iT邦幫忙

2024 iThome Ironman Challenge

DAY 23

Security

Security Log Analysis series, part 23

23. Linux authentication logs

Overview

This chapter records the logs that Ubuntu generates for authentication, logins and other privileged actions (sudo, su, SSH). On Ubuntu these entries are written by rsyslog to /var/log/auth.log (see the previous chapter) and can also be read with journalctl.

Procedure

Unlocking the login screen

Ubuntu uses GDM (GNOME Display Manager) as its default graphical login. Unlocking the session logs the GNOME keyring being unlocked through its PAM module (gkr-pam):

Oct  7 21:10:15 ubuntu gdm-password]: gkr-pam: unlocked login keyring

Sudo logs

Failed sudo privilege escalation

Command on the local host

ubuntu@ubuntu:/$ sudo su
[sudo] password for ubuntu: 
Sorry, try again.

Logs on the local host
Authentication runs as the ubuntu account, uid 1000 (ubuntu:x:1000:1000:ubuntu in /etc/passwd). In the line below uid=1000 is the caller, while euid=0 is sudo itself running setuid root:

Oct  7 20:58:57 ubuntu sudo: pam_unix(sudo:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/7 ruser=ubuntu rhost=  user=ubuntu

After the prompt is interrupted with Ctrl+C the following lines are added, and sudo records one failed attempt (1 incorrect password attempt). Note that the COMMAND field is present even though the command was never executed:

Oct  7 21:02:14 ubuntu sudo: pam_unix(sudo:auth): conversation failed
Oct  7 21:02:14 ubuntu sudo: pam_unix(sudo:auth): auth could not identify password for [ubuntu]
Oct  7 21:02:14 ubuntu sudo:   ubuntu : 1 incorrect password attempt ; TTY=pts/7 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/su

Successful sudo privilege escalation

Command on the local host

ubuntu@ubuntu:/$ sudo su
[sudo] password for ubuntu: 
root@ubuntu:/# 

Logs on the local host
There is no explicit "authentication succeeded" line. sudo records only the command, then (sudo:session) opens a session for root, and su in turn opens its own session. Because the command here is su, sudo logs only /usr/bin/su; whatever is typed afterwards in the root shell is not logged by sudo at all.

Oct  7 20:43:53 ubuntu sudo:   ubuntu : TTY=pts/5 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/su
Oct  7 20:43:53 ubuntu sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
Oct  7 20:43:53 ubuntu su: (to root) root on pts/6
Oct  7 20:43:53 ubuntu su: pam_unix(su:session): session opened for user root(uid=0) by ubuntu(uid=0)

Exiting sudo

Command on the local host

root@ubuntu:/# exit
exit
ubuntu@ubuntu:/$ 

Logs on the local host
The "session closed" lines do not record which TTY was exited:

Oct  7 20:56:27 ubuntu su: pam_unix(su:session): session closed for user root
Oct  7 20:56:27 ubuntu sudo: pam_unix(sudo:session): session closed for user root

SSH remote login

Wrong password (the account exists)

Command on the client (local host); the log below shows the attempt was made as the existing user ubuntu

root@training-virtual-machine:/home/training# ssh ubuntu@192.168.190.137
test@192.168.190.137's password: 
Permission denied, please try again.

Logs on the remote host

Oct  7 21:38:52 ubuntu sshd[3588]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.190.135  user=ubuntu
Oct  7 21:38:54 ubuntu sshd[3588]: Failed password for ubuntu from 192.168.190.135 port 34434 ssh2

Wrong password (the account does not exist)

Logs on the remote host
Additional "Invalid user" and "check pass; user unknown" messages appear. In the log this separates guesses at non-existent accounts (typical of automated scanning) from password attacks on real accounts; note also that the pam_unix line carries no user= field for an unknown user:

Oct  7 20:52:02 ubuntu sshd[3059]: Invalid user test from 192.168.190.135 port 34290
Oct  7 20:52:05 ubuntu sshd[3059]: pam_unix(sshd:auth): check pass; user unknown
Oct  7 20:52:05 ubuntu sshd[3059]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.190.135 
Oct  7 20:52:07 ubuntu sshd[3059]: Failed password for invalid user test from 192.168.190.135 port 34290 ssh2

Correct password

Command on the client (local host)

training@training-virtual-machine:~$ ssh ubuntu@192.168.190.137
ubuntu@192.168.190.137's password: 
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 6.8.0-40-generic x86_64)

Logs on the remote host
An "Accepted password" line appears, followed by the PAM session and the systemd-logind session:

Oct  7 21:43:18 ubuntu sshd[3596]: Accepted password for ubuntu from 192.168.190.135 port 34438 ssh2
Oct  7 21:43:18 ubuntu sshd[3596]: pam_unix(sshd:session): session opened for user ubuntu(uid=1000) by (uid=0)
Oct  7 21:43:18 ubuntu systemd-logind[838]: New session 9 of user ubuntu.

Closing the remote connection

Command on the client (local host)

ubuntu@ubuntu:~$ exit
logout
Connection to 192.168.190.137 closed.
training@training-virtual-machine:~$ 

Logs on the remote host
The account and the session that logged out are recorded. The disconnect lines come from a different sshd PID (3634, the unprivileged post-authentication child) than the "Accepted" and session lines (3596, the privileged monitor), which is OpenSSH privilege separation at work; correlate on user and source port rather than on PID:

Oct  7 21:47:30 ubuntu sshd[3634]: Received disconnect from 192.168.190.135 port 34438:11: disconnected by user
Oct  7 21:47:30 ubuntu sshd[3634]: Disconnected from user ubuntu 192.168.190.135 port 34438
Oct  7 21:47:30 ubuntu sshd[3596]: pam_unix(sshd:session): session closed for user ubuntu
Oct  7 21:47:30 ubuntu systemd-logind[838]: Session 9 logged out. Waiting for processes to exit.
Oct  7 21:47:30 ubuntu systemd-logind[838]: Removed session 9.
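As an added example (not code from the original post), the following Python script parses the sudo and sshd entries shown in the two sections above into structured events and aggregates the first things a triage would look for: failed SSH passwords per source address, invalid-user probes, accepted logins, sudo password failures, and the sudo commands that actually ran. The regular expressions and the SAMPLE_LOG lines are constructed for this example from the entries quoted in this post; the threshold of five failures is an assumed value.

```python
"""Parse and triage Ubuntu /var/log/auth.log lines for sudo and sshd events.
Added example, not code from the original post. SAMPLE_LOG is constructed
from the kinds of entries quoted in the sudo and SSH sections above.
"""
import re
from collections import Counter

# Syslog prefix as rsyslog writes it: "Oct  7 21:38:52 ubuntu sshd[3588]: message".
# The optional stray "]" absorbs the "gdm-password]:" form seen in the GDM line.
_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?\]?: (?P<msg>.*)$"
)
# sudo's own record: "user : [N incorrect password attempt(s) ; ]TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
_SUDO_CMD = re.compile(
    r"^(?P<user>\S+) : (?:(?P<failed>\d+) incorrect password attempts? ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
_PAM_AUTH = re.compile(r"^pam_unix\((?P<svc>[^:]+):auth\): authentication failure; (?P<kv>.*)$")
_PAM_SESS = re.compile(
    r"^pam_unix\((?P<svc>[^:]+):session\): session (?P<state>opened|closed) for user (?P<user>\w+)"
)
_SSH_INVALID = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+) port \d+")
_SSH_FAIL = re.compile(
    r"^Failed (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
_SSH_OK = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
_SSH_DISC = re.compile(r"^Disconnected from user (?P<user>\S+) (?P<ip>\S+) port \d+")


def parse(line):
    """Return a dict describing one auth.log line, or None for lines this parser ignores."""
    m = _PREFIX.match(line.rstrip("\n"))
    if not m:
        return None
    prog, msg = m["prog"], m["msg"].strip()
    ev = {"ts": m["ts"], "host": m["host"], "prog": prog, "pid": m["pid"]}
    if prog == "sudo" and (s := _SUDO_CMD.match(msg)):
        # failed > 0 means sudo gave up: the COMMAND is logged but was never run.
        ev.update(kind="sudo_command", user=s["user"], target=s["target"], tty=s["tty"],
                  cmd=s["cmd"], failed=int(s["failed"] or 0))
    elif s := _PAM_AUTH.match(msg):
        kv = dict(re.findall(r"(\w+)=(\S*)", s["kv"]))  # empty fields such as "rhost= " stay ""
        ev.update(kind="pam_auth_failure", service=s["svc"],
                  user=kv.get("user", ""), rhost=kv.get("rhost", ""))
    elif s := _PAM_SESS.match(msg):
        ev.update(kind="session_" + s["state"], service=s["svc"], user=s["user"])
    elif prog == "sshd" and (s := _SSH_INVALID.match(msg)):
        ev.update(kind="ssh_invalid_user", user=s["user"], ip=s["ip"])
    elif prog == "sshd" and (s := _SSH_FAIL.match(msg)):
        ev.update(kind="ssh_failed", user=s["user"], ip=s["ip"], invalid=bool(s["invalid"]))
    elif prog == "sshd" and (s := _SSH_OK.match(msg)):
        ev.update(kind="ssh_accepted", user=s["user"], ip=s["ip"], method=s["method"])
    elif prog == "sshd" and (s := _SSH_DISC.match(msg)):
        ev.update(kind="ssh_disconnect", user=s["user"], ip=s["ip"])
    else:
        return None
    return ev


def summarize(lines, failed_threshold=5):
    """Aggregate the indicators a first-pass triage looks at. The threshold is an assumed value."""
    events = [e for e in map(parse, lines) if e]
    ssh_failed = Counter(e["ip"] for e in events if e["kind"] == "ssh_failed")
    sudo_failed = Counter()
    for e in events:
        if e["kind"] == "sudo_command" and e["failed"]:
            sudo_failed[e["user"]] += e["failed"]
    return {
        "ssh_failed_by_ip": ssh_failed,
        "ssh_brute_force_sources": sorted(ip for ip, n in ssh_failed.items() if n >= failed_threshold),
        "ssh_invalid_users": Counter(e["user"] for e in events if e["kind"] == "ssh_invalid_user"),
        "ssh_accepted": [(e["user"], e["ip"], e["method"]) for e in events if e["kind"] == "ssh_accepted"],
        "sudo_failed_by_user": sudo_failed,
        "sudo_commands": [(e["user"], e["target"], e["cmd"])
                          for e in events if e["kind"] == "sudo_command" and not e["failed"]],
        "root_sessions_opened": sum(1 for e in events if e["kind"] == "session_opened" and e["user"] == "root"),
    }


# Constructed sample, modelled on the entries quoted in this post.
SAMPLE_LOG = """\
Oct  7 20:43:53 ubuntu sudo:   ubuntu : TTY=pts/5 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/su
Oct  7 20:43:53 ubuntu sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
Oct  7 20:52:02 ubuntu sshd[3059]: Invalid user test from 192.168.190.135 port 34290
Oct  7 20:52:07 ubuntu sshd[3059]: Failed password for invalid user test from 192.168.190.135 port 34290 ssh2
Oct  7 20:58:57 ubuntu sudo: pam_unix(sudo:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/7 ruser=ubuntu rhost=  user=ubuntu
Oct  7 21:02:14 ubuntu sudo:   ubuntu : 1 incorrect password attempt ; TTY=pts/7 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/su
Oct  7 21:38:52 ubuntu sshd[3588]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.190.135  user=ubuntu
Oct  7 21:38:54 ubuntu sshd[3588]: Failed password for ubuntu from 192.168.190.135 port 34434 ssh2
Oct  7 21:43:18 ubuntu sshd[3596]: Accepted password for ubuntu from 192.168.190.135 port 34438 ssh2
Oct  7 21:43:18 ubuntu sshd[3596]: pam_unix(sshd:session): session opened for user ubuntu(uid=1000) by (uid=0)
Oct  7 21:47:30 ubuntu sshd[3634]: Disconnected from user ubuntu 192.168.190.135 port 34438
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Run it against the real file with `python3 triage.py < /var/log/auth.log` after replacing SAMPLE_LOG with `sys.stdin`; the sudo records with a non-zero failure count are deliberately kept out of `sudo_commands`, because sudo writes the COMMAND field even when it refused to run the command, and the syslog timestamps carry no year, so long-range correlation needs journalctl or the file's rotation dates.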

REF

https://askubuntu.com/questions/465544/why-do-i-see-a-cron-session-opening-and-closing-every-hour-in-var-log-auth-log


Previous: 22. Linux log processing (RSYSLOG)
Next: 24. Linux privilege escalation (Pkexec)