How to configure separate system logging of PAM sshd

  • 7023749
  • 26-Feb-2019
  • 07-Mar-2019

Environment

Privileged Account Manager

Situation

During a PAM SSH Relay session, a syslog entry is created in the PAM SSH Relay server.

For example, a user starts an SSH Relay session:

  # ssh -t -p2222 <user>@<pam_ssh_relay> <privileged_account>@<target_server>

The resulting entries in the SSH Relay server's system log (e.g. /var/log/messages) look like this:

  sshd[2651]: Failed password for root from <userClientIP> port 56415 ssh2
  sshd[2651]: Accepted password for root from <userClientIP> port 56415 ssh2


These log entries are misleading to admins and auditors, because the user did not attempt a root login on the SSH Relay server itself. It is also difficult for an auditor to tell that these entries were produced by the PAM sshd (the relay) rather than by a user logging in to the system directly. To overcome this, the SSH Relay logs must be separated from the system logs.

Resolution

By default, the PAM SSH Relay sends logging information to the system logs using the log level INFO and the system log facility AUTH. This can be silenced by changing LogLevel to QUIET in the sshd_config. However, to differentiate the PAM SSH Relay logs from the rest of the system logs without losing them, the configuration parameter SyslogFacility can be used instead.

While there are many approaches to create separate logs, the following approach sends PAM SSH Relay events to a new custom log and excludes them from the appropriate system logs:

  1. Configure PAM sshd_config (/opt/netiq/npum/service/local/sshrelay/etc/sshd_config):
    • Add the SyslogFacility option to log a custom facility:
      SyslogFacility LOCAL0
      Note: Any facility can be used, but make sure to use the same one in the syslog configuration below. Other possible values of SyslogFacility are listed in the OpenSSH documentation: https://man.openbsd.org/ssh_config.5#SyslogFacility.

    • Restart PAM service.

  2. Configure Syslog:
    Note: Please consult the appropriate vendor documentation for the syslog service that is used on the system. In this example, syslog-ng is being used. Configuration details may differ in other implementations of syslog.
    • Create a custom filter, log file and log rule to handle the pam sshd events by adding the following to the syslog configuration file, in this case /etc/syslog-ng/syslog-ng.conf:
      # Custom PAM SSHD
      filter f_pamsshd { program(sshd) and facility(local0); };
      destination pamsshd { file("/var/log/pamsshd"); };
      log { source(src); filter(f_pamsshd); destination(pamsshd); };
      Note: Add this block after the global options and the src source declaration, but before the existing filter definitions. The facility code used in this example is 'local0', and the new log file is "/var/log/pamsshd".

    • To prevent these particular messages from appearing in the syslog (i.e. /var/log/messages, /var/log/localmessages), please configure the appropriate filters to exclude this custom pamsshd filter. For example:
      • Identify the log(s) we should exclude and the appropriate filters used by them. In this case, "/var/log/messages" and "/var/log/localmessages" use the f_messages and f_local filters.

      • Configure those already-existing filters to exclude our custom pamsshd filter, for example:
        filter f_messages   { not facility(news, mail) and not filter(f_iptables) and not filter(f_pamsshd); };
        ...
        filter f_local      { facility(local0, local1, local2, local3,
                                       local4, local5, local6, local7)
                              and not filter(f_pamsshd); };
    • Verify the syntax is valid with our new customization:
      syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf

    • Restart syslog, for example: service syslog restart

  3. Observe that PAM sshd messages are routed by syslog to the configured log file and excluded from the normal syslog(s).
    Note: Consider configuring appropriate log rotation and/or expiration for the new file as needed. Additionally, the sshd_config parameter 'LogLevel' can be used to control the verbosity of logging.
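The following is an added example, not part of the original article and not Micro Focus/NetIQ code. It models the routing that steps 1 and 2 above set up: it parses RFC 3164-style syslog lines (including the <PRI> value, which is what the SyslogFacility setting changes; PRI = facility * 8 + severity), applies the f_pamsshd, f_messages and f_local filters from the syslog-ng configuration above, and shows which destination file each message would reach. The sample lines are constructed; the host name "pamrelay", the client addresses and the program "myapp" are assumptions. The example also shows why filtering on program(sshd) alone would not be enough: the host's own sshd keeps logging to AUTH under the same program name, and only the relay's sshd, configured with SyslogFacility LOCAL0, is diverted.

```python
import re
from collections import defaultdict

# Standard syslog facility numbers (RFC 3164 / RFC 5424). PRI = facility * 8 + severity.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
FACILITY_NAMES = {num: name for name, num in FACILITIES.items()}
INFO = 6  # severity used by sshd at LogLevel INFO

def pri(facility, severity):
    """Compute the <PRI> value a daemon emits for a facility/severity pair."""
    return FACILITIES[facility] * 8 + severity

# Constructed sample lines. Lines 1 and 3 come from the host's own sshd (AUTH, PRI 38);
# line 2 is the relay sshd after SyslogFacility LOCAL0 (PRI 134). Same program name,
# different facility. Lines 4 and 5 are unrelated local0 and cron traffic.
SAMPLE_LINES = [
    "<38>Feb 26 10:15:01 pamrelay sshd[2651]: Failed password for root from 10.0.0.5 port 56415 ssh2",
    "<134>Feb 26 10:15:02 pamrelay sshd[2651]: Accepted password for root from 10.0.0.5 port 56415 ssh2",
    "<38>Feb 26 10:16:00 pamrelay sshd[2700]: Accepted publickey for admin from 10.0.0.9 port 50122 ssh2",
    "<134>Feb 26 10:17:00 pamrelay myapp[42]: local0 message from some other program",
    "<78>Feb 26 10:18:00 pamrelay cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(\[\d+\])?: "
    r"(?P<msg>.*)$"
)

def parse(line):
    """Split a BSD-syslog line into facility, severity, program and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    p = int(m.group("pri"))
    return {
        "facility": FACILITY_NAMES.get(p // 8, "unknown"),
        "severity": p % 8,
        "program": m.group("prog"),
        "message": m.group("msg"),
        "raw": line,
    }

# filter f_pamsshd { program(sshd) and facility(local0); };
def f_pamsshd(ev):
    return ev["program"] == "sshd" and ev["facility"] == "local0"

# filter f_messages { not facility(news, mail) and not filter(f_pamsshd); };
# (the f_iptables clause from the article is omitted here for brevity)
def f_messages(ev):
    return ev["facility"] not in ("news", "mail") and not f_pamsshd(ev)

# filter f_local { facility(local0, ..., local7) and not filter(f_pamsshd); };
def f_local(ev):
    return ev["facility"].startswith("local") and not f_pamsshd(ev)

# log { ... } statements: each filter feeds one destination file.
LOG_RULES = [
    (f_pamsshd, "/var/log/pamsshd"),
    (f_messages, "/var/log/messages"),
    (f_local, "/var/log/localmessages"),
]

def route(lines):
    """Return a dict mapping destination file -> list of raw lines it would receive."""
    out = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None:
            out["unparsed"].append(line)
            continue
        for flt, dest in LOG_RULES:
            if flt(ev):
                out[dest].append(ev["raw"])
    return dict(out)

if __name__ == "__main__":
    for dest, entries in route(SAMPLE_LINES).items():
        print(dest)
        for e in entries:
            print("   ", e)
```

On the real relay host, the equivalent end-to-end check after restarting syslog-ng is to emit one test message with the same program name and facility the relay uses, for example `logger -p local0.info -t sshd "pamsshd routing test"`, and confirm that it appears in /var/log/pamsshd and not in /var/log/messages or /var/log/localmessages. A message logged with `-p auth.info` should still land in /var/log/messages, which confirms that the host's own sshd logging is unaffected.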

Cause

By default, sshd sends logging information to the system logs using the log level INFO and the system log facility AUTH. This also applies to the sshd used by the PAM SSH Relay, so its entries are indistinguishable from those of the host's own sshd.

Status

Reported to Engineering