Pluggable Authentication Modules (PAM)
Linux Pluggable Authentication Modules (PAM) is a suite of libraries that allows a Linux system administrator to configure methods to authenticate users. It provides a flexible and centralized way to switch authentication methods for secured applications by using configuration files instead of changing application code. There are Linux PAM libraries allowing authentication using methods such as local passwords, LDAP, or fingerprint readers. Linux PAM is evolved from the Unix Pluggable Authentication Modules architecture.
These PAM log messages are logged by the linux kernel to /var/log/auth.log and must be read from there. Syslog-ng or similar should be configured to read log messages from this file and forward those messages to the LogZilla server.
Rule Function
The purpose of this rule is to set various user tags for the fields in the PAM log messages.
Vendor Documentation
- Linux-PAM Website
- Linux PAM - Wikipedia
- An introduction to Pluggable Authentication Modules (PAM) in Linux
Log Source Details
| Item | Value |
|---|---|
| Vendor | any linux distribution |
| Device Type | linux OS |
| Supported Software Version(s) | any distribution with PAM and syslog-ng |
| Collection Method | Syslog |
| Configurable Log Output? | no |
| Log Source Type | linux syslog |
| Exceptions | N/A |
Currently Supported Log Types
The log format is a standard linux kernel syslog log message. There are no key-value pairs and minimal space-separated values. The log message should be in the following format:
The <authentication message> should be in one of the following two formats:
Parsed Metadata Fields
The PAM log messages do not have key-value pairs and fixed fields are minimal. The data values parsed from the PAM message are:
| Tagged | Field | Tag Name | Example | Description |
|---|---|---|---|---|
<process name> |
sudo |
process name initiating the PAM request | ||
| ☑ | <action> |
PAM Action |
opened |
session opened or closed |
| ☑ | <user> |
PAM User Tracking |
root |
user account being authenticated |
| ☑ | <tty> |
PAM tty |
ssh |
terminal originating PAM request |
| ☑ | <rhost> |
PAM Remote Host |
11.22.33.44 |
host originating PAM request |
| ☑ | <ruser> |
PAM Remote User |
vmuser |
user originating PAM request |
High-Cardinality (HC) Tags
PAM Remote Host
Log Examples
Feb 3 19:08:47 ubuntu-server-vm login[708]: pam_unix(login:session): session opened for user vmuser by LOGIN(uid=0)
Feb 3 19:08:47 ubuntu-server-vm systemd[1019]: pam_unix(systemd-user:session): session opened for user vmuser by (uid=0)
Feb 3 19:14:06 ubuntu-server-vm sudo[2302]: pam_unix(sudo:session): session opened for user root by vmuser(uid=0)
Feb 3 19:14:10 ubuntu-server-vm sudo[2302]: pam_unix(sudo:session): session closed for user root
Feb 3 20:09:30 ubuntu-server-vm sshd[4310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.250.2 user=vmuser
Feb 3 20:13:31 ubuntu-server-vm sshd[4338]: pam_unix(sshd:session): session opened for user vmuser by (uid=0)