July 24, 2006

Linux / Unix Audit Logs

Category: UNIX Security — Raffael Marty @ 12:01 am

I am disappointed. Have you ever tried to audit your Linux system? Well, have you tried to get syslog events for password changes? Why would Linux not log an event like that? You have to go and mess with the PAM configuration of your system. And I don’t think it’s straightforward to actually get the user management sub-system to log audit events. I want to know when someone changes his password or a user account is disabled! I guess part of the problem is that you can always go to the configuration files (/etc/passwd) and just change the entries yourself, but you know, we are in 2006, you would think someone has figured out how to audit these things. Have I already mentioned that I am disappointed? And don’t misunderstand me. I love Linux, but still.
One solution that VanHauser recommended was LAUS, an auditing subsystem which was initially developed for SUSE. A port for Red Hat exists also. Since I switched to Ubuntu, I tried an apt-get install laus. No luck. Too bad.
Maybe I am just missing something and there is a solution to the audit log shortcomings of Linux?
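One way to get the two events the post asks for (password changed, account disabled) without a kernel audit subsystem is to diff snapshots of /etc/shadow, which also catches edits made directly to the file. The script below is an added example, not code from the original post or from LAUS/Snare; the baseline path, the `shadow-audit` syslog tag and the sample hashes are assumptions, and it relies on shadow-utils prefixing a locked account's hash with "!".

```shell
#!/bin/sh
# Snapshot-diff audit of /etc/shadow: compare a stored baseline with the current
# file and emit one event per changed account. Field 2 of each line is the hash;
# "passwd -l" / "usermod -L" prefix it with "!" ("*" also means no valid password).

# shadow_events OLD NEW -> one event line per user whose hash field differs
shadow_events() {
    awk -F: '
        NR == FNR { oldhash[$1] = $2; next }           # first file: baseline hashes
        {
            user = $1; new = $2; seen[user] = 1
            if (!(user in oldhash)) { print "ACCOUNT_ADDED user=" user; next }
            old = oldhash[user]
            if (old == new) next
            if (new ~ /^[!*]/ && old !~ /^[!*]/)      print "ACCOUNT_LOCKED user=" user
            else if (old ~ /^[!*]/ && new !~ /^[!*]/) print "ACCOUNT_UNLOCKED user=" user
            else                                      print "PASSWORD_CHANGED user=" user
        }
        END { for (u in oldhash) if (!(u in seen)) print "ACCOUNT_REMOVED user=" u }
    ' "$1" "$2" | sort
}

# audit_shadow OLD NEW -> send each event to syslog (authpriv) and adopt NEW as baseline
audit_shadow() {
    shadow_events "$1" "$2" | while IFS= read -r event; do
        logger -p authpriv.notice -t shadow-audit "$event"
    done
    cp "$2" "$1" && chmod 600 "$1"    # the baseline holds hashes: keep it root-only
}

# Constructed sample snapshots (hashes are placeholders, not real crypt output):
# alice changed her password, bob was locked, carol was unlocked, dave was added.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/shadow.old" <<'EOF'
root:$6$saltA$HASHROOT:13000:0:99999:7:::
alice:$6$saltB$HASHALICE1:13000:0:99999:7:::
bob:$6$saltC$HASHBOB:13000:0:99999:7:::
carol:!$6$saltD$HASHCAROL:13000:0:99999:7:::
EOF
cat > "$tmp/shadow.new" <<'EOF'
root:$6$saltA$HASHROOT:13000:0:99999:7:::
alice:$6$saltE$HASHALICE2:13354:0:99999:7:::
bob:!$6$saltC$HASHBOB:13000:0:99999:7:::
carol:$6$saltD$HASHCAROL:13000:0:99999:7:::
dave:$6$saltF$HASHDAVE:13354:0:99999:7:::
EOF

# Dry run on the sample data; a root cron job would instead call
# audit_shadow /var/lib/shadow.baseline /etc/shadow (assumed baseline path)
shadow_events "$tmp/shadow.old" "$tmp/shadow.new"
```

Polling only sees the state at each run, so a password changed and changed back between runs is missed; the kernel-level tools mentioned in the comments do not have that gap.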

4 Comments »

  1. Did you try snare from http://www.intersectalliance.com/?

    Comment by msvenk — July 27, 2006 @ 3:36 pm

  2. Hi Raffy,

    You’re completely right – it’s sad…

    Have you tried SNARE? You’ll find it at
    http://www.intersectalliance.com/projects/Snare/index.html.

    GRSecurity and SELinux also can produce better audit
    trails…

    Regards,
    Christian

    Comment by Christian Ehlen — August 1, 2006 @ 11:56 am

  3. Yes, SELinux with the audit capabilities works for more detailed auditing. However, not everyone has the luxury of being able to install them and have them on their servers. But good point.

    Snare, aye? I gotta be honest. I just had a “duh” moment. I thought Snare was just a way to get Windows Event logs into syslog. But looking at the Web page I realized that you can use it to do auditing on Linux. I will sure try that.

    I am still a bit frustrated. My favorite OS does not log password changes by default. What a shame!

    Comment by Raffy — August 1, 2006 @ 12:10 pm

  4. What was the outcome? I can’t find a snare patch for the 2.6.15-23 kernel that comes with Xubuntu. Any luck?

    Comment by Carl — October 13, 2006 @ 6:35 pm
