Re: passwd logging

2005-01-14 Thread Chuck Swiger
Sean Murphy wrote:
> I want to start logging to a file any successes or failures when a user
> invokes the passwd command.  I came across editing the pam.conf file but
> I don't know what to add.  Can anyone help?

Look at syslogd (/etc/syslog.conf) and /var/log/security or /var/log/auth.log;
I suspect that what you want to see is already being logged there.

--
-Chuck
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: passwd logging

2005-01-14 Thread Sean Murphy
I checked out syslog.conf and did not see what to uncomment to add the
passwd logging. It currently logs bad logins and su but not successful
changed passwds. Then I had a look at /var/log/security but nothing was
in that file. Hmm, would I have to add a line to the syslog.conf file to
log this type of activity?

Thanks


Re: passwd logging

2005-01-14 Thread Chuck Swiger
Sean Murphy wrote:
> Chuck Swiger wrote:
> > Look at syslogd (/etc/syslog.conf) and /var/log/security or
> > /var/log/auth.log; I suspect that what you want to see is already
> > being logged there.
>
> I checked out syslog.conf and did not see what to uncomment to add the
> passwd logging. It currently logs bad logins and su but not successful
> changed passwds. Then I had a look at /var/log/security but nothing was
> in that file. Hmm, would I have to add a line to the syslog.conf file to
> log this type of activity?

Take a look at the end of /usr/src/usr.bin/passwd/local_passwd.c:

[ ... ]
        if (!pw_mkdb(uname))
                pw_error((char *)NULL, 0, 1);
#ifdef LOGGING
        syslog(LOG_DEBUG, "user %s changed their local password\n", uname);
#endif
        return (0);
}

This message is being logged at DEBUG priority level, so I believe you should
change the line in /etc/syslog.conf from auth.info to auth.debug and
restart syslogd.

Or you could adjust this code to log using a higher priority (or write the 
info to a file directly, or whatever else you like), and build and reinstall 
the passwd binary with your changes.

--
-Chuck
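
Added example (not part of the original thread or of the FreeBSD source): a simplified model of how a syslog.conf selector field decides whether a message is written, showing why the LOG_DEBUG message above is dropped under auth.info and kept under auth.debug. It assumes, as the reply does, that passwd logs to the auth facility; selector_matches is a hypothetical helper, and comparison flags and comma-separated facility lists are not modelled.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* syslog.conf level names, indexed by their <syslog.h> value (0..7). */
static const char *const LEVELS[] = {
    "emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"
};

/* Numeric level for a name; "*" means every level; -1 for "none"/unknown. */
static int level_of(const char *name)
{
    if (strcmp(name, "*") == 0)
        return LOG_DEBUG;
    for (int i = 0; i <= LOG_DEBUG; i++)
        if (strcmp(name, LEVELS[i]) == 0)
            return i;
    return -1;
}

/* Hypothetical helper: 1 if a message (facility name, priority) is selected
 * by a field such as "auth.info;authpriv.info". A later selector for the
 * same facility overrides an earlier one ("*.notice;authpriv.none"). */
int selector_matches(const char *selectors, const char *facility, int pri)
{
    char buf[256];
    int hit = 0;
    strncpy(buf, selectors, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    for (char *sel = strtok(buf, ";"); sel; sel = strtok(NULL, ";")) {
        char *dot = strchr(sel, '.');
        if (dot == NULL)
            continue;                 /* malformed selector: ignore */
        *dot = '\0';
        if (strcmp(sel, "*") != 0 && strcmp(sel, facility) != 0)
            continue;                 /* selector is for another facility */
        int level = level_of(dot + 1);
        /* Lower number = more severe; a selector takes its level and above. */
        hit = (level >= 0 && pri <= level);
    }
    return hit;
}

int main(void)
{
    /* Constructed check: the LOG_DEBUG message from the excerpt. */
    printf("auth.info  -> %d\n", selector_matches("auth.info;authpriv.info", "auth", LOG_DEBUG));
    printf("auth.debug -> %d\n", selector_matches("auth.debug;authpriv.info", "auth", LOG_DEBUG));
    return 0;
}
```

The excerpt's syslog() call sits inside #ifdef LOGGING, so it is compiled into passwd only when LOGGING is defined at build time; a matching selector cannot log a message the binary never sends.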


Re: passwd logging

2005-01-14 Thread Sean Murphy
Chuck Swiger wrote:
> Sean Murphy wrote:
> > Chuck Swiger wrote:
> > > Look at syslogd (/etc/syslog.conf) and /var/log/security or
> > > /var/log/auth.log; I suspect that what you want to see is already
> > > being logged there.
> >
> > I checked out syslog.conf and did not see what to uncomment to add
> > the passwd logging. It currently logs bad logins and su but not
> > successful changed passwds. Then I had a look at /var/log/security but
> > nothing was in that file. Hmm, would I have to add a line to the
> > syslog.conf file to log this type of activity?
>
> Take a look at the end of /usr/src/usr.bin/passwd/local_passwd.c:
>
> [ ... ]
>         if (!pw_mkdb(uname))
>                 pw_error((char *)NULL, 0, 1);
> #ifdef LOGGING
>         syslog(LOG_DEBUG, "user %s changed their local password\n",
>             uname);
> #endif
>         return (0);
> }
>
> This message is being logged at DEBUG priority level, so I believe you
> should change the line in /etc/syslog.conf from auth.info to
> auth.debug and restart syslogd.
>
> Or you could adjust this code to log using a higher priority (or write
> the info to a file directly, or whatever else you like), and build and
> reinstall the passwd binary with your changes.

Tried the syslog; changed it to auth.debug, restarted the daemon, tried
changing my password, but it did not log the successful change. Here is my
syslog.conf file:

# $FreeBSD: src/etc/syslog.conf,v 1.13.2.4 2003/05/12 13:59:23 yar Exp $
#
#   Spaces ARE valid field separators in this file. However,
#   other *nix-like systems still insist on using tabs as field
#   separators. If you are sharing this file between systems, you
#   may want to use only tabs as field separators here.
#   Consult the syslog.conf(5) manpage.
*.err;kern.debug;auth.notice;mail.crit          /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*                                      /var/log/security
auth.debug;authpriv.info                        /var/log/auth.log
mail.info                                       /var/log/maillog
lpr.info                                        /var/log/lpd-errs
cron.*                                          /var/log/cron
*.emerg                                         *
# uncomment this to log all writes to /dev/console to /var/log/console.log
#console.info                                   /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.*                                            /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.*                                            @loghost
# uncomment these if you're running inn
# news.crit                                     /var/log/news/news.crit
# news.err                                      /var/log/news/news.err
# news.notice                                   /var/log/news/news.notice
!startslip
*.*                                             /var/log/slip.log
!ppp
*.*                                             /var/log/ppp.log

Anything wrong with this conf?