/var/log/secure reporting false positives

Question

I have my CentOS 6 system configured to use sssd with ldap provider. I am able to login and use sudo, however /var/log/secure always reports authentication failure:

Sep 18 07:09:52 serverA sudo: pam_unix(sudo:auth): authentication failure; logname=exampleuser uid=10000 euid=0 tty=/dev/pts/1 ruser=exampleuser rhost=  user=exampleuser
Sep 18 07:09:52 serverA sudo: pam_sss(sudo:auth): authentication success; logname=exampleuser uid=10000 euid=0 tty=/dev/pts/1 ruser=exampleuser rhost=  user=exampleuser

This is causing false positives in my SIEM. I think the issue is with pam. I configured it using authconfig. Is there a way to configure pam to not check /etc/passwd for ldap users (say users above X uid) or another solution to this problem?

score 3 · Answer 1 · edited Sep 18 '15 at 13:25

3

Try to put this row at the beginning of your /etc/pam.d/sshd file.

auth       sufficient   pam_sss.so

edited Sep 18 '15 at 13:25

Izzy

795
2
8
31

answered Sep 18 '15 at 12:17

Gabriele Guaglianone

31
1

On RHEL/CentOS 6, includes are used in /etc/pam.d/sshd to pull in settings /etc/pam.d/system-auth-ac, so the change should not be made there. Furthermore, this file handles sshd, but if you look at my log its sudo where the problem lies. – Python Novice Sep 19 '15 at 01:25

score 1 · Accepted Answer · answered Sep 19 '15 at 01:45

Gabriele and mkzero were on the right track.

Did some research and was able to find a solution. /etc/pam.d/sudo (shown above) and /etc/pam.d/sshd are the two sources which will generate double log messages like this. By default, pam tries to authenticate first using pam_unix.so, and if it fails it tries pam_sss.so. They both use includes to pull in settings from two other pam files. To get rid of this error, the order has to be changed in two files:

/etc/pam.d/password-auth-ac
/etc/pam.d/system-auth-ac

Replaced auth section with:

auth        required      pam_env.so
auth        sufficient    pam_sss.so
auth        requisite     pam_succeed_if.so uid < 20000 quiet
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so`

pam_succeed_if.so is set to not use pam_unix for users with uids above 20000 which my ldap users are. If you leave this out, you will still see two authentication log messages from both pam_sss and pam_unix.

If you join the computer to a domain using FreeIPA's script, or realmd, then this is done for you. You generally only see this if you set it up manually. — Michael Hampton, Sep 19 '15 at 03:00

/var/log/secure reporting false positives

2 Answers2