How can I audit su access through pam.d in RHEL 7
I am a system auditor with very limited knowledge of Linux OS. I am currently auditing a RHEL 7 server and found out that a group of users are authenticating through LDAP and using 'su' through PAM. I'd like to know the interpretation of the following file content and where can I view their access logs.
/etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
auth [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup bdbadmin
auth required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-bdbadmin-access
auth required pam_wheel.so use_uid group=bdbadmin
auth [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup wheel
auth required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-wheel-access
auth required pam_wheel.so use_uid group=wheel
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
As per my understanding, the users in group bdbadmin are allowed su access, but I don't know where to look for a sudoers list or their access logs.
Thanks in advance.
security sudo redhat-enterprise-linux authentication pam
edited Nov 16 at 8:57
Ahmed Ashour
asked Nov 16 at 7:09
Faizan Farooqi
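A worked reading of the stack above, as an added example that is not part of the original question or answer. The four policy lines work in pairs. `[success=2 default=ignore] pam_succeed_if.so use_uid user notingroup bdbadmin` succeeds for any calling user (use_uid means the account running su, not the account being requested) who is not in bdbadmin and jumps over the next two lines, so those two lines apply only to bdbadmin members. For them, `pam_listfile.so item=user` checks PAM_USER, which for su is the account being switched to, against /etc/security/su-bdbadmin-access, and `pam_wheel.so use_uid group=bdbadmin` re-checks the caller's group membership. The wheel pair does the same with su-wheel-access. A caller in neither group skips all four lines and lands directly in `substack system-auth`, i.e. the ordinary password check for the target account; only the commented-out `auth required pam_wheel.so use_uid` line would have limited su to wheel members. `pam_rootok.so` lets uid 0 through with no password at all, and because the policy lines are `required` rather than `requisite`, a caller rejected by pam_listfile is still prompted for a password and only then refused. The script re-implements this control flow in simplified form so it can be run against constructed group and listfile data; the users, uids and file contents are hypothetical. On the host itself the LDAP groups are resolved with `getent group bdbadmin`, since /etc/group will not list directory users.

```python
"""Dry-run evaluator for the auth section of the /etc/pam.d/su stack above.

Added example (not from the original post). It re-implements, simplified,
Linux-PAM's auth-stack control flow and the decisions of the four policy
modules used here, so an auditor can ask "who may su to whom?" offline.
Group memberships, uids and su-*-access contents are constructed data.
"""
import re

# The auth lines from the question's /etc/pam.d/su, comments dropped.
SU_AUTH_STACK = """
auth sufficient pam_rootok.so
auth [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup bdbadmin
auth required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-bdbadmin-access
auth required pam_wheel.so use_uid group=bdbadmin
auth [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup wheel
auth required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-wheel-access
auth required pam_wheel.so use_uid group=wheel
auth substack system-auth
auth include postlogin
"""

# Constructed sample data (hypothetical users and groups).
GROUPS = {"bdbadmin": {"alice", "bob"}, "wheel": {"carol"}}   # group -> members
UIDS = {"root": 0, "bdb": 500, "alice": 1001, "bob": 1002, "carol": 1003, "dave": 1004}
LISTFILES = {  # path -> TARGET accounts listed in the file (item=user means PAM_USER)
    "/etc/security/su-bdbadmin-access": {"bdb"},
    "/etc/security/su-wheel-access": {"root"},
}

SUCCESS, IGNORE, FAIL = "success", "ignore", "fail"

def in_group(user, group):
    return user in GROUPS.get(group, set())

def run_module(module, args, caller, target):
    """Simplified decision of each module; caller is getuid(), target is PAM_USER."""
    opts = dict(a.split("=", 1) if "=" in a else (a, True) for a in args)
    if module == "pam_rootok.so":                       # root needs no password
        return SUCCESS if UIDS[caller] == 0 else FAIL
    if module == "pam_succeed_if.so":                   # only "user ingroup|notingroup G"
        subject = caller if "use_uid" in opts else target
        _, op, grp = args[-3:]
        member = in_group(subject, grp)
        return SUCCESS if member == (op == "ingroup") else FAIL
    if module == "pam_listfile.so":                     # item=user checks the TARGET account
        entries = LISTFILES.get(opts["file"])
        if entries is None:                             # missing/unreadable file
            return FAIL if opts.get("onerr") == "fail" else SUCCESS
        return SUCCESS if (target in entries) == (opts["sense"] == "allow") else FAIL
    if module == "pam_wheel.so":                        # caller must be in group= (default wheel)
        if in_group(caller, opts.get("group", "wheel")):
            return SUCCESS if "trust" in opts else IGNORE
        return FAIL
    raise ValueError("unsupported module " + module)

def control(ctrl):
    """Map a control field to PAM's action for each module result."""
    table = {
        "required":   {SUCCESS: "ok",   IGNORE: "ignore", FAIL: "bad"},
        "requisite":  {SUCCESS: "ok",   IGNORE: "ignore", FAIL: "die"},
        "sufficient": {SUCCESS: "done", IGNORE: "ignore", FAIL: "ignore"},
        "optional":   {SUCCESS: "ok",   IGNORE: "ignore", FAIL: "ignore"},
    }
    if ctrl in table:
        return table[ctrl]
    acts = dict(kv.split("=") for kv in ctrl.strip("[]").split())   # e.g. success=2 default=ignore
    return {r: acts.get(r, acts.get("default", "bad")) for r in (SUCCESS, IGNORE, FAIL)}

def evaluate(stack, caller, target):
    """Return (verdict, trace): 'allow' (no password asked), 'deny', or
    'password' (policy lines passed; system-auth now verifies the target's password)."""
    lines = [l.split(None, 1)[1] for l in stack.strip().splitlines() if l.startswith("auth")]
    trace, failed, i = [], False, 0
    while i < len(lines):
        ctrl, rest = re.match(r"(\[[^\]]*\]|\S+)\s*(.*)", lines[i]).groups()
        if ctrl in ("substack", "include"):
            trace.append(ctrl + " " + rest + ": password check")
            return ("deny" if failed else "password", trace)
        module, *args = rest.split()
        result = run_module(module, args, caller, target)
        action = control(ctrl)[result]
        trace.append("%s -> %s (%s)" % (module, result, action))
        if action == "done":                 # sufficient succeeded: stop here
            return ("deny" if failed else "allow", trace)
        if action == "die":
            return ("deny", trace)
        if action == "bad":                  # required failed: remember, but keep going
            failed = True
        elif action.isdigit():               # success=N: skip the next N lines
            i += int(action)
        i += 1
    return ("deny" if failed else "allow", trace)

if __name__ == "__main__":
    for caller, target in [("root", "bdb"), ("alice", "bdb"), ("alice", "root"),
                           ("carol", "root"), ("carol", "bdb"), ("dave", "root")]:
        verdict, trace = evaluate(SU_AUTH_STACK, caller, target)
        print("%-5s -> %-4s %-8s  %s" % (caller, target, verdict, "; ".join(trace)))
```

With the sample data, alice (bdbadmin) may become bdb but not root, carol (wheel) may become root but not bdb, and dave, who is in neither group, reaches the password prompt for root like any other user: the stack restricts only the two administrative groups and does not restrict su for everyone else. Compare the trace for each pair against the real listfiles and `getent group` output from the server to confirm the finding.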
1 Answer
Welcome to StackExchange, and in particular to SuperUser.
The access log is located in /var/log/auth.log, and of course it can only be viewed by root.
The command to list all members of a given group is members, if it is installed on your machine (it is not by default),
members sudo
or you can directly parse the /etc/group file, which contains the relevant information,
grep sudo /etc/group
and you can double-check that with
groups UserName
to see all groups UserName belongs to.
As for PAM and the file su, you should know that by default PAM uses a configuration file located in /etc/pam.conf unless the directory /etc/pam.d/ is not empty (your case), in which case the directory content has higher precedence. The syntax of the entries is best learned by referencing the manual here; this Web page first discusses the syntax of the /etc/pam.conf file, then that of the /etc/pam.d/ directory, which is marginally different (and now you see why I had to mention the difference above).
If you have a specific question about the content of the ruleset in su above, which after reading the manual appears quite transparent to me, I will be happy to answer it, if I can.
answered Nov 16 at 10:41
MariusMatutiae
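As an added example that is not part of the answer above: on RHEL 7 the default rsyslog configuration writes the authpriv facility, which is where su and its PAM modules log, to /var/log/secure (root-readable only), and if auditd is running the same events are also available with `ausearch -c su` or `aureport -au`. Note that `su -` runs under the PAM service name su-l, whose RHEL 7 stack includes su, so a complete audit has to match both `(su:...)` and `(su-l:...)` entries. The parser below extracts who switched to which account, and who failed, from a /var/log/secure extract. The log lines are constructed in the shape of the pam_unix and pam_listfile messages su emits through PAM; the host db01 and the users are hypothetical, not taken from the post or a real system.

```python
"""Pull su events out of a RHEL 7 /var/log/secure extract.

Added example, not from the original post. The log lines are constructed in
the shape of the pam_unix and pam_listfile messages that su emits through
PAM on RHEL 7 (hypothetical host db01 and users); they are not from a real
system.
"""
import re
from collections import defaultdict

SAMPLE_SECURE_LOG = """\
Nov 16 07:09:01 db01 su: pam_unix(su:session): session opened for user bdb by alice(uid=1001)
Nov 16 07:09:40 db01 su: pam_unix(su:session): session closed for user bdb
Nov 16 07:10:22 db01 su: pam_listfile(su:auth): Refused user root for service su
Nov 16 07:10:22 db01 su: pam_unix(su:auth): authentication failure; logname=alice uid=1001 euid=0 tty=pts/0 ruser=alice rhost=  user=root
Nov 16 07:12:05 db01 su: pam_unix(su-l:session): session opened for user root by carol(uid=1003)
Nov 16 07:15:33 db01 su: pam_unix(su:auth): authentication failure; logname=dave uid=1004 euid=0 tty=pts/1 ruser=dave rhost=  user=root
Nov 16 07:16:02 db01 sshd[2211]: Accepted publickey for dave from 10.0.0.5 port 51122 ssh2
"""

# "<Mon DD HH:MM:SS> <host> su: <module>(<service>:<phase>): <message>"
# service is "su" for plain su and "su-l" for "su -" (pam.d/su-l includes su on RHEL 7)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su(?:\[\d+\])?: "
    r"(?P<module>pam_\w+)\((?P<service>su(?:-l)?):(?P<phase>\w+)\): (?P<msg>.*)$")
OPENED_RE = re.compile(r"session opened for user (?P<target>\S+) by (?P<caller>[^(]+)\(uid=\d+\)")
AUTHFAIL_RE = re.compile(r"authentication failure;.*\bruser=(?P<caller>\S*).*\buser=(?P<target>\S+)")
REFUSED_RE = re.compile(r"Refused user (?P<target>\S+) for service")

def classify(msg):
    """Return (kind, caller, target) for one PAM message body."""
    m = OPENED_RE.search(msg)
    if m:
        return "switch_ok", m["caller"], m["target"]       # su succeeded, session started
    m = AUTHFAIL_RE.search(msg)
    if m:
        return "auth_failed", m["caller"], m["target"]     # wrong password or policy failure
    m = REFUSED_RE.search(msg)
    if m:                                                  # pam_listfile: target not in su-*-access
        return "policy_refused", None, m["target"]
    return "other", None, None

def parse_su_events(text):
    """One dict per su-related line; lines from other daemons are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["kind"], ev["caller"], ev["target"] = classify(ev["msg"])
        events.append(ev)
    return events

def su_report(text):
    """Per calling user: which accounts they became, and which they failed to become."""
    report = defaultdict(lambda: {"switched_to": [], "failed_to": []})
    for ev in parse_su_events(text):
        if ev["kind"] == "switch_ok":
            report[ev["caller"]]["switched_to"].append(ev["target"])
        elif ev["kind"] == "auth_failed":
            report[ev["caller"]]["failed_to"].append(ev["target"])
    return dict(report)

if __name__ == "__main__":
    for caller, r in sorted(su_report(SAMPLE_SECURE_LOG).items()):
        print(caller, "became:", r["switched_to"], "failed:", r["failed_to"])
```

The pam_listfile refusal names only the target, so to attribute it to a caller match it against the pam_unix authentication failure with the same timestamp and tty, as in the alice lines above. Read the real file with `sudo cat /var/log/secure*` (logrotate keeps dated copies alongside it) and pass its contents to `su_report`.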