SLES server won't log login information by default
This document (7002758) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Server 10
Situation
On a SLES11SP1 server (fully patched), successful user logins are not recorded by default, failed login attempts are.
Resolution
There are several ways to fix this, here are a couple of them (this is not an exhaustive list):
1. Install auditd.
If you install auditd, by default it will log login information to /var/log/audit/audit.log.
NOTE: If you install auditd, it doesn't enable logging by default, you must use the command 'auditctl -e1' each time you restart the server or auditd, or you can put the '-e1' in the /etc/audit/audit.rules file and it will be persistent across boots.
2. Configure pam to log authentication information:
If you edit the /etc/pam.d/common-sessions file, and add 'session required pam_warn.so' at the bottom, this will send authentication information to the /var/log/messages file.
Note: If you are using NetIQ Sentinel, there is a script included (wtmpsetup) in the SLES Collector Pack which will monitor the wtmp and btmp files for logins and generate a suslog message to record the activity.
1. Install auditd.
If you install auditd, by default it will log login information to /var/log/audit/audit.log.
NOTE: If you install auditd, it doesn't enable logging by default, you must use the command 'auditctl -e1' each time you restart the server or auditd, or you can put the '-e1' in the /etc/audit/audit.rules file and it will be persistent across boots.
2. Configure pam to log authentication information:
If you edit the /etc/pam.d/common-sessions file, and add 'session required pam_warn.so' at the bottom, this will send authentication information to the /var/log/messages file.
Note: If you are using NetIQ Sentinel, there is a script included (wtmpsetup) in the SLES Collector Pack which will monitor the wtmp and btmp files for logins and generate a suslog message to record the activity.
Cause
By default there is nothing implemented to log or audit authentication information (logins).
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7002758
- Creation Date: 02-Apr-2012
- Modified Date:04-Oct-2022
-
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
