Pluggable Authentication Modules (PAM)

Linux Pluggable Authentication Modules (PAM) is a suite of libraries that allows a Linux system administrator to configure methods to authenticate users. It provides a flexible and centralized way to switch authentication methods for secured applications by using configuration files instead of changing application code. There are Linux PAM libraries allowing authentication using methods such as local passwords, LDAP, or fingerprint readers. Linux PAM is evolved from the Unix Pluggable Authentication Modules architecture.

These PAM log messages are logged by the linux kernel to /var/log/auth.log and must be read from there. Syslog-ng or similar should be configured to read log messages from this file and forward those messages to the LogZilla server.

Rule Function

The purpose of this rule is to set various user tags for the fields in the PAM log messages.

Vendor Documentation

• Linux-PAM Website
• Linux PAM - Wikipedia
• An introduction to Pluggable Authentication Modules (PAM) in Linux

Log Source Details

Item	Value
Vendor	any linux distribution
Device Type	linux OS
Supported Software Version(s)	any distribution with PAM and syslog-ng
Collection Method	Syslog
Configurable Log Output?	no
Log Source Type	linux syslog
Exceptions	N/A

Currently Supported Log Types

The log format is a standard linux kernel syslog log message. There are no key-value pairs and minimal space-separated values. The log message should be in the following format:

pam_unix(<process name>:<context>): <authentication message>

The <authentication message> should be in one of the following two formats:

session <action> for user <user>

authentication failure; logname= uid=0
euid=0 tty=<tty> ruser= rhost=<src host>  user=<user>

Parsed Metadata Fields

The PAM log messages do not have key-value pairs and fixed fields are minimal. The data values parsed from the PAM message are:

Tagged	Field	Tag Name	Example	Description
	<process name>		sudo	process name initiating the PAM request
☑	<action>	PAM Action	opened	session opened or closed
☑	<user>	PAM User Tracking	root	user account being authenticated
☑	<tty>	PAM tty	ssh	terminal originating PAM request
☑	<rhost>	PAM Remote Host	11.22.33.44	host originating PAM request
☑	<ruser>	PAM Remote User	vmuser	user originating PAM request

High-Cardinality (HC) Tags

• PAM Remote Host

Log Examples

Feb  3 19:08:47 ubuntu-server-vm login[708]: pam_unix(login:session): session opened for user vmuser by LOGIN(uid=0)
Feb  3 19:08:47 ubuntu-server-vm systemd[1019]: pam_unix(systemd-user:session): session opened for user vmuser by (uid=0)
Feb  3 19:14:06 ubuntu-server-vm sudo[2302]: pam_unix(sudo:session): session opened for user root by vmuser(uid=0)
Feb  3 19:14:10 ubuntu-server-vm sudo[2302]: pam_unix(sudo:session): session closed for user root
Feb  3 20:09:30 ubuntu-server-vm sshd[4310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.250.2  user=vmuser
Feb  3 20:13:31 ubuntu-server-vm sshd[4338]: pam_unix(sshd:session): session opened for user vmuser by (uid=0)