How can I audit su access through pam.d in RHEL 7

I am a system auditor with very limited knowledge of the Linux OS. I am currently auditing a RHEL 7 server and found out that a group of users are authenticating through LDAP and using 'su' through PAM. I'd like to know the interpretation of the following file content and where I can view their access logs.

/etc/pam.d/su

    #%PAM-1.0
    auth sufficient pam_rootok.so
    auth [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup bdbadmin
    auth required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-bdbadmin-access
    auth required pam_wheel.so use_uid group=bdbadmin
    auth [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup wheel
    auth required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-wheel-access
    auth required pam_wheel.so use_uid group=wheel

    # Uncomment the following line to implicitly trust users in the "wheel" group.
    #auth sufficient pam_wheel.so trust use_uid
    # Uncomment the following line to require a user to be in the "wheel" group.
    #auth required pam_wheel.so use_uid

    auth substack system-auth
    auth include postlogin
    account sufficient pam_succeed_if.so uid = 0 use_uid quiet
    account include system-auth
    password include system-auth
    session include system-auth
    session include postlogin
    session optional pam_xauth.so

As per my understanding, the users in group bdbadmin are allowed su access, but I don't know where to look for a sudoers list or their access logs.

Thanks in advance.

      security sudo redhat-enterprise-linux authentication pam

edited Nov 16 at 8:57 by Ahmed Ashour
asked Nov 16 at 7:09 by Faizan Farooqi
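An added worked example (not part of the question or of the answer below) that walks the auth section of the posted /etc/pam.d/su the way pam.conf(5) defines `sufficient`, `required` and `[success=N default=ignore]`, for a handful of callers. The allow-list contents, the deliberately missing /etc/security/su-wheel-access and the user names are constructed; the system-auth substack is modelled as "the caller supplies the target account's password", which is what pam_unix (or pam_sss, for the LDAP users) does at that point. The point it makes: because `pam_succeed_if ... user notingroup` skips the two lines after it, this stack restricts members of bdbadmin and wheel to the target accounts listed in their respective files, while a caller in neither group is not restricted by this file at all and only has to know the target password; and a list file that is missing locks that whole group out, because of onerr=fail.

```python
"""Walk the auth stack of the posted /etc/pam.d/su for a given caller and target.

Only the controls and module options that file uses are modelled; this is an
illustration of pam.conf(5) semantics, not libpam.
"""
import re

# The auth lines exactly as posted in the question.
SU_AUTH_STACK = """\
auth sufficient pam_rootok.so
auth [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup bdbadmin
auth required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-bdbadmin-access
auth required pam_wheel.so use_uid group=bdbadmin
auth [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup wheel
auth required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-wheel-access
auth required pam_wheel.so use_uid group=wheel
auth substack system-auth
auth include postlogin
"""

# Constructed contents of the pam_listfile allow-lists (target accounts, one per line in
# the real files). su-wheel-access is deliberately absent to show what onerr=fail does.
ALLOW_FILES = {
    "/etc/security/su-bdbadmin-access": {"bdbapp", "oracle"},
}

RULE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Return [(control, module, [args...])] for the auth lines of a pam.d file."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        typ, control, module, args = RULE_RE.match(line).groups()
        if typ == "auth":
            rules.append((control, module, args.split()))
    return rules


def run_module(module, args, ctx):
    """Simulate one module's verdict (True = PAM_SUCCESS) for this caller and target."""
    opts = dict(a.split("=", 1) if "=" in a else (a, True) for a in args)
    if module == "pam_rootok.so":
        return ctx["caller_uid"] == 0                  # root needs no password at all
    if module == "pam_succeed_if.so":                  # use_uid: tests the CALLING user
        group = args[args.index("notingroup") + 1]
        return group not in ctx["caller_groups"]
    if module == "pam_listfile.so":                    # item=user: tests the TARGET account
        entries = ctx["allow_files"].get(opts["file"])
        if entries is None:                            # missing or unreadable list file
            return opts.get("onerr") == "succeed"
        return (ctx["target"] in entries) == (opts["sense"] == "allow")
    if module == "pam_wheel.so":                       # caller must be in group=
        return opts["group"] in ctx["caller_groups"]
    raise ValueError("module not modelled: " + module)


def evaluate(rules, ctx):
    """Apply sufficient / required / [success=N default=ignore] as pam.conf(5) defines them."""
    failed = False
    i = 0
    while i < len(rules):
        control, module, args = rules[i]
        i += 1
        if control in ("substack", "include"):
            # system-auth asks for the TARGET account's password (pam_unix, or pam_sss for
            # LDAP users); postlogin has no auth lines on RHEL 7. Modelled like 'required'.
            failed = failed or not ctx["knows_target_password"]
            continue
        ok = run_module(module, args, ctx)
        if control == "sufficient":
            if ok and not failed:                      # ends the stack with success
                return "ALLOW without password (%s)" % module
        elif control == "required":
            if not ok:
                failed = True                          # keep walking, verdict is now fixed
        else:
            # [success=2 default=ignore]: on success skip the next 2 modules; any other
            # result leaves the verdict untouched.
            actions = dict(kv.split("=") for kv in control.strip("[]").split())
            if ok and actions.get("success", "").isdigit():
                i += int(actions["success"])
    return "DENY" if failed else "ALLOW after target password"


def decide(caller_uid, caller_groups, target, knows_target_password=True,
           allow_files=ALLOW_FILES):
    ctx = {"caller_uid": caller_uid, "caller_groups": set(caller_groups), "target": target,
           "knows_target_password": knows_target_password, "allow_files": allow_files}
    return evaluate(parse_stack(SU_AUTH_STACK), ctx)


if __name__ == "__main__":
    for uid, groups, target in [(0, {"root"}, "bdbapp"), (1001, {"bdbadmin"}, "bdbapp"),
                                (1001, {"bdbadmin"}, "root"), (1002, {"users"}, "root"),
                                (1003, {"wheel"}, "root")]:
        print("uid=%d %s -> su %s: %s" % (uid, sorted(groups), target, decide(uid, groups, target)))
```

To verify the same things on the server rather than in the model: run `getent group bdbadmin wheel` (LDAP-backed groups do not appear in /etc/group, so grep there will miss them), read both files under /etc/security and confirm they exist and are not world-writable (pam_listfile treats a missing or world-writable list as an error, which onerr=fail turns into a denial), and remember that `su -` goes through the su-l service, whose /etc/pam.d/su-l on RHEL 7 simply includes these su rules.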

1 Answer

Welcome to StackExchange, and in particular to SuperUser.

1. The access log is located in /var/log/auth.log, and of course it can only be viewed by root.

2. The command to list all members of a given group is members, if it is installed on your machine (it is not by default),

    members sudo

or you can directly parse the /etc/group file, which contains the relevant information,

    grep sudo /etc/group

and you can double-check that with

    groups UserName

to see all groups UserName belongs to.

3. As for PAM and the file su, you should know that by default PAM uses a configuration file located in /etc/pam.conf unless the directory /etc/pam.d/ is not empty (your case), in which case the directory content has higher precedence. The syntax of the entries is best learned by referencing the manual here; this Web page first discusses the syntax of the /etc/pam.conf file, then that of the /etc/pam.d/ directory, which is marginally different (and now you see why I had to mention the difference above).

If you have a specific question about the content of the ruleset in su above, which after reading the Manual appears quite transparent to me, I will be happy to answer it, if I can.

answered Nov 16 at 10:41 by MariusMatutiae
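An added example, not from the answer above, covering the log side of the question for RHEL 7 specifically. /var/log/auth.log is the Debian/Ubuntu location; RHEL 7's default rsyslog configuration sends authpriv messages, including everything su and its PAM modules log, to /var/log/secure (readable by root only), and when auditd is running the same events are also in /var/log/audit/audit.log (`ausearch -c su`, `aureport -au`). Likewise the `members` command is not in RHEL's repositories, and /etc/group will not show LDAP members at all, so use `getent group bdbadmin` and `id username`, which go through NSS and sssd. Note also that su never consults sudoers: sudo's rules live in /etc/sudoers and /etc/sudoers.d/ (`sudo -l -U username` lists what a user may run). The script below reduces a /var/log/secure extract to a who-became-whom table and flags successful escalations to root and successes by callers outside an allow-list. The log lines are constructed samples in the formats util-linux su and the PAM modules write (`su: (to TARGET) CALLER on TTY`, `FAILED SU (to TARGET) CALLER on TTY`, `pam_unix(su-l:session): session opened for user ...`); EXPECTED_TARGETS is a hypothetical stand-in for the contents of /etc/security/su-bdbadmin-access.

```python
"""Summarise su activity from RHEL 7 /var/log/secure lines: who became whom, and did it work."""
import re
from collections import Counter

# Constructed sample lines. "su: (to X) Y on TTY" and "FAILED SU ..." are written by
# util-linux su itself; the pam_unix / pam_listfile lines by the PAM modules.
SAMPLE_SECURE = """\
Nov 16 07:09:01 bdb01 su: pam_unix(su-l:session): session opened for user bdbapp by alice(uid=1001)
Nov 16 07:09:01 bdb01 su: (to bdbapp) alice on pts/0
Nov 16 07:10:15 bdb01 su: pam_unix(su:auth): authentication failure; logname=bob uid=1002 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Nov 16 07:10:17 bdb01 su: FAILED SU (to root) bob on pts/1
Nov 16 07:11:02 bdb01 su: pam_listfile(su:auth): Refused user root for service su
Nov 16 07:11:02 bdb01 su: FAILED SU (to root) alice on pts/0
Nov 16 07:12:40 bdb01 su: (to root) carol on pts/2
Nov 16 07:12:40 bdb01 su: pam_unix(su:session): session opened for user root by carol(uid=1003)
Nov 16 07:13:00 bdb01 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 51122 ssh2
Nov 16 07:14:10 bdb01 su: (to oracle) dave on pts/3
"""

# Hypothetical allow-list: which callers may become which targets, mirroring what an
# auditor would transcribe from /etc/security/su-bdbadmin-access plus group membership.
EXPECTED_TARGETS = {"alice": {"bdbapp", "oracle"}}

# Syslog timestamp, host, "su" (optionally with [pid]), then su's own outcome message.
SU_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su(?:\[\d+\])?: "
    r"(?P<failed>FAILED SU )?\(to (?P<target>\S+)\) (?P<caller>\S+) on (?P<tty>\S+)$"
)


def parse_su_events(text):
    """Pick the su outcome lines out of a /var/log/secure extract (other lines are skipped)."""
    events = []
    for line in text.splitlines():
        m = SU_RE.match(line)
        if m:
            events.append({"time": m["ts"], "host": m["host"], "caller": m["caller"],
                           "target": m["target"], "tty": m["tty"], "ok": m["failed"] is None})
    return events


def summarise(events):
    """Count (caller, target, outcome): the table an auditor samples against the access list."""
    return Counter((e["caller"], e["target"], "success" if e["ok"] else "failed")
                   for e in events)


def root_escalations(events):
    """Successful su to root; each one needs a named, authorised caller behind it."""
    return [e for e in events if e["ok"] and e["target"] == "root"]


def outside_allow_list(events, expected=EXPECTED_TARGETS):
    """Successful su by an unknown caller, or by a known caller to a target not on
    their list: these are the entries to review first."""
    flagged = []
    for e in events:
        allowed = expected.get(e["caller"])
        if e["ok"] and (allowed is None or e["target"] not in allowed):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    evs = parse_su_events(SAMPLE_SECURE)
    for (caller, target, outcome), n in sorted(summarise(evs).items()):
        print("%-8s -> %-8s %-8s %d" % (caller, target, outcome, n))
    print("to root:", [e["caller"] for e in root_escalations(evs)])
    print("review:", [(e["caller"], e["target"]) for e in outside_allow_list(evs)])
```

On a real host feed it `grep ' su: ' /var/log/secure*` (rotated files included), and cross-check the callers it reports against `getent group bdbadmin` and the allow-list files, since a success recorded here is only legitimate if the caller was entitled to that target on that date.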