var/log/authlog
OK, you are right, I checked one pristine CentOS . Obviously server(s) I'm handling are customized.
But authlog it self is not a problem. As stated in one post, it does not write to /var/log/secure as well.
The other server is writing things in authlog and secure.
Something is broken but can ot find what.
Br
Mario
Re: failed "su -" are not logged to /var/log/authlog
Check the contents of /etc/pam.d/su-l. By default, it should just include su. In this case, only records of type auth are relevant. Follow and resolve all the include/substack chains. Find out what is it about the server in question that is configured differently from the other server.
Code: Select all
grep ^auth /etc/pam.d/{su-l,su,system-auth,postlogin}