Hi!

I want SuSE 8.1 to log successful logins at the console into /var/log/messages. I've set the corresponding option at YaST (at "Security and Users --> Security settings"), but successful logins are only logged to /var/log/wtmp.

Can anybody tell me how I can log them to /var/log/messages, please?

Thank you very much,
Arno
On Wed, Mar 05, 2003 at 02:34:25PM +0100, Arno Luppold wrote:
I want SuSE 8.1 to log successful logins at the console into /var/log/messages. I've set the corresponding option at YaST (at "Security and Users --> Security settings"), but successful logins are only logged to /var/log/wtmp. Can anybody tell me how I can log them to /var/log/messages, please?
from my /etc/syslog.conf:

    kern.warn;*.err;authpriv.none /dev/tty10
    kern.warn;*.err;authpriv.none |/dev/xconsole
    *.emerg *
    # enable this, if you want that root is informed
    # immediately, e.g. of logins
    #*.alert root

from that I guess you need to add:

    authpriv.alert -/var/log/messages

hth,
Lars
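How sysklogd-style selectors like the ones quoted above pick their messages, as an added example that is not part of the original post. It is a simplified model of the selector rules; the authpriv facility used in the checks is an assumption, and info is the priority the patch later in this thread logs at.

```python
# Added example: simplified model of sysklogd-style selector matching.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

def level(name):
    return PRIORITIES.index(ALIASES.get(name, name))

def selected(selector, facility, priority):
    """True if a facility.priority message matches a ';'-separated selector."""
    result = False
    for part in selector.split(";"):
        facilities, _, prio = part.strip().partition(".")
        if facilities != "*" and facility not in facilities.split(","):
            continue
        if prio == "none":            # e.g. authpriv.none: drop this facility
            result = False
            continue
        negate, prio = prio.startswith("!"), prio.lstrip("!")
        exact, prio = prio.startswith("="), prio.lstrip("=")
        if prio == "*":
            hit = True
        elif exact:
            hit = level(priority) == level(prio)
        else:                         # plain priority means "this level or higher"
            hit = level(priority) >= level(prio)
        if negate:
            result = result and not hit
        else:
            result = result or hit
    return result

def destinations(config, facility, priority):
    """Return the actions of every rule that selects the message."""
    actions = []
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        if selected(selector, facility, priority):
            actions.append(action)
    return actions

# Rules quoted in the thread, plus the suggested authpriv.alert line.
THREAD_CONFIG = """
kern.warn;*.err;authpriv.none /dev/tty10
kern.warn;*.err;authpriv.none |/dev/xconsole
*.emerg *
#*.alert root
authpriv.alert -/var/log/messages
"""
```

With these rules an authpriv message at info priority reaches no destination, while one at alert priority reaches only /var/log/messages.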
On Wednesday 05 March 2003 15:00, Lars Ellenberg wrote:
On Wed, Mar 05, 2003 at 02:34:25PM +0100, Arno Luppold wrote:
[howto log successful console-logins to /var/log/messages]
from my /etc/syslog.conf: [...] from that I guess you need to add:
authpriv.alert -/var/log/messages
Didn't help. I also logged all debug, info, warn, alert and emerg Messages, and it still didn't log successful logins. I also tried logging everything with priority debug and higher to /var/log/debug and there no lines about successful logins showed up.

I restarted my syslog daemon after the changes.

It seems to me as if notifications about successful logins aren't sent to syslog.

Arno
On Wed, 2003-03-05 at 12:24, Arno Luppold wrote:
On Wednesday 05 March 2003 15:00, Lars Ellenberg wrote:
On Wed, Mar 05, 2003 at 02:34:25PM +0100, Arno Luppold wrote:
[howto log successful console-logins to /var/log/messages]
from my /etc/syslog.conf: [...] from that I guess you need to add:
authpriv.alert -/var/log/messages
Didn't help. I also logged all debug, info, warn, alert and emerg Messages, and it still didn't log successful logins. I also tried logging everything with priority debug and higher to /var/log/debug and there no lines about successful logins showed up. I restarted my syslog daemon after the changes. It seems to me as if notifications about successful logins aren't sent to syslog.
Arno
Did you remember to restart syslog after making changes?

    rcsyslog reload

Ken Schneider
On Wednesday 05 March 2003 18:28, Ken Schneider wrote:
On Wed, 2003-03-05 at 12:24, Arno Luppold wrote:
[...] I restarted my syslog daemon after the changes.
Did you remember to restart syslog after making changes?
Yes, look above :-). It also logged everything into /var/log/debug so it must have reread the configuration (otherwise /var/log/debug would have stayed empty).

But I somehow still get only failed logins logged to /var/log/messages, but no successful ones. That's why I asked myself whether successful logins are reported to syslog at all or not.

Arno
On Wed, Mar 05, 2003 at 06:24:01PM +0100, Arno Luppold wrote:
It seems to me as if notifications about successful logins aren't sent to syslog.
yes. you are right. how about patching it to do so? find below a trivial patch. prove: tail -1 /var/log/messages Mar 5 19:07:09 minna login[18592]: successful login for `root' from tty2 cheers, Lars === for some of these steps you need be root. get i386/update/8.1/rpm/src/shadow-4.0.2-265.src.rpm from the suse update tree. rpm -Uhv shadow-4.0.2-265.src.rpm # # check neededforbuild, and usedforbuild. # probably you do not have all -devel packages in place. # I needed: # rpm -Uhv \ ./CD2/suse/i586/des-4.04b-501.i586.rpm \ ./CD3/suse/i586/cyrus-sasl-devel-1.5.27-256.i586.rpm \ ./CD3/suse/i586/libxcrypt-devel-1.1-44.i586.rpm # and, since we are on a _security_ list, NOT # ./CD4/suse/i586/openldap2-devel-2.1.4-26.i586.rpm # ./CD2/suse/i586/openssl-devel-0.9.6g-18.i586.rpm \ # ./CD3/suse/i586/heimdal-devel-0.4e-186.i586.rpm \ # BUT the updated (this output is from fou4s-lge ;) # openssl-devel 0.9.6g-55 (0.9.6g-18) 463kB # openldap2-devel 2.1.4-70 (2.1.4-26) 138kB # heimdal-devel 0.4e-207 (0.4e-186) 3997kB so get yourself the */update/rpm/*/openssl-devel etc. and install them. you may need updates for some other -devel or "neededforbuild" packages, too. # # now add the patch. I think this is the right place: # BTW, use at your own risk ;) # cat <<_EOF_ > /usr/src/packages/SOURCES/shadow-success-syslog.diff --- src/login.c.orig 2003-03-05 19:01:27.000000000 +0100 +++ src/login.c 2003-03-05 19:01:41.000000000 +0100 @@ -1004,6 +1004,9 @@ updwtmp (_PATH_WTMP, &ut); } + /* successful login to syslog, too */ + syslog (LOG_INFO, "successful login for `%s' from %s\n", + pwd->pw_name, hostname ? hostname : (ttyn+5) ); dolastlog (quietlog, pwd->pw_uid, tty, hostname); /* Maybe we move this to PAM ? */ _EOF_ # # tell the SPEC file, to use this patch # cd /usr/src/packages/SPECS cat << _END_OF_SPEC_PATCH_ | patch --- shadow.spec.orig 2003-03-05 18:31:32.000000000 +0100 +++ shadow.spec 2003-03-05 18:35:07.000000000 +0100 
@@ -16,7 +16,7 @@ Group: System/Base Autoreqprov: on Version: 4.0.2 -Release: 265 +Release: 266 Summary: Shadow password suite Source: shadow-%{version}.tar.bz2 Source1: pam_login-3.9.tar.bz2 @@ -36,6 +36,7 @@ Patch6: pwdutils.sanitychecks.diff Patch7: pwdutils.20402.diff Patch8: shadow-4.0.2-64bit.diff +Patch9: shadow-success-syslog.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -58,6 +59,8 @@ %patch1 %patch6 %patch7 +cd ../pam_login-* +%patch9 %build libtoolize -c -f @@ -118,6 +121,8 @@ /usr/share/locale/*/LC_MESSAGES/pwdutils.mo %changelog -n shadow +* Wed Mar 5 2003 - l.g.e@web.de +- sucessful logins to syslog, too * Mon Jan 13 2003 - kukuk@suse.de - Fix seg.fault introduced through sanity check patch * Tue Nov 05 2002 - kukuk@suse.de _END_OF_SPEC_PATCH_ # # rebuilt source and binary rpm # rpm -ba --target i686-my_suse-linux shadow.spec # if you get some errors about hardlinks crossing filesystem border # here, because /var/ is not /usr/, you may want to # mkdir /usr/src/packages/TMP # chmod 1777 /usr/src/packages/TMP # echo '%_tmppath %{_topdir}/TMP' >> ~/.rpmmacros # # install the built rpm # rpm -Uhv ../RPMS/i686/shadow-4.0.2-266.i686.rpm # # thats it. # or, if you prefer, only compile rpm -bc shadow.spec search for the login binary, should be ../BUILD/pam_login*/src/login and replace that one only. or even unpack/patch/configure/make/compile/install all by hand ;)
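Review bot: the src/login.c diff is written to disk through an unquoted here-document (cat <<_EOF_), and the added syslog line contains a backtick, which the shell treats as the start of a command substitution inside an unquoted here-document; quote the delimiter (<<'_EOF_') so the patch text reaches the file unchanged. In the hunk itself, the ttyn+5 fallback skips five characters (presumably a "/dev/" prefix) without checking that ttyn starts with them, so compare the prefix before skipping it and log the full ttyn otherwise. The trailing "\n" in the format string is not needed for syslog, and bare LOG_INFO leaves the facility to whatever was configured earlier in login.c, which is worth a comment given that the syslog.conf rules in this thread key on authpriv.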
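Review bot: in the %prep hunk of shadow.spec, "cd ../pam_login-*" depends on the glob matching exactly one directory; the spec already names Source1 as pam_login-3.9.tar.bz2, so change into that directory by name and the step fails loudly if the layout changes. The new %changelog entry also spells "successful" as "sucessful".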
How about using the debug-option of pam_unix.so?! ;-)

Add a "debug" (without quotes...) to the line

    session required pam_unix.so

in /etc/pam.d/login

    session required pam_unix.so debug

Then log in to your system and watch /var/log/messages...

    Mar 5 19:22:22 moria login: pam_unix2: session started for user david, service login

On Wednesday, 5 March 2003 19:15, Lars Ellenberg wrote:
On Wed, Mar 05, 2003 at 06:24:01PM +0100, Arno Luppold wrote:
It seems to me as if notifications about successful logins aren't sent to syslog.
yes. you are right.
how about patching it to do so? find below a trivial patch. prove: tail -1 /var/log/messages Mar 5 19:07:09 minna login[18592]: successful login for `root' from tty2
-- Eat, sleep and go running, David Huecking. Encrypted eMail welcome! GnuPG/ PGP-Key: 0x57809216. Fingerprint: 3DF2 CBE0 DFAA 4164 02C2 4E2A E005 8DF7 5780 9216
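A small detector for the two "successful login" message formats quoted in this thread, as an added example that is not part of any post. The third sample line and all function names are constructed for illustration.

```python
import re

# Classic syslog line: "Mon D HH:MM:SS host program[pid]: message"
LINE = re.compile(
    r"^(?P<time>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Message written by the patched login binary shown in the thread.
PATCHED = re.compile(r"^successful login for `(?P<user>[^']*)' from (?P<origin>\S+)$")
# Message written by pam_unix2 with the "debug" option, as quoted in the thread.
PAM = re.compile(r"^pam_unix2: session started for user (?P<user>[^,\s]+), service \S+$")

def successful_logins(lines):
    """Return one event per successful console login found in the lines."""
    events = []
    for raw in lines:
        m = LINE.match(raw.rstrip("\n"))
        # Only accept lines tagged as coming from the login program.
        if not m or m["prog"] != "login":
            continue
        for source, pattern in (("patched-login", PATCHED), ("pam_unix2", PAM)):
            hit = pattern.match(m["msg"])
            if hit:
                events.append({
                    "time": m["time"],
                    "host": m["host"],
                    "user": hit["user"],
                    "origin": hit.groupdict().get("origin"),  # None for pam_unix2
                    "source": source,
                })
                break
    return events

SAMPLE = [
    # The two lines below are quoted from the thread.
    "Mar 5 19:07:09 minna login[18592]: successful login for `root' from tty2",
    "Mar 5 19:22:22 moria login: pam_unix2: session started for user david, service login",
    # Constructed line: same text, different program tag, so it is ignored.
    "Mar 5 19:25:00 moria logger: successful login for `root' from tty9",
]
```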
On Wed, Mar 05, 2003 at 07:27:54PM +0100, David Huecking wrote:
On Wednesday, 5 March 2003 19:15, Lars Ellenberg wrote:
how about patching it to do so? find below a trivial patch. prove: tail -1 /var/log/messages Mar 5 19:07:09 minna login[18592]: successful login for `root' from tty2
How about using the debug-option of pam_unix.so?! ;-) Add a "debug" (without quotes...) to the line session required pam_unix.so in /etc/pam.d/login session required pam_unix.so debug
Then log in to your system and watch /var/log/messages... Mar 5 19:22:22 moria login: pam_unix2: session started for user david, service login
I knew there was a simpler way ;)) but anyways, it was a quick one, and I was idling around ...

Lars
On Wednesday 05 March 2003 19:38, Lars Ellenberg wrote:
On Wed, Mar 05, 2003 at 07:27:54PM +0100, David Huecking wrote:
How about using the debug-option of pam_unix.so?! ;-)
I knew there was a simpler way ;)) but anyways, it was a quick one, and I was idling around ...
Big thanx to both of you! :-)

Arno
I must say that I learned much about (re-)creating RPM-packages and that stuff (SPECs file, rpm -b...) from your mail! :-)

I must say that 'till now I only built RPMs from tar.gz with checkinstall and so on...

On Wednesday, 5 March 2003 19:38, Lars Ellenberg wrote:
On Wed, Mar 05, 2003 at 07:27:54PM +0100, David Huecking wrote:
On Wednesday, 5 March 2003 19:15, Lars Ellenberg wrote:
how about patching it to do so? find below a trivial patch. prove: tail -1 /var/log/messages Mar 5 19:07:09 minna login[18592]: successful login for `root' from tty2 [...] but anyways, it was a quick one, and I was idling around ...
Lars
-- Eat, sleep and go running, David Huecking. Encrypted eMail welcome! GnuPG/ PGP-Key: 0x57809216. Fingerprint: 3DF2 CBE0 DFAA 4164 02C2 4E2A E005 8DF7 5780 9216
participants (4)
- Arno Luppold
- David Huecking
- Ken Schneider
- Lars Ellenberg