From owner-freebsd-questions@FreeBSD.ORG Sat Jan 15 00:41:31 2005 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5C88B16A4CE for ; Sat, 15 Jan 2005 00:41:31 +0000 (GMT) Received: from muse.calarts.edu (muse.calarts.edu [198.182.157.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8972D43D5A for ; Sat, 15 Jan 2005 00:41:30 +0000 (GMT) (envelope-from smurphy@calarts.edu) Received: from [172.24.24.105] (rfc1918-address.calarts.edu [172.24.24.105] (may be forged)) by muse.calarts.edu (8.11.7p1+Sun/8.11.7) with ESMTP id j0F0fTw26491 for ; Fri, 14 Jan 2005 16:41:29 -0800 (PST) Message-ID: <41E866B8.4050702@calarts.edu> Date: Fri, 14 Jan 2005 16:41:28 -0800 From: Sean Murphy User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-questions@freebsd.org References: <41E85835.6030705@calarts.edu> <41E859B9.4080009@mac.com> <41E85E2A.7040907@calarts.edu> <41E86149.4040801@mac.com> In-Reply-To: <41E86149.4040801@mac.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: passwd logging X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 15 Jan 2005 00:41:31 -0000 Chuck Swiger wrote: > Sean Murphy wrote: > >> Chuck Swiger wrote: >> >>> Look at syslogd (/etc/syslog.conf) and /var/log/security or >>> /var/log/auth.log, I suspect that what you want to see is already >>> being logged there. >>> >> I checked out syslog.conf and did not see what to uncomment to add >> the passwd logging it currently logs bad logins and su but not >> successful changed passwds then I had a look at /var/log/security but >> nothing was in that file. hmm would I have to add a line to the >> syslog.conf file to log this type of activity? > > > Take a look at the end of /usr/src/usr.bin/passwd/local_passwd.c: > > [ ... ] > if (!pw_mkdb(uname)) > pw_error((char *)NULL, 0, 1); > #ifdef LOGGING > syslog(LOG_DEBUG, "user %s changed their local password\n", > uname); > #endif > return (0); > } > > This message is being logged at DEBUG priority level, so I believe you > should change the line in /etc/syslog.conf from "auth.info" to > "auth.debug" and restart syslogd. > > Or you could adjust this code to log using a higher priority (or write > the info to a file directly, or whatever else you like), and build and > reinstall the passwd binary with your changes. > tried the syslog changed it to auth.debug restarted the daemon tried changing my password but did not log the succsessful change. here is my syslog.conf file # $FreeBSD: src/etc/syslog.conf,v 1.13.2.4 2003/05/12 13:59:23 yar Exp $ # # Spaces ARE valid field separators in this file. However, # other *nix-like systems still insist on using tabs as field # separators. If you are sharing this file between systems, you # may want to use only tabs as field separators here. # Consult the syslog.conf(5) manpage. *.err;kern.debug;auth.notice;mail.crit /dev/console *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages security.* /var/log/security auth.debug;authpriv.info /var/log/auth.log mail.info /var/log/maillog lpr.info /var/log/lpd-errs cron.* /var/log/cron *.emerg * # uncomment this to log all writes to /dev/console to /var/log/console.log #console.info /var/log/console.log # uncomment this to enable logging of all log messages to /var/log/all.log # touch /var/log/all.log and chmod it to mode 600 before it will work #*.* /var/log/all.log # uncomment this to enable logging to a remote loghost named loghost #*.* @loghost # uncomment these if you're running inn # news.crit /var/log/news/news.crit # news.err /var/log/news/news.err # news.notice /var/log/news/news.notice !startslip *.* /var/log/slip.log !ppp *.* /var/log/ppp.log anything wrong with this conf?