How to log (syslog) password change attempts

Hi,

usermin happily logs login attempts (success and failure) and logout actions to syslog. I’d like it to also log password change attempts (or indeed any operations, but I’m only configuring password changes). Is there some way to configure that? If not, is there a good place to add it?

I was thinking I could add a syslog to the error() function for failures, but it wouldn’t necessarily be a concise log message.

Suggestions?

I don’t see immediately any configuration for this. I’ll ask Jamie to chime in on the “good place to add it” question, as he’d know better than anyone.

Unfortunately, there is no way to have Usermin log more actions to syslog yet. Webmin, yes … but Usermin typically runs only with the permissions of the logged-in user, who doesn’t have the rights to log to syslog.

JamieCameron wrote:

Unfortunately, there is no way to have Usermin log more actions to syslog yet. Webmin, yes .. but Usermin typically runs only with the permissions of the logged-in user, who doesn't have the rights to log to syslog.

Umm, I'm afraid I have to disagree. ANYONE can log to syslog. C.f. logger(1) as an example. Sending a message to syslog requires no special privileges at all. The syslog(2) system call also requires no special privileges.

My mistake, you are correct … I guess I just assumed that this would be disabled for security reasons, and because most users wouldn’t have access to the syslog socket file.

Unfortunately, even with this Usermin doesn’t yet have code to log events like password changes, unlike Webmin. I may look into adding this in future though…

JamieCameron wrote:

Unfortunately, even with this Usermin doesn't yet have code to log events like password changes, unlike Webmin. I may look into adding this in future though..

I’m happy to do a little PERL hacking myself to get this in there, but I was hoping to have a little guidance as to where to look. It looks like I could do most of it by adding a call to syslog in changepass.cgi for the successes, and adding a call to the error() function for failures. Is there a better way to add it in, in your expert opinion?

There is a standard logging function in the web-lib.pl called webmin_debug_log, which logs to whatever target is configured for logging…but I suspect this has permissions issues in the default configuration (logging to the Usermin log), which I think is why Jamie sort of dismissed this without good answers on how to implement.

webmin_debug_log seems to be used in a few Usermin modules, but I kinda suspect they aren’t actually ever hitting the logging functions (I’m betting the modules they appear in were copied from Webmin).

It might be worth digging in to see where Usermin makes the decision about that function being used so that you could add a switch to make it actually do something when syslog is the target for logging. Then from there, you could add the standard webmin_debug_log calls wrapped around the particular functions you’re interested in.

That’d be the “right” way to implement this, and it’d probably be something that could reasonably be expected to be merged into mainline Usermin. (I think. I can’t speak for Jamie on this one…but I have a feeling this would be reasonable. Hopefully, Jamie will chime in a bit more on it.)

The right function to call to have Usermin participate in logging is webmin_log. For example, at the end of changepass/changepass.cgi you could put code like :

webmin_log("passwd");

However, for this to work, the line log=1 would need to be in /etc/usermin/config, and also logsyslog=1.

I haven’t tested this though, so I’m not 100% sure it will work in Usermin :)

Cool, webmin_log() looks great.

Unfortunately I think I’m going to have to hook &error() as well, or perhaps change the way changepass.cgi uses &error(), so I can log failures as well as successes. But I think that would be pretty easy; I can just create a local function that calls webmin_log and then calls error().

I’ll go play now and see what I can do. If I get something working I’ll send back a patch.

For reference, it would be nice if the files had proper indenting – the lack of indentation makes following functions and code blocks much harder.

Still, thanks for a great piece of software and the excellent (and timely) tech support!

Oops. Right. webmin_debug_log is for…really verbose debug logs.

One option would be to have the changepass.cgi call webmin_log before calling error, with a different first parameter to indicate a failed password change…
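Putting the two suggestions above together (a wrapper that calls webmin_log and then error() for failures, and a plain webmin_log call at the end of changepass.cgi for successes), here is an added example of what that could look like. This is not Usermin's own code and nothing in this thread was merged; it assumes web-lib.pl is already loaded by changepass.cgi (so webmin_log(), error() and the $remote_user global exist), that webmin_log takes (action, type, object, params) as in Webmin, and that the action names "passwd" and "passwd-failed" are your own choice. Nothing is written unless /etc/usermin/config contains log=1 and logsyslog=1.

```perl
#!/usr/local/bin/perl
# Added example (not Usermin project code): log both outcomes of a password
# change through webmin_log(), so that successes and failures both reach
# syslog. Assumes changepass.cgi has already pulled in web-lib.pl, which
# provides webmin_log(), error() and $remote_user.

# Failure path: record the attempt under its own action name, then abort
# exactly as the original &error() call would have. Drop this in wherever
# changepass.cgi currently calls &error() for a bad old password, a policy
# violation, or a mismatch between the two new-password fields.
sub error_and_log
{
my ($msg) = @_;
# "passwd-failed" and the 'reason' key are hypothetical names; pick ones
# your log review tooling keys on. The hash is what webmin_log records as
# the action's parameters. Never put the submitted passwords in here.
&webmin_log("passwd-failed", "user", $remote_user, { 'reason' => $msg });
&error($msg);
}

# Success path: call once, at the very end of changepass.cgi, only after the
# password has really been changed. Logging before the change would produce
# a success record for an attempt that may still fail.
sub log_password_changed
{
&webmin_log("passwd", "user", $remote_user);
}

# Illustrative use inside changepass.cgi:
#   &error_and_log("Current password is incorrect");   # was: &error(...)
#   ...
#   &log_password_changed();                           # last line on success
```

With logsyslog=1 the records land in the same syslog facility as the existing login/logout entries, so a failed change shows up with the user name and your chosen action string rather than only the free-form text of the error message.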