2245 – Multiple USER_LOGIN messages when linux audit support is enabled on bad login

Bug 2245 - Multiple USER_LOGIN messages when linux audit support is enabled on bad login

Summary: Multiple USER_LOGIN messages when linux audit support is enabled on bad login

Status:	NEW

Alias:	None

Product:	Portable OpenSSH
Classification:	Unclassified
Component:	sshd (show other bugs)
Version:	6.6p1
Hardware:	Other Linux

Importance:	P5 normal
Assignee:	Assigned to nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2014-06-13 07:33 AEST by Laurent Bigonville
Modified:	2014-11-05 01:19 AEDT (History)
CC List:	1 user (show)

See Also:

Attachments
remove unnecessary audit events (950 bytes, patch) 2014-11-05 01:01 AEDT, Petr Lautrbach	no flags	Details \| Diff
don't use (invalid user) (628 bytes, patch) 2014-11-05 01:19 AEDT, Petr Lautrbach	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Laurent Bigonville 2014-06-13 07:33:16 AEST

Hi,

Whit the current code in 6.6p1, the linux auditing code is generating multiples USER_LOGIN when either an unknown user or a wrong password of an existing user is used.

With an unknown user, I get the following:

type=USER_LOGIN msg=audit(1402608427.317:143): pid=6544 uid=0 auid=1000 ses=3 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608427.317:144): pid=6544 uid=0 auid=1000 ses=3 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608429.761:146): pid=6544 uid=0 auid=1000 ses=3 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd res=failed'

With an existing user and a wrong password, I get:

type=USER_LOGIN msg=audit(1402608698.581:159): pid=6567 uid=0 auid=1000 ses=3 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608698.581:160): pid=6567 uid=0 auid=1000 ses=3 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608698.581:161): pid=6567 uid=0 auid=1000 ses=3 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608701.089:163): pid=6567 uid=0 auid=1000 ses=3 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd res=failed'


This is confusing tools like aulast (--bad) as it's displaying several login attempts instead of just one

Comment 1 Laurent Bigonville 2014-06-13 07:40:01 AEST

BTW, I'm not seeing this with the patched version in Fedora

Comment 2 Laurent Bigonville 2014-06-13 08:34:56 AEST

Correction on Fedora, with an unknown user, I'm getting 2 messages when using an unknown user (not sure this is actually expected)


The 1st one immediately on connection

type=USER_LOGIN msg=audit(1402612040.555:407): pid=1980 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=ssh res=failed'

The 2nd when the connection is closed (ctrl-c on the client side)

type=USER_LOGIN msg=audit(1402612042.009:412): pid=1980 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=ssh res=failed'


But I can confirm that with an existing user and a wrong password, I'm only seeing one message at the end of the connection (either reached the number of max retry or by closing the connection)

Comment 3 Petr Lautrbach 2014-11-05 01:01:41 AEDT

Created attachment 2501 [details]
remove unnecessary audit events

The AUDIT_USER_LOGIN event should be sent only 1 time and it is the summary decision of all the authentication/account attempts.

Comment 4 Petr Lautrbach 2014-11-05 01:19:21 AEDT

Created attachment 2502 [details]
don't use (invalid user)

I also find using '(invalid user)' confusing. It's used in two cases - an user is unknown - getpwnamallow(user) returns NULL - or service is not set to 'ssh-connetion'.

The first case is quite common and I think an account in event should be marked '(unknown user)' instead of invalid which could be confusing for an auditor.

For the second case, it might be worth to split Authctxt.valid to Authctxt.valid_user and  Authctxt.valid_service to better distinguish ehse two case.