Bug 166379

Summary: ssh does not generate audit messages when ssh session closes
Product: [Fedora] Fedora Reporter: rob <rob.myers>
Component: opensshAssignee: Tomas Mraz <tmraz>
Status: CLOSED UPSTREAM QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 4CC: sgrubb
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-08-22 08:36:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 216689    

Description rob 2005-08-19 21:51:35 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050719 Red Hat/1.0.6-1.4.1 Firefox/1.0.6

Description of problem:
i expect a USER_END message for each USER_START message in the audit log, but no USER_END is logged for an ssh session.

Version-Release number of selected component (if applicable):
openssh-4.1p1-3.1

How reproducible:
Always

Steps to Reproduce:
[root@localhost ~]# TS=`date '+%D %T'`
[root@localhost ~]# ssh generaluser@localhost id -a
generaluser@localhost's password:
uid=501(generaluser) gid=501(generaluser) groups=501(generaluser) context=user_u:system_r:unconfined_t
[root@localhost ~]# ssh root@localhost id -a
root@localhost's password:
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t
[root@localhost ~]# ausearch -i -ts $TS -x sshd
----
type=USER_AUTH msg=audit(08/19/05 17:42:22.868:14185489) : user pid=8559 uid=root auid=unknown(4294967295) msg='PAM authentication: user=generaluser exe="/ usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'
----
type=USER_ACCT msg=audit(08/19/05 17:42:22.869:14185540) : user pid=8559 uid=root auid=unknown(4294967295) msg='PAM accounting: user=generaluser exe="/usr/ sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'
----
type=USER_START msg=audit(08/19/05 17:42:22.886:14185759) : user pid=8561 uid=root auid=generaluser msg='PAM session open: user=generaluser exe="/usr/sbin/ sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'
----
type=CRED_REFR msg=audit(08/19/05 17:42:22.912:14185791) : user pid=8561 uid=root auid=generaluser msg='PAM setcred: user=generaluser exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'
----
type=USER_AUTH msg=audit(08/19/05 17:42:42.872:14206388) : user pid=8580 uid=root auid=unknown(4294967295) msg='PAM authentication: user=root exe="/usr/sbi n/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'
----
type=USER_ACCT msg=audit(08/19/05 17:42:42.872:14206439) : user pid=8580 uid=root auid=unknown(4294967295) msg='PAM accounting: user=root exe="/usr/sbin/ss hd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'
----
type=CRED_ACQ msg=audit(08/19/05 17:42:42.874:14206571) : user pid=8580 uid=root auid=unknown(4294967295) msg='PAM setcred: user=root exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'
----
type=USER_START msg=audit(08/19/05 17:42:42.876:14206712) : user pid=8582 uid=root auid=root msg='PAM session open: user=root exe="/usr/sbin/sshd" (hostnam e=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'
----
type=CRED_REFR msg=audit(08/19/05 17:42:42.876:14206736) : user pid=8582 uid=root auid=root msg='PAM setcred: user=root exe="/usr/sbin/sshd" (hostname=loca lhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'
----
type=CRED_DISP msg=audit(08/19/05 17:42:42.923:14208276) : user pid=8580 uid=root auid=unknown(4294967295) msg='PAM setcred: user=root exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'


Additional info:
Comment 1 Steve Grubb 2005-08-19 22:09:34 UTC 
This problem is probably caused by the session cleanup being handled by the
child and it not having enough privileges to write to the audit netlink socket.
The results are different when logging in as a normal user and when logging in
as root. When root, you get the CRED_DISP message, but not when you are a common
user.
Comment 2 Tomas Mraz 2005-08-22 08:36:21 UTC 
This would require many changes in sshd's handling of PAM calls and it must be
done upstream first.
See http://bugzilla.mindrot.org/show_bug.cgi?id=926