Bug 563208 - ausearch fails to parse PAM messages
Summary: ausearch fails to parse PAM messages
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam
Version: 4.9
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Tomas Mraz
QA Contact: Ondrej Moriš
URL:
Whiteboard:
Depends On:
Blocks: 596379
 
Reported: 2010-02-09 15:15 UTC by Olivier Fourdan
Modified: 2018-10-27 14:56 UTC
CC: 7 users

Fixed In Version: pam-0.77-66.28.el4
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-14 20:58:28 UTC
Target Upstream Version:


Attachments
Proposed patch (1.05 KB, patch), 2010-02-09 15:15 UTC, Olivier Fourdan

Description Olivier Fourdan 2010-02-09 15:15:23 UTC
Created attachment 389772: Proposed patch

Description of problem:

This bug is a follow-up of bug 510478 reported for audit.

audit-1.0.15 introduced a change to interpret data within the "msg=" field
that breaks with some messages, when the result string contains a space.

However, it appears that the result string should not contain a space in the first place, so the root of the problem is in pam and not in audit.

Version-Release number of selected component (if applicable):

pam-0.77-66.26.el4_8.1
audit-1.0.16-4.el4_8.1

How reproducible:

Always

Steps to Reproduce:
1. Install audit 1.0.16 on el4
2. Try to ssh to the system with a wrong passwd to generate a PAM
authentication failure
3. ausearch -i -m USER_AUTH

Actual results:

----
type=USER_AUTH msg=audit(07/09/2009 00:37:22.787:13) : user pid=5098 uid=root 
auid=unset msg='PAM authentication: user=ofourdan exe=/usr/sbin/sshd 
(hostname=localhost.localdomain  addr=127.0.0.1  terminal=ssh 
result=Authentication 
----

(Notice that the line is truncated; it is missing " failure)'".)

Expected results:

----
type=USER_AUTH msg=audit(07/09/2009 00:37:22.787:13) : user pid=5098 uid=root 
auid=unset msg='PAM authentication: user=ofourdan exe=/usr/sbin/sshd 
(hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh 
result=failed)' 
----

Additional info:

The problem comes from a discrepancy between what ausearch expects to parse and what PAM actually logs.

A fix for audit to parse the output containing a space was rejected, so the fix needs to go into PAM.

The proposed patch here attached will log "failed" or "success" instead of the string returned by pam_strerror() which may contain spaces.

This makes PAM behave more like recent versions of PAM (and thus ausearch can parse its output).

The risk I see here is if our customers have implemented custom parsing scripts to check for the original messages (e.g. "Authentication failure"). However, I see no simple way to keep such messages from PAM without changing audit, which is not possible.


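The discrepancy described in the report can be reproduced on the quoted records without either tool installed. The script below is an added illustration and is not code from the report, from audit, or from pam: it models the `msg=` body interpreter as a whitespace-split key=value tokenizer (an assumption about the 1.0.15 behaviour, not ausearch's actual parser), shows why `result=Authentication failure` loses its tail while `result=failed` survives, and adds a lint check a log-pipeline owner could run over records to find any field value that still contains whitespace. The sample records are constructed from the actual/expected results quoted above, and `PAM_SUCCESS == 0` is the only PAM fact assumed.

```python
import re

# Constructed sample records, written out from the results quoted in the report
# (not captured from a live system). OLD_RECORD carries the pam_strerror() text
# in result=, FIXED_RECORD carries the fixed word "failed" that the patch logs.
OLD_RECORD = (
    "type=USER_AUTH msg=audit(07/09/2009 00:37:22.787:13) : user pid=5098 uid=root "
    "auid=unset msg='PAM authentication: user=ofourdan exe=/usr/sbin/sshd "
    "(hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Authentication failure)'"
)
FIXED_RECORD = OLD_RECORD.replace("result=Authentication failure", "result=failed")

MSG_RE = re.compile(r"msg='(?P<body>.*)'\s*$")
# A new field starts only at whitespace that is followed by an optional "(" and "key=".
KEY_START_RE = re.compile(r"\s+(?=\(?\w+=)")

PAM_SUCCESS = 0  # Linux-PAM return code for success


def extract_msg(record):
    """Return the text inside the trailing msg='...' of an audit record."""
    m = MSG_RE.search(record)
    if m is None:
        raise ValueError("record has no quoted msg= body")
    return m.group("body")


def tokenize_on_whitespace(body):
    """Naive tokenizer: every field is cut at the first whitespace.

    Assumed model of the audit-1.0.15 interpreter (not ausearch's code); it
    reproduces the truncation the report shows, where a value containing a
    space loses everything after the space.
    """
    fields = {}
    for token in body.split():
        token = token.strip("(),")  # parentheses and commas are only decoration
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def split_before_keys(body):
    """Lenient parser: a field ends where the next 'key=' begins, so a value
    may contain spaces. Used here only to recover the full original value."""
    fields = {}
    for chunk in KEY_START_RE.split(body):
        chunk = chunk.strip("(),")
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            fields[key] = value
    return fields


def values_with_whitespace(body):
    """Lint check: keys whose value contains whitespace, i.e. fields that a
    whitespace-splitting consumer such as the one modelled above would truncate."""
    return sorted(k for k, v in split_before_keys(body).items() if re.search(r"\s", v))


def result_word(pam_retval):
    """What the attached patch logs in result= instead of pam_strerror():
    a fixed, space-free word derived from the PAM return code."""
    return "success" if pam_retval == PAM_SUCCESS else "failed"


if __name__ == "__main__":
    for label, record in (("old", OLD_RECORD), ("fixed", FIXED_RECORD)):
        body = extract_msg(record)
        print(label, "result as tokenized:", tokenize_on_whitespace(body).get("result"))
        print(label, "fields needing attention:", values_with_whitespace(body))
```

Running the script prints `Authentication` for the old record and `failed` for the fixed one, and the lint check lists `result` only for the old record. The same `values_with_whitespace` check can be pointed at any other `msg='...'` producer to confirm its fields are safe for a whitespace-splitting consumer before changing the consumer's parser.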