{"id":62,"date":"2006-11-24T17:06:57","date_gmt":"2006-11-24T22:06:57","guid":{"rendered":"http:\/\/raffy.ch\/blog\/?p=62"},"modified":"2006-11-24T17:06:57","modified_gmt":"2006-11-24T22:06:57","slug":"linux-auditing-again","status":"publish","type":"post","link":"https:\/\/raffy.ch\/blog\/2006\/11\/24\/linux-auditing-again\/","title":{"rendered":"Linux Auditing &#8211; Again!"},"content":{"rendered":"<p>I keep running into these little annoyances in Linux. (And as I said here before, I love Linux, but there are some things which are just bad.) This time I was trying to see what happens if you lock an account. You didn&#8217;t even know you could do that?<\/p>\n<pre>passwd -l &lt;user&gt;<\/pre>\n<p>Do you know what syslog has to say about this?<\/p>\n<pre>Nov 14 16:35:12 zurich passwd[21226]: password for `test' changed by `root'<\/pre>\n<p>And even worse, if you unlock:<\/p>\n<pre>passwd -u &lt;user&gt;<\/pre>\n<p>Linux says:<\/p>\n<pre>Nov 14 16:35:12 zurich passwd[21226]: password for `test' changed by `root'<\/pre>\n<p>Great! What am I supposed to do with this? Is a password change really the same as a lock out of a user?<\/p>\n<p>To continue on the path of auditing and such, have you tried to configure an automatic lock-out after a certain number of failed logins? Good luck. After a while you might find <b>pam_tally<\/b>. You have to use this PAM module to achieve that lockout. You can configure after how many failed passwords an account gets locked. Again, why is this in such a hidden module? Why not built-in? Is anyone going to rebuild the authentication sub-system? Please? And if you are at it, rethink the whole logging infrastructure too! Don&#8217;t forget to use a common log format, a specific fixed format that enforces certain information and is parsable! Stop logging copyright messages into syslog (Ok: dhclient?).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I keep running into these little annoyances in Linux. 
(And as I said here before, I love Linux, but there are some things which are just bad.) This time I was trying to see what happens if you lock an account. You didn&#8217;t even know you could do that? passwd -l Do you know what [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,7],"tags":[],"class_list":["post-62","post","type-post","status-publish","format-standard","hentry","category-log-analysis","category-unix-security"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts\/62","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/comments?post=62"}],"version-history":[{"count":0,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts\/62\/revisions"}],"wp:attachment":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/media?parent=62"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/categories?post=62"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/tags?post=62"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}