- Bug
- Resolution: Done-Errata
- Normal
- rhel-9.5
- openssh-8.7p1-40.el9
- None
- Moderate
- 1
- rhel-sst-security-crypto
- ssg_security
- 17
- 1.5
- False
- No
- Red Hat Enterprise Linux
- Crypto24Q2
- Pass
- Not Needed
- Automated
- Release Note Not Required
- All
- None
What were you trying to do that didn't work?
With UseDNS yes in /etc/ssh/sshd_config, we should see both the IP and the hostname in the audit entry, but instead the hostname shows up in the addr field and the hostname field is left empty:
type=USER_LOGIN msg=audit(1705941022.588:51526): pid=130703 uid=0 auid=1000 ses=3729 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=server.localdomain terminal=/dev/pts/1 res=success'UID="root" AUID="user1" ID="user1"
Please provide the package NVR for which the bug is seen:
openssh-8.7p1-34.el9.x86_64
How reproducible:
Always
Steps to reproduce
- configure UseDNS in sshd config
- login with a user
- check the audit logs
Expected results
type=USER_LOGIN msg=audit(1705941022.588:51526): pid=130703 uid=0 auid=1000 ses=3729 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=server.localdomain terminal=/dev/pts/1 res=success'UID="root" AUID="user1" ID="user1"
From the source code: the 3rd argument of linux_audit_user_logxxx should be the IP:
linux_audit_user_logxxx(int uid, const char *username, const char *ip,
    const char *ttyn, int success, int event)
...
	/* the NULL before ip is the host argument of audit_log_acct_message,
	 * ip fills the addr field */
	rc = audit_log_acct_message(audit_fd, event, NULL, "login",
	    username ? username : "(unknown)", username == NULL ? uid : -1,
	    NULL, ip, ttyn, success);
But it's hostname in the calling function:
void
audit_session_open(struct logininfo *li)
{
	if (!user_login_count++)
		linux_audit_user_logxxx(li->uid, NULL, li->hostname,
		    li->line, 1, AUDIT_USER_LOGIN);
	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
	    li->line, 1, AUDIT_USER_START);
}
It's working correctly when running a command:
void
audit_end_command(struct ssh *ssh, int handle, const char *command)
{
	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
	    ssh_remote_ipaddr(ssh), "ssh", 1, AUDIT_USER_END);
	if (user_login_count && !--user_login_count)
		linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
		    ssh_remote_ipaddr(ssh), "ssh", 1, AUDIT_USER_LOGOUT);
}
=> the 3rd argument is the remote IP:
type=USER_END msg=audit(1705913619.420:45151): pid=96030 uid=0 auid=1000 ses=3268 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_umask,pam_lastlog acct="user1" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'UID="root" AUID="user1"
This is certainly due to the upstream update of linux_audit_record_event, which changed its arguments so that hostname and ip are passed separately:
linux_audit_record_event(int uid, const char *username, const char *hostname,
    const char *ip, const char *ttyn, int success)
- clones: RHEL-22315 Audit USER_LOGIN entry is not filled correctly for IP and hostname (Closed)
- links to: RHBA-2024:132940 openssh update