Last update: 2022-05-11

PAM support

Overview

Pluggable Authentication Modules (PAM) provide authentication functionality in Linux distributions. PAM allows you to change the user authentication scheme without having to recompile your programs, by simply editing a configuration file.

This example shows how Sophos Linux Sensor (SLS) provides PAM support, and the impact of using PAM for logins without configuring PAM credential enrichment in the sensor. The steps below show how to get it running in your environment.

Recommendations

  • This only works when running the sensor outside of a container.
  • While running the steps below, don't close the two terminals running the LDAP process and the sensor.
  • Ensure that Docker is installed on the Ubuntu 18.04 machine you will be using.
  • The steps were performed using Vagrant; you can use your own preferred VM.

Validation steps

  1. Start an OpenLDAP container on a clean Ubuntu 18.04.

    Here's an example:

    docker run -p 389:389 -p 636:636 --env LDAP_READONLY_USER=true --env LDAP_READONLY_USER_USERNAME=fooo --env LDAP_READONLY_USER_PASSWORD=password osixia/openldap:1.3.0 --loglevel debug
    
  2. In a different terminal, vagrant ssh into the Ubuntu 18.04 machine and verify that LDAP has a user.

    Here's an example:

    docker exec -it `docker ps -q` ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
    
  3. Install LDAP utilities on the host. Run the following commands:

    sudo apt-get update
    sudo apt-get install ldap-utils
    
  4. Run sudo bash to open a root shell.

  5. Verify local tools can access LDAP. Run the following command:

    ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
    
  6. Install the LDAP PAM module. The lines following the install command are the answers given to the package configuration prompts, in the order they appear.

    Here's an example:

    sudo apt-get install libpam-ldap nslcd-utils
    ldap:///127.0.0.1
    dc=example,dc=org
    3
    <No>
    <No>
    ldap://127.0.0.1/
    dc=example,dc=org
    
  7. Paste the following config into /etc/ldap.conf to configure the host. Comment out the existing settings.

    base dc=example,dc=org
    host 127.0.0.1
    binddn cn=admin,dc=example,dc=org
    bindpw admin
    ldap_version 3
    pam_password md5
    
  8. Set up LDAP support in /etc/nsswitch.conf by adding "ldap" to the end of each line.

    Here's an example:

    passwd:         compat systemd ldap
    group:          compat systemd ldap
    shadow:         compat ldap
    
  9. As a normal user (no longer in the sudo bash shell), create a local file fooo.ldif stating that fooo should be able to log in as a POSIX user:

    Here's an example:

    dn: cn=fooo,dc=example,dc=org
    changetype: modify
    add: objectClass
    objectClass: posixAccount
    -
    add: homeDirectory
    homeDirectory: /home/fooo
    -
    add: uid
    uid: fooo
    -
    add: uidNumber
    uidNumber: 5250
    -
    add: gidNumber
    gidNumber: 0
    
  10. From the sudo bash shell, import fooo.ldif to modify the account in LDAP.

    Here's an example:

    docker exec -i `docker ps -q` ldapmodify -x -H ldap://localhost -D "cn=admin,dc=example,dc=org" -w admin < fooo.ldif
    
  11. Remove the following line from /etc/pam.d/login if present.

    auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
    
  12. Restart nscd.

    sudo systemctl restart nscd
    
  13. Create a runtimedetections-rules.yaml file in /etc/sophos (it may be necessary to create the /etc/sophos directory as well). Then set up a wget blocking program policy in runtimedetections-rules.yaml.

    Here's an example:

    WGET Policy:
    
        policy: program
        enabled: true
        alertMessage: Wgotten
        priority: Low
        rules:
        - match programName == "wget"
        - default ignore
        comments: Audit of when wget is run
        additionalCategories:
        - MITRE.Execution.Command-Line Interface
        - MITRE.Execution.User Execution
    
  14. Start the sensor with PAM support configured.

    sudo RUNTIMEDETECTIONS_PAM_CREDENTIAL_ENRICHMENT=true sophoslinuxsensor
    

Warning

If you don't already have SLS installed or configured as shown above, please follow this guide to install the RUNTIMEDETECTIONS sensor. After installing the sensor, don't install the content or enable the sensor. Instead, run the following command:

sudo RUNTIMEDETECTIONS_PAM_CREDENTIAL_ENRICHMENT=true sophoslinuxsensor

  1. In a different terminal, vagrant ssh into the Ubuntu 18.04 machine and start a new login session as the new LDAP user fooo:

    sudo login
    fooo
    password
    
  2. Run wget.

  3. In the other terminal running the sensor, the sensor generates an alert with fooo as the username and root as the group.

  4. Note that fooo is not in /etc/passwd, so the username in the alert came from the LDAP lookup:

    grep fooo /etc/passwd
    
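The checks below are an added example and not part of the Sophos documentation: they verify, from files alone, the configuration that steps 7, 8 and 11 produce and the /etc/passwd condition in the final step, so you can run them before starting the sensor. The sample files are constructed inline from the page's own settings; point the functions at /etc/nsswitch.conf, /etc/ldap.conf, /etc/pam.d/login and /etc/passwd to check a live host.

```shell
#!/bin/sh
# Added example (not from the Sophos documentation). Each check takes a file
# path so it can run against constructed copies or the real /etc files.

# /etc/nsswitch.conf: passwd, group and shadow must each list "ldap" (step 8).
check_nsswitch() {
  for db in passwd group shadow; do
    grep -Eq '^'"$db"':.*[[:space:]]ldap([[:space:]]|$)' "$1" \
      || { echo "nsswitch: '$db' line does not include ldap" >&2; return 1; }
  done
  return 0
}

# /etc/ldap.conf: every key from step 7 must be present with a value.
check_ldap_conf() {
  for key in base host binddn bindpw ldap_version pam_password; do
    grep -Eq '^'"$key"'[[:space:]]+[^[:space:]]' "$1" \
      || { echo "ldap.conf: missing '$key'" >&2; return 1; }
  done
  return 0
}

# /etc/pam.d/login: pam_securetty must not be loaded (step 11); commented lines are ignored.
check_pam_login() {
  if grep -v '^[[:space:]]*#' "$1" | grep -q 'pam_securetty\.so'; then
    echo "pam.d/login still loads pam_securetty.so" >&2; return 1
  fi
  return 0
}

# passwd file: the LDAP user must NOT have a local entry (final step of the procedure).
check_not_local_user() {
  if grep -Eq '^'"$1"':' "$2"; then
    echo "user '$1' has a local entry in $2" >&2; return 1
  fi
  return 0
}

# Constructed sample files mirroring the settings on this page.
tmp=$(mktemp -d)
printf 'passwd:         compat systemd ldap\ngroup:          compat systemd ldap\nshadow:         compat ldap\n' > "$tmp/nsswitch.conf"
printf 'base dc=example,dc=org\nhost 127.0.0.1\nbinddn cn=admin,dc=example,dc=org\nbindpw admin\nldap_version 3\npam_password md5\n' > "$tmp/ldap.conf"
printf '# auth [success=ok ...] pam_securetty.so (removed in step 11)\nauth requisite pam_nologin.so\n' > "$tmp/login"
printf 'root:x:0:0:root:/root:/bin/bash\nvagrant:x:1000:1000::/home/vagrant:/bin/bash\n' > "$tmp/passwd"

check_nsswitch "$tmp/nsswitch.conf" && check_ldap_conf "$tmp/ldap.conf" \
  && check_pam_login "$tmp/login" && check_not_local_user fooo "$tmp/passwd" \
  && echo "configuration checks passed"
```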