Bug 166379 - ssh does not generate audit messages when ssh session closes
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: openssh
Version: 4
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Tomas Mraz
QA Contact: Brian Brock
Blocks: 216689
Reported: 2005-08-19 17:51 EDT by rob
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2005-08-22 04:36:21 EDT
Description rob 2005-08-19 17:51:35 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050719 Red Hat/1.0.6-1.4.1 Firefox/1.0.6

Description of problem:
I expect a USER_END message for each USER_START message in the audit log, but no USER_END is logged for an ssh session.

Version-Release number of selected component (if applicable):
openssh-4.1p1-3.1

How reproducible:
Always

Steps to Reproduce:
[root@localhost ~]# TS=`date '+%D %T'`
[root@localhost ~]# ssh generaluser@localhost id -a
generaluser@localhost's password:
uid=501(generaluser) gid=501(generaluser) groups=501(generaluser) context=user_u:system_r:unconfined_t
[root@localhost ~]# ssh root@localhost id -a
root@localhost's password:
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t
[root@localhost ~]# ausearch -i -ts $TS -x sshd
----
type=USER_AUTH msg=audit(08/19/05 17:42:22.868:14185489) : user pid=8559 uid=root auid=unknown(4294967295) msg='PAM authentication: user=generaluser exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'
----
type=USER_ACCT msg=audit(08/19/05 17:42:22.869:14185540) : user pid=8559 uid=root auid=unknown(4294967295) msg='PAM accounting: user=generaluser exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'
----
type=USER_START msg=audit(08/19/05 17:42:22.886:14185759) : user pid=8561 uid=root auid=generaluser msg='PAM session open: user=generaluser exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'
----
type=CRED_REFR msg=audit(08/19/05 17:42:22.912:14185791) : user pid=8561 uid=root auid=generaluser msg='PAM setcred: user=generaluser exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'
----
type=USER_AUTH msg=audit(08/19/05 17:42:42.872:14206388) : user pid=8580 uid=root auid=unknown(4294967295) msg='PAM authentication: user=root exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'
----
type=USER_ACCT msg=audit(08/19/05 17:42:42.872:14206439) : user pid=8580 uid=root auid=unknown(4294967295) msg='PAM accounting: user=root exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'
----
type=CRED_ACQ msg=audit(08/19/05 17:42:42.874:14206571) : user pid=8580 uid=root auid=unknown(4294967295) msg='PAM setcred: user=root exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'
----
type=USER_START msg=audit(08/19/05 17:42:42.876:14206712) : user pid=8582 uid=root auid=root msg='PAM session open: user=root exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'
----
type=CRED_REFR msg=audit(08/19/05 17:42:42.876:14206736) : user pid=8582 uid=root auid=root msg='PAM setcred: user=root exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'
----
type=CRED_DISP msg=audit(08/19/05 17:42:42.923:14208276) : user pid=8580 uid=root auid=unknown(4294967295) msg='PAM setcred: user=root exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'


Additional info:
Comment 1 Steve Grubb 2005-08-19 18:09:34 EDT
This problem is probably caused by the session cleanup being handled by the
child and it not having enough privileges to write to the audit netlink socket.
The results are different when logging in as a normal user and when logging in
as root. When root, you get the CRED_DISP message, but not when you are a common
user.
Comment 2 Tomas Mraz 2005-08-22 04:36:21 EDT
This would require many changes in sshd's handling of PAM calls and it must be
done upstream first.
See http://bugzilla.mindrot.org/show_bug.cgi?id=926
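
A check for the mismatch reported in this bug, as an added example that is not part of the thread or of the openssh or audit projects: it pairs USER_START with USER_END records in `ausearch -i` output and returns the sessions that were never closed. It assumes pairing by (user, addr, terminal) rather than pid, because the records above show sshd logging one login under different pids; the function name and both "alice" records are constructed for illustration.

```python
import re

# Constructed sample in the `ausearch -i` layout shown in the report. The two
# USER_START lines mirror the report; both "alice" records are hypothetical.
SAMPLE = """\
type=USER_START msg=audit(08/19/05 17:42:22.886:14185759) : user pid=8561 uid=root auid=generaluser msg='PAM session open: user=generaluser exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'
----
type=USER_START msg=audit(08/19/05 17:42:42.876:14206712) : user pid=8582 uid=root auid=root msg='PAM session open: user=root exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'
----
type=USER_START msg=audit(08/19/05 17:43:01.100:14207001) : user pid=8601 uid=root auid=alice msg='PAM session open: user=alice exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'
----
type=USER_END msg=audit(08/19/05 17:43:05.200:14207050) : user pid=8601 uid=root auid=alice msg='PAM session close: user=alice exe="/usr/sbin/sshd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'
"""

# Only the fields needed for pairing are captured; the free-text operation
# ("PAM session open", ...) is skipped so the parser does not depend on it.
RECORD = re.compile(
    r"type=(?P<type>\w+) msg=audit\((?P<stamp>[^)]+)\).*?"
    r"msg='[^:]+: user=(?P<user>\S+) exe=\"(?P<exe>[^\"]+)\".*?"
    r"addr=(?P<addr>[^,\s]+), terminal=(?P<term>\S+) result=(?P<result>\w+)"
)


def unclosed_sessions(text, exe="/usr/sbin/sshd"):
    """Map (user, addr, terminal) to USER_START stamps with no later USER_END."""
    open_sessions = {}
    for line in text.splitlines():
        m = RECORD.search(line)
        if not m or m["exe"] != exe or m["result"] != "Success":
            continue  # separators, other programs, failed operations
        key = (m["user"], m["addr"], m["term"])
        if m["type"] == "USER_START":
            open_sessions.setdefault(key, []).append(m["stamp"])
        elif m["type"] == "USER_END" and open_sessions.get(key):
            # Assumption: the oldest open session for this key is the one ending.
            open_sessions[key].pop(0)
    return {key: stamps for key, stamps in open_sessions.items() if stamps}


if __name__ == "__main__":
    for (user, addr, term), stamps in unclosed_sessions(SAMPLE).items():
        print(f"{user}@{addr} ({term}): USER_START without USER_END at {stamps}")
```

Concurrent sessions by the same user from the same address are matched oldest-first, so the result tells you how many sessions lack a USER_END, not which ones.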
