not logging invalid usernames in audit.log

General support questions
Post Reply
irkuo
Posts: 2
Joined: 2018/06/26 18:19:31

not logging invalid usernames in audit.log

Post by irkuo » 2018/06/29 21:19:38

We have a requirement to not log any usernames that are not in our system in logs. However, audit.log which is automatically generates logs invalid usernames when logging in attempts PAM authentication. Is there anyway to prevent this particular log without disabling the whole audit.log?


[root@nfvis audit]# pwd
/var/log/audit
[root@nfvis audit]# ls
audit.log
[root@nfvis audit]# grep stranger *
type=USER_AUTH msg=audit(1525830572.180:698): pid=19526 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:authentication grantors=? acct="stranger" hostname=172.19.125.42 addr=172.19.125.42 terminal=? res=failed'
[root@nfvis audit]#

lightman47
Posts: 662
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: not logging invalid usernames in audit.log

Post by lightman47 » 2018/06/29 22:16:32

audit is not the only log that records failed login attempts.

Perhaps the "require-ers" would like a scripted report derived from the audit.log that didn't contain the failed attempts? What is it that they actually want to see?
"Please solve your problems in advance so we can help you more"
- unknown

irkuo
Posts: 2
Joined: 2018/06/26 18:19:31

Re: not logging invalid usernames in audit.log

Post by irkuo » 2018/07/09 22:38:28

Which other logs also include invalid usernames?

Currently for logs we generate on our end, invalid usernames are logged as "[Withheld] attempted logging in...". Require-ers on our end would like linux logs to comply with that as well, which I'm not sure is possible?

Post Reply