Logging

5. Authentication Logging

In Linux, keeping track of who accesses a system and how they do it is crucial for security and troubleshooting. This process is managed through authentication logging, which records all authorization-related events, such as user logins and the methods used.

The auth.log File

On Debian-based systems like Ubuntu, the primary file for tracking this activity is /var/log/auth.log. This log file contains system authorization information, including successful and failed user login attempts, and any authentication mechanisms that were triggered. Reviewing this file is a key step in diagnosing login problems or investigating security incidents.

Here is a sample snippet from an auth.log file:

Jan 31 10:37:50 icebox pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=1000)

Understanding Log Entries

Each line in the log provides valuable details. In the example above:

  • Jan 31 10:37:50: The timestamp of the event.
  • icebox: The hostname of the machine where the event occurred.
  • pkexec: The program that initiated the event.
  • pam_unix(polkit-1:session): The authentication module and service used.
  • session opened for user root by (uid=1000): The action taken—a session was opened for the root user by a user with UID 1000.

Alternative Log Files

It's important to note that the location for authentication logs can vary between Linux distributions. For example, on Red Hat-based systems like CentOS and Fedora, these events are typically recorded in /var/log/secure instead of /var/log/auth.log.

Sign in to save your learning progress

Sign in

Exercises

Practice makes perfect! Here are some hands-on labs to reinforce your understanding of user authentication and account management:

  1. Configure User Accounts and Sudo Privileges in Linux - Practice enforcing password policies, locking/unlocking user accounts, securing the root account, and granting administrative permissions, all of which are critical for understanding authentication security.

These labs will help you apply the concepts in real scenarios and build confidence with Linux user and security management.

Login to Practice on LabEx

Quiz

On Debian-based systems, what is the name of the log file used for user authentication? Please answer using the filename only. The answer is case-sensitive.