Configure Pluggable Authentication Modules (PAM) to audit sign-in events
This article provides a sample process for configuring Pluggable Authentication Modules (PAM) to audit SSH, Telnet, and terminal sign-in events on an unmodified Ubuntu 20.04 or 18.04 installation.
PAM configurations may vary between devices and Linux distributions.
For more information, see Login collector (event-based collector).
Before you get started, make sure that you have a Defender for IoT Micro Agent.
Configuring PAM requires technical knowledge.
For more information, see Tutorial: Install the Defender for IoT micro agent.
Modify PAM configuration to report sign-in and sign-out events
This procedure provides a sample process for configuring the collection of successful sign-in events.
Our example is based on an unmodified Ubuntu 20.04 or 18.04 installation, and the steps in this process may differ for your system.
Locate the following files:
Append the following lines to the end of each file:
// report login session [default=ignore] pam_exec.so type=open_session /usr/libexec/defender_iot_micro_agent/pam/pam_audit.sh 0 // report logout session [default=ignore] pam_exec.so type=close_session /usr/libexec/defender_iot_micro_agent/pam/pam_audit.sh 1
Modify the PAM configuration to report sign-in failures
This procedure provides a sample process for configuring the collection of failed sign-in attempts.
This example in this procedure is based on an unmodified Ubuntu 18.04 or 20.04 installation. The files and commands listed below may differ per configuration or as a result of modifications.
/etc/pam.d/common-authfile and look for the following lines:
# here are the per-package modules (the "Primary" block) auth [success=1 default=ignore] pam_unix.so nullok_secure # here's the fallback if no module succeeds auth requisite pam_deny.so
This section authenticates via the
pam_unix.somodule. In case of authentication failure, this section continues to the
pam_deny.somodule to prevent access.
Replace the indicated lines of code with the following:
# here are the per-package modules (the "Primary" block) auth [success=1 default=ignore] pam_unix.so nullok_secure auth [success=1 default=ignore] pam_exec.so quiet /usr/libexec/defender_iot_micro_agent/pam/pam_audit.sh 2 auth [success=1 default=ignore] pam_echo.so # here's the fallback if no module succeeds auth requisite pam_deny.so
In this modified section, PAM skips one module to the
pam_echo.somodule, and then skips the
pam_deny.somodule and authenticates successfully.
In case of failure, PAM continues to report the sign-in failure to the agent log file, and then skips one module to the
pam_deny.somodule, which blocks access.
Validate your configuration
This procedure describes how to verify that you've configured PAM correctly to audit sign-in events.
Sign in to the device using SSH, and then sign-out.
Sign in to the device using SSH, using incorrect credentials to create a failed sign-in event.
Access your device and run the following command:
Verify that lines similar to the following are logged, for a successful sign-in (
open_session), sign-out (
close_session), and a sign-in failure (
2021-10-31T18:10:31+02:00,16356631,2589842,open_session,sshd,user,192.168.0.101,ssh,0 2021-10-31T18:26:19+02:00,16356719,199164,close_session,sshd, user,192.168.0.201,ssh,1 2021-10-28T17:44:13+03:00,163543223,3572596,auth,sshd,user,184.108.40.206,ssh,2
Repeat the verification procedure with Telnet and terminal connections.
For more information, see Micro agent event collection.