In working through implementing lastlog, a few questions have come up.

1) Should lastlog be touched by cron?
2) Should lastlog be touched by sudo?
3) How does one reset lastlog for a user after the time has passed?

== 1) Should lastlog be touched by cron? ==
I discovered that cron interacted with lastlog because I disabled the 
unconfined module and cron stopped working.  This is because crond_t is 
specified as an unconfined domain in the unconfined policy which allows it to 
interact with any SELinux domain.

This made me think about whether cron should even be interacting with lastlog.  
It would be possible for a user to create a cronjob that just runs once a day 
and prevents them from being marked inactive, despite any actual logins.  It’s 
for this reason that I think the following lines should be added immediately 
before the pam_lastlog.so line in /etc/pam.d/system-auth and 
/etc/pam.d/password-auth:

auth        [success=1 default=ignore] pam_succeed_if.so service in crond quiet
account     [success=1 default=ignore] pam_succeed_if.so service in crond quiet
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet

These lines prevent pam_lastlog.so from being called for crond.

== 2) Should lastlog be touched by sudo? ==
I think that lastlog should not be triggered by sudo either.  This is because 
lastlog is designed for displaying and monitoring last logins of a user.  An 
invocation of sudo is not a login and therefore should not trigger lastlog.

== 3) How does one reset lastlog for a user after the time has passed? ==
This is just for my education.  Once the inactive time has passed for a user, 
how as a system administrator am I supposed to reset it?

Thoughts?

Thanks,
-josh

PS: In another thread on this ML, it was brought up that hand-editing the pam_d 
files will be unsupported.  That said, authconfig-tui in Fedora does not have 
an option for setting up lastlog and therefore requires hand-editing of files 
to implement.  I’m not sure if this applies to RHEL6 too, but I thought I’d 
point it out.


_______________________________________________
scap-security-guide mailing list
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
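
The skip-before-pam_lastlog arrangement proposed in the message above can be checked with a small simulator. This is an added example, not part of the original post or of scap-security-guide. It models only `[success=N]` jumps on pam_succeed_if.so `service` tests and ignores include/substack lines and sufficient/requisite short-circuits; the sample stack and the function names are constructed for illustration.

```python
import re

# Constructed sample stack: skip lines from the message precede pam_lastlog.so.
SAMPLE = """\
auth     required    pam_env.so
auth     [success=1 default=ignore] pam_succeed_if.so service in crond quiet
auth     required    pam_lastlog.so inactive=35
auth     sufficient  pam_unix.so
session  [success=1 default=ignore] pam_succeed_if.so service in crond quiet
session  required    pam_lastlog.so
session  required    pam_unix.so
"""

# type, control (simple word or [bracketed] form), module, arguments
LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Yield (type, control, module, args) for each PAM rule line."""
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m:
            yield m.group(1).lstrip("-"), m.group(2), m.group(3), m.group(4).split()

def service_matches(args, service):
    """Evaluate a pam_succeed_if 'service <op> <value>' test; other tests -> False."""
    for i in range(len(args) - 2):
        if args[i] == "service":
            op, values = args[i + 1], args[i + 2].split(":")
            if op in ("in", "=", "notin", "!="):
                return (service in values) == (op in ("in", "="))
    return False

def lastlog_types(text, service):
    """Return the PAM types in which pam_lastlog.so is called for `service`."""
    reached, skip = set(), {}
    for mtype, control, module, args in parse(text):
        if skip.get(mtype, 0) > 0:      # rule jumped over by an earlier success=N
            skip[mtype] -= 1
        elif module.endswith("pam_succeed_if.so"):
            jump = re.search(r"success=(\d+)", control)
            if jump and service_matches(args, service):
                skip[mtype] = int(jump.group(1))
        elif module.endswith("pam_lastlog.so"):
            reached.add(mtype)
    return reached

if __name__ == "__main__":
    for svc in ("crond", "sshd"):
        print(svc, sorted(lastlog_types(SAMPLE, svc)))
```

If a skip line is no longer immediately before pam_lastlog.so, `crond` shows up in the result again, because `success=1` jumps exactly one rule of the same type.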