Red Hat Bugzilla – Bug 470269
gdm is not sending USER_END audit events
Last modified: 2015-01-14 18:21:58 EST
Description of problem:
The gdm-session-worker program is not sending USER_END audit events. This should be done whenever it calls pam_session_close. These events are required in order to mark the end of a user login in the audit logs.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. login, wait a few minutes, log out
2. ausearch --start today -m USER_START -x gdm
3. ausearch --start today -m USER_END -x gdm
You will see an event for USER_START, but none for USER_END.
This is in rawhide, F-10, and F-9. All 3 branches need to be fixed.
Created attachment 322811 [details]
Here is a patch.
I haven't logged out and restarted gdm yet, so it isn't tested
seems to work fine in brief testing.
Matthias, thanks for looking at this.
I'm not asking about AUDIT_USER_LOGOUT events, its the AUDIT_USER_END events. (I haven't had to add USER_LOGOUT events anywhere since USER_END serves that purpose.) These events are sent by pam whenever pam_session_close is called. What this seems to be indicating is that pam_session_close is not being called or its being called with user rather than root privileges. pam_session_close should be called with root privs in case it has to call umount or do other privileged ops. Another possibility could be a race where the gdm session worker is killed before it can finish pam_session_close? Thanks.
AUDIT_USER_LOGOUT events, its the AUDIT_USER_END events
good to have a choice in the headers, I guess :-)
Maybe http://bugzilla.gnome.org/show_bug.cgi?id=557794 is related, then ?
Created attachment 322874 [details]
reordering the setcred and close calls seems to give me USER_END events in the audit log.
I've built gdm-2.24.0-12.fc10 with this patch
Also committed upstream
Thanks for the quick work. But...I downloaded from koji (2.24.0-12) and rebooted twice. I am not seeing USER_END events. I looked in /var/log/secure and could only see pam_unix(gdm:session) session opened messages. So, pam_session_close is not getting called since syslog does not have permission requirements like the audit system does.
I might dig into the source code to see under what conditions the session close is not called. If I'm not seeing them and you are, then there is either a race killing the worker before its done or it takes a different code path in my system.
I'm seeing things like
time->Fri Nov 7 12:43:27 2008
type=USER_END msg=audit(1226079807.942:1433): user pid=18666 uid=0 auid=500 ses=10 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="mclasen" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
in ausearch -m USER_END output.
I assume that is what you are looking for ?
Yes, that is what I am looking for. But I'm not seeing it. /var/log/secure doesn't show it, and /var/log/gdm/:0-slave.log only shows pam session opens. I've turned on debug and can see GdmServer: child (pid:xxxx) done (signal:6) in :1 through :5, but not :0. Signal 6 is an abort...could it be that the dbus call right before calling pam_close_session is aborting and taking down gdm in an unclean manner? How would I find out?
Placing back in assigned since USER_END events are still missing. My theory is that dbus is aborting without running pam_close_session. Could the order of calling dbus and closing pam be switched? Or does dbus still need access to the user's homedir? (It could disappear if pam open session mounted the user homedir.)
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.
More information and reason for this action is here:
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '10'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version prior to Fedora 10's end of life.
Bug Reporter: Thank you for reporting this issue and we are sorry that
we may not be able to fix it before Fedora 10 is end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora please change the 'version' of this
bug to the applicable version. If you are unable to change the version,
please add a comment here and someone will do it for you.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
The process we are following is described here:
Fedora 10 changed to end-of-life (EOL) status on 2009-12-17. Fedora 10 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version.
Thank you for reporting this bug and we are sorry it could not be fixed.