{"id":13508286,"url":"https://github.com/jomisica/log-credentials","last_synced_at":"2025-03-30T11:31:39.551Z","repository":{"id":99287865,"uuid":"92085287","full_name":"jomisica/log-credentials","owner":"jomisica","description":"PAM Log Credentials","archived":false,"fork":false,"pushed_at":"2019-12-14T20:51:21.000Z","size":58,"stargazers_count":7,"open_issues_count":2,"forks_count":4,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-11-01T08:32:56.793Z","etag":null,"topics":["log-credentials","pam","pam-module","security"],"latest_commit_sha":null,"homepage":"https://www.ncdc.pt/groups/log-credentials/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jomisica.png","metadata":{"files":{"readme":"README.md","changelog":"ChangeLog","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-05-22T18:18:43.000Z","updated_at":"2023-04-26T09:13:00.000Z","dependencies_parsed_at":"2023-07-17T23:30:52.226Z","dependency_job_id":null,"html_url":"https://github.com/jomisica/log-credentials","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jomisica%2Flog-credentials","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jomisica%2Flog-credentials/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jomisica%2Flog-credentials/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jomisica%2Flog-credentials/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/Gi
tHub/owners/jomisica","download_url":"https://codeload.github.com/jomisica/log-credentials/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246314011,"owners_count":20757450,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["log-credentials","pam","pam-module","security"],"created_at":"2024-08-01T02:00:50.863Z","updated_at":"2025-03-30T11:31:39.539Z","avatar_url":"https://github.com/jomisica.png","language":"C","funding_links":[],"categories":["C","security"],"sub_categories":[],"readme":"# log-credentials\nPAM log-credentials has been written by José Miguel Silva Caldeira \u003cmiguel@ncdc.pt\u003e.\n\n## Description:\nPAM log-credentials allows you to log credentials.\n\nIt will log messages like this:\n* May 22 18:50:15 local host log credentials: host = xxx.xxx.xxx.xxx service = sshd user = root root = xxxxxxx ** in system syslog;\n* 1573749689 host = 192.168.1.223 service = sshd user = aaaaaaaaaaaaaaaa pass = aaaaaaaaaaaaaaa in the file if configured.\n\nThe purpose of this module is to make it easy to collect information for analyzing brute-force attacks on ssh and other services.\n\nWith simple scripts over these data it is possible to see:\n* Where the attacks are initiated from (the countries, the networks, etc.), through the IP;\n* Which users are most used in login attempts;\n* The type of passwords that are used in attack attempts;\n* Among others.\n\nIn this way the administrator can be aware of the attacks and take measures so that good practices are followed to avoid them.\n\nUse at your own risk!\n\nDo not use on a production system where multiple users have access to the logs. If you do, everyone has access to all credentials.\n\nIf you still want to do so, configure the log file access permissions.\n\n## Tested Services / Commands\nThe module has been tested with the following services / commands:\n* sshd service;\n* sudo command;\n* su command.\n\n\n## Ethics\nSince this module logs all the credentials, it is clear that it also logs the correct ones.\n\nThis module can be used as a \"KeyLogger\" if it is badly installed on some system.\n\nMy intention is to use it for study purposes, but it is up to the conscience of each one what purpose they use it for.\n\nBe cool!\n\n## Installation\n\n### Clone the project\nYou can clone the repository wherever you want. (I like to keep it in `~/Projects/log-credentials`.)\n\n```bash\n$ cd ~/Projects\n$ git clone https://github.com/jomisica/log-credentials.git\n```\n\n### Dependent software\nIn order to compile this software it is necessary to first install the dependencies. 
This depends on the system in question; below are the examples for CentOS and Ubuntu.\n\n#### CentOS 7/8\nIn CentOS it is necessary to install the \"Development Tools\" group, which installs the software needed to compile this module.\n\nIt is also necessary to install the package \"pam-devel\", which has the headers needed to develop PAM modules on the system we use.\n\n```bash\n# yum group install \"Development Tools\"\n# yum install pam-devel\n```\n\n#### Ubuntu 16.04\nIn Ubuntu it is necessary to install the build dependencies of pam to compile this module.\n\nIt is also necessary to install the package \"libpam0g-dev\", which has the headers needed to develop PAM modules on the system we use.\n\n```bash\n# apt-get build-dep pam\n# apt-get install libpam0g-dev\n```\n\n### Build\n```bash\n$ cd log-credentials\n$ libtoolize --force\n$ aclocal\n$ autoheader\n$ automake --force-missing --add-missing\n$ autoconf\n```\n\nThe directories where the PAM and NSS modules are installed differ between systems, so it may be necessary to pass the correct location when configuring.\n\n```bash\n$ ./configure\n...\n...\n...\n...\nconfigure: Summary of build options:\n  Version:              1.0.1\n  Host type:            x86_64-unknown-linux-gnu\n  Compiler:             gcc\n  CFLAGS:               -g -O2\n  Library types:        Shared=yes, Static=no\n  PAM Module Directory: /lib64/security\n  NSS Module Directory: /lib64\n```\n\n*configure* tries to find the correct location on the system where the modules are installed.\nThe result is shown in the summary; if it is not correct for the system in question, we have to pass the correct location to configure.\n\n#### Example\n```bash\n$ ./configure --with-pam-dir=/lib64/security --with-nss-dir=/lib64\n```\n\n```bash\n$ make\n# make install\n```\n\n## Configure PAM module\nIn order for the module to work we need to add the following line to 
the /etc/pam.d/sshd configuration file, before any other module or file inclusion.\n\n```\nauth       optional     log_credentials.so\n```\n\nThe directory \"pam-examples\" contains configuration files for the tested services.\n\n## PAM Module Options\n\nThe module has the following options:\n* **onlytrueusers** - Allows only the correct logins to be logged;\n* **file** - Allows you to specify the location of the log file, e.g. \"file=/var/log/log-credentials.log\".\n\nThese options are used if they are present in the configuration file:\n\n```\nauth       optional     log_credentials.so onlytrueusers file=/var/log/log-credentials.log\n```\n\n#### Ubuntu PAM configuration\nIn Ubuntu it is necessary to add the parameter \"use_first_pass\" to the module \"pam_unix.so\" in the file \"/etc/pam.d/common-auth\", so that you are not asked for the password twice.\n\nThe line looks like this:\n\n```\nauth\t[success=1 default=ignore]\tpam_unix.so nullok_secure use_first_pass\n```\n\n## Configure NSS module\nLinux systems can use various types of databases to store users' credentials: files (by default, users and passwords are stored in the passwd, shadow, etc. files), LDAP (a service that is important when we need access with the same credentials on several machines in a network), among others.\n\nHowever, when a user is not found in any of the configured databases (files, ldap, etc.), it is not possible to know for sure who is trying to log in: the user is passed to PAM, but with the password changed.\n\nIn that case it would not be possible to have the username / password pair. As such it is necessary to configure the NSS module so that it is possible to work around this problem and have access to the user / password pair entered by the user.\n\nThe module has to be configured as the last module so that it is still possible to log into the system with normal users. 
Only if the user is not found by any other module is this small module used; it works around the problem by supplying the missing data, such as id, gid, etc.\n\nFor the module to work, we need to modify the following line in the /etc/nsswitch.conf configuration file.\n\n```\npasswd:     files sss log_credentials\n```\n\nAs we can see, the module log_credentials is last.\n\n## Configure SELinux CentOS 8\n\nIn CentOS 8 SELinux uses the default \"Enforcing\" execution mode.\nIn order to use the module's \"file\" parameter to store the log file in a given directory we have to create a module for SELinux.\nI will give an example of a module that allows you to create the log file in /var/log/[file name].log.\nFor other locations you will need to make the appropriate modifications; read more here: https://wiki.centos.org/HowTos/SELinux\nThe module is located within the project's selinux directory and has the following content:\n\n```\nmodule log-credentials-sshd 1.0;\n\nrequire {\n\ttype sshd_t;\n\ttype var_log_t;\n\tclass file { create open read append getattr };\n\tclass netlink_selinux_socket { bind create };\n}\n\n#============= sshd_t ==============\nallow sshd_t self:netlink_selinux_socket { bind create };\n\nallow sshd_t var_log_t:file { create open read append getattr };\n```\n\nRun the following commands to generate the module and install it:\n\n```bash\n$ cd ~/Projects/log-credentials/selinux\n# checkmodule -M -m -o log-credentials-sshd.mod log-credentials-sshd.te\n# semodule_package -o log-credentials-sshd.pp -m log-credentials-sshd.mod\n# semodule -i log-credentials-sshd.pp\n```\n\nAfter executing the commands it is possible to use the option \"file=/var/log/log-credentials.log\", for example.\n\n\n**It's done!**\n\n\n\n## Problem/BUGS report:\nIf you find any bugs or problems just mail me José Miguel Silva Caldeira 
\u003cmiguel@ncdc.pt\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjomisica%2Flog-credentials","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjomisica%2Flog-credentials","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjomisica%2Flog-credentials/lists"}