Skip to content

when using pam authentication all logon failures marked as success#23

Open
amalek215 wants to merge 4 commits intopgaudit:mainfrom
amalek215:pam_auth_fix2
Open

when using pam authentication all logon failures marked as success#23
amalek215 wants to merge 4 commits intopgaudit:mainfrom
amalek215:pam_auth_fix2

Conversation

@amalek215
Copy link
Contributor

@amalek215 amalek215 commented Jul 22, 2021

The issue is when using PAM auth a log msg of level LOG created before the FATAL msg
Pass in the msg and check it to catch this case.

Example logs from csv:

2021-07-22 14:49:47.420 EDT,,,13208,"127.0.0.1:34254",60f9bdcb.3398,1,"",2021-07-22 14:49:47 EDT,,0,LOG,00000,"connection received: host=127.0.0.1 port=34254",,,,,,,,,""
2021-07-22 14:49:48.938 EDT,"XXXXX","pgaudit",13208,"127.0.0.1:34254",60f9bdcb.3398,2,"authentication",2021-07-22 14:49:47 EDT,3/843974,0,LOG,00000,"pam_authenticate failed: User not known to the underlying authentication module",,,,,,,,,""
2021-07-22 14:49:48.938 EDT,"XXXXX","pgaudit",13208,"127.0.0.1:34254",60f9bdcb.3398,3,"authentication",2021-07-22 14:49:47 EDT,3/843974,0,FATAL,28000,"PAM authentication failed for user ""XXXXX""","Connection matched pg_hba.conf line 90: ""host    all             all             127.0.0.1/32            pam""",,,,,,,,""

@dwsteele dwsteele self-requested a review July 26, 2021 12:37
@dwsteele dwsteele self-assigned this Jul 26, 2021
@dwsteele
Copy link
Collaborator

dwsteele commented Jul 26, 2021

It is not clear to me why this change is needed. Why is the FATAL not enough? Is it just that you want the PAM message to be logged as an error, or is something not working as expected?

@amalek215
Copy link
Contributor Author

amalek215 commented Jul 26, 2021

The issue is it is incorrectly recording a successful authentication in the logon table and incorrectly not logging an error in the session table for pam failures.

FATAL would be enough if PAM did not create a msg LOG right before the FATAL msg.

Here are 2 sample table excerpts for when authentication failed using pam:

 pgaudit.logon 
                            user_name                            | last_success |    current_success     | last_failure | failures_since_last_success
-----------------------------------------------------------------+--------------+------------------------+--------------+-----------------------------
 ############################################################### |              | 2021-07-20 04:42:04-04 |              |                           0
 conda activate base                                             |              | 2021-07-21 13:15:35-04 |              |                           0
(2 rows)

  pgaudit.session 
    session_id    | process_id |   session_start_time   |                            user_name                            | application_name |    connection_from    | state
------------------+------------+------------------------+-----------------------------------------------------------------+------------------+-----------------------+-------
 60f68c5c.1382    |       4994 | 2021-07-20 04:42:04-04 | ############################################################### | [unknown]        |  REMOVED              | ok
 60f85637.33b66   |     211814 | 2021-07-21 13:15:35-04 | conda activate base                                             | [unknown]        | REMOVED                | ok
(2 rows)

Below is one example from the csv log:

2021-07-21 13:15:37.304 EDT,"conda activate base","xxxx",211814,"REMOVED",60f85637.33b66,2,"authentication",2021-07-21 13:15:35 EDT,10/1940967,0,LOG,00000,"pam_authenticate failed: User not known to the underlying authentication module",,,,,,,,,""
2021-07-21 13:15:37.304 EDT,"conda activate base","xxxx",211814,"REMOVED",60f85637.33b66,3,"authentication",2021-07-21 13:15:35 EDT,10/1940967,0,FATAL,28000,"PAM authentication failed for user ""conda activate base""","Connection matched pg_hba.conf line 128:```

@amalek215
Copy link
Contributor Author

amalek215 commented Jun 23, 2023

Generalized the check for detecting authentication LOG messages that can precede a FATAL authentication message.
Added another PAM message and an ident message that are labeled as LOG but indicate an authentication error.

Below are example csv log entries of 3 error messages accounted for in this PR

2023-06-23 14:01:00.956 EDT,,,25987,"10.150.20.18:50840",6495dddc.6583,1,"",2023-06-23 14:01:00 EDT,,0,LOG,00000,"connection received: host=10.150.20.18 port=50840",,,,,,,,,"","not initialized",,0
2023-06-23 14:01:01.217 EDT,"amalek","test",25987,"10.150.20.18:50840",6495dddc.6583,2,"authentication",2023-06-23 14:01:00 EDT,22/235732,0,LOG,00000,"pam_authenticate failed: Authentication failure",,,,,,,,,"","client backend",,-8259055824528607182
2023-06-23 14:01:01.217 EDT,"amalek","test",25987,"10.150.20.18:50840",6495dddc.6583,3,"authentication",2023-06-23 14:01:00 EDT,22/235732,0,FATAL,28000,"PAM authentication failed for user ""amalek""","Connection matched pg_hba.conf line 148: ""hostssl test             all             0.0.0.0/0         pam""",,,,,,,,"","client backend",,-8259055824528607182

2023-06-23 14:02:02.079 EDT,,,66217,"10.150.20.18:50834",6495de1a.102a9,1,"",2023-06-23 14:02:02 EDT,,0,LOG,00000,"connection received: host=10.150.20.18 port=50834",,,,,,,,,"","not initialized",,0
2023-06-23 14:02:02.362 EDT,"amalek","test",66217,"10.150.20.18:50834",6495de1a.102a9,2,"authentication",2023-06-23 14:02:02 EDT,22/235737,0,LOG,00000,"error from underlying PAM layer: /usr/local/sbin/duo_sentinel failed: exit code 1",,,,,,,,,"","client backend",,0
2023-06-23 14:05:01.257 EDT,"amalek","test",66217,"10.150.20.18:50834",6495de1a.102a9,3,"authentication",2023-06-23 14:02:02 EDT,22/235737,0,LOG,00000,"pam_authenticate failed: Have exhausted maximum number of retries for service",,,,,,,,,"","client backend",,0
2023-06-23 14:05:01.257 EDT,"amalek","test",66217,"10.150.20.18:50834",6495de1a.102a9,4,"authentication",2023-06-23 14:02:02 EDT,22/235737,0,FATAL,57014,"canceling authentication due to timeout",,,,,,,,,"","client backend",,0

2023-06-23 14:30:02.620 EDT,,,63188,"192.168.9.252:47784",6495e4aa.f6d4,1,"",2023-06-23 14:30:02 EDT,,0,LOG,00000,"connection received: host=192.168.9.252 port=47784",,,,,,,,,"","not initialized",,0
2023-06-23 14:30:02.645 EDT,"amalek","test",63188,"192.168.9.252:47784",6495e4aa.f6d4,2,"authentication",2023-06-23 14:30:02 EDT,35/268140,0,LOG,XX000,"could not connect to Ident server at address ""192.168.9.252"", port 113: Connection refused",,,,,,,,,"","client backend",,-1059774696014560043
2023-06-23 14:30:02.645 EDT,"amalek","test",63188,"192.168.9.252:47784",6495e4aa.f6d4,3,"authentication",2023-06-23 14:30:02 EDT,35/268140,0,FATAL,28000,"Ident authentication failed for user ""amalek""","Connection matched pg_hba.conf line 144: ""hostssl test    all                                 192.168.8.0/21 ident""",,,,,,,,"","client backend",,-1059774696014560043

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dwsteele dwsteele Awaiting requested review from dwsteele

Assignees

@dwsteele dwsteele

Labels

enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@amalek215 @dwsteele