Privileged Services

Facility Keyword

Software Process

Log File

Authpriv

See list that follows

secure

The following privileged services log messages to the secure log file with a software process identifier if shown.

>useradd[pid]

>chage[pid]

>passwd

>usermod[pid]

>login

>groupadd[pid]

Expected Log Messages

useradd

2012 Feb 29 12:05:01 myLuna  authpriv info  useradd[1234]: new user: name=recover, UID=0, GID=0, home=/home/recover, shell=/usr/lunasa/bin/recover
2012 Feb 29 12:05:01 myLuna  authpriv info  useradd[1234]: new user: name=<admin | monitor | operator>, UID=0, GID=0, home=/home/admin, shell=/usr/lunasa/lush/lush
2012 Feb 29 12:05:01 myLuna  authpriv info  useradd[1234]: new user: name=mysql, UID=500, GID=500, home=/usr/local/mysql, shell=/sbin/nologin

These messages indicate that the Linux utility useradd(1) successfully created accounts for the identified user (e.g., recover, admin, monitor, operatory or mysql).

chage

2012 Feb 29 12:05:01 myLuna  authpriv info  chage[1234]: changed password expiry for <username>

This message indicates that the Linux utility chage(1) successfully changed the number of days between password changes and the date of the last password change for <username>. <username> is one of “admin”, “operator”, “monitor” or a user created by an administrator.

passwd

2012 Feb 29 12:05:01 myLuna  authpriv notice  passwd: pam_unix(passwd:chauthtok): password changed for admin

This message indicates that the Linux utility passwd(1) successfully updated the admin user’s authentication token.

usermod

2012 Feb 29 12:05:01 myLuna  authpriv info  authpriv info  usermod[1234]: change user '<username>' password

This message indicates that the Linux utility usermod(1) successfully updated the login information for <username>. <username> is one of “admin”, “operator”, “monitor” or “audit.”

login

2012 Feb 29 12:05:01 myLuna  authpriv  authpriv info  login: pam_unix(login:session): session opened for user < admin | recover>  by LOGIN(uid=0)
2012 Feb 29 12:05:01 myLuna  authpriv authpriv info  login: pam_unix(login:session): session closed for user <admin | recover>
2012 Feb 29 12:05:01 myLuna  authpriv authpriv info  login: DIALUP AT ttyS0 BY <admin | recover>

The first two messages indicate that the Linux utility login(1) successfully established a new session with the SafeNet Luna Network HSM appliance or terminated a session. The third message indicates that the session is via the serial port on the front console of the appliance.

groupadd

2012 Feb 29 12:05:01 myLuna  authpriv authpriv info  groupadd[2558]: new group: name=<uucp | mysql>, GID=<14 | 500>

This message indicates that the Linux utility groupadd(1) successfully created a new group definition with the GID shown. The <gid> for uucp is 14; for mysql, 500.

Unexpected Log Messages

Under normal circumstances, you should not see any of these log messages. If you do, please contact Thales Group Technical Support to report the message and seek guidance on what to do next.

login

2012 Feb 29 12:05:01 myLuna  authpriv authpriv alert  login: pam_unix(login:auth): check pass; user unknown
2012 Feb 29 12:05:01 myLuna  authpriv authpriv notice  login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=ttyS0 ruser=<user name> rhost=192.168.0.100
2012 Feb 29 12:05:01 myLuna  authpriv authpriv crit  login: pam_succeed_if(login:auth): error retrieving information about user <user name>
2012 Feb 29 12:05:01 myLuna  authpriv authpriv notice  login: FAILED LOGIN 1 FROM (null) FOR <user name>, User not known to the underlying authentication module
2012 Feb 29 12:05:01 myLuna  authpriv authpriv alert  login: PAM service(login) ignoring max retries; 4 > 3
2012 Feb 29 12:05:01 myLuna  authpriv authpriv err  login: Authentication failure

These messages indicate failure on the part of an administrator to login to the SafeNet Luna Network HSM appliance. The first four messages indicate that the login attempt was with a username unknown to the appliance. The fifth message indicates that the threshold number of failed login attempts has been reached or exceeded. The last message is the Luna IS-specific message in place of the second message above.