Skip to content
Last update: 2022-05-11

PAM support

Overview

Pluggable Authentication Modules (PAM) provide authentication functionality in Linux distributions. PAM allows you to change the user authentication scheme without having to recompile your programs, by simply editing a configuration file.

This example provides an insight on how Sophos Linux Sensor (SLS) provides PAM support and the impact of using PAM for logins without configuring PAM credential enrichment in the sensor. In addition are the steps on how to get it running on your environment as shown below:

Recommendations

  • Please note that this only works when running the sensor outside of a container.
  • When running the steps below please don't close the two instances running the ldap process and sensor.
  • Ensure that Docker is installed in the Ubuntu 18 that you will be using.
  • The steps were performed using Vagrant. You can use your own preferred vm.

Validation steps

  1. Start an OpenLDAP container on a clean Ubuntu 18.04.

    Here's an example:

    docker run -p 389:389 -p 636:636 --env LDAP_READONLY_USER=true --env LDAP_READONLY_USER_USERNAME=fooo --env LDAP_READONLY_USER_PASSWORD=password osixia/openldap:1.3.0 --loglevel debug

  2. In a different terminal, vagrant ssh into the Ubuntu 18.04 machine and verify that LDAP has a user.

    Here's an example:

    docker exec -it `docker ps -q` ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin

  3. Install LDAP utilities on the host. Run the following commands:

    sudo apt-get update
sudo apt-get install ldap-utils

  4. Perform sudo bash.

  5. Verify local tools can access LDAP. Run the following command:

    ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin

  6. Install LDAP PAM module.

    Here's an example:

    sudo apt-get install libpam-ldap nslcd-utils
ldap:///127.0.0.1
dc=example,dc=org
3
<No>
<No>
ldap://127.0.0.1/
dc=example,dc=org

  7. Paste the following config into /etc/ldap.conf to configure the host. Comment out the existing settings.

    base dc=example,dc=org
host 127.0.0.1
binddn cn=admin,dc=example,dc=org
bindpw admin
ldap_version 3
pam_password md5

  8. Setup LDAP support in /etc/nsswitch.conf by adding "ldap" to the end of each line.

    Here's an example:

    passwd:         compat systemd ldap
group:          compat systemd ldap
shadow:         compat ldap

  9. As a normal user, no longer as sudo bash, create a local file fooo.ldif indicating fooo should be able to login as a POSIX user:

    Here's an example:

    dn: cn=fooo,dc=example,dc=org
changetype: modify
add: objectClass
objectClass: posixAccount
- 
add: homeDirectory
homeDirectory: /home/fooo
-
add: uid
uid: fooo
-
add: uidNumber
uidNumber: 5250
-
add: gidNumber
gidNumber: 0

  10. Using sudo bash, import fooo.ldif to modify the account in LDAP.

    Here's an example:

    docker exec -i `docker ps -q` ldapmodify -x -H ldap://localhost -D "cn=admin,dc=example,dc=org" -w admin < fooo.ldif

  11. Remove the following line from /etc/pam.d/login if present.

    auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so

  12. Restart nscd.

    sudo systemctl restart nscd

  13. Create runtimedetections-rules.yaml file in /etc/sophos (may be necessary to create /etc/sophos directory also).  Then setup a wget blocking program policy in runtimedetections-rules.yaml.

    Here's an example:

    WGET Policy:

    policy: program
    enabled: true
    alertMessage: Wgotten
    priority: Low
    rules:
    - match programName == "wget"
    - default ignore
    comments: Audit of when wget is run
    additionalCategories:
    - MITRE.Execution.Command-Line Interface
    - MITRE.Execution.User Execution

  14. Start sensor with PAM support configured.

    sudo RUNTIMEDETECTIONS_PAM_CREDENTIAL_ENRICHMENT=true sophoslinuxsensor

Warning

If you don't already have SLS installed or configured as shown above, please follow this guide to install the RUNTIMEDETECTIONS sensor. After installing the sensor, don't install the content or enable the sensor. Instead, run the following command:

sudo RUNTIMEDETECTIONS_PAM_CREDENTIAL_ENRICHMENT=true sophoslinuxsensor

  1. In a different terminal, vagrant ssh into the Ubuntu 18.04 machine and start a new login session as the new ryan LDAP user:

    sudo login
fooo
password

  2. Run wget.

  3. The sensor generates an alert with fooo as the username and root as the group in the other terminal running the sensor.

  4. Note that fooo is not in /etc/passwd.

    cat /etc/passwd | grep fooo
Back to top