Bug 563208

Summary: ausearch fails to parse PAM messages
Product: Red Hat Enterprise Linux 4
Reporter: Olivier Fourdan <ofourdan>
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED CURRENTRELEASE
QA Contact: Ondrej Moriš <omoris>
Severity: medium
Priority: medium
Version: 4.9
CC: ebenes, jwest, kem, omoris, plyons, sgrubb, tao
Target Milestone: rc
Keywords: Patch, ZStream
Hardware: All
OS: Linux
Fixed In Version: pam-0.77-66.28.el4
Doc Type: Bug Fix
Last Closed: 2012-06-14 20:58:28 UTC
Bug Blocks: 596379    
Attachments: Proposed patch (flags: none)

Description Olivier Fourdan 2010-02-09 15:15:23 UTC
Created attachment 389772
Proposed patch

Description of problem:

This bug is a follow-up of bug 510478 reported for audit.

audit-1.0.15 introduced a change to interpret data within the "msg=" field
that breaks with some messages, when the result string contains a space.

However, it appears that the result string should not contain a space in the first place, so the root of the problem is in pam and not in audit.

Version-Release number of selected component (if applicable):

pam-0.77-66.26.el4_8.1
audit-1.0.16-4.el4_8.1

How reproducible:

Always

Steps to Reproduce:
1. Install audit 1.0.16 on el4
2. Try to ssh to the system with a wrong passwd to generate a PAM authentication failure
3. ausearch -i -m USER_AUTH

Actual results:

----
type=USER_AUTH msg=audit(07/09/2009 00:37:22.787:13) : user pid=5098 uid=root 
auid=unset msg='PAM authentication: user=ofourdan exe=/usr/sbin/sshd 
(hostname=localhost.localdomain  addr=127.0.0.1  terminal=ssh 
result=Authentication 
----

(Notice that the line is truncated; it's missing " failure)'".)

Expected results:

----
type=USER_AUTH msg=audit(07/09/2009 00:37:22.787:13) : user pid=5098 uid=root 
auid=unset msg='PAM authentication: user=ofourdan exe=/usr/sbin/sshd 
(hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh 
result=failed)' 
----

Additional info:

The problem comes from a discrepancy between what ausearch expects to parse and what PAM actually logs.

A fix for audit to parse the output containing a space was rejected, so the fix needs to go into PAM.

The proposed patch attached here will log "failed" or "success" instead of the string returned by pam_strerror(), which may contain spaces.

This makes PAM behave more like recent versions of PAM (and thus ausearch can parse its output).

The risk I see here is if our customers have implemented custom parsing scripts to check for the original messages (e.g. "Authentication failure"); however, I see no simple way to keep such messages from PAM without changing audit, which is not possible.
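
For the parsing scripts mentioned in the report, the following added example (not part of the original report or of the attached patch) shows why a whitespace-delimited key=value split truncates the old result string, and one way to read both the old and the patched PAM format. The records are constructed from the output shown above; the function names, and the rule that any result other than "success" counts as a failure, are assumptions.

```python
import re

# Constructed records modelled on the ausearch output shown in this report.
OLD_PAM = ("type=USER_AUTH msg=audit(07/09/2009 00:37:22.787:13) : user pid=5098 "
           "uid=root auid=unset msg='PAM authentication: user=ofourdan "
           "exe=/usr/sbin/sshd (hostname=localhost.localdomain, addr=127.0.0.1, "
           "terminal=ssh result=Authentication failure)'")
NEW_PAM = OLD_PAM.replace("result=Authentication failure", "result=failed")
# Same record cut off after the first word of the result, as in "Actual results".
TRUNCATED = OLD_PAM[:OLD_PAM.index(" failure")] + " "


def naive_fields(record):
    """Whitespace-delimited key=value split; a value with a space is cut short."""
    fields = {}
    for token in record.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key.lstrip("(")] = value.rstrip(",)'")
    return fields


# Inner payload: msg='PAM <operation>: <body>' (closing quote may be missing).
PAYLOAD = re.compile(r"msg='(?P<op>PAM [^:]+): (?P<body>.*?)'?\s*$")
# The result value runs to the closing parenthesis, so it may contain spaces.
RESULT = re.compile(r"\bresult=(?P<text>[^)']+)")


def pam_result(record):
    """Return (operation, raw result text, normalized outcome), or None."""
    payload = PAYLOAD.search(record)
    if not payload:
        return None
    result = RESULT.search(payload.group("body"))
    if not result:
        return None
    raw = result.group("text").strip()
    # Assumption: any text other than "success" (case-insensitive) is a failure,
    # mirroring the success/failed split the proposed patch logs.
    outcome = "success" if raw.lower() == "success" else "failed"
    return payload.group("op"), raw, outcome


if __name__ == "__main__":
    for name, rec in (("old", OLD_PAM), ("new", NEW_PAM), ("truncated", TRUNCATED)):
        print(name, naive_fields(rec).get("result"), pam_result(rec))
```

A script that matches on the normalized outcome instead of the literal "Authentication failure" keeps working across hosts running either PAM build.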