Red Hat Bugzilla – Bug 170569
[RHEL4] gdm should log to auditd when a user fails authentication or is forbidden to login
Last modified: 2007-11-30 17:07:21 EST
Description of problem:
We need a message added to gdm to show the fact that a login was attempted and what the results are. It's possible under the current system but very clumsy to figure out logins. This is not conducive to writing automatic reporting tools.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
2. look in audit logs for message
Actual Results: You get a pam session open message. cron also opens a pam session and doesn't login, so it's hard to spot logins when looking for success/fail with current audit tools.
I will provide a small patch that fixes this.
Created attachment 120057 [details]
Patch to add login success/fail messages to audit system
The attached patch adds the audit login success/fail messages. It was generated
against gdm-188.8.131.52-7.rhel4.6. If the patch looks good to you, I would apply it
to rawhide to get a little user community testing on it. The spec file will
need BuildRequires: audit-libs-devel >= 1.0.6 added to it.
A few comments...
- We want to get this upstreamed if possible. It means we won't have to keep
repatching things for RHEL-5, RHEL-6, each new package version bump in rawhide,
- If we're going to get this upstreamed it's going to need to be conditionally
compiled in. That means checking for the audit libs during configure and
wrapping things in #ifdef HAVE_AUDIT, etc... The upstream maintainer of GDM
works for Sun, so there's no way he's going to take a patch that won't build for
- Speaking of Sun, it looks like Solaris has something similar called ADT?
There is some overlap in the code that you add and what happens in HAVE_ADT. It
might be interesting to refactor things a bit to reduce repetitive code. But
then again, GDM is full of repetitive code so that's probably not a huge deal.
- Rather than logging in the failure clause after each pam call, why not just do
it once after the pamerr: label at the bottom of the gdm_verify_user?
- In general, GDM uses gboolean instead of int for booleans.
Feel free to rebuild gdm in rawhide with whatever patches you want. Just make
sure things aren't too broken by Test1 (devel freeze is on the 31st).
Thanks for the feedback.
2 - I was thinking about adding autoconf code to do the conditional compilation.
Should it be done automatically or should it require --with-audit? Each project
seems to have a preference.
3 - Not sure about ADT.
4 - I thought about that, but there are many cases where pam potentially fails
and it's not the user's fault. I wanted to keep those cases out of the failed
logs so that we only have failed records when people are failing authentication
or otherwise forbidden to login. This makes it easier to spot accounts that are
being hacked. Maybe I should add something regarding the intent to comments at
the beginning of the logging function.
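As an added illustration (not the attached patch or gdm's own code) of the two points discussed in the comments above, conditional compilation behind HAVE_AUDIT and auditing only the failures that are the user's fault: the function names, the set of PAM return codes treated as user-caused, the message text, and the use of libaudit's audit_open/audit_log_user_message/audit_close with AUDIT_USER_LOGIN are assumptions of this example, not taken from the attachment.

```c
/* Added example, not gdm's code: classify a PAM failure and, when built
 * with libaudit (HAVE_AUDIT), send an AUDIT_USER_LOGIN record for it. */
#include <stdio.h>

#ifdef HAVE_PAM
#include <security/pam_appl.h>
#else
/* Linux-PAM return code values, so the example builds without PAM headers. */
#define PAM_SUCCESS 0
#define PAM_SYSTEM_ERR 4
#define PAM_PERM_DENIED 6
#define PAM_AUTH_ERR 7
#define PAM_CRED_INSUFFICIENT 8
#define PAM_AUTHINFO_UNAVAIL 9
#define PAM_USER_UNKNOWN 10
#define PAM_MAXTRIES 11
#define PAM_ACCT_EXPIRED 13
#define PAM_CRED_EXPIRED 16
#define PAM_ABORT 26
#define PAM_AUTHTOK_EXPIRED 27
#endif

#ifdef HAVE_AUDIT
#include <libaudit.h>
#endif

/* 1 when pamerr means the user failed authentication or is forbidden to
 * log in (worth a failed-login record); 0 for PAM/system errors that are
 * not the user's fault and would only add noise to the failure logs. */
int gdm_pam_failure_is_user_fault(int pamerr)
{
    switch (pamerr) {
    case PAM_AUTH_ERR: case PAM_USER_UNKNOWN: case PAM_MAXTRIES:
    case PAM_CRED_INSUFFICIENT: case PAM_PERM_DENIED: case PAM_ACCT_EXPIRED:
    case PAM_CRED_EXPIRED: case PAM_AUTHTOK_EXPIRED:
        return 1;
    default:
        return 0;
    }
}

/* Record the outcome of one login attempt once, e.g. at the pamerr: label.
 * Returns 1 if a record was (or, without HAVE_AUDIT, would be) emitted,
 * 0 if the failure was skipped as not user-caused. */
int gdm_audit_login(const char *username, const char *display, int pamerr)
{
    int success = (pamerr == PAM_SUCCESS);
    if (!success && !gdm_pam_failure_is_user_fault(pamerr))
        return 0;
#ifdef HAVE_AUDIT
    int fd = audit_open();               /* hypothetical wiring, see lead-in */
    if (fd >= 0) {
        char msg[256];
        snprintf(msg, sizeof msg, "op=login acct=%s", username ? username : "?");
        audit_log_user_message(fd, AUDIT_USER_LOGIN, msg, NULL, NULL, display, success);
        audit_close(fd);
    }
#endif
    return 1;
}
```

Built without -DHAVE_AUDIT the classification still runs and the audit calls compile out, which is the shape the conditional-compilation comment asks for.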
- I'd say just copy, paste, and tweak whatever is done for adt in configure.in.
Since it's already upstream, it presumably is being done the way upstream wants it.
- Might be a good idea to just have a short blurb mentioning the types of
failures that should get sent to the audit logs.
Created attachment 120088 [details]
New version of patch to add login audit messages
This patch has some cleanups mentioned in the bug report.
Thanks. I've got to do another rebuild anyway for a different bug, so I'll just
audit-1.0.12 is now supposed to be in the RHEL4 build root. Please update any
Requires or BuildRequires to that version. Let me know if you have any problems.
Okay, rebuilt with
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.