From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7

Description of problem:
We need a message added to gdm to show the fact that a login was attempted and what the results are. It's possible under the current system but very clumsy to figure out logins. This is not conducive to writing automatic reporting tools.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. login
2. look in audit logs for message

Actual Results:
You get a pam session open message. cron also opens pam session and doesn't login, so it's hard to spot logins when looking for success/fail with current audit tools.

Additional info:
I will provide a small patch that fixes this.
Created attachment 120057
Patch to add login success/fail messages to audit system

The attached patch adds the audit login success/fail messages. It was generated against gdm-2.6.0.5-7.rhel4.6. If the patch looks good to you, I would apply it to rawhide to get a little user community testing on it. The spec file will need BuildRequires: audit-libs-devel >= 1.0.6 added to it.
Hi Steve,

A few comments...

- We want to get this upstreamed if possible. It means we won't have to keep repatching things for RHEL-5, RHEL-6, each new package version bump in rawhide, etc...
- If we're going to get this upstreamed it's going to need to be conditionally compiled in. That means checking for the audit libs during configure and wrapping things in #ifdef HAVE_AUDIT, etc... The upstream maintainer of GDM works for Sun, so there's no way he's going to take a patch that won't build for him :-)
- Speaking of Sun, it looks like Solaris has something similar called ADT? There is some overlap in the code that you add and what happens in HAVE_ADT. It might be interesting to refactor things a bit to reduce repetitive code. But then again, GDM is full of repetitive code so that's probably not a huge deal.
- Rather than logging in the failure clause after each pam call, why not just do it once after the pamerr: label at the bottom of the gdm_verify_user?
- In general, GDM uses gboolean instead of int for booleans.

Feel free to rebuild gdm in rawhide with whatever patches you want. Just make sure things aren't too broken by Test1 (devel freeze is on the 31st).
Thanks for the feedback.

2 - I was thinking about adding autoconf code to do the conditional compilation. Should it be done automatically or should it require --with-audit ? Each project seems to have a preference.
3 - Not sure about ADT.
4 - I thought about that, but there are many cases where pam potentially fails and it's not the user's fault. I wanted to keep those cases out of the failed logs so that we only have failed records when people are failing authentication or otherwise forbidden to login. This makes it easier to spot accounts that are being hacked. Maybe I should add something regarding the intent to comments at the beginning of the logging function.
- I'd say just copy, paste, and tweak whatever is done for adt in configure.in. Since it's already upstream, it presumably is being done the way upstream wants it.
- Might be a good idea to just have a short blurb mentioning the types of failures that should get sent to the audit logs.
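The design settled on in the exchange above (compile the audit call only when configure finds libaudit, and record a failed login only when the failure is the user's), as an added example that is not the attached patch or GDM's own code. `HAVE_AUDIT` is the macro name suggested in the thread; the helper names, the message text and the set of PAM codes counted as user failures are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#ifdef HAVE_AUDIT   /* assumed: defined by configure when libaudit is found */
#include <libaudit.h>
#include <unistd.h>
#endif

/* Linux-PAM return codes, repeated so this builds without the PAM headers. */
enum { PAM_SUCCESS = 0, PAM_SYSTEM_ERR = 4, PAM_PERM_DENIED = 6, PAM_AUTH_ERR = 7,
       PAM_USER_UNKNOWN = 10, PAM_MAXTRIES = 11, PAM_ACCT_EXPIRED = 13 };

/* True when the failure is the user's: bad credentials or an account that is
 * not allowed in. The choice of codes is this example's assumption. Anything
 * else is an infrastructure fault and stays out of the failed-login records. */
static bool failure_is_auditable(int pam_err)
{
    return pam_err == PAM_AUTH_ERR || pam_err == PAM_USER_UNKNOWN ||
           pam_err == PAM_MAXTRIES || pam_err == PAM_PERM_DENIED ||
           pam_err == PAM_ACCT_EXPIRED;
}

/* Hypothetical helper. Returns 1 (success record), 0 (failure record) or
 * -1 (nothing written because the failure was not the user's). */
static int log_login_result(const char *user, const char *display, int pam_err)
{
    int result = (pam_err == PAM_SUCCESS);
    if (!result && !failure_is_auditable(pam_err))
        return -1;
#ifdef HAVE_AUDIT
    char msg[256];
    int fd = audit_open();
    if (fd >= 0) {
        /* user is typed at the greeter, so real code must encode it first */
        snprintf(msg, sizeof msg, "op=login acct=%s", user);
        audit_log_user_message(fd, AUDIT_USER_LOGIN, msg, NULL, NULL, display, result);
        close(fd);
    }
#else
    (void)user; (void)display;   /* no audit support: only the decision is made */
#endif
    return result;
}

int main(void)
{
    int codes[] = { PAM_SUCCESS, PAM_AUTH_ERR, PAM_SYSTEM_ERR };
    for (int i = 0; i < 3; i++)
        printf("%d\n", log_login_result("alice", ":0", codes[i]));
    return 0;
}
```

Built without `-DHAVE_AUDIT` the helper still makes the same decision but writes nothing, which is what lets the same source build where libaudit is absent.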
Created attachment 120088
New version of patch to add login audit messages

This patch has some cleanups mentioned in the bug report.
Hi Steve, Thanks. I've got to do another rebuild anyway for a different bug, so I'll just hold off.
audit-1.0.12 is now supposed to be in the RHEL4 build root. Please update any Requires or BuildRequires to that version. Let me know if you have any problems.
Okay, rebuilt with Requires: audit-1.0.12 and BuildRequires: audit-libs-devel-1.0.12. Marking MODIFIED.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2006-0120.html