passwd logging
Sean Murphy
smurphy at calarts.edu
Fri Jan 14 16:41:31 PST 2005
Chuck Swiger wrote:
> Sean Murphy wrote:
>
>> Chuck Swiger wrote:
>>
>>> Look at syslogd (/etc/syslog.conf) and /var/log/security or
>>> /var/log/auth.log, I suspect that what you want to see is already
>>> being logged there.
>>>
>> I checked out syslog.conf and did not see what to uncomment to add
>> the passwd logging. It currently logs bad logins and su but not
>> successful changed passwds. Then I had a look at /var/log/security but
>> nothing was in that file. Hmm, would I have to add a line to the
>> syslog.conf file to log this type of activity?
>
>
> Take a look at the end of /usr/src/usr.bin/passwd/local_passwd.c:
>
> [ ... ]
>         if (!pw_mkdb(uname))
>                 pw_error((char *)NULL, 0, 1);
> #ifdef LOGGING
>         syslog(LOG_DEBUG, "user %s changed their local password\n",
>             uname);
> #endif
>         return (0);
> }
>
> This message is being logged at DEBUG priority level, so I believe you
> should change the line in /etc/syslog.conf from "auth.info" to
> "auth.debug" and restart syslogd.
>
> Or you could adjust this code to log using a higher priority (or write
> the info to a file directly, or whatever else you like), and build and
> reinstall the passwd binary with your changes.
>
Tried the syslog: changed it to auth.debug, restarted the daemon, tried
changing my password, but it did not log the successful change. Here is my
syslog.conf file:
# $FreeBSD: src/etc/syslog.conf,v 1.13.2.4 2003/05/12 13:59:23 yar Exp $
#
# Spaces ARE valid field separators in this file. However,
# other *nix-like systems still insist on using tabs as field
# separators. If you are sharing this file between systems, you
# may want to use only tabs as field separators here.
# Consult the syslog.conf(5) manpage.
*.err;kern.debug;auth.notice;mail.crit /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.* /var/log/security
auth.debug;authpriv.info /var/log/auth.log
mail.info /var/log/maillog
lpr.info /var/log/lpd-errs
cron.* /var/log/cron
*.emerg *
# uncomment this to log all writes to /dev/console to /var/log/console.log
#console.info /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.* /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.* @loghost
# uncomment these if you're running inn
# news.crit /var/log/news/news.crit
# news.err /var/log/news/news.err
# news.notice /var/log/news/news.notice
!startslip
*.* /var/log/slip.log
!ppp
*.* /var/log/ppp.log
Anything wrong with this conf?
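
To check where the posted syslog.conf would route a given message, here is a simplified selector matcher, added as an example and not part of the original thread or of syslogd. It covers only plain `facility.level` selectors, `none`, `*` and `!program` blocks; the function names are hypothetical, and the facility passwd logs under (`auth` here) is an assumption.

```python
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Selector lines copied from the syslog.conf posted above (wrapped line rejoined).
CONF = """\
*.err;kern.debug;auth.notice;mail.crit /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.* /var/log/security
auth.debug;authpriv.info /var/log/auth.log
!ppp
*.* /var/log/ppp.log
"""

def selector_matches(selectors, facility, level):
    """Apply ';'-separated selectors left to right; the last one that names
    the facility (or '*') decides, which is how 'authpriv.none' excludes."""
    matched = False
    for sel in selectors.split(";"):
        facs, _, lvl = sel.rpartition(".")
        names = facs.split(",")
        if "*" not in names and facility not in names:
            continue
        if lvl == "none":
            matched = False
        else:
            # A level selects that priority and everything more severe.
            matched = lvl == "*" or LEVELS.index(level) <= LEVELS.index(lvl)
    return matched

def destinations(conf, facility, level, program):
    """Return the actions that would receive this message from `program`."""
    out, prog_filter = [], None
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):  # '!prog' limits the lines that follow it
            prog_filter = None if line == "!*" else line[1:]
            continue
        selectors, action = line.split(None, 1)
        if prog_filter in (None, program) and selector_matches(selectors, facility, level):
            out.append(action)
    return out

if __name__ == "__main__":
    print(destinations(CONF, "auth", "debug", "passwd"))
```

Under these assumptions an auth.debug message from passwd is routed to /var/log/auth.log by this file. Routing only applies to messages that are actually emitted, and the quoted syslog() call sits inside `#ifdef LOGGING`, so it exists only in a passwd binary built with LOGGING defined.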