EditAttachPrintable
r12 - 29 Jun 2008 - 00:11:46 - IntRigeriYou are here: wiki.boum.org >  TechStdOut Web  > LoginRecords

Login records

Table of content :

Why ?

On a GNU/Linux system, login records are saved at various places. One may want to prevent these to be kept for too long, or to be kept at all.

How ?

The tips given bellow have been tested on Debian GNU/Linux etch and lenny (testing - 20080223).

Generic solutions

ramdisk

One way to prevent sensitive data to reach the hard disk is to configure the system to mount a ramdisk over the directory in which it is supposed to be written. See RamDisks (FR) and RamDisksEn (EN) for details.

FIXME : would symlinking the login records files to a ramdisk work ?

login

The login Debian package enables lastlog and faillog update, in its default configuration (details bellow, in the sections dedicated to these files). The source package is shadow.

NB :

  • This package neither uses debconf nor ucf.
  • login is an Essential package

FIXME :

  • how simple is it to provide a choice between the current default (logging) settings and an alternative (non-logging) settings ?

base-files

The base-files Debian package creates most login records files on postinst (i.e. on install and on upgrade), thus preventing some simple anti-logging solutions.

base-files is an Essential package, and it currently does not use debconf, so it seems hard to get it modified to render optionnal the annoying postinst.

On the other hand, base-files does not own the login records files, but merely creates them on postinst ; then another package could transform them into symlinks (to a ramdisk or any kind of trusted location) without breaking the Debian policy. FIXME : check this.

The Debian bug #488376 asks base-files to provide a way to disable login record files creation on postinst.

Particular files

/var/log/wtmp

The wtmp file records all logins and logouts. The command last prints its content in a human-readable format.

According to man wtmp, record-keeping is turned on if, and only if, this file is present : no program using it should ever create it if it does not exist.

So, you may want to delete this file and existing backups (/var/log/wtmp*).

But the base-files Debian package creates this file on postinst (and thus on upgrade).

/var/log/btmp

This one is quite similar to wtmp, but instead records every failed login. The command lastb prints its content in a human-readable format.

According to man lastb, such record-keeping is turned on if, and only if, this file is present : no program using it should ever create it if it does not exist.

So, you may want to delete this file and existing backups (/var/log/btmp*).

But the base-files Debian package creates this file on postinst (and thus on upgrade).

/var/run/utmp

The utmp file allows one to discover information about who is currently using the system. It is used, for example, by the who command. It also tells the source IP of the incoming ssh logins.

It must always exist on Linux, and can be chmod'ed 0660 to disable who for non-root users... but the data is still written somewhere.

NB : the base-files Debian package creates this file and chmod's it 644 on postinst (and thus on upgrade).

/var/log/lastlog

Stores time and date of last login, and also the source IP for remote logins. Queried by the lastlog command.

  • the base-files Debian package creates it on postinst (and thus on upgrade), as root:utmp / 664
  • the default /etc/pam.d/login (in package login) loads session optional pam_lastlog.so, which :
    • as advertised, "prints the last login info upon successful login"
    • as not advertised, updates the lastlog file, and even creates it if it does not exist
  • sshd updates this file if it exists

pam_lastlog disabled, /var/log/lastlog deleted (testing on o. and g. from 20080626) :

  • none of sshd, login (tty), or su create the lastlog file
  • if this works, a few possible solutions :
    • a cronjob could wipe the lastlog file on a regular basis, in order to remove it when a base-files upgrade has re-created it
    • would symlinking this file to a ramdisk work ?
    • make usage of pam_lastlog by login configurable

/var/log/faillog

Facts :

  • No IP seem to be recorded in /var/log/faillog, "only" time, date, and TTY.
  • The login Debian package creates this file on postinst (and thus on upgrade).
  • In /etc/login.defs (in package login), FAILLOG_ENAB defaults to yes.
  • If /var/log/faillog is missing, it is not created by login. Else, iff FAILLOG_ENAB is enabled, login updates it.
  • Neither sshd nor su seem to update /var/log/faillog ; FIXME : do other packages update/create this file ?

The Debian bug #488420 asks login maintainers to help providing a way for a CDD to disable faillog.

auth.log and authpriv.log

FIXME (including the sudo case)

Edit | Attach | Printable | Raw View | Backlinks: Web, All Webs | History: r12 < r11 < r10 < r9 < r8 | More topic actions
 
Powered by wiki.boum.org
Des idées, requêtes ou problèmes en rapport avec ce wiki ? écris nous !