Bug 443432 - gnome-screensaver doesn't audit failed unlock attempts
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: pam
Version: 9
Hardware: All
OS: Linux
Priority: low
Severity: high
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-04-21 11:06 EDT by LC Bruzenak
Modified: 2008-06-06 13:26 EDT
Last Closed: 2008-06-06 11:09:00 EDT
Description LC Bruzenak 2008-04-21 11:06:46 EDT
Description of problem:
The gnome-screensaver does not audit failed unlock attempts.

Version-Release number of selected component (if applicable):
gnome-screensaver-2.22.1-1.fc9.i386

How reproducible:
always

Steps to Reproduce:
1. Login
2. Lock screen
3. Enter bogus password
4. Search audit log for failed attempt (ausearch -i -x gnome-screensaver)
5. Ideally this would yield the answer I think:
ausearch -i -x gnome-screensaver -sv no

Actual results:
There are no "screen unlock" failures

Expected results:
There should be "screen unlock" failures

Additional info:
There are several audit events for the screensaver; you may need to pipe output
to grep "lock". Depending on Steve Grubb's advice I may file another bz to cover
those.
Comment 1 LC Bruzenak 2008-05-05 12:07:37 EDT
From looking at the priority field description I believe it should be changed to
high; maybe normal at the least. But since this is a loss of data deemed to be
security-relevant I believe it needs a higher priority if not also severity. 
The fix isn't urgently needed, but I'd like to see it addressed in the near
future if possible.
Comment 2 Bug Zapper 2008-05-14 05:51:57 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 3 Ted X Toth 2008-06-06 10:15:02 EDT
gnome-screensaver launches gnome-screensaver-dialog which uses pam to
reauthenticate the user. However since gnome-screensaver-dialog is run as the
user and not root it can't audit. In SELinux enforcing the audit failure causes
an authentication failure which means the user can not log back in through the
screen saver dialog.
Comment 4 Ray Strode [halfline] 2008-06-06 10:41:17 EDT
gnome-screensaver-dialog shouldn't run as root.

pam_unix uses a setuid helper to handle any heavy lifting it needs to do.

If audit is failing, must be a problem with pam_unix i guess.
Comment 5 Tomas Mraz 2008-06-06 11:09:00 EDT
You have to use 'ausearch -i -x unix_chkpwd -sv no' instead. The authentication
and auditing of the authentication attempt is done by unix_chkpwd helper in case
of screensaver and other non-root processes which call pam.
Comment 6 Ted X Toth 2008-06-06 11:29:50 EDT
Instead of what? Here is the AVC that caused the authentication failure when
SELinux is in enforcing mode and gnome-screensaver-dialog is being used to
reauthenticate.
type=AVC msg=audit(1212758291.296:156): avc:  denied  { create } for  pid=4079
comm="gnome-screensav" scontext=user_u:user_r:user_t:s0
tcontext=user_u:user_r:user_t:s0 tclass=netlink_audit_socket

Should I open a new bug?
Comment 7 Ted X Toth 2008-06-06 11:41:09 EDT
Also in /var/log/secure I get:
Jun  5 10:34:04 localhost gnome-screensaver-dialog: PAM audit_open() failed:
Permission denied
Comment 8 Ray Strode [halfline] 2008-06-06 13:26:39 EDT
So Tomas was answering comment 0. Your issue is slightly different, so it might
be better to open a new bug against pam.
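Added example, not part of this bug report and not code from pam or gnome-screensaver: a small Python scanner over raw audit-log text that picks out the two record types discussed in this thread. The first is a failed PAM authentication recorded by the setuid unix_chkpwd helper, which is what 'ausearch -i -x unix_chkpwd -sv no' from comment 5 selects (the screensaver dialog itself never writes the record, so searching on exe gnome-screensaver finds nothing). The second is an AVC denial on netlink_audit_socket like the one in comment 6, which means a process could not open the audit socket at all and therefore left no record of its own. The AVC line is the one quoted in comment 6; the USER_AUTH lines are constructed sample input whose field names follow the kernel audit format but whose values (pids, auid 500, account "lcb") are invented. The Finding class and scan() function are this example's own.

```python
"""Scan audit-log text for screen-unlock failures and lost-audit indicators.

Example code written for this bug thread, not from pam or gnome-screensaver.
Detects:
  * USER_AUTH records with res=failed written by the unix_chkpwd helper
    (the records `ausearch -i -x unix_chkpwd -sv no` would return), and
  * AVC denials on tclass=netlink_audit_socket, which mean a process could
    not reach the audit subsystem and so produced no audit record itself.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Finding:
    kind: str          # "unlock_failure" or "audit_denied"
    serial: int        # event serial from msg=audit(timestamp:serial)
    detail: dict = field(default_factory=dict)


# Common record header: type=<TYPE> msg=audit(<epoch>:<serial>): <body>
HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs; values may be double-quoted, single-quoted, or bare.
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")
# AVC permission set, e.g. `denied  { create }`
AVC_PERM_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")


def parse_fields(body: str) -> dict:
    """Turn the key=value pairs of a record body into a dict, quotes stripped."""
    return {key: val.strip("\"'") for key, val in KV_RE.findall(body)}


def scan(log_text: str) -> list:
    """Return a Finding for each relevant record, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        rtype, serial, body = m.group("type"), int(m.group("serial")), m.group("body")
        fields = parse_fields(body)
        # PAM records nest their own key=value list inside msg='...'; flatten it.
        if "msg" in fields:
            fields.update(parse_fields(fields["msg"]))

        if (rtype == "USER_AUTH" and fields.get("res") == "failed"
                and fields.get("exe", "").endswith("/unix_chkpwd")):
            findings.append(Finding("unlock_failure", serial, {
                "acct": fields.get("acct"),
                "auid": fields.get("auid"),
                "terminal": fields.get("terminal"),
            }))
        elif rtype == "AVC" and fields.get("tclass") == "netlink_audit_socket":
            perm = AVC_PERM_RE.search(body)
            findings.append(Finding("audit_denied", serial, {
                "comm": fields.get("comm"),
                "pid": fields.get("pid"),
                "perm": perm.group(1) if perm else None,
            }))
    return findings


# Constructed sample input. The AVC line is the one quoted in the bug;
# the USER_AUTH lines are invented (pids, auid, account name are made up).
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1212758290.100:155): user pid=4078 uid=500 auid=500 ses=1 subj=user_u:user_r:user_t:s0 msg='op=PAM:authentication acct="lcb" exe="/sbin/unix_chkpwd" hostname=? addr=? terminal=:0 res=success'
type=AVC msg=audit(1212758291.296:156): avc:  denied  { create } for  pid=4079 comm="gnome-screensav" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=netlink_audit_socket
type=USER_AUTH msg=audit(1212758291.300:157): user pid=4080 uid=500 auid=500 ses=1 subj=user_u:user_r:user_t:s0 msg='op=PAM:authentication acct="lcb" exe="/sbin/unix_chkpwd" hostname=? addr=? terminal=:0 res=failed'
type=USER_AUTH msg=audit(1212758299.900:158): user pid=4101 uid=0 auid=500 ses=1 subj=system_u:system_r:sshd_t:s0 msg='op=PAM:authentication acct="lcb" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=failed'
"""


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.kind:15} serial={f.serial} {f.detail}")
```

The sshd failure in the sample is deliberately left out of the results: the scanner keys on the helper's exe, so the same logic separates screen-unlock failures from other PAM failures on the host. An audit_denied finding next to a run of missing unlock records is the signature of the situation in comments 6 and 7, where the dialog's audit_open() fails under SELinux enforcing.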