Bug 1550135 - Failed logging attempts are not audited / logged
Summary: Failed logging attempts are not audited / logged
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.1.8
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ovirt-4.2.3
Target Release: ---
Assignee: Ravi Nori
QA Contact: Lucie Leistnerova
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-02-28 15:30 UTC by schandle
Modified: 2019-05-16 13:03 UTC (History)
CC List: 14 users

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Failed login attempts now appear in the audit log, with details and the user name that failed to log in.
Clone Of:
Environment:
Last Closed: 2018-05-15 17:48:31 UTC
oVirt Team: Infra
Target Upstream Version:


Attachments
UI message when user does not exist (20.20 KB, image/jpeg) - 2018-03-01 12:59 UTC, Javier Coscia
UI message when entered wrong password (17.71 KB, image/jpeg) - 2018-03-01 13:00 UTC, Javier Coscia
UI message when account is disabled or locked (20.81 KB, image/jpeg) - 2018-03-01 13:00 UTC, Javier Coscia
Openldap log (223.34 KB, text/plain) - 2018-03-04 19:58 UTC, Ravi Nori


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Solution) | 3376981 | 0 | None | None | None | 2018-03-09 22:43:26 UTC
Red Hat Product Errata | RHEA-2018:1488 | 0 | None | None | None | 2018-05-15 17:50:38 UTC
oVirt gerrit | 89259 | 0 | master | MERGED | aaa: Failed logging attempts are not audited / logged | 2018-04-09 10:23:59 UTC
oVirt gerrit | 90061 | 0 | ovirt-engine-4.2 | POST | aaa: Failed logging attempts are not audited / logged | 2018-04-10 13:19:01 UTC

Description schandle 2018-02-28 15:30:30 UTC
1. What is the nature and description of the request?
   
   The Events tab is no longer displaying expected events.  When a user has failed to enter the password for an account, or the account is locked or the password has expired, these are not in the Events tab as they have been in past versions.


2. Why does the customer need this? (List the business requirements here)

   This creates a problem, as many of the DataCenter administrators and RHV-M administrators do not have SSH access to view the content of the engine.log file.

3. How would the customer like to achieve this? (List the functional requirements here)

   Restore what was in RHEV 3.x, displaying '[Date] User admin@internal failed to log in.' in the Events log.  What was normally displayed in the "Events" tab of the WebUI was the end of the error message: "Cannot authenticate user 'User@Domain': The username or password is incorrect."

Comment 1 Yaniv Kaul 2018-02-28 16:04:06 UTC
Is this a bug or feature request?

Comment 4 Martin Perina 2018-03-01 08:51:47 UTC
There's a big difference between 3.6 and 4.x around authentication:

3.6 - authentication is part of the engine, that's why login errors are also logged to the audit log

4.x - authentication was moved into a standalone SSO module, which doesn't have access to engine internals such as the audit log, that's why login errors are no longer available in the audit log

But AFAIK all such errors are displayed in the UI, so users can see those login errors. Anyway, Ravi, could you please go over the above use case and attach screenshots with the messages displayed in the UI?

Comment 5 Yaniv Kaul 2018-03-01 08:56:41 UTC
(In reply to Martin Perina from comment #4)
> There's big difference between 3.6 and 4.x around authentication:
> 
> 3.6 - authentication is part of the engine, that's why login errors are
> logged also to audit log
> 
> 4.x - authentication was moved into standalone SSO module, which don't have
> access into engine internals such as audit log, that's why login errors are
> no longer available in audit log
> 
> But AFAIK all such errors are displayed in UI, so users can see those login
> errors. Anyway, Ravi could you please go over above uses case and attach
> screenshots with messages displayed in the UI?

Even if they are displayed in the UI, if they are not available in the events, it means they cannot be audited. We need to add them.

Comment 6 Javier Coscia 2018-03-01 12:58:25 UTC
(In reply to Martin Perina from comment #4)
> There's big difference between 3.6 and 4.x around authentication:
> 
> 3.6 - authentication is part of the engine, that's why login errors are
> logged also to audit log
> 
> 4.x - authentication was moved into standalone SSO module, which don't have
> access into engine internals such as audit log, that's why login errors are
> no longer available in audit log
> 
> But AFAIK all such errors are displayed in UI, so users can see those login
> errors. Anyway, Ravi could you please go over above uses case and attach
> screenshots with messages displayed in the UI?

You are right, sorry I forgot to add this information yesterday: the errors are shown on the UI login page; the issue is that they are not shown in the Events tab nor in the audit_log table.

Comment 7 Javier Coscia 2018-03-01 12:59:29 UTC
Created attachment 1402502 [details]
UI message when user does not exist

Comment 8 Javier Coscia 2018-03-01 13:00:09 UTC
Created attachment 1402503 [details]
UI message when entered wrong password

Comment 9 Javier Coscia 2018-03-01 13:00:40 UTC
Created attachment 1402504 [details]
UI message when account is disabled or locked

Comment 10 Martin Perina 2018-03-01 13:19:52 UTC
(In reply to Yaniv Kaul from comment #5)
> (In reply to Martin Perina from comment #4)
> > There's big difference between 3.6 and 4.x around authentication:
> > 
> > 3.6 - authentication is part of the engine, that's why login errors are
> > logged also to audit log
> > 
> > 4.x - authentication was moved into standalone SSO module, which don't have
> > access into engine internals such as audit log, that's why login errors are
> > no longer available in audit log
> > 
> > But AFAIK all such errors are displayed in UI, so users can see those login
> > errors. Anyway, Ravi could you please go over above uses case and attach
> > screenshots with messages displayed in the UI?
> 
> Even if they are displayed in the UI, if they are not available in the
> events, it means they cannot be audited. We need to add them.

Yes, because the SSO module is independent of the engine. This is the same, for example, if a user is not able to authenticate using Kerberos or SAML: authentication is performed outside the engine and we will never receive information about those issues in the audit log.

Also for LDAP users we are only passing on those errors from the LDAP servers, so all those messages should be visible in LDAP logs and should be auditable from there.

So not sure we really need to create an SSO module to engine audit_log interface ...

Comment 12 Yaniv Kaul 2018-03-02 19:41:56 UTC
So where can we see non-Kerberos/LDAP failed login attempts that an admin can monitor? Any log file would be great.

Comment 13 Martin Perina 2018-03-02 19:57:49 UTC
This is not a regression; the SSO module was designed as independent of the engine from the beginning. As mentioned in comment 10, if auditing is needed for username/password authentication, then LDAP server auditing should be used. This is the same use case as already used for Kerberos/SAML authentication, where auditing needs to be taken from the Kerberos/SAML infrastructure and not from the engine.

All incorrect password, non-existent user and account locked/disabled errors should be visible in LDAP logs.
Ravi, could you please attach examples of those errors for some LDAP setup you have available?

Comment 14 Ravi Nori 2018-03-04 19:58:47 UTC
Created attachment 1403988 [details]
Openldap log

Attaching openldap logs

The result of a login is in the err field of the log. The error codes are described on the OpenLDAP website [1].

Below is an example of an invalid-credentials login attempt. The error code is 49, which corresponds to invalidCredentials (49) in [1].

Mar  4 14:38:31 openldap slapd[13389]: conn=1007 op=3 BIND dn="uid=user2,ou=People,dc=openldap,dc=com" method=128
Mar  4 14:38:31 openldap slapd[13389]: conn=1007 op=3 RESULT tag=97 err=49 text=

[1] https://www.openldap.org/doc/admin24/appendix-ldap-result-codes.html
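As an added example (not part of the attached log, the bug's discussion, or oVirt/OpenLDAP code), here is a small Python parser for the auditing approach comment 14 describes for LDAP-backed users: it pairs each BIND with its RESULT by (conn, op), keeps only bindResponse results (tag=97) whose err is non-zero, names the code from the OpenLDAP result-code appendix in [1], and counts failures per DN so repeated attempts can be alerted on. The sample log is constructed for the example (its first two lines are the ones quoted above); the result-code table is a subset, and the threshold, function names and event wording are assumptions made here.

```python
import re
from collections import Counter

# Subset of LDAP result codes from the OpenLDAP appendix linked in [1] above;
# only codes a bind is likely to return are listed (assumption: extend as needed).
LDAP_RESULT_CODES = {
    0: "success",
    8: "strongerAuthRequired",
    32: "noSuchObject",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# Syslog-style slapd lines as in the attachment above. The BIND line carries the DN,
# the matching RESULT line (same conn and op) carries the outcome in err=.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})")
BIND_RE = re.compile(
    r'slapd\[\d+\]: conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)'
)
RESULT_RE = re.compile(
    r"slapd\[\d+\]: conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=(?P<tag>\d+) err=(?P<err>\d+) text=(?P<text>.*)$"
)

# Constructed sample input (not real server output); the first two lines are the ones
# quoted in comment 14. user2 fails twice, user1 succeeds, "nobody" does not exist.
SAMPLE_LOG = """\
Mar  4 14:38:31 openldap slapd[13389]: conn=1007 op=3 BIND dn="uid=user2,ou=People,dc=openldap,dc=com" method=128
Mar  4 14:38:31 openldap slapd[13389]: conn=1007 op=3 RESULT tag=97 err=49 text=
Mar  4 14:38:40 openldap slapd[13389]: conn=1008 op=0 BIND dn="uid=user2,ou=People,dc=openldap,dc=com" method=128
Mar  4 14:38:40 openldap slapd[13389]: conn=1008 op=0 RESULT tag=97 err=49 text=
Mar  4 14:38:52 openldap slapd[13389]: conn=1009 op=0 BIND dn="uid=user1,ou=People,dc=openldap,dc=com" method=128
Mar  4 14:38:52 openldap slapd[13389]: conn=1009 op=0 BIND dn="uid=user1,ou=People,dc=openldap,dc=com" mech=SIMPLE ssf=0
Mar  4 14:38:52 openldap slapd[13389]: conn=1009 op=0 RESULT tag=97 err=0 text=
Mar  4 14:39:03 openldap slapd[13389]: conn=1010 op=0 BIND dn="uid=nobody,ou=People,dc=openldap,dc=com" method=128
Mar  4 14:39:03 openldap slapd[13389]: conn=1010 op=0 RESULT tag=97 err=49 text=
Mar  4 14:39:10 openldap slapd[13389]: conn=1010 op=1 SRCH base="ou=People,dc=openldap,dc=com" scope=2 deref=0 filter="(uid=user1)"
Mar  4 14:39:10 openldap slapd[13389]: conn=1010 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""


def parse_failed_binds(lines):
    """Return one record per failed BIND, correlating BIND and RESULT lines by (conn, op)."""
    pending = {}   # (conn, op) -> bind info still waiting for its RESULT line
    failures = []
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            ts = TS_RE.match(line)
            pending[(m["conn"], m["op"])] = {"ts": ts["ts"] if ts else None, "dn": m["dn"]}
            continue
        m = RESULT_RE.search(line)
        if not m or m["tag"] != "97":      # 97 is the bindResponse tag; ignore other results
            continue
        bind = pending.pop((m["conn"], m["op"]), None)
        if bind is None:                   # RESULT for a bind we never saw (rotation, truncation)
            continue
        err = int(m["err"])
        if err == 0:
            continue
        failures.append({
            "ts": bind["ts"],
            "conn": int(m["conn"]),
            "op": int(m["op"]),
            "dn": bind["dn"],
            "err": err,
            "result": LDAP_RESULT_CODES.get(err, f"unknown({err})"),
            "text": m["text"].strip(),
        })
    return failures


def failures_per_dn(failures):
    """Count failed binds per DN."""
    return Counter(f["dn"] for f in failures)


def suspicious_dns(failures, threshold=2):
    """DNs with at least `threshold` failed binds (threshold is an assumed tuning value)."""
    return sorted(dn for dn, n in failures_per_dn(failures).items() if n >= threshold)


def format_event(f):
    """Render a failure in wording modelled on the 3.x Events tab message quoted in the description."""
    return f'[{f["ts"]}] User {f["dn"]} failed to log in ({f["result"]})'


if __name__ == "__main__":
    fails = parse_failed_binds(SAMPLE_LOG.splitlines())
    for f in fails:
        print(format_event(f))
    print("repeated failures:", suspicious_dns(fails))
```

One caveat for anyone using the LDAP log in place of the engine audit log, as comment 13 proposes: slapd answers a simple bind for a DN that does not exist with err=49 as well, not 32, so "user does not exist" and "wrong password" (the first two UI messages attached above) are indistinguishable in the LDAP log. How a locked or disabled account shows up depends on the server's password-policy configuration, so check the err value and text your own server produces for that case before alerting on it.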

Comment 16 Martin Perina 2018-03-21 10:51:04 UTC
We have found a way to pass login error messages from SSO to the engine without making the SSO module dependent on the engine, so all username/password based authentication errors can be stored in the audit log.

But if Kerberos/SAML authentication is configured, we have no way to pass those errors to the engine. So in those use cases the specific Kerberos/SAML server features need to be used to audit login errors.

Comment 19 Lucie Leistnerova 2018-04-20 10:51:15 UTC
Failing login for internal users (with different reasons) generates an event in the engine.

verified in ovirt-engine-4.2.3.2-0.1.el7.noarch

Comment 23 errata-xmlrpc 2018-05-15 17:48:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:1488

Comment 24 Franta Kust 2019-05-16 13:03:22 UTC
BZ<2>Jira Resync

