Bug 170569 - [RHEL4] gdm should log to auditd when a user fails authentication or is forbidden to login
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: gdm
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Ray Strode [halfline]
Mike McLean
Depends On: 170495
Blocks: 168429
Reported: 2005-10-12 18:09 EDT by Steve Grubb
Modified: 2007-11-30 17:07 EST (History)
See Also:
Fixed In Version: RHBA-2006-0120
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-03-07 13:52:07 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
Patch to add login success/fail messages to audit system (3.84 KB, patch), 2005-10-17 09:12 EDT, Steve Grubb
New version of patch to add login audit messages (5.61 KB, patch), 2005-10-17 17:27 EDT, Steve Grubb

Description Steve Grubb 2005-10-12 18:09:52 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7

Description of problem:
We need a message added to gdm to show the fact that a login was attempted and what the results are. It's possible under the current system but very clumsy to figure out logins. This is not conducive to writing automatic reporting tools.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. login
2. look in audit logs for message

Actual Results:  You get a pam session open message. cron also opens a pam session and doesn't login, so it's hard to spot logins when looking for success/fail with current audit tools.

Additional info:

I will provide a small patch that fixes this.
Comment 2 Steve Grubb 2005-10-17 09:12:10 EDT
Created attachment 120057
Patch to add login success/fail messages to audit system

The attached patch adds the audit login success/fail messages. It was generated
against gdm-2.6.0.5-7.rhel4.6. If the patch looks good to you, I would apply it
to rawhide to get a little user community testing on it. The spec file will
need BuildRequires: audit-libs-devel >= 1.0.6 added to it.
Comment 3 Ray Strode [halfline] 2005-10-17 12:08:17 EDT
Hi Steve,

A few comments...

- We want to get this upstreamed if possible.  It means we won't have to keep
repatching things for RHEL-5, RHEL-6, each new package version bump in rawhide,
etc...

- If we're going to get this upstreamed it's going to need to be conditionally
compiled in. That means checking for the audit libs during configure and
wrapping things in #ifdef HAVE_AUDIT, etc...  The upstream maintainer of GDM
works for Sun, so there's no way he's going to take a patch that won't build for
him :-)

- Speaking of Sun, it looks like Solaris has something similar called ADT?
There is some overlap in the code that you add and what happens in HAVE_ADT.  It
might be interesting to refactor things a bit to reduce repetitive code.  But
then again, GDM is full of repetitive code so that's probably not a huge deal.

- Rather than logging in the failure clause after each pam call, why not just do
it once after the pamerr: label at the bottom of the gdm_verify_user?

- In general, GDM uses gboolean instead of int for booleans.

Feel free to rebuild gdm in rawhide with whatever patches you want.  Just make
sure things aren't too broken by Test1 (devel freeze is on the 31st).
Comment 4 Steve Grubb 2005-10-17 12:29:46 EDT
Thanks for the feedback.

2 - I was thinking about adding autoconf code to do the conditional compilation.
Should it be done automatically or should it require --with-audit ? Each project
seems to have a preference.

3 - Not sure about ADT.

4 - I thought about that, but there are many cases where pam potentially fails
and it's not the user's fault. I wanted to keep those cases out of the failed
logs so that we only have failed records when people are failing authentication
or otherwise forbidden to login. This makes it easier to spot accounts that are
being hacked. Maybe I should add something regarding the intent to comments at
the beginning of the logging function.
Comment 5 Ray Strode [halfline] 2005-10-17 13:13:13 EDT
- I'd say just copy, paste, and tweak whatever is done for adt in configure.in.
Since it's already upstream, it presumably is being done the way upstream wants it.

- Might be a good idea to just have a short blurb mentioning the types of
failures that should get sent to the audit logs.
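As an added illustration (not gdm's code and not the patch attached to this bug), this is the shape such a hook can take in C, following the two points raised above: the libaudit call is only compiled in under HAVE_AUDIT, and the PAM result is classified once so that only failures attributable to the person logging in produce a failed USER_LOGIN record, while PAM or system trouble produces none. The PAM numeric codes are assumed to match Linux-PAM's <security/pam_appl.h> (not included, so the file builds without PAM headers); audit_open, audit_log_acct_message and AUDIT_USER_LOGIN are the real libaudit names. Without -DHAVE_AUDIT the fallback branch writes the would-be record to stderr so the decision logic can be exercised on any machine.

```c
/*
 * Added example, not gdm's own code: one audit record per login attempt.
 *   success                                  -> USER_LOGIN res=success
 *   user's fault (bad password, unknown/locked/expired account)
 *                                            -> USER_LOGIN res=failed
 *   PAM/system trouble (not the user's fault) -> no record at all,
 * so "failed" records only ever point at accounts being attacked or misused.
 */
#include <stdio.h>
#ifdef HAVE_AUDIT
#include <libaudit.h>
#endif

/* Assumed to match Linux-PAM's <security/pam_appl.h>; defined here only so
 * the file builds without PAM headers installed. */
#ifndef PAM_SUCCESS
#define PAM_SUCCESS            0
#define PAM_SERVICE_ERR        3
#define PAM_SYSTEM_ERR         4
#define PAM_BUF_ERR            5
#define PAM_PERM_DENIED        6
#define PAM_AUTH_ERR           7
#define PAM_CRED_INSUFFICIENT  8
#define PAM_AUTHINFO_UNAVAIL   9
#define PAM_USER_UNKNOWN      10
#define PAM_MAXTRIES          11
#define PAM_NEW_AUTHTOK_REQD  12
#define PAM_ACCT_EXPIRED      13
#define PAM_CRED_EXPIRED      16
#define PAM_CONV_ERR          19
#define PAM_ABORT             26
#define PAM_AUTHTOK_EXPIRED   27
#endif

enum login_audit_action {
        LOGIN_AUDIT_NONE = 0,   /* infrastructure problem: keep it out of the failed logs */
        LOGIN_AUDIT_FAIL = 1,   /* user failed authentication or is forbidden to log in */
        LOGIN_AUDIT_OK   = 2    /* successful login */
};

/* Single place that decides what, if anything, the audit trail should say. */
static enum login_audit_action
classify_pam_result (int pam_status)
{
        switch (pam_status) {
        case PAM_SUCCESS:
                return LOGIN_AUDIT_OK;
        /* Whoever is at the keyboard got it wrong or is barred from this account. */
        case PAM_AUTH_ERR:
        case PAM_USER_UNKNOWN:
        case PAM_MAXTRIES:
        case PAM_PERM_DENIED:
        case PAM_CRED_INSUFFICIENT:
        case PAM_CRED_EXPIRED:
        case PAM_ACCT_EXPIRED:
        case PAM_NEW_AUTHTOK_REQD:
        case PAM_AUTHTOK_EXPIRED:
                return LOGIN_AUDIT_FAIL;
        /* PAM_SYSTEM_ERR, PAM_BUF_ERR, PAM_ABORT, PAM_CONV_ERR, ... are the
         * machine's fault, not the user's, so they are not failed logins. */
        default:
                return LOGIN_AUDIT_NONE;
        }
}

/* Emits the record and returns the action taken; -1 if the audit write failed. */
static int
audit_login_attempt (const char *user, const char *display, int pam_status)
{
        enum login_audit_action action = classify_pam_result (pam_status);
        int success;

        if (action == LOGIN_AUDIT_NONE)
                return LOGIN_AUDIT_NONE;
        success = (action == LOGIN_AUDIT_OK);
        if (user == NULL)
                user = "?";     /* name never entered or not resolvable */

#ifdef HAVE_AUDIT
        {
                int fd = audit_open ();
                int rc;
                if (fd < 0)
                        return -1;
                /* USER_LOGIN: op=login, account name, uid not yet known (-1),
                 * local host, the X display as the terminal, result flag. */
                rc = audit_log_acct_message (fd, AUDIT_USER_LOGIN, NULL, "login",
                                             user, -1, NULL, NULL, display, success);
                audit_close (fd);
                if (rc <= 0)
                        return -1;
        }
#else
        /* Fallback when built without libaudit: same content, to stderr. */
        fprintf (stderr, "USER_LOGIN op=login acct=\"%s\" terminal=%s res=%s\n",
                 user, display, success ? "success" : "failed");
#endif
        return action;
}

int
main (void)
{
        /* Constructed sample attempts: bad password, expired account,
         * PAM breakage (no record), and a successful login. */
        audit_login_attempt ("alice", ":0", PAM_AUTH_ERR);
        audit_login_attempt ("bob",   ":0", PAM_ACCT_EXPIRED);
        audit_login_attempt ("carol", ":0", PAM_SYSTEM_ERR);
        audit_login_attempt ("dave",  ":0", PAM_SUCCESS);
        return 0;
}
```

Keeping the classification in one function is what makes the "log once after the pamerr: label" suggestion and the "only the user's fault" intent compatible: the caller logs at a single point, and the switch is where the policy lives and where a comment can spell out which failure types are meant to reach the audit log.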
Comment 6 Steve Grubb 2005-10-17 17:27:28 EDT
Created attachment 120088
New version of patch to add login audit messages

This patch has some cleanups mentioned in the bug report.
Comment 12 Ray Strode [halfline] 2005-11-09 18:07:42 EST
Hi Steve,

Thanks.  I've got to do another rebuild anyway for a different bug, so I'll just
hold off.
Comment 13 Steve Grubb 2005-11-21 13:26:27 EST
audit-1.0.12 is now supposed to be in the RHEL4 build root. Please update any
Requires or BuildRequires to that version. Let me know if you have any problems.
Comment 14 Ray Strode [halfline] 2005-12-02 02:36:48 EST
Okay, rebuilt with

Requires: audit-1.0.12
and
BuildRequires: audit-libs-devel-1.0.12

marking MODIFIED
Comment 18 Red Hat Bugzilla 2006-03-07 13:52:08 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0120.html
