Bug 1385811 - RFE: Audit / Login information when login via webUI
Summary: RFE: Audit / Login information when login via webUI
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: WebUI
Version: 580
Hardware: All
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Grant Gainey
QA Contact: Lukáš Hellebrandt
URL:
Whiteboard:
Depends On:
Blocks: sat580-low
Reported: 2016-10-17 17:58 UTC by Waldirio M Pinheiro
Modified: 2017-06-21 12:14 UTC

Fixed In Version: spacewalk-java-2.5.14-22-sat
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-06-21 12:14:00 UTC
Target Upstream Version:


Description Waldirio M Pinheiro 2016-10-17 17:58:57 UTC
Description of problem:
Customer would like to know when a user logs in, logs out, or tries to log in without success via the webUI.

Version-Release number of selected component (if applicable):
5.7

How reproducible:
100%

Steps to Reproduce:
1. login via webUI
2. Looking for any information about login (/var/log/*)
3.

Actual results:
Nothing about user logins; this happens only when using external authentication, so the output will be redirected to /var/log/secure.

Expected results:
See information about users logging in, logging out, and attempts without success.

Additional info:

Comment 1 Tomas Lestach 2016-10-18 12:39:33 UTC
Well, basically it's not a problem to add a couple of login events into the log file. But I'm not sure such a log is good enough for audit purposes.

It would make sense to log unsuccessful login attempts anyway, as I either do not expect too many of them or in case there are too many, it's good to have a record of that.

Regarding logout events - it's possible to log the event in case the user really signs out. In case he does not and his session expires, the outdated session will be cleaned up by taskomatic, which logs into a separate file.


So, basically I'm for logging unsuccessful login attempts, not really sure about the rest.

A possible solution is to enable the audit logging feature for the PXTSessions table, but only after insert and delete (*not* update - not to log all requests that extend the session lifetime), which the feature isn't ready for.


More ideas from engineering welcome.

Comment 3 Waldirio M Pinheiro 2016-10-18 12:48:32 UTC
Hi Tomas,

The big point here should be login events and unsuccessful logins. The customer had an issue when configuring the PAM module to do external authentication. By default, PAM will generate the information in /var/log/secure, but when logging in with a local account, we can't see any record. So in the customer's case, trying to log in using the external account didn't generate any info in the secure file, and he asked me "ok, as we can see, it's not logging via external auth, but satellite is trying to authenticate locally ?!" IMHO it would be very interesting to have log information saying something like *user xpto login - local account* or *user xpto login - external account*; hence the necessity of enabling the login history in the log file.

The unsuccessful logins are about brute force: the same user has Satellite on the internet and he would like to know if someone from the internet is trying to brute-force his server; currently it is not possible to get this information.

About logout, no problem; it should only be to map when the customer did the logout, but it is not so important.


Best Regards
-- 
Waldirio M Pinheiro | Senior Software Maintenance Engineer

Comment 4 Grant Gainey 2016-11-04 14:50:33 UTC
spacewalk.github:
327326e5896d108e7f3dfc7454721005095e4e3b

log.info() added to LoginAction and LogoutAction.

Following log4j settings:

===
# Logging for login-attempts
log4j.logger.com.redhat.rhn.frontend.action.LoginAction=INFO
log4j.logger.com.redhat.rhn.frontend.action.LogoutAction=INFO
===

added to

  /usr/share/tomcat6/webapps/rhn/WEB-INF/classes/log4j.properties

results in output like the following in /var/log/tomcat6/catalina.out:

===
2016-11-04 10:19:27,315 [TP-Processor2] INFO  com.redhat.rhn.frontend.action.LoginAction - LOCAL AUTH SUCCESS: [admin]
2016-11-04 10:19:34,133 [TP-Processor5] INFO  com.redhat.rhn.frontend.action.LogoutAction - WEB LOGOUT: [admin]
2016-11-04 10:19:47,544 [TP-Processor10] INFO  com.redhat.rhn.frontend.action.LoginAction - LOCAL AUTH FAILURE: [admin1]
2016-11-04 10:23:04,364 [TP-Processor3] INFO  com.redhat.rhn.frontend.action.LoginAction - LOCAL AUTH SUCCESS: [admin]
===

If external-auth works, output looks like

===
INFO  com.redhat.rhn.frontend.action.LoginAction - EXTERNAL AUTH SUCCESS: [<login>]
===

Comment 7 Grant Gainey 2016-11-04 18:39:03 UTC
Note: Satellite's public API also authenticates. These attempts are already logged by the LoggingInvocationProcessor into /var/log/rhn/rhn_web_api.log; entries look like this:

===
[2016-11-04 14:24:28,716] INFO  - REQUESTED FROM: 10.13.137.180 CALL: auth.login(admin, ********) CALLER: (none) TIME: 0.104 seconds
[2016-11-04 14:38:30,470] ERROR - REQUESTED FROM: 10.13.137.180 CALL: auth.login(admin1, ********) CALLER: (none) TIME: 2.009 seconds
redstone.xmlrpc.XmlRpcFault: Either the password or username is incorrect.
	at com.redhat.rhn.frontend.xmlrpc.BaseHandler.invoke(BaseHandler.java:203)
...
===
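
The two log formats shown in Comments 4 and 7 can be scanned for repeated failures, which is the brute-force visibility asked for in Comment 3. This is an added example, not code from Spacewalk or from anyone on this bug; the function names, the threshold and window defaults, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# catalina.out lines written by LoginAction / LogoutAction (format from Comment 4)
WEB_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ \[[^\]]*\] INFO\s+"
                    r"com\.redhat\.rhn\.frontend\.action\.Log(?:in|out)Action - "
                    r"(?P<event>\w+ AUTH (?:SUCCESS|FAILURE)|WEB LOGOUT): \[(?P<user>[^\]]*)\]")
# auth.login entries in rhn_web_api.log (format from Comment 7)
API_RE = re.compile(r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\] (?P<level>INFO|ERROR)\s+- "
                    r"REQUESTED FROM: (?P<src>\S+) CALL: auth\.login\((?P<user>[^,]*), ")

def parse(line):
    """Return (time, channel, outcome, user, source), or None for any other line."""
    m = WEB_RE.match(line) or API_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    if m.re is WEB_RE:
        return when, "web", m["event"].split()[-1], m["user"], None
    outcome = "FAILURE" if m["level"] == "ERROR" else "SUCCESS"  # assumption: ERROR = rejected login
    return when, "api", outcome, m["user"], m["src"]

def flag_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Keys with >= threshold failures inside `window`; both defaults are assumptions."""
    recent, flagged = defaultdict(list), set()
    for when, channel, outcome, user, src in filter(None, map(parse, lines)):
        if outcome == "FAILURE":
            # WebUI lines carry no client address, so they are keyed on the login name
            key = (channel, src or user)
            recent[key] = [t for t in recent[key] if when - t <= window] + [when]
            if len(recent[key]) >= threshold:
                flagged.add(key)
    return flagged

# Constructed sample in the two formats; user names and addresses are made up
SAMPLE = """\
2016-11-04 10:19:27,315 [TP-Processor2] INFO  com.redhat.rhn.frontend.action.LoginAction - LOCAL AUTH SUCCESS: [admin]
2016-11-04 10:19:47,544 [TP-Processor10] INFO  com.redhat.rhn.frontend.action.LoginAction - LOCAL AUTH FAILURE: [alice]
2016-11-04 10:20:02,101 [TP-Processor4] INFO  com.redhat.rhn.frontend.action.LoginAction - LOCAL AUTH FAILURE: [alice]
2016-11-04 10:20:15,870 [TP-Processor7] INFO  com.redhat.rhn.frontend.action.LoginAction - LOCAL AUTH FAILURE: [alice]
[2016-11-04 14:38:30,470] ERROR - REQUESTED FROM: 192.0.2.77 CALL: auth.login(u1, ********) CALLER: (none) TIME: 2.009 seconds
redstone.xmlrpc.XmlRpcFault: Either the password or username is incorrect.
[2016-11-04 14:38:33,002] ERROR - REQUESTED FROM: 192.0.2.77 CALL: auth.login(u2, ********) CALLER: (none) TIME: 2.011 seconds
[2016-11-04 14:38:36,140] ERROR - REQUESTED FROM: 192.0.2.77 CALL: auth.login(u3, ********) CALLER: (none) TIME: 2.008 seconds
""".splitlines()

if __name__ == "__main__":
    print(sorted(flag_bursts(SAMPLE)))
```

Only the API log records the requesting address, so WebUI failures can be grouped per login name but not per source from catalina.out alone.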

Comment 8 Lukáš Hellebrandt 2016-11-29 10:52:36 UTC
When I use PAM authentication (tested with pam_permit.so), the message says "LOCAL AUTH SUCCESS". Should PAM be considered LOCAL?

Comment 9 Lukáš Hellebrandt 2016-11-29 12:41:18 UTC
Note: Authentication using FreeIPA results in (correct) "EXTERNAL AUTH SUCCESS".

Comment 10 Grant Gainey 2016-11-29 12:58:59 UTC
All the code knows/can-know, is that 

User user = LoginHelper.checkExternalAuthentication(request, messages, errors);

returned 'null'. As far as the LoginAction is concerned, PAM login looks local.

Comment 11 Lukáš Hellebrandt 2016-11-29 13:19:00 UTC
I know, I have looked into code, too. However, calling PAM authentication "local" in a log file seems confusing to me to say the least.

Comment 12 Grant Gainey 2016-11-29 13:28:39 UTC
PAM users look local to Sat5. I don't believe there's any way for the code to tell the difference between PAM-auth and 'internal Sat5' auth.

Comment 13 Lukáš Hellebrandt 2016-12-05 09:59:30 UTC
Verified on Sat 5.8 compose from 2016-11-29.

Tested by logging in and out while catting the log. Used authentication against local DB, PAM and FreeIPA.
Note that authentication using PAM is logged as "local". However, this is OK according to devel.

