bugzilla-daemon at mindrot.org
2014-Jun-12  21:33 UTC
[Bug 2245] New: Multiple USER_LOGIN messages when linux audit support is enabled on bad login
https://bugzilla.mindrot.org/show_bug.cgi?id=2245
            Bug ID: 2245
           Summary: Multiple USER_LOGIN messages when linux audit support
                    is enabled on bad login
           Product: Portable OpenSSH
           Version: 6.6p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: l.bigonville at edpnet.be
Hi,
With the current code in 6.6p1, the Linux auditing code is generating
multiple USER_LOGIN messages when either an unknown user or a wrong
password for an existing user is used.
With an unknown user, I get the following:
type=USER_LOGIN msg=audit(1402608427.317:143): pid=6544 uid=0 auid=1000
ses=3 msg='op=login acct=28756E6B6E6F776E207573657229
exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd
res=failed'
type=USER_LOGIN msg=audit(1402608427.317:144): pid=6544 uid=0 auid=1000
ses=3 msg='op=login acct=28696E76616C6964207573657229
exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd
res=failed'
type=USER_LOGIN msg=audit(1402608429.761:146): pid=6544 uid=0 auid=1000
ses=3 msg='op=login acct=28696E76616C6964207573657229
exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd
res=failed'
With an existing user and a wrong password, I get:
type=USER_LOGIN msg=audit(1402608698.581:159): pid=6567 uid=0 auid=1000
ses=3 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=?
addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608698.581:160): pid=6567 uid=0 auid=1000
ses=3 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=?
addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608698.581:161): pid=6567 uid=0 auid=1000
ses=3 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=?
addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608701.089:163): pid=6567 uid=0 auid=1000
ses=3 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=?
addr=192.168.122.1 terminal=sshd res=failed'
This is confusing tools like aulast (--bad), as they display several
login attempts instead of just one.
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
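To show what the aulast complaint above amounts to, here is an added parser (not code from OpenSSH or from the audit userspace tools) that reads the records posted in this report, hex-decodes the unquoted acct values to their text ("(unknown user)", "(invalid user)"), and folds the duplicates into one failed attempt per sshd connection. Grouping by (pid, addr) is my assumption of what a single summary event per connection would look like.

```python
import re

def _rec(ts, serial, pid, acct):
    """Rebuild one audit line in the exact layout posted in the report."""
    return (f"type=USER_LOGIN msg=audit({ts}:{serial}): pid={pid} uid=0 auid=1000 ses=3 "
            f"msg='op=login acct={acct} exe=\"/usr/sbin/sshd\" hostname=? "
            f"addr=192.168.122.1 terminal=sshd res=failed'")

SAMPLE_RECORDS = [  # values taken from the records in the report above
    _rec("1402608427.317", 143, 6544, "28756E6B6E6F776E207573657229"),
    _rec("1402608427.317", 144, 6544, "28696E76616C6964207573657229"),
    _rec("1402608429.761", 146, 6544, "28696E76616C6964207573657229"),
    _rec("1402608698.581", 159, 6567, '"test"'),
    _rec("1402608698.581", 160, 6567, '"test"'),
]

HEADER_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*?) msg='(.*)'$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_FIELDS = {"acct", "exe", "hostname"}  # audit hex-encodes these when unquoted

def decode_field(key, value):
    """Strip quotes; hex-decode the string fields audit emits unquoted."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in HEX_FIELDS and value != "?" and re.fullmatch(r"(?:[0-9A-F]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def parse_record(line):
    """Flatten one audit line (outer fields + nested msg='...') into a dict."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    for key, value in FIELD_RE.findall(m.group(4) + " " + m.group(5)):
        rec[key] = decode_field(key, value)
    return rec

def collapse_failed_logins(lines):
    """One failed attempt per sshd connection (pid, addr); assumed grouping key."""
    attempts = {}
    for rec in filter(None, map(parse_record, lines)):
        if rec["type"] != "USER_LOGIN" or rec.get("res") != "failed":
            continue
        entry = attempts.setdefault((rec["pid"], rec["addr"]),
                                    {"pid": rec["pid"], "addr": rec["addr"],
                                     "accts": [], "raw_events": 0})
        entry["raw_events"] += 1
        if rec["acct"] not in entry["accts"]:
            entry["accts"].append(rec["acct"])
    return list(attempts.values())
```

Run against the five records, the three events for pid 6544 and the two for pid 6567 collapse to two attempts, which is the count aulast --bad would be expected to show.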
bugzilla-daemon at mindrot.org
2014-Jun-12  21:40 UTC
[Bug 2245] Multiple USER_LOGIN messages when linux audit support is enabled on bad login
https://bugzilla.mindrot.org/show_bug.cgi?id=2245
--- Comment #1 from Laurent Bigonville <l.bigonville at edpnet.be> ---
BTW, I'm not seeing this with the patched version in Fedora.
bugzilla-daemon at mindrot.org
2014-Jun-12  22:34 UTC
[Bug 2245] Multiple USER_LOGIN messages when linux audit support is enabled on bad login
https://bugzilla.mindrot.org/show_bug.cgi?id=2245
--- Comment #2 from Laurent Bigonville <l.bigonville at edpnet.be> ---
Correction: on Fedora, with an unknown user, I'm getting 2 messages when
using an unknown user (not sure this is actually expected).
The 1st one immediately on connection:
type=USER_LOGIN msg=audit(1402612040.555:407): pid=1980 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd"
hostname=? addr=192.168.122.1 terminal=ssh res=failed'
The 2nd when the connection is closed (ctrl-c on the client side):
type=USER_LOGIN msg=audit(1402612042.009:412): pid=1980 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd"
hostname=? addr=192.168.122.1 terminal=ssh res=failed'
But I can confirm that with an existing user and a wrong password, I'm
only seeing one message at the end of the connection (either reached the
number of max retry or by closing the connection).
bugzilla-daemon at mindrot.org
2014-Nov-04  14:01 UTC
[Bug 2245] Multiple USER_LOGIN messages when linux audit support is enabled on bad login
https://bugzilla.mindrot.org/show_bug.cgi?id=2245
Petr Lautrbach <plautrba at redhat.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |plautrba at redhat.com
--- Comment #3 from Petr Lautrbach <plautrba at redhat.com> ---
Created attachment 2501
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2501&action=edit
remove unnecessary audit events
The AUDIT_USER_LOGIN event should be sent only 1 time and it is the
summary decision of all the authentication/account attempts.
bugzilla-daemon at mindrot.org
2014-Nov-04  14:19 UTC
[Bug 2245] Multiple USER_LOGIN messages when linux audit support is enabled on bad login
https://bugzilla.mindrot.org/show_bug.cgi?id=2245
--- Comment #4 from Petr Lautrbach <plautrba at redhat.com> ---
Created attachment 2502
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2502&action=edit
don't use (invalid user)
I also find using '(invalid user)' confusing. It's used in two cases:
- a user is unknown - getpwnamallow(user) returns NULL
- or service is not set to 'ssh-connection'.
The first case is quite common and I think an account in the event should
be marked '(unknown user)' instead of invalid, which could be confusing
for an auditor.
For the second case, it might be worth splitting Authctxt.valid into
Authctxt.valid_user and Authctxt.valid_service to better distinguish
these two cases.