We have a requirement to not log any usernames that are not in our system in logs. However, audit.log, which is automatically generated, logs invalid usernames when a login attempts PAM authentication. Is there any way to prevent this particular log without disabling the whole audit.log?
[root@nfvis audit]# pwd
/var/log/audit
[root@nfvis audit]# ls
audit.log
[root@nfvis audit]# grep stranger *
type=USER_AUTH msg=audit(1525830572.180:698): pid=19526 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:authentication grantors=? acct="stranger" hostname=172.19.125.42 addr=172.19.125.42 terminal=? res=failed'
[root@nfvis audit]#
not logging invalid usernames in audit.log
Re: not logging invalid usernames in audit.log
audit is not the only log that records failed login attempts.
Perhaps the "require-ers" would like a scripted report derived from the audit.log that didn't contain the failed attempts? What is it that they actually want to see?
Re: not logging invalid usernames in audit.log
Which other logs also include invalid usernames?
Currently for logs we generate on our end, invalid usernames are logged as "[Withheld] attempted logging in...". Require-ers on our end would like Linux logs to comply with that as well, which I'm not sure is possible?
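The scripted report suggested in the reply above, sketched as an added example (not code from any poster in this thread): it copies audit records and replaces every acct= value that does not name a known account with the "[Withheld]" marker mentioned in the last post. The function names, the known-user set and the second and third sample records are assumptions made for the illustration.

```python
import re

# acct= is normally quoted; auditd writes it as bare hex when the name
# contains spaces, quotes or non-printable characters.
ACCT_RE = re.compile(r'\bacct=(?:"([^"]*)"|(\S+?))(?=\s|\'|$)')

def decode_acct(match):
    """Return the account name from an acct= match, or None if undecodable."""
    quoted, bare = match.groups()
    if quoted is not None:
        return quoted
    try:
        return bytes.fromhex(bare).decode("utf-8")
    except ValueError:  # not hex or not UTF-8: treat as unknown (fail closed)
        return None

def redact_line(line, known_users, placeholder="[Withheld]"):
    """Mask the acct= value unless it names an account in known_users."""
    def repl(match):
        if decode_acct(match) in known_users:
            return match.group(0)
        return 'acct="%s"' % placeholder
    return ACCT_RE.sub(repl, line)

def redact_report(lines, known_users):
    """Return redacted copies of the records; audit.log itself is untouched."""
    return [redact_line(line, known_users) for line in lines]

def system_accounts():
    """Local/NSS account names; assumed here to define "in our system"."""
    import pwd
    return {entry.pw_name for entry in pwd.getpwall()}

# Sample records: the first is the one quoted in the thread, the other two
# are constructed (a valid login and a hex-encoded unknown name, "bad user").
SAMPLE = [
    """type=USER_AUTH msg=audit(1525830572.180:698): pid=19526 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:authentication grantors=? acct="stranger" hostname=172.19.125.42 addr=172.19.125.42 terminal=? res=failed'""",
    """type=USER_AUTH msg=audit(1525830601.412:702): pid=19588 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="admin" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'""",
    """type=USER_AUTH msg=audit(1525830644.007:705): pid=19601 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct=6261642075736572 hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=failed'""",
]

if __name__ == "__main__":
    for record in redact_report(SAMPLE, {"admin"}):
        print(record)
```

The output is a derived copy for whoever reads the report; the records in /var/log/audit/audit.log still contain the original names, so access to that file has to be restricted separately.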