Bug 208838 - Not logging newrole errors as USER_ROLE_CHANGE
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: policycoreutils
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2006-10-02 11:00 UTC by Bastien Nocera
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: beta2
Doc Type: Bug Fix
Last Closed: 2006-12-23 00:58:20 UTC


Attachments
patch fixing problems described herein (546 bytes, patch)
2006-10-19 18:41 UTC, Steve Grubb

Description Bastien Nocera 2006-10-02 11:00:53 UTC
policycoreutils-1.30.17-7

As a test user:
$ newrole -r system_r
Authenticating root.
Password:
newrole: incorrect password for root

In audit.log:
type=USER_AUTH msg=audit(1159034947.964:259): user pid=13388 uid=500 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c255 msg='PAM: authentication acct=root : exe="/usr/bin/newrole" (hostname=?, addr=?, terminal=pts/1 res=failed)'

This should be USER_ROLE_CHANGE, rather than USER_AUTH

Comment 1 Daniel Walsh 2006-10-05 13:43:37 UTC
I don't agree, since you are failing on the login versus failing on the changing
of the role.

Steve, what do you think?

Comment 2 Steve Grubb 2006-10-05 14:00:15 UTC
All use of authentication mechanism must be audited. The event above is
correctly attributing a failed use of that facility. This does not preclude
another event being generated by newrole that says USER_ROLE_CHANGE failed. As a
matter of fact, I think Mike was working on a patch that does just this.

Comment 3 Steve Grubb 2006-10-19 18:41:12 UTC
Created attachment 138894
patch fixing problems described herein

This patch adds an audit message when the password is incorrect. Please apply.

Comment 5 RHEL Program Management 2006-10-19 20:02:18 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux release.  Product Management has requested further review
of this request by Red Hat Engineering.  This request is not yet committed for
inclusion in release.

Comment 7 Daniel Walsh 2006-10-20 13:54:26 UTC
Fixed in policycoreutils-1.32-1

Comment 9 Jay Turner 2006-11-22 17:43:24 UTC
With policycoreutils-1.33.1-7.el5 I'm not seeing a change:

type=USER_AUTH msg=audit(1164217171.511:362): user pid=4619 uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct=root : exe="/usr/bin/newrole" (hostname=?, addr=?, terminal=pts/0 res=failed)'
type=USER_ACCT msg=audit(1164217201.031:363): user pid=4622 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'


Comment 10 Daniel Walsh 2006-11-28 15:41:32 UTC
Fixed in policycoreutils-1.33.5-1

Comment 11 RHEL Program Management 2006-12-23 00:58:20 UTC
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.
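
The check that comment 9 performs by eye, as an added example that is not part of the bug report or of policycoreutils: it parses audit records and lists the newrole processes whose failed run left a USER_AUTH record but no USER_ROLE_CHANGE record. The first two sample records are the ones quoted in comment 9; the other two are constructed, and the USER_ROLE_CHANGE message text is a placeholder because the report does not show the post-fix record.

```python
import re
from collections import defaultdict

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):")
FIELD = re.compile(r"""(\w+)=("[^"]*"|[^\s,)']+)""")

# Records 1-2: quoted in comment 9, re-joined onto one line each.
# Records 3-4: CONSTRUCTED. pid 5001 and the USER_ROLE_CHANGE msg text are
# placeholders (assumption), not real newrole output.
SAMPLE = [
    "type=USER_AUTH msg=audit(1164217171.511:362): user pid=4619 uid=0 auid=0 "
    "subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication "
    "acct=root : exe=\"/usr/bin/newrole\" (hostname=?, addr=?, terminal=pts/0 res=failed)'",
    "type=USER_ACCT msg=audit(1164217201.031:363): user pid=4622 uid=0 auid=4294967295 "
    "subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting "
    "acct=root : exe=\"/usr/sbin/crond\" (hostname=?, addr=?, terminal=cron res=success)'",
    "type=USER_AUTH msg=audit(1164217300.100:370): user pid=5001 uid=0 auid=0 "
    "subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication "
    "acct=root : exe=\"/usr/bin/newrole\" (hostname=?, addr=?, terminal=pts/2 res=failed)'",
    "type=USER_ROLE_CHANGE msg=audit(1164217300.105:371): user pid=5001 uid=0 auid=0 "
    "subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='newrole: CONSTRUCTED PLACEHOLDER "
    ": exe=\"/usr/bin/newrole\" (hostname=?, addr=?, terminal=pts/2 res=failed)'",
]

def parse(line):
    """Return the fields of one audit record as a dict, or None for other lines."""
    m = HEADER.match(line)
    if not m:
        return None
    # key=value pairs after the header; values containing commas would be cut
    # short, which does not affect the pid/exe/res fields used below.
    rec = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
    rec.update(type=m.group(1), time=float(m.group(2)), serial=int(m.group(3)))
    return rec

def newrole_failures(lines):
    """Map pid -> set of record types for failed records emitted by newrole."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec and rec.get("exe") == "/usr/bin/newrole" and rec.get("res") == "failed":
            seen[rec["pid"]].add(rec["type"])
    return dict(seen)

def auth_only_failures(lines):
    """pids whose failed newrole run is visible only as USER_AUTH."""
    return sorted(pid for pid, types in newrole_failures(lines).items()
                  if "USER_AUTH" in types and "USER_ROLE_CHANGE" not in types)
```

A detection rule that keys only on USER_ROLE_CHANGE would miss every pid this function returns, so on affected package versions the rule also has to match failed USER_AUTH records whose exe is newrole.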


