Date: Fri, 14 Jan 2005 16:41:28 -0800
From: Sean Murphy <smurphy@calarts.edu>
To: freebsd-questions@freebsd.org
Subject: Re: passwd logging
Message-ID: <41E866B8.4050702@calarts.edu>
In-Reply-To: <41E86149.4040801@mac.com>
References: <41E85835.6030705@calarts.edu> <41E859B9.4080009@mac.com> <41E85E2A.7040907@calarts.edu> <41E86149.4040801@mac.com>

Chuck Swiger wrote:
> Sean Murphy wrote:
>
>> Chuck Swiger wrote:
>>
>>> Look at syslogd (/etc/syslog.conf) and /var/log/security or
>>> /var/log/auth.log, I suspect that what you want to see is already
>>> being logged there.
>>>
>> I checked out syslog.conf and did not see what to uncomment to add
>> the passwd logging it currently logs bad logins and su but not
>> successful changed passwds then I had a look at /var/log/security but
>> nothing was in that file. hmm would I have to add a line to the
>> syslog.conf file to log this type of activity?
>
>
> Take a look at the end of /usr/src/usr.bin/passwd/local_passwd.c:
>
> [ ... ]
>         if (!pw_mkdb(uname))
>                 pw_error((char *)NULL, 0, 1);
> #ifdef LOGGING
>         syslog(LOG_DEBUG, "user %s changed their local password\n",
>             uname);
> #endif
>         return (0);
> }
>
> This message is being logged at DEBUG priority level, so I believe you
> should change the line in /etc/syslog.conf from "auth.info" to
> "auth.debug" and restart syslogd.
>
> Or you could adjust this code to log using a higher priority (or write
> the info to a file directly, or whatever else you like), and build and
> reinstall the passwd binary with your changes.
>

Tried the syslog, changed it to auth.debug, restarted the daemon, tried
changing my password, but it did not log the successful change.

Here is my syslog.conf file:

# $FreeBSD: src/etc/syslog.conf,v 1.13.2.4 2003/05/12 13:59:23 yar Exp $
#
#       Spaces ARE valid field separators in this file. However,
#       other *nix-like systems still insist on using tabs as field
#       separators. If you are sharing this file between systems, you
#       may want to use only tabs as field separators here.
#       Consult the syslog.conf(5) manpage.
*.err;kern.debug;auth.notice;mail.crit          /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*                                      /var/log/security
auth.debug;authpriv.info                        /var/log/auth.log
mail.info                                       /var/log/maillog
lpr.info                                        /var/log/lpd-errs
cron.*                                          /var/log/cron
*.emerg                                         *
# uncomment this to log all writes to /dev/console to /var/log/console.log
#console.info                                   /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.*                                            /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.*                                            @loghost
# uncomment these if you're running inn
# news.crit                                     /var/log/news/news.crit
# news.err                                      /var/log/news/news.err
# news.notice                                   /var/log/news/news.notice
!startslip
*.*                                             /var/log/slip.log
!ppp
*.*                                             /var/log/ppp.log

Anything wrong with this conf?
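
The selector question this message ends on, as an added example that is not part of the original e-mail and is not syslogd's own code: a simplified evaluator for syslog.conf(5) selectors, run over the active lines of the posted file. It assumes the passwd message arrives with facility auth, as the quoted advice presumes; the names selector_matches and destinations are hypothetical.

```python
# Simplified syslog.conf(5) selector model (illustrative, not syslogd's code):
# "facility.level" matches that level and anything more severe, "none" excludes
# a facility, a later selector on a line overrides an earlier one, and "!prog"
# scopes following lines to one program. Flags (=, <, >) are not modelled.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Constructed sample: the active (uncommented) lines of the posted file.
POSTED_CONF = """\
*.err;kern.debug;auth.notice;mail.crit /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.* /var/log/security
auth.debug;authpriv.info /var/log/auth.log
mail.info /var/log/maillog
lpr.info /var/log/lpd-errs
cron.* /var/log/cron
*.emerg *
!startslip
*.* /var/log/slip.log
!ppp
*.* /var/log/ppp.log
"""

# True if the semicolon-separated selector list accepts facility.level.
def selector_matches(selectors, facility, level):
    matched = False
    for sel in selectors.split(";"):
        facs, _, lvl = sel.partition(".")
        if not {"*", facility} & set(facs.split(",")):
            continue  # this selector does not mention our facility
        if lvl in ("none", "*"):
            matched = lvl == "*"
        else:  # lower index means more severe
            matched = LEVELS.index(level) <= LEVELS.index(lvl)
    return matched

# Actions that would receive a message from `program`, in file order.
def destinations(conf, facility, level, program):
    out, scope = [], "*"
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("!"):
            scope = line[1:].strip()  # program block, e.g. "!ppp"
        elif line and not line.startswith("#"):
            selectors, action = line.split(None, 1)
            if scope in ("*", program) and selector_matches(selectors, facility, level):
                out.append(action)
    return out
```

Under this model the posted file does route an auth.debug message to /var/log/auth.log, while the earlier "auth.info" selector would have dropped it. The quoted snippet also shows the syslog() call sitting inside `#ifdef LOGGING`, so the call exists only in a passwd binary built with LOGGING defined.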