Bug 1047509

Summary: [AAA] No events created for unauthorised log in attempts.
Product: Red Hat Enterprise Virtualization Manager Reporter: Julio Entrena Perez <jentrena>
Component: ovirt-engineAssignee: Yair Zaslavsky <yzaslavs>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 3.2.0CC: aberezin, acathrow, alonbl, bazulay, emesika, flo_bugzilla, iheim, jentrena, lpeer, oourfali, pstehlik, Rhev-m-bugs, yeylon, yzaslavs
Target Milestone: ---Keywords: Triaged
Target Release: 3.5.0   
Hardware: All   
OS: Linux   
Whiteboard: infra
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-11 14:38:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1076964    

Description Julio Entrena Perez 2013-12-31 12:46:17 UTC 
Description of problem:
If an authorised user's password has expired a "User <user>@<DOMAIN> cannot login, as it got disabled or locked. Please contact the system administrator." event is generated.
But if an unauthorised user attempts to login to webadmin portal no event is generated.

Version-Release number of selected component (if applicable):
rhevm-backend-3.2.5-0.49.el6ev

How reproducible:
Always.

Steps to Reproduce:
1. Attach RHEV-M to a domain (e.g. IPA).
2. Try to log in to webadmin portal as a user that has not been granted access to webadmin portal.

Actual results:
Unauthorised login attempts are logged to /var/log/ovirt-engine/engine.log :

2013-12-31 12:00:50,883 WARN  [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-1) CanDoAction of action LoginAdminUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION

But unauthorised login attempts are not logged to Events section of webadmin portal.

Expected results:
Unauthorised login attempts are logged to Events section of webadmin portal.

Additional info:
This is required for PCI DSS compliant environments to meet requirements such as 10.2.4 and 11.4 ( https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf ).
Comment 1 Itamar Heim 2014-01-02 09:12:50 UTC 
need to think how this will look like post the authentication refactoring, where some of these authentication checks will be done by apache as a frontend, etc.
Comment 2 Barak 2014-01-02 10:40:53 UTC 
Arthur,

Please define what is an unauthorized login attempt is:
- no such user
- existing user wrong password (failed authentication)?
Comment 3 Julio Entrena Perez 2014-01-02 14:09:18 UTC 
(In reply to Barak from comment #2)
> Arthur,
> 
> Please define what is an unauthorized login attempt is:
> - no such user
> - existing user wrong password (failed authentication)?

Both: any unsuccessful login attempt needs to be logged including the reason for the failure.
Comment 4 Arthur Berezin 2014-01-02 14:22:44 UTC 
(In reply to Julio Entrena Perez from comment #3)
> (In reply to Barak from comment #2)
> > Arthur,
> > 
> > Please define what is an unauthorized login attempt is:
> > - no such user
> > - existing user wrong password (failed authentication)?
> 
> Both: any unsuccessful login attempt needs to be logged including the reason
> for the failure.

+1

Both are part of PCI DSS, and should be presented in the events section.
For wrong password event the requirement is to present failure of multiple log-in attempts, so if we would like to avoid flooding the events tab we could look for multiple login failures in a given time.
Comment 5 Yair Zaslavsky 2014-02-16 07:23:37 UTC 
I suggest to handle this for 3.4, it is possible to add relevant audit log type and map them to the authentication results , same as for account is locked/disabled and password expired are mapped.
regarding AAA refactoring - i suggest we revisit the events issue at this point (and the effort is for 3.5 anyway, I don't think we should postpone this bug until then).
Comment 9 Barak 2014-05-27 11:29:53 UTC 
Eli don't we have a "user X failed to login" in eventlog of 3.4 ?
Comment 10 Barak 2014-05-27 11:32:41 UTC 
It looks like it was fixed for 3.4 (Bug 1066103),
Leaving it open for now due to the refactor done on the accounting as a part of the AAA effort.

Yair can we CLOSE DUPLICATE (if you had already handled it for 3.5) ?
Comment 11 Alon Bar-Lev 2014-06-11 14:38:37 UTC 

*** This bug has been marked as a duplicate of bug 1066103 ***