I am trying to understand if there is any logging happening for this command in any log file:

$ su - user1
su: user user1 does not exist

I checked /var/log/messages, /var/log/secure and /var/log/audit/audit.log, but couldn't find any message related to the command above.

Note - user1 is non-existent.

If I am trying with a valid username and giving an invalid password, I am able to see the failure messages in the log files above. With an invalid username there is no logging happening in these files. If this is the default behaviour, is there any way we can enable logging for these messages?

Esa Jokinen
sb9

1 Answer

su logging is based on the variables SULOG_FILE (for logging into a certain file) and SYSLOG_SU_ENAB (for logging into syslog instead), set in /etc/login.defs, the shadow password suite configuration.

In the section Cross References there is a list of all configuration parameters affecting su, and none of them is similar to this login configuration parameter enabling logging of unknown usernames.

LOG_UNKFAIL_ENAB (boolean)

Enable display of unknown usernames when login failures are recorded.

Note: logging unknown usernames may be a security issue if a user enters her password instead of her login name.

The note is relevant, though, for understanding why it might not be a good idea to have unknown usernames logged.

Esa Jokinen
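As an added example (not code from the question or the answer), the following POSIX shell script reads the su-related keys the answer names from a shadow-utils style login.defs file and reports where su attempts would be recorded, so an administrator can check the effective setting instead of guessing from empty log files. It assumes the "KEY value" whitespace-separated format with "#" comments, that the last assignment of a key wins, and that an absent key is reported as unset rather than resolved to a distribution default.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Assumptions: lines are "KEY value" separated by whitespace, "#" starts a
# comment, and the last assignment of a key wins; defaults for absent keys
# are distribution-specific, so an absent key is reported as "unset".

# login_defs_get FILE KEY -> prints KEY's value, or nothing if it is not set
login_defs_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }          # comment line
        $1 == key && NF >= 2 { val = $2 }  # last assignment wins
        END { if (val != "") print val }
    ' "$1"
}

# su_logging_summary FILE -> "<destinations> unknown-user-names=<value>"
# destinations is built from SULOG_FILE and SYSLOG_SU_ENAB, or "none" when
# neither is enabled, which means su failures are not being recorded at all.
su_logging_summary() {
    sulog=$(login_defs_get "$1" SULOG_FILE)
    syslog=$(login_defs_get "$1" SYSLOG_SU_ENAB)
    unkfail=$(login_defs_get "$1" LOG_UNKFAIL_ENAB)
    dest=""
    [ -n "$sulog" ] && dest="file:$sulog"
    [ "$syslog" = yes ] && dest="${dest:+$dest,}syslog"
    printf '%s unknown-user-names=%s\n' "${dest:-none}" "${unkfail:-unset}"
}

# Demo on a constructed login.defs fragment (not a real system file).
if [ "${1:-}" = --demo ]; then
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample
SULOG_FILE      /var/log/sulog
#SYSLOG_SU_ENAB no
SYSLOG_SU_ENAB  yes
EOF
    su_logging_summary "$tmp"   # file:/var/log/sulog,syslog unknown-user-names=unset
    rm -f "$tmp"
fi
```

Run it as `sh audit_su_logging.sh --demo` for the constructed sample, or call `su_logging_summary /etc/login.defs` on a real host.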