Bug 1550135 - Failed logging attempts are not audited / logged
Status: CLOSED ERRATA
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine (Show other bugs)
4.1.8
Unspecified Unspecified
high Severity high
: ovirt-4.2.3
: ---
Assigned To: Ravi Nori
Lucie Leistnerova
: Regression
Depends On:
Blocks:
Reported: 2018-02-28 10:30 EST by schandle
Modified: 2018-05-15 13:50 EDT (History)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Failed login attempts now appear in the audit log, with details and the user name that failed to log in.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-05-15 13:48:31 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
UI message when user does not exist (20.20 KB, image/jpeg) - 2018-03-01 07:59 EST, Javier Coscia
UI message when entered wrong password (17.71 KB, image/jpeg) - 2018-03-01 08:00 EST, Javier Coscia
UI message when account is disabled or locked (20.81 KB, image/jpeg) - 2018-03-01 08:00 EST, Javier Coscia
Openldap log (223.34 KB, text/plain) - 2018-03-04 14:58 EST, Ravi Nori


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3376981 None None None 2018-03-09 17:43 EST
oVirt gerrit 89259 master MERGED aaa: Failed logging attempts are not audited / logged 2018-04-09 06:23 EDT
oVirt gerrit 90061 ovirt-engine-4.2 POST aaa: Failed logging attempts are not audited / logged 2018-04-10 09:19 EDT
Red Hat Product Errata RHEA-2018:1488 None None None 2018-05-15 13:50 EDT

Description schandle 2018-02-28 10:30:30 EST
1. What is the nature and description of the request?
   
   The Events tab is no longer displaying expected events. When a user has failed to enter the password for an account, or the account is locked or the password has expired, these are not shown in the Events tab as they have been in past versions.


2. Why does the customer need this? (List the business requirements here)

   This creates a problem as many of the DataCenter administrators and RHV-M administrators do not have access to SSH to view the content in the engine.log file.

3. How would the customer like to achieve this? (List the functional requirements here)

   Restore what was in RHEV 3.x, displaying '[Date] User admin@internal failed to log in.' in the Events log. What normally displayed in the "Events" tab of the WebUI was the end of the error message: "Cannot authenticate user 'User@Domain': The username or password is incorrect."
Comment 1 Yaniv Kaul 2018-02-28 11:04:06 EST
Is this a bug or feature request?
Comment 4 Martin Perina 2018-03-01 03:51:47 EST
There's a big difference between 3.6 and 4.x around authentication:

3.6 - authentication is part of the engine, that's why login errors are also logged to the audit log

4.x - authentication was moved into a standalone SSO module, which doesn't have access to engine internals such as the audit log, that's why login errors are no longer available in the audit log

But AFAIK all such errors are displayed in the UI, so users can see those login errors. Anyway, Ravi, could you please go over the above use case and attach screenshots with the messages displayed in the UI?
Comment 5 Yaniv Kaul 2018-03-01 03:56:41 EST
(In reply to Martin Perina from comment #4)
> There's big difference between 3.6 and 4.x around authentication:
> 
> 3.6 - authentication is part of the engine, that's why login errors are
> logged also to audit log
> 
> 4.x - authentication was moved into standalone SSO module, which don't have
> access into engine internals such as audit log, that's why login errors are
> no longer available in audit log
> 
> But AFAIK all such errors are displayed in UI, so users can see those login
> errors. Anyway, Ravi could you please go over above uses case and attach
> screenshots with messages displayed in the UI?

Even if they are displayed in the UI, if they are not available in the events, it means they cannot be audited. We need to add them.
Comment 6 Javier Coscia 2018-03-01 07:58:25 EST
(In reply to Martin Perina from comment #4)
> There's big difference between 3.6 and 4.x around authentication:
> 
> 3.6 - authentication is part of the engine, that's why login errors are
> logged also to audit log
> 
> 4.x - authentication was moved into standalone SSO module, which don't have
> access into engine internals such as audit log, that's why login errors are
> no longer available in audit log
> 
> But AFAIK all such errors are displayed in UI, so users can see those login
> errors. Anyway, Ravi could you please go over above uses case and attach
> screenshots with messages displayed in the UI?

You are right, sorry I forgot to add this information yesterday, the errors are being shown in the UI login page, the issue is that it is not being shown in the events tab nor in the audit_log table.
Comment 7 Javier Coscia 2018-03-01 07:59 EST
Created attachment 1402502 [details]
UI message when user does not exist
Comment 8 Javier Coscia 2018-03-01 08:00 EST
Created attachment 1402503 [details]
UI message when entered wrong password
Comment 9 Javier Coscia 2018-03-01 08:00 EST
Created attachment 1402504 [details]
UI message when account is disabled or locked
Comment 10 Martin Perina 2018-03-01 08:19:52 EST
(In reply to Yaniv Kaul from comment #5)
> (In reply to Martin Perina from comment #4)
> > There's big difference between 3.6 and 4.x around authentication:
> > 
> > 3.6 - authentication is part of the engine, that's why login errors are
> > logged also to audit log
> > 
> > 4.x - authentication was moved into standalone SSO module, which don't have
> > access into engine internals such as audit log, that's why login errors are
> > no longer available in audit log
> > 
> > But AFAIK all such errors are displayed in UI, so users can see those login
> > errors. Anyway, Ravi could you please go over above uses case and attach
> > screenshots with messages displayed in the UI?
> 
> Even if they are displayed in the UI, if they are not available in the
> events, it means they cannot be audited. We need to add them.

Yes, because the SSO module is independent of the engine. This is the same, for example, if a user is not able to authenticate using Kerberos or SAML: authentication is performed outside the engine and we will never receive information about those issues in the audit log.

Also for LDAP users we are only passing those errors from LDAP servers, so all those messages should be visible in LDAP logs and should be auditable from there.

So not sure we really need to create SSO module to engine audit_log interface ...
Comment 12 Yaniv Kaul 2018-03-02 14:41:56 EST
So where can we see non-Kerberos/LDAP failed login attempts that an admin can monitor? Any log file would be great.
Comment 13 Martin Perina 2018-03-02 14:57:49 EST
This is not a regression, SSO module was designed as independent of engine from the beginning. As mentioned in comment 10 if auditing is needed for username/password authentication, then LDAP server auditing should be used. This is the same use case as already used for Kerberos/SAML authentication, where auditing needs to be taken from Kerberos/SAML infrastructure and not from engine.

All incorrect password, non-existent users and account locked/disabled errors should be visible in LDAP logs. 
Ravi, could you please attach examples of those errors for some LDAP setup you have available?
Comment 14 Ravi Nori 2018-03-04 14:58 EST
Created attachment 1403988 [details]
Openldap log

Attaching openldap logs

The result of a login is in the err field of the log. The error codes are described on openldap website [1]

Below is an example of invalid credentials login attempt. The error code is 49 which corresponds to invalidCredentials (49) in [1]

Mar  4 14:38:31 openldap slapd[13389]: conn=1007 op=3 BIND dn="uid=user2,ou=People,dc=openldap,dc=com" method=128
Mar  4 14:38:31 openldap slapd[13389]: conn=1007 op=3 RESULT tag=97 err=49 text=

[1] https://www.openldap.org/doc/admin24/appendix-ldap-result-codes.html
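To show how the slapd log lines above can be audited on the LDAP side, here is an added Python example; it is not part of the bug report or of the oVirt project. It correlates each BIND line with its RESULT line by conn/op, reads the err field, names the code using the OpenLDAP result-code appendix linked above, and counts failed binds per DN. The embedded sample log is constructed: the two lines from this comment plus four added lines (a second failure for the same user and one successful bind); the threshold and function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample log: the two slapd lines quoted in comment 14 plus four added lines.
SAMPLE_LOG = """\
Mar  4 14:38:31 openldap slapd[13389]: conn=1007 op=3 BIND dn="uid=user2,ou=People,dc=openldap,dc=com" method=128
Mar  4 14:38:31 openldap slapd[13389]: conn=1007 op=3 RESULT tag=97 err=49 text=
Mar  4 14:38:40 openldap slapd[13389]: conn=1008 op=0 BIND dn="uid=user2,ou=People,dc=openldap,dc=com" method=128
Mar  4 14:38:40 openldap slapd[13389]: conn=1008 op=0 RESULT tag=97 err=49 text=
Mar  4 14:38:55 openldap slapd[13389]: conn=1009 op=0 BIND dn="uid=user1,ou=People,dc=openldap,dc=com" method=128
Mar  4 14:38:55 openldap slapd[13389]: conn=1009 op=0 RESULT tag=97 err=0 text=
"""

# Subset of the standard LDAP result codes (see the OpenLDAP appendix linked above).
LDAP_RESULT_NAMES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+) text=(.*)$')


def parse_bind_results(log_text):
    """Return one record per completed BIND operation.

    slapd logs the request (BIND) and the outcome (RESULT) on separate lines;
    the pair shares the same conn= and op= values, so we key on those.
    RESULT lines that belong to other operations (searches, modifies) are skipped.
    """
    pending = {}   # (conn, op) -> bind DN, waiting for its RESULT line
    results = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, _method = m.groups()
            pending[(conn, op)] = dn
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, _tag, err, text = m.groups()
            dn = pending.pop((conn, op), None)
            if dn is None:
                continue  # not the outcome of a BIND we saw
            code = int(err)
            results.append({
                "conn": conn,
                "op": op,
                "dn": dn,
                "err": code,
                "name": LDAP_RESULT_NAMES.get(code, "unknown(%d)" % code),
                "text": text.strip(),
            })
    return results


def failed_binds(results):
    """Every bind whose result code is not 0 (success)."""
    return [r for r in results if r["err"] != 0]


def failures_per_dn(results):
    """Count failed binds per DN; a simple basis for alerting."""
    return Counter(r["dn"] for r in failed_binds(results))


def dns_over_threshold(results, threshold):
    """DNs whose failed-bind count reaches the threshold (hypothetical alert rule)."""
    return sorted(dn for dn, n in failures_per_dn(results).items() if n >= threshold)


if __name__ == "__main__":
    for rec in parse_bind_results(SAMPLE_LOG):
        print("conn=%s op=%s dn=%s err=%d (%s)" % (rec["conn"], rec["op"], rec["dn"], rec["err"], rec["name"]))
    print("failures per DN:", dict(failures_per_dn(parse_bind_results(SAMPLE_LOG))))
    print("over threshold 2:", dns_over_threshold(parse_bind_results(SAMPLE_LOG), 2))
```

Pairing on conn/op matters because the DN is only on the BIND line and the err code only on the RESULT line; reading either alone would miss who failed or whether they failed. The threshold rule is deliberately simple; in practice it would be applied per time window.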
Comment 16 Martin Perina 2018-03-21 06:51:04 EDT
We have found a way to pass login error messages from SSO to the engine without making the SSO module dependent on the engine, so all username/password based authentication errors can be stored in the audit log.

But if Kerberos/SAML authentication is configured, we have no way to pass those errors to the engine. So in those use cases the specific Kerberos/SAML server features need to be used to audit login errors.
Comment 19 Lucie Leistnerova 2018-04-20 06:51:15 EDT
Failing login for internal users (with different reasons) generates an event in the engine.

verified in ovirt-engine-4.2.3.2-0.1.el7.noarch
Comment 23 errata-xmlrpc 2018-05-15 13:48:31 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:1488
