Privileged Services
| Facility Keyword | Software Process | Log File |
|---|---|---|
| | See list that follows | |
The following privileged services log messages to the secure log file, with a software process identifier where shown.
- useradd[pid]
- chage[pid]
- passwd
- usermod[pid]
- login
- groupadd[pid]
Expected Log Messages
useradd
2012 Feb 29 12:05:01 myLuna authpriv info useradd[1234]: new user: name=recover, UID=0, GID=0, home=/home/recover, shell=/usr/lunasa/bin/recover
2012 Feb 29 12:05:01 myLuna authpriv info useradd[1234]: new user: name=<admin | monitor | operator>, UID=0, GID=0, home=/home/admin, shell=/usr/lunasa/lush/lush
2012 Feb 29 12:05:01 myLuna authpriv info useradd[1234]: new user: name=mysql, UID=500, GID=500, home=/usr/local/mysql, shell=/sbin/nologin
These messages indicate that the Linux utility useradd(1) successfully created accounts for the identified users (e.g., recover, admin, monitor, operator or mysql).
chage
2012 Feb 29 12:05:01 myLuna authpriv info chage[1234]: changed password expiry for <username>
This message indicates that the Linux utility chage(1) successfully changed the number of days between password changes and the date of the last password change for <username>. <username> is one of “admin”, “operator”, “monitor” or a user created by an administrator.
passwd
2012 Feb 29 12:05:01 myLuna authpriv notice passwd: pam_unix(passwd:chauthtok): password changed for admin
This message indicates that the Linux utility passwd(1) successfully updated the admin user’s authentication token.
usermod
2012 Feb 29 12:05:01 myLuna authpriv info authpriv info usermod[1234]: change user '<username>' password
This message indicates that the Linux utility usermod(1) successfully updated the login information for <username>. <username> is one of “admin”, “operator”, “monitor” or “audit.”
login
2012 Feb 29 12:05:01 myLuna authpriv authpriv info login: pam_unix(login:session): session opened for user < admin | recover> by LOGIN(uid=0)
2012 Feb 29 12:05:01 myLuna authpriv authpriv info login: pam_unix(login:session): session closed for user <admin | recover>
2012 Feb 29 12:05:01 myLuna authpriv authpriv info login: DIALUP AT ttyS0 BY <admin | recover>
The first two messages indicate that the Linux utility login(1) successfully established a new session with the Luna Network HSM appliance or terminated a session. The third message indicates that the session is via the serial port on the front console of the appliance.
groupadd
2012 Feb 29 12:05:01 myLuna authpriv authpriv info groupadd[2558]: new group: name=<uucp | mysql>, GID=<14 | 500>
This message indicates that the Linux utility groupadd(1) successfully created a new group definition with the GID shown. The <gid> for uucp is 14; for mysql, 500.
Unexpected Log Messages
Under normal circumstances, you should not see any of these log messages. If you do, please contact Thales Technical Support to report the message and seek guidance on what to do next.
login
2012 Feb 29 12:05:01 myLuna authpriv authpriv alert login: pam_unix(login:auth): check pass; user unknown
2012 Feb 29 12:05:01 myLuna authpriv authpriv notice login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=ttyS0 ruser=<user name> rhost=192.168.0.100
2012 Feb 29 12:05:01 myLuna authpriv authpriv crit login: pam_succeed_if(login:auth): error retrieving information about user <user name>
2012 Feb 29 12:05:01 myLuna authpriv authpriv notice login: FAILED LOGIN 1 FROM (null) FOR <user name>, User not known to the underlying authentication module
2012 Feb 29 12:05:01 myLuna authpriv authpriv alert login: PAM service(login) ignoring max retries; 4 > 3
2012 Feb 29 12:05:01 myLuna authpriv authpriv err login: Authentication failure
These messages indicate a failed attempt by an administrator to log in to the Luna Network HSM appliance. The first four messages indicate that the login attempt was made with a username unknown to the appliance. The fifth message indicates that the threshold number of failed login attempts has been reached or exceeded. The last message is the Luna IS-specific message that appears in place of the second message above.
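The expected and unexpected messages listed above can be checked mechanically when reviewing an exported secure log. The following is an added example, not code from the product or its documentation: it assumes the field layout shown in the samples on this page, the names `LINE_RE`, `EXPECTED`, `UNEXPECTED_LOGIN` and `classify` are hypothetical, and the sample lines are constructed.

```python
import re

# Layout in this page's samples: "YYYY Mon DD HH:MM:SS host facility severity proc[pid]: msg".
# Some samples repeat the facility/severity tokens, so the pattern tolerates that.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} [\d:]{8}) (?P<host>\S+) "
    r"(?:authpriv )+(?P<sev>\w+) (?:authpriv \w+ )?"
    r"(?P<proc>\w+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Message prefixes the page lists as expected, keyed by privileged service.
EXPECTED = {
    "useradd": [r"new user: "],
    "chage": [r"changed password expiry for "],
    "passwd": [r"pam_unix\(passwd:chauthtok\): password changed for "],
    "usermod": [r"change user "],
    "groupadd": [r"new group: "],
    "login": [r"pam_unix\(login:session\): session (opened|closed) for user ",
              r"DIALUP AT "],
}
# login messages the page lists as unexpected; these are the ones to report.
UNEXPECTED_LOGIN = [
    r"check pass; user unknown", r"authentication failure;",
    r"error retrieving information about user", r"FAILED LOGIN \d+ FROM ",
    r"ignoring max retries", r"Authentication failure$",
]

def classify(line):
    """Return (verdict, fields): expected, unexpected, unrecognized or unparsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return "unparsed", {}
    f = m.groupdict()
    if f["proc"] == "login" and any(re.search(p, f["msg"]) for p in UNEXPECTED_LOGIN):
        return "unexpected", f
    if any(re.match(p, f["msg"]) for p in EXPECTED.get(f["proc"], [])):
        return "expected", f
    return "unrecognized", f

# Constructed sample lines in the page's format, placeholders filled with made-up names.
SAMPLE = """\
2012 Feb 29 12:05:01 myLuna authpriv info useradd[1234]: new user: name=mysql, UID=500, GID=500, home=/usr/local/mysql, shell=/sbin/nologin
2012 Feb 29 12:05:01 myLuna authpriv info authpriv info usermod[1234]: change user 'operator' password
2012 Feb 29 12:05:01 myLuna authpriv authpriv notice login: FAILED LOGIN 1 FROM (null) FOR bob, User not known to the underlying authentication module
2012 Feb 29 12:05:01 myLuna authpriv authpriv alert login: PAM service(login) ignoring max retries; 4 > 3
"""

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        print(classify(line)[0], "|", line)
```

Lines classified as `unrecognized` come from a listed service but match none of the messages documented here, so they are worth reviewing alongside the `unexpected` ones.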