RHEL / RHEL-22315

Audit USER_LOGIN entry is not filled correctly for IP and hostname

    • Type: Bug
    • Resolution: Unresolved
    • Normal
    • rhel-8.9.0
    • openssh
    • Normal
    • sst_security_crypto
    • ssg_security
    • Red Hat Enterprise Linux
    • All

      What were you trying to do that didn't work?

      With UseDNS yes in /etc/ssh/sshd_config, we should see the IP AND hostname in the audit entry, but we can see the hostname in the addr field and nothing in the hostname one:

      type=USER_LOGIN msg=audit(1705941022.588:51526): pid=130703 uid=0 auid=1000 ses=3729 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=server.localdomain terminal=/dev/pts/1 res=success'UID="root" AUID="user1" ID="user1"

      Please provide the package NVR for which the bug is seen:

      openssh-8.0p1-17.el8.x86_64

      How reproducible:

      Always

      Steps to reproduce

      1. configure UseDNS in sshd config
      2. login with a user
      3. check the audit logs

      Expected results

      • hostname and IP fields correctly filled.

      Actual results

      type=USER_LOGIN msg=audit(1705941022.588:51526): pid=130703 uid=0 auid=1000 ses=3729 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=server.localdomain terminal=/dev/pts/1 res=success'UID="root" AUID="user1" ID="user1"

      From the source code: the 3rd argument of linux_audit_user_logxxx should be the IP:

      linux_audit_user_logxxx(int uid, const char *username, const char *ip,
          const char *ttyn, int success, int event)
      ...
      rc = audit_log_acct_message(audit_fd, event, NULL, "login",
          username ? username : "(unknown)", username == NULL ? uid : -1,
          NULL, ip, ttyn, success);

      But it's hostname in the calling function:

      void
      audit_session_open(struct logininfo *li)
      {
          if (!user_login_count++)
              linux_audit_user_logxxx(li->uid, NULL, li->hostname,
                  li->line, 1, AUDIT_USER_LOGIN);
          linux_audit_user_logxxx(li->uid, NULL, li->hostname,
              li->line, 1, AUDIT_USER_START);
      }

      It's working correctly when running a command:

      void
      audit_end_command(struct ssh *ssh, int handle, const char *command)
      {
          linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
              ssh_remote_ipaddr(ssh),
              "ssh", 1, AUDIT_USER_END);
          if (user_login_count && !--user_login_count)
              linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
                  ssh_remote_ipaddr(ssh),
                  "ssh", 1, AUDIT_USER_LOGOUT);
      }

      => the 3rd arg is the remote IP:

      type=USER_END msg=audit(1705913619.420:45151): pid=96030 uid=0 auid=1000 ses=3268 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_umask,pam_lastlog acct="user1" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'UID="root" AUID="user1"


      This is certainly due to the upstream update of the linux_audit_record_event function, which changed the args:

      linux_audit_record_event(int uid, const char *username, const char *hostname,
          const char *ip, const char *ttyn, int success)
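      As an added example (not part of this report or of the OpenSSH sources), a small Python check that parses audit session records in the key=value format quoted above and flags entries where a hostname has landed in addr= or hostname= is unset, so a log reviewer can tell mis-filled USER_LOGIN entries from correct ones. The two sample records are constructed after the entries quoted in the report.

```python
import ipaddress
import re

# Constructed sample records modelled on the two entries quoted in the report (not
# from a real host). Record 0 shows the symptom: hostname in addr=, hostname= is "?".
SAMPLE_AUDIT_LINES = [
    "type=USER_LOGIN msg=audit(1705941022.588:51526): pid=130703 uid=0 auid=1000 "
    "ses=3729 msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=? "
    "addr=server.localdomain terminal=/dev/pts/1 res=success'UID=\"root\" AUID=\"user1\"",
    "type=USER_END msg=audit(1705913619.420:45151): pid=96030 uid=0 auid=1000 "
    "ses=3268 msg='op=PAM:session_close acct=\"user1\" exe=\"/usr/sbin/sshd\" "
    "hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'UID=\"root\"",
]

# key=value pairs whose value is "double-quoted", 'single-quoted' or bare.
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_audit_record(line):
    """Flatten one record into a dict; the msg='...' payload is parsed recursively."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if key == "msg" and value.startswith("'"):
            fields.update(parse_audit_record(value[1:-1]))
        elif key != "msg":  # drop the outer msg=audit(...): wrapper
            fields[key] = value.strip('"')
    return fields


def check_record(fields):
    """A non-IP value in addr= or an unset hostname= ("?") is the mis-filled state."""
    findings = []
    addr = fields.get("addr")
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        findings.append("addr=%s is not an IP address" % addr)
    if fields.get("hostname") in (None, "?"):
        findings.append("hostname field is empty")
    return findings


def audit_login_records(lines):
    """Map line index -> findings for every session record that has any."""
    report = {}
    for index, line in enumerate(lines):
        fields = parse_audit_record(line)
        if fields.get("type") in ("USER_LOGIN", "USER_START", "USER_END", "USER_LOGOUT"):
            findings = check_record(fields)
            if findings:
                report[index] = findings
    return report
```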


            Dmitry Belyavskiy (dbelyavs@redhat.com)
            Benoit Welterlen (rhn-support-bwelterl)
            SSG Security QE